All,
As we have previously discussed and agreed, I would really like 3.0 to be a long-term stable release. Meaning, I do not want breaking changes after we release 3.0. That said, I would rather remove things that we do not feel comfortable with than have them be in the document and not be correct.
As we start getting back into having working calls, here are the major issues we need to address.
1. We still need to figure out the commands, agents, and targets stuff. It is not simple, and there are lots of weird aspects with this. On the surface it seems super easy to fix and there are some ideas that we have thrown around to address it. But the problem comes when you try to write normative language for it. That is when all of the weird corner cases come out of the woodwork. We have also had some fundamental disagreements about what certain things mean. So if we in the TC read these sections differently, then for sure the rest of the world is going to read it differently too.
2. We really need to remove the references to STIX; otherwise this will get hung up when we send it to the ITU. This means we need to fix the identity pieces and probably the grammar piece.
3. I have never really felt comfortable with all of the metadata stuff that MITRE added per a request from DHS. I am just not sure it works. I am not against the idea of having it. But it feels super squishy to me. I think what I would like to do is pull it out of the main specification and do some work with it, aka write some code, and then if it proves to be workable, we could release it as a companion spec. The other option is to pull it out and put it in an appendix or optional annex.
4. For some of the command types we have, I am not sure we have documented and modeled them correctly. And given we have no one who can speak to them authoritatively, it gives me pause.
I will add to this list as we get back into the swing of things.
Bret