OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  [RFI]: [cti] TAXII 2.1 CS Motion

    Posted 01-11-2020 16:18




    Re: However, to level set, right now we have three competing ideas / proposals for adding this type of functionality to TAXII
     
    Where do interested stakeholders find these three competing proposals?  We could only find the proposal submitted by DHS on December 9, 2019 in the Public discourse. 

     
    Could these perhaps be uploaded as Working Documents to the TC/SC?
     
    Patrick Maroney
    Principal Technology Security
    AT&T Chief Security Office
     


    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
    On Behalf Of Taylor, Marlon
    Sent: Friday, January 10, 2020 9:29 AM
    To: Bret Jordan <bret.jordan@broadcom.com>
    Cc: OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
    Subject: RE: [cti] TAXII 2.1 CS Motion


     
    Hi Bret,
     
    Yes, there have been several proposals submitted to address these concerns; however, the TC has not evaluated them. The TC has made great progress while in the other areas and now has the opportunity to refocus on this area. During previous meetings including Face-to-Face sessions, the TC agreed to include these use-cases within TAXII 2.1.

    While you may see no convergence in sight, TC members are actively at work (providing proposals, software implementations, etc.) to resolve this concern within TAXII 2.1 so I wouldn't agree there is a TC wide consensus to send TAXII 2.1 as is. It would be an injustice to the TC and TAXII community to move toward as a CS knowing the current situation and not trying to evaluate and resolve them within the TC before going release.
     
    -Marlon
     
     
    From: cti@lists.oasis-open.org < cti@lists.oasis-open.org >
    On Behalf Of Bret Jordan
    Sent: Thursday, January 9, 2020 4:11 PM
    To: Taylor, Marlon < Marlon.Taylor@cisa.dhs.gov >
    Cc: OASIS CTI TC Discussion List < cti@lists.oasis-open.org >
    Subject: Re: [cti] TAXII 2.1 CS Motion
     

    Marlon, 

     


    Thank you for your comments.  However, to level set, right now we have three competing ideas / proposals for adding this type of functionality to TAXII and no convergence in sight. In order to get a solution that works for all parties,
    my best guess is that it would be 5-6 months of work and testing. 


     


    While I personally would have liked to see this get done 12 months ago, we did not then, nor do we now have consensus in the TC to add anything else to TAXII. What we do have is TC wide consensus to ship TAXII 2.1 as is. Keep in mind we
    have done 4 CSDs and 3 public reviews, and the TC as a whole is not saying that TAXII 2.1 needs anything else.


     


    This is also why I proposed that we work on a solution that we could release as a standalone specification after TAXII 2.1 ships.  Maybe call it TAXII 2.1 Query or something like that. To do this we would need to find a solution that works
    for all parties so we can have TC wide consensus on the solution. If we went this route, then we can release TAXII 2.1 now, release the TAXII 2.1 Query specification whenever it gets done, and then fold that Query specification in to TAXII 2.2 whenever we
    start that work. 






     


    Thanks,


    Bret

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Thu, Jan 9, 2020 at 12:06 PM Taylor, Marlon < Marlon.Taylor@cisa.dhs.gov > wrote:




    Hi TC,
     
    I object to this motion, based on the original goal to address several down-selection use-cases within TAXII 2.1 which have proposals ready for TC evaluation that have not been resolved. The most recent proposal was provided in Dec 2019 and with suggestion/edit permissions regranted to TC members can be added for review with the TC documents.

    As a member of this TC and member (in addition to representative of other members) within the STIX/TAXII community, I truly appreciate and value all the work we have contributed to get to this point and anticipate supporting the remaining use-cases needed to increase the success of this TC and the ecosystems that will rely on what we provide.
     
