Document:
02933: Approve Custom Properties (STIX 2.0-1, Section 5.1) text as working draft

Draft (A preliminary unapproved sketch, outline, or version.)

Details

Submitted By Mr. Richard Struse on 2016-05-20 5:10 pm UTC

Publication Type

None at this time.

Group / Folder

OASIS Cyber Threat Intelligence (CTI) TC / System Ballot Results

Modified by

Not modified.

Copy

This document is not a copy.

Technical Contact

None at this time.

Download Count

506

Download Agreement

None at this time.

Description

Working draft status indicates that the TC generally agrees with the approach and the text as written. Editorial changes to the text may be made after text has been moved to draft status, but any substantive changes after the ballot has passed require another ballot to accept those substantive changes. Link to text: https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.8072zpptza86 Full Text: 5.1. Custom Properties The authors of this specification recognize that there will be cases where certain information exchanges can be improved by adding fields that are not specified nor reserved in this document; these fields are called Custom Properties. This section provides guidance and requirements for how producers can use Custom Properties and how consumers should interpret them in order to extend STIX in an interoperable manner. 5.1.1. Requirements • A STIX TLO MAY have any number of Custom Properties. • Custom Properties SHOULD start with “x_” followed by a source unique identifier (like a domain name), an underscore and then the name. For example: x_examplecom_customfield. • Custom Property keys SHOULD have a maximum length of 30 characters. • Custom Property keys MUST have a minimum length of 3 characters (including the prefix). • Custom Property keys MUST have a maximum length of 256 characters. • Custom Properties that are not prefixed with “x_” may be used in a future version of the specification for a different meaning. If compatibility with future versions of this specification is required, the “x_” prefix MUST be used. • Custom Properties SHOULD be uniquely named when produced by the same source and SHOULD use a consistent namespace prefix (e.g., a domain name). • Custom Properties SHOULD only be used when there is no existing field defined by the STIX specification that fulfills that need. A consumer that receives a STIX document with one or more Custom Properties that it does not understand MAY refuse to process the document further or silently ignore non-understood properties and continue processing the document. The reporting and logging of errors originating from the processing of Custom Properties depends heavily on the technology used to transport the STIX document and is therefore not covered in this specification. Non-Normative: Producers of STIX documents that contain Custom Properties should be well aware of the variability of consumer behavior depending on whether or not the consumer understands the Custom Properties present in a STIX TLO. Rules for processing Custom Properties should be well defined and accessible to any consumer that would be reasonably expected to parse them. 5.1.2. Examples { ..., "x_acmeinc_scoring": { "impact": "high", "probability": "low" }, ... }