OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Fwd: Implementation observation concerning STIX trust-score modelling

    Posted 04-09-2026 11:32
    CTI TC Members,

    Please see the message below, which was intended for the CTI Comment Mailing List.

    ---------- Forwarded message ---------
    From: Markkanen, Veikko <veikko.m.markkanen@jyu.fi>
    Date: Thu, Apr 9, 2026 at 5:20 AM
    Subject: Implementation observation concerning STIX trust-score modelling
    To: kelly.cullinane@oasis-open.org <kelly.cullinane@oasis-open.org>


    Dear OASIS Staff Contact Kelly Cullinane, 

    I hope this message finds you well. 

    On behalf of the CISSAN project consortium, we are contacting you regarding an implementation observation relevant to the CTI STIX Subcommittee. We attempted to use the published contact route via cti-comment-subscribe@lists.oasis-open.org, but this has not been available to us, nor is it currently possible to register as a community member to access additional OASIS resources. We are therefore contacting you directly to communicate this implementation observation.

    Within CISSAN, selected platform outputs are transformed into STIX 2.1 bundles for exchange in machine-readable cyber threat intelligence workflows. In doing so, we identified a recurring modelling gap related to computational trust assessments.
    We would like to make the Committee aware that, in our implementation, there is a practical need to represent trust assessments as first-class structured intelligence objects. Our view is that this need may grow as zero-trust architectures, automated sharing pipelines, and AI-assisted analysis continue to mature. If similar use cases emerge elsewhere, a more standardized modelling approach could become important for interoperability and efficient automation.
    We are not submitting a formal specification proposal at this stage. Rather, we inform the Committee that this requirement has arisen in practice, and that we believe computational trust may be a candidate area for future consideration if broader community demand appears.
    To address this in our prototype, we defined a custom SDO tentatively named Trust Score, with the properties:
    Property Category: Properties
    Required Common Properties: type, spec_version, id, created, modified
    Optional Common Properties: created_by_ref, revoked, labels, confidence, external_references, object_marking_refs, granular_markings, lang
    Not Applicable Common Properties: hashes, extensions, first_observed, last_observed, count, defanged
    Trust Score Specific Properties: target_ref, score_value, score_threshold, is_below_threshold, calculation_method, basis_refs, explanation

    Thank you for your time and consideration. 

    Best regards,
    Veikko Markkanen JYU



  • 2.  RE: Fwd: Implementation observation concerning STIX trust-score modelling

    Posted 04-09-2026 17:29

    Could this be done through an extension of Opinion?

    Looking at the type-specific properties, I can see mappings for some of these:

    Trust Score – Opinion Mapping

    target_ref - object_refs
    score_value - <new extension property>
    score_threshold - <new extension property>
    is_below_threshold - <map to enum where disagree if it is under the threshold, agree if it is above. If it's more granular, others can be used>
    calculation_method - <new extension property>
    basis_refs - <new extension property>
    explanation - explanation

    This would allow existing systems to consume the object to at least get a high-level understanding of whether it was passing the calculation method, while allowing anyone who processes the full extension details to understand more of the why shared in the math.

     

    //SIGNED//

     

    Jeffrey Mates, Civ DC3/XT

    Computer Scientist

    Information Technology

    jeffrey.mates@us.af.mil
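
The mapping proposed in the reply above, as an added example that is not part of the thread and not CISSAN or OASIS code: a Trust Score dict is converted into a STIX 2.1 Opinion carrying a property-extension. The type name `trust-score`, the extension-definition id, the reading of `is_below_threshold` as `score_value < score_threshold`, and all sample values are assumptions made for illustration.

```python
import uuid

# Placeholder id for a hypothetical extension definition (constructed, not published).
TRUST_EXT_ID = "extension-definition--00000000-0000-4000-8000-000000000001"
# Trust Score properties with no Opinion counterpart; they go into the extension.
EXT_PROPS = ("score_value", "score_threshold", "calculation_method", "basis_refs")
# Optional common properties copied through unchanged when present.
COMMON_PROPS = ("created_by_ref", "revoked", "labels", "confidence", "lang",
                "external_references", "object_marking_refs", "granular_markings")

# Constructed sample input; the type name "trust-score" is an assumption.
SAMPLE = {
    "type": "trust-score", "spec_version": "2.1",
    "id": "trust-score--6f1c2a9e-3b7d-4c58-9e21-0a4b5c6d7e8f",
    "created": "2026-04-09T05:20:00.000Z", "modified": "2026-04-09T05:20:00.000Z",
    "target_ref": "identity--2d1c6ab3-5e4a-48f9-b159-ea7bc7c2a1f0",
    "score_value": 0.42, "score_threshold": 0.6, "is_below_threshold": True,
    "calculation_method": "weighted-average",
    "basis_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "explanation": "Score fell below the sharing threshold.",
}


def trust_score_to_opinion(ts):
    """Map a Trust Score dict onto an Opinion plus property-extension."""
    required = ("target_ref", "is_below_threshold", "created", "modified")
    missing = [p for p in required if p not in ts]
    if ts.get("type") != "trust-score" or missing:
        raise ValueError(f"not a usable Trust Score object, missing: {missing}")
    below = ts["is_below_threshold"]
    # Assumed semantics: the flag must agree with the numbers. Otherwise a consumer
    # reading only the enum and one reading the extension would see different verdicts.
    if {"score_value", "score_threshold"} <= ts.keys() and \
            (ts["score_value"] < ts["score_threshold"]) != below:
        raise ValueError("is_below_threshold contradicts score_value/score_threshold")
    opinion = {
        "type": "opinion", "spec_version": "2.1",
        "id": f"opinion--{uuid.uuid4()}",
        "created": ts["created"], "modified": ts["modified"],
        "object_refs": [ts["target_ref"]],            # target_ref - object_refs
        "opinion": "disagree" if below else "agree",  # is_below_threshold - enum
    }
    for prop in ("explanation",) + COMMON_PROPS:      # explanation - explanation
        if prop in ts:
            opinion[prop] = ts[prop]
    ext = {"extension_type": "property-extension"}
    ext.update({p: ts[p] for p in EXT_PROPS if p in ts})
    opinion["extensions"] = {TRUST_EXT_ID: ext}
    return opinion
```

A consumer that does not know the extension still sees a valid Opinion with `disagree` or `agree`; one that does can read the score, threshold, method and basis from `extensions`.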

     






  • 3.  RE: Fwd: Implementation observation concerning STIX trust-score modelling

    Posted 04-10-2026 16:47

    It indeed makes a lot of sense to define an extension definition in this case.

    The Opinion object already contains some fields that could be used, and using extension properties simplifies the mapping between a Trusted Score and the Opinion object.

    We plan to discuss the extension definitions topic at the CTI TC meeting next Thursday, particularly the idea of maintaining a repository with common extension definitions. 

    --
    Christian STUDER
    CIRCL - Computer Incident Response Center Luxembourg
    122 Rue Adolphe Fischer, L-1521 Luxembourg
    (+352)247 88444 - circl.lu