CTI TAXII Subcommittee

  • 1.  Items in scope vs out of scope

    Posted 10-15-2015 17:29
    All,

    As we begin work on writing the specification for TAXII 2.0 I want to make sure we are diligent about capturing your ideas, questions, comments, and concerns. I also want to try and be very clear on where things might fall in the scope discussion. By doing this I believe we will remove confusion and allow us to focus on specific scoping concerns that people might have.

    To this end I would like to propose that we document the decisions we have already made in this SC and how they relate to scope in a manner that looks something like the following graphic. BTW, this is an early rough draft with only the most basic information.

    Please let us know if you find this kind of visual easy to follow and understand, and most importantly if it will help you understand where things fall in relation to scoping.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.


  • 2.  Re: [cti-taxii] Items in scope vs out of scope

    Posted 10-15-2015 22:06
    Great graphic. Has anyone considered the potential use of EV certs in conjunction with TAXII?

    --tony


  • 3.  Re: [cti-taxii] Items in scope vs out of scope

    Posted 10-15-2015 23:15
    I personally don't hold a lot of value in the use of EV certs. Certificate Authorities have a long history of getting social engineered, hacked, and so forth. I think if people are super concerned with validation of certificates then that will happen either with phone calls to repeat the fingerprints of certs, or for super secret trustgroups people will use their own shared PKI solution (e.g. separate offline trustgroup root cert, with a trustgroup-run issuing server for all participants). Vendors will of course issue client certs through their vendor portals, or just accept the user auth as confirmation of the TAXII client's identity.

    IMHO TAXII client implementations will need to support certificate pinning to stop fake sites impersonating the real ones. I'm thinking of man-in-the-middle style attacks to try and steal or alter threat intel. It would not be a good look if a threat intel platform had all of its info stolen because we didn't restrict interaction enough. Or if someone malicious started modifying it in transit so that large ISPs automatically started blocking valid customers' ranges or websites.

    Cheers

    Terry MacDonald
    STIX, TAXII, CybOX Consultant
    M: +61-407-203-026
    E: terry.macdonald@threatloop.com
    W: www.threatloop.com

    Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My opinions do not necessarily reflect those of Threatloop.com.
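The certificate pinning Terry calls for above, as an added example that is not part of the original thread: a client that keeps normal CA validation and additionally refuses any leaf certificate whose SHA-256 fingerprint is not on its pinned list (Python, standard library only; the DER bytes and the pin values are constructed stand-ins, and `connect_pinned` is a hypothetical helper name).

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a server certificate in DER form. A real client gets these
# bytes from tls_sock.getpeercert(binary_form=True) after the handshake completes.
CONSTRUCTED_SERVER_DER = b"\x30\x82\x01\x00constructed-taxii-server-certificate"


def fingerprint(der_bytes):
    """SHA-256 certificate fingerprint in the colon-separated hex form read out over the phone."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der_bytes, pinned_fingerprints):
    """True only if the presented certificate matches one of the pinned fingerprints.
    Pins may be written with or without colons and in either case; the compare is constant-time."""
    actual = fingerprint(der_bytes).replace(":", "").lower()
    return any(hmac.compare_digest(actual, pin.replace(":", "").lower())
               for pin in pinned_fingerprints)


def connect_pinned(host, port, pinned_fingerprints, timeout=10.0):
    """Open a TLS connection and refuse to use it unless the leaf certificate is pinned.
    Chain and hostname validation still run first; the pin is an extra check on top, so a
    certificate mis-issued for this host by a compromised CA is still rejected."""
    ctx = ssl.create_default_context()
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not matches_pin(leaf, pinned_fingerprints):
        tls.close()
        raise ssl.SSLError(f"pin mismatch for {host}: presented {fingerprint(leaf)}")
    return tls
```

Pins should be rotated ahead of certificate renewal by shipping both the current and the next fingerprint, otherwise a routine renewal locks every client out.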


  • 4.  Re: [cti-taxii] Items in scope vs out of scope

    Posted 10-16-2015 14:45
    Hi Terry,

    Your concerns certainly reflect those of many in the community. On the other hand, there are arguably more ubiquitous TAXII use cases where EV certs have a value proposition. Perhaps this all gets folded into the trust model options.

    --tony


  • 5.  RE: [cti-taxii] Items in scope vs out of scope

    Posted 10-16-2015 18:55
    For an example where "special" certs might lead to a barrier to entry, US-CERT's CISCP program insists on using FedBridge certificates at the moment. I know both ourselves and another large financial services firm have had trouble obtaining this type of certificate due to general confusion from our internal approval processes and even with external CAs who can't scale requests for certificates that require additional verification.

    This is not to say that we'd necessarily have the same trouble with extended validation certificates -- but we're certainly making it harder for the average bear to use SSL if we prefer or require them.

    Thanks,
    Alex


  • 6.  Re: [cti-taxii] Items in scope vs out of scope

    Posted 10-16-2015 19:17
    These are all great points and this is why I would like to insist that we have a defined extension point in the authentication process for TAXII 2.0. It would be great if this was also discoverable so clients could auto detect. But we may need to make that optional. Can anyone speak to that?

    HTTP Basic + JWT as the MTI seems like a good idea that most people can get behind. It is just important to note that you could have a policy that says you do not accept HTTP Basic + JWT authentication. In this case you could just respond with a simple error message and either tell the user why or not, depending on your security model.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.
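The policy layer Bret describes above, as an added example that is not part of the original thread: a server-side check that first applies a deployment policy on which Authorization schemes are accepted (returning a plain error for a refused scheme, with or without a reason) and only then verifies the credential, here an HS256 JWT checked with the standard library (Python; the shared secret, the policy set and the helper names are constructed for this example, not anything from the TAXII specification).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed deployment policy: this server accepts bearer JWTs but refuses HTTP Basic,
# and chooses to say so in its error message.
ACCEPTED_SCHEMES = {"Bearer"}
CONSTRUCTED_JWT_SECRET = b"constructed-shared-secret-for-this-example-only"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def mint_hs256_jwt(claims, secret):
    """Issue a compact HS256 token; only here so the example can build a valid token offline."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256_jwt(token, secret, now):
    """Return the claims when alg, signature and expiry all check out, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse 'none' or any algorithm this server never issues
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
        return claims if isinstance(claims, dict) and now < claims.get("exp", 0) else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token of any kind is simply rejected


def authenticate(authorization_header, now=None):
    """Map an Authorization header to (status, body); policy on the scheme runs before
    any credential check, so a refused scheme gets a policy error, not a credential one."""
    now = time.time() if now is None else now
    if not authorization_header:
        return 401, {"error": "authentication required"}
    scheme, _, credential = authorization_header.partition(" ")
    if scheme not in ACCEPTED_SCHEMES:
        return 401, {"error": f"authentication scheme {scheme} not accepted by this server"}
    claims = verify_hs256_jwt(credential.strip(), CONSTRUCTED_JWT_SECRET, now)
    return (200, claims) if claims else (401, {"error": "invalid or expired token"})
```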


  • 7.  Re: [cti-taxii] Items in scope vs out of scope

    Posted 10-16-2015 08:22
    Hey, Bret & Mark -

    Am I correct in my understanding that a query capability is currently considered out of scope for TAXII 2.0?

    --
    Cheers,
    Trey
    --
    Trey Darley
    Senior Security Engineer
    4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
    Soltra
    An FS-ISAC & DTCC Company
    www.soltra.com


  • 8.  RE: [cti-taxii] Items in scope vs out of scope

    Posted 10-16-2015 11:37
    Trey,

    One of our stated requirements for TAXII 2 is feature parity with TAXII 1.x [1]. To me, that means query has not been scoped out. That said, there is still plenty of conversation to be had about query (e.g., what feature set constitutes 'feature parity' as well as the actual design).

    The graphic Bret shared was intended to convey that for any particular discussion there are four high level buckets of "scope" to consider. The graphic was not intended to be a complete list of TAXII 2 features - it only includes items that this SC has discussed so far.

    If you (or anyone) have ideas or requirements for query, please share them!

    Thank you.
    -Mark

    [1] https://github.com/TAXIIProject/TAXII-Specifications/wiki/TAXII-2.0-Requirements


  • 9.  RE: [cti-taxii] Items in scope vs out of scope

    Posted 10-16-2015 14:59
    From my perspective - while I think that having QUERY for CTI is a fundamental and necessary use case - I think bundling it in with TAXII creates needless confusion. Not all use cases for TAXII care about QUERY. And not all use cases that care about QUERY care about TAXII. QUERY also has a lot more implicit ties to the data model. TAXII does not need any of these.

    I feel that QUERY should be its own separate API that may even follow a totally different paradigm. It should have its own, separate specification - and if needed, even have a different CTI subcommittee created for it. It's really an entirely different use case. Just because they were shoe-horned together in TAXII 1.X does not mean we can not fork it off now.

    -
    Jason Keirstead
    Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com
    Without data, all you are is just another person with an opinion - Unknown