[media-types] Update to media type registration: application/stix+json

Chet Ensign <chet.ensign@oasis-open.org> Wed, 08 April 2020 15:38 UTC

From: Chet Ensign <chet.ensign@oasis-open.org>
Date: Wed, 08 Apr 2020 11:38:20 -0400
Message-ID: <CAAwgnnN=fCONmyfDC3p0f-L=K1c7km9FmeKks3rWesfNrQiGTg@mail.gmail.com>
To: media-types@ietf.org
Cc: Bret Jordan <bret.jordan@broadcom.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/media-types/hYoUu94DmRC00Vvi_F-pY4ZlT1c>
Subject: [media-types] Update to media type registration: application/stix+json

The members of the OASIS Cyber Threat Intelligence Technical Committee have
approved STIX Version 2.1 and wish to update the existing media type
registration to reflect this change.

This message contains the updated media-type registration from the IANA
Considerations appendix of the spec
(https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_6aygoa1w5oc6).

The only change from the current registration is the update to the
specification version number.

Questions on the specification and this request can be submitted to Chet
Ensign (chet.ensign@oasis-open.org) or, for technical details, to Bret
Jordan (bret.jordan@broadcom.com), the specification's technical editor.

—

Media type name:  application

Media subtype name:  stix+json

Required parameters:  None

Optional parameters:  version

This parameter is used to designate the specification version of STIX that
is being used during HTTP content negotiation. Example:
"application/stix+json;version=2.1". The parameter value is of the form
'n.m', where n is the major version and m the minor version, both unsigned
integer values.

Encoding considerations:  binary

Encoding considerations are identical to those specified for the
"application/json" media type. See [RFC8259].

Security considerations:

Security considerations relating to the generation and consumption of STIX
messages are similar to application/json and are discussed in section 12 of
[RFC8259].

Unicode is used to represent text such as descriptions in the format. The
considerations documented by Unicode Technical Report #36: Unicode Security
Considerations [UnicodeTR#36] should be taken into account.

The STIX standard does not itself specify a transport mechanism for STIX
documents. It is expected that TAXII is often used (which uses TLS via
HTTPS). As there is no transport mechanism specified, it is up to the users
of this to use an appropriately secured transport method. For example, TLS,
JSON Web Encryption [RFC7516] and/or JSON Web Signature [RFC7515] can
provide such mechanisms.

Documents of "application/stix+json" are STIX-based Cyber Threat
Intelligence (CTI) documents. The documents may contain active or
executable content as well as URLs, IP addresses, and domain names that are
known or suspected to be malicious. Systems should thus take appropriate
precautions before decoding any of this content, either for persistent
storage or execution purposes. Such precautions may include measures such
as de-fanging, sandboxing, or other measures. The samples included in STIX
documents are reference samples only, and there is no provision or
expectation in the specification that they will be loaded and/or executed.
There are provisions in the specification to encrypt these samples so that
even if a tool decodes the data, a further active step must be done before
the payload will be "live". It is highly recommended that all active code
be armored in this manner.

STIX specifies the use of hashing and encryption mechanisms for some data
types. A cryptography expert should be consulted when choosing which
hashing or encryption algorithms to use to ensure that they do not have any
security issues.

STIX provides a graph-based data model. As such, STIX implementations
should implement protections against graph queries that can potentially
consume a significant amount of resources and prevent the implementation
from functioning in a normal way.

This specification also describes "STIX Patterning", a mechanism to
describe and evaluate a search/match for data observed on systems and
networks. Patterning is a grammar itself and includes PCRE regular
expressions. Care should be taken when parsing and evaluating the grammar
(particularly when evaluating PCRE from unknown or untrusted sources) as
they can potentially consume a significant amount of resources.

Privacy considerations:

These considerations are, in part, derived from Section 10 of the
Resource-Oriented Lightweight Information Exchange [RFC8322].

Documents may include highly confidential, personal (PII), and/or
classified information. There are methods in the standard for marking
elements of the document such that the consumer knows of these limitations.
These markings may not always be used. For example, an out-of-band
agreement may cover and restrict sharing. Just because a document is not
marked as containing information that should not be shared does not mean
that a document is free for sharing. It may be the case that a legal
agreement has been entered into between the parties sharing documents, and
that each party understands and follows their obligations under that
agreement as well as any applicable laws or regulations.

Adoption of the information-sharing approach described in this document
will enable users to more easily perform correlations across separate, and
potentially unrelated, cybersecurity information providers. A client may
succeed in assembling a data set that would not have been permitted within
the context of the authorization policies of either provider when
considered individually. Thus, providers may face a risk of an attacker
obtaining an access that constitutes an undetected separation of duties
(SOD) violation. It is important to note that this risk is not unique to
this specification, and a similar potential for abuse exists with any other
cybersecurity information-sharing protocol.

Interoperability considerations:

The STIX specification specifies the format of conforming messages and the
interpretation thereof. In addition, the OASIS Cyber Threat Intelligence
(CTI) Technical Committee has defined interoperability tests to ensure
conforming products and solutions can exchange STIX documents.

Published specification:

STIX Version 2.1 OASIS Committee Specification 01

http://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html

Cited in the "OASIS Standards" document:

https://www.oasis-open.org/standards#oasiscommiteespecs, from

https://www.oasis-open.org/standards#stix2.1

Applications which use this media:

Structured Threat Information Expression (STIX) is a language and
serialization format used to exchange cyber threat intelligence (CTI) such
as Threat Actors, Campaigns, Intrusion Sets, Attack Patterns, Indicators of
Compromise, etc. STIX enables organizations to share CTI with one another
in a consistent and machine-readable manner, allowing security communities
to better understand what computer-based attacks they are most likely to
see and to anticipate and/or respond to those attacks faster and more
effectively. STIX is designed to improve many different capabilities, such
as collaborative threat analysis, automated threat exchange, automated
detection and response, and more.

Fragment identifier considerations:  None

Restrictions on usage:  None

Additional information:

1. Deprecated alias names for this type: application/vnd.oasis.stix+json

2. Magic number(s): n/a [RFC8259]

3. File extension(s): stix

4. Macintosh file type code: TEXT [RFC8259]

5. Object Identifiers: None

Person and email to contact for further information:  Chet Ensign
(chet.ensign@oasis-open.org)

Intended usage:  COMMON

Author:

OASIS Cyber Threat Intelligence (CTI) Technical Committee;

URI reference: http://www.oasis-open.org/committees/cti/.

Change controller:  OASIS

Provisional registration:  No

-- 

/chet
----------------
Chet Ensign
Chief Technical Community Steward
OASIS: Advancing open source & open standards for the information society
http://www.oasis-open.org

Mobile: +1 201-341-1393
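As an added example, not part of the registration text above nor of any OASIS or STIX project code: a consumer-side Python check for the `version` parameter format ('n.m', unsigned integers) and the deprecated alias listed under Additional information, together with the de-fanging precaution from the security considerations applied to a STIX bundle before storage. The bundle, its IDs, the domain and the IP address are constructed placeholders.

```python
import json
import re

# Deprecated alias (registration item 1) still accepted on input, flagged as such.
STIX_TYPES = {"application/stix+json": False, "application/vnd.oasis.stix+json": True}
VERSION_RE = re.compile(r"^([0-9]+)\.([0-9]+)$")  # 'n.m', both unsigned integers

def parse_stix_content_type(header):
    """Return None for non-STIX types, else {media_type, deprecated_alias, version} with
    version=(major, minor) or None if absent; ValueError if version is not of form n.m."""
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    if media_type not in STIX_TYPES:
        return None
    version = None
    for param in parts[1:]:
        name, _, value = param.partition("=")
        if name.strip().lower() == "version":
            m = VERSION_RE.match(value.strip().strip('"'))
            if not m:
                raise ValueError("malformed STIX version parameter: %r" % value)
            version = (int(m.group(1)), int(m.group(2)))
    return {"media_type": "application/stix+json",
            "deprecated_alias": STIX_TYPES[media_type], "version": version}

def defang(text):
    """Neutralise URLs, IPv4 addresses and domains: http(s):// -> hxxp(s)://, '.' -> '[.]'."""
    text = re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", text)
    return text.replace(".", "[.]")

def defang_bundle(bundle):
    """Deep-copy a STIX bundle and de-fang indicator patterns and observable values
    before the bundle is written to persistent storage or shown to an analyst."""
    out = json.loads(json.dumps(bundle))
    for obj in out.get("objects", []):
        for key in ("pattern", "value"):
            if isinstance(obj.get(key), str):
                obj[key] = defang(obj[key])
    return out

# Constructed sample (reserved domain, documentation-range IP), not real CTI.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[url:value = 'http://evil.example/x']"},
        {"type": "ipv4-addr", "spec_version": "2.1", "value": "198.51.100.7",
         "id": "ipv4-addr--00000000-0000-4000-8000-000000000003"},
    ],
}
```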