CTI STIX Subcommittee

Re: [cti-stix] Updated report proposal

    Posted 09-12-2017 13:23




    Provided feedback via google doc comments.
     
    Sorry that I won't be on the call today to explain. If anything in my comments needs further explanation, please send me an email.
     
    regards
     

    Allan

     
     

    From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
    Date: Tuesday, September 12, 2017 at 5:36 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Updated report proposal


     

    All,
     
    As I mentioned in an e-mail yesterday, based on the straw poll that we had on the August 29 working call (notes here: https://www.oasis-open.org/committees/download.php/61462/OASIS-CTI-TC_WorkingSession_August29_2017.pdf) I put together a proposal to modify the report object to cover the concept of an evolving collection of content (i.e., the MISP use case).
     
    Proposal is here:
    https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.n8bjzg1ysgdq

     
    The changes are:

    - The description of the Report object was modified slightly to remove the reference to it being “published”. There were also some additional examples added.
    - The published property was made optional, to allow for cases where the report is not yet published.
    - A new status property was added, based on a suggestion from Allan that what we were describing as “published” or “not published” was not really a binary flag. The vocabulary is still somewhat TBD, right now I just put “ongoing-analysis” and “final” in as placeholders.
     
    On the call most folks seemed to think that the best option was to modify the Report object, but we did have a couple open questions:
     

    - Now that you’ve seen the proposal, does this general approach seem acceptable?
    - What are the possible values in the “status” vocabulary? The thought on the call was that there were more than two, but I couldn’t think of anything and I asked on Slack and didn’t get anything either.
     
    Thanks,
    John