    Looking forward to TAXII 2.1,
     
    -Marlon
     


    From: Taylor, Marlon

    Sent: Wednesday, January 8, 2020 5:37 PM
    To: Justin Stewart < jstewart@lookingglasscyber.com >; Bret Jordan < bret.jordan@broadcom.com >; OASIS CTI TC Discussion List < cti@lists.oasis-open.org >
    Subject: Re: [cti] TAXII 2.1 CS Motion


     



    We have made several accomplishments; however, moving forward with TAXII 2.1 as a CS without additional support for TAXII Filtering, which has been a long-requested capability throughout the community and can be accomplished via a minor spec change, would be a disservice to the TC and TAXII community.


     


    Looking forward to TAXII 2.1,


     


    -Marlon



     



    Marlon Taylor


    Strategy & Resources


    Cybersecurity and Infrastructure Security Agency



    Office: 703 235-3614 Cell: 202 603-8541 Email: marlon.taylor@cisa.dhs.gov







    From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Justin Stewart < jstewart@lookingglasscyber.com >
    Sent: Wednesday, January 8, 2020 5:14:11 PM
    To: Bret Jordan < bret.jordan@broadcom.com >; OASIS CTI TC Discussion List < cti@lists.oasis-open.org >
    Subject: Re: [cti] TAXII 2.1 CS Motion

     




    I second this motion.
     
    Thanks,
    Justin Stewart
    CTI-TC Interop SC co-chair
     

    From: < cti@lists.oasis-open.org > on behalf of Bret Jordan < bret.jordan@broadcom.com >
    Date: Wednesday, January 8, 2020 at 12:21 PM
    To: OASIS CTI TC Discussion List < cti@lists.oasis-open.org >
    Subject: [cti] TAXII 2.1 CS Motion


     


    All,

     


    Over the past couple of years the CTI TC has done a lot of work on the TAXII 2.1 specification. During this time the TC has released 10 working drafts, 4 committee specification drafts, and 3 public reviews. The
    last public review for TAXII 2.1 was completed in December with no new comments or issues.


     


    I am also pleased to report that all required sponsorship activities for TAXII 2.1 are complete. We now have at least 2 independent implementations of all new features and changes. Further all implementers have
    reported that the design works and it is implementable.


     


    At this time, I believe we are ready to move forward. As such:


     


    I move that the TC approves the CTI Chair(s) and TAXII Subcommittee Chair to request that the TC Administration hold a Special Majority Ballot to approve TAXII 2.1 Working Draft 10 / Committee Specification Draft
    04 contained in
    https://www.oasis-open.org/committees/document.php?document_id=66205&wg_abbrev=cti as a Committee Specification.







     


    Thanks,


    Bret

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

  • 2.  Re: [RFI]: [cti] TAXII 2.1 CS Motion

    Posted 01-11-2020 18:30

    They should be in the minutes from previous meetings. I know I sent an email to the list around July 19th 2019 talking about a dedicated call. This was after several months of discussions over Slack and working calls to try and come to consensus.

    Ideally I think now that there might be a way to merge these ideas together and release this as a separate TAXII Query specification. This way, we can have different conformance levels. So people that want to follow the Jason/Terry proposal, a more simplified version of the Jason/Terry proposal, the original Trey proposal, or want an expanded query through filtering can do so. But as we talked, this would require the TAXII server via the api-root resource identifying what types of queries it can support.

    But there are a lot of things to figure out, a lot of prose text to write, and overall we need TC consensus on a solution. The last time we did an informal vote on a working call, the overwhelming majority 90+% said to push this out of TAXII 2.1 and do it later.

    Thanks,
    Bret

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050

    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Sat, Jan 11, 2020 at 9:18 AM MARONEY, PATRICK < rx118r@att.com > wrote:

    Re: However, to level set, right now we have three competing ideas / proposals for adding this type of functionality to TAXII

    Where do interested stakeholders find these three competing proposals? We could only find the proposal submitted by DHS on December 9, 2019 in the Public discourse.

    Could these perhaps be uploaded as Working Documents to the TC/SC?