Ballot Details: Normative Text on Lengths Proposal (CLOSED)

Ballot Question Should the STIX specification provide normative text (SHOULD or MUST statements) on the lengths supported by free form string fields, such as (but not limited to) description, title, and open vocab?
Ballot Description NOTE: The purpose of this ballot is to develop consensus for STIX on an issue that has been discussed on the list in the "Unicode, strings and STIX" thread. This is a non-binding ballot that can be reversed at any time in the future by simple majority vote of the TC.

Elaboration:
============

On May 31, John-Mark Gurney raised questions related to whether or not we were going to determine the specific length of fields in the STIX specification. His original post is here:

https://lists.oasis-open.org/archives/cti-stix/201605/msg00174.html

There was a vibrant debate for the next few days, and there seems to be general consensus that we should specify some normative text, even if it is SHOULD, for the length of fields. If the results of this ballot yield a YES vote, there will be additional questions to follow (such as whether lengths should be mandatory or advisory) but for now, please help us decide whether we should specify limits at all.

To consider the discussion in the entire thread, please use this link to the MarkMail archives of the cti-stix list:

http://markmail.org/search/?q=Unicode%2C+strings+and+STIX&q=list%3Aorg.oasis-open.lists.cti-stix
Ballot Options
VOTING CLOSED: Monday, 20 June 2016 @ 12:00 pm EDT
No, there should be no normative text describing length limits. 19 61.29
Yes, the spec should have normative text describing length limits for some fields. 12 38.71
Open Date Monday, 13 June 2016 @ 12:00 pm EDT
Close Date Monday, 20 June 2016 @ 12:00 pm EDT
Ballot Type Official, as defined by organization policies and procedures

Voting Statistics

Number of votes cast (excluding abstentions) 31
Eligible members who have voted 31 of 59 52.542%
Eligible members who have not voted 28 of 59 47.458%

Voting Summary by Option

Options with highest number of votes are bold
Option # Votes % of Total
No, there should be no normative text describing length limits. 19 61.29%
Yes, the spec should have normative text describing length limits for some fields. 12 38.71%

Voting Details

Voter Name Company Vote * Time (UTC) Comments
* Baker, Jonathan Mitre Corporation No, there should be no normative text describing length limits. 2016-06-20 14:44:00
* Barnum, Sean Mitre Corporation No, there should be no normative text describing length limits. 2016-06-14 14:51:00
* Brown, Iain United Kingdom Cabinet Office No, there should be no normative text describing length limits. 2016-06-14 10:49:00
* Clancy, Mark Soltra No, there should be no normative text describing length limits. 2016-06-18 22:40:00
* Coderre, Robert VeriSign No, there should be no normative text describing length limits. 2016-06-20 15:18:00
* Darley, Trey Soltra No, there should be no normative text describing length limits. 2016-06-14 00:27:00
* Davidson, Mark Soltra No, there should be no normative text describing length limits. 2016-06-13 16:36:00 1
* Keirstead, Jason IBM No, there should be no normative text describing length limits. 2016-06-15 12:47:00
* Kelley, Sarah Center for Internet Security (CIS) No, there should be no normative text describing length limits. 2016-06-13 17:31:00
* Kirillov, Ivan Mitre Corporation No, there should be no normative text describing length limits. 2016-06-13 16:40:00 1
* Maroney, Patrick Integrated Networking Technologies, Inc. No, there should be no normative text describing length limits. 2016-06-15 16:04:00 1
* Masuoka, Ryusuke Fujitsu Limited No, there should be no normative text describing length limits. 2016-06-15 08:56:00
* Patrick, Paul FireEye, Inc. No, there should be no normative text describing length limits. 2016-06-15 15:42:00
* Peloquin, Joey Citrix Systems No, there should be no normative text describing length limits. 2016-06-15 16:26:00
* Piazza, Richard Mitre Corporation No, there should be no normative text describing length limits. 2016-06-13 17:29:00
* Riedel, Daniel New Context Services, Inc. No, there should be no normative text describing length limits. 2016-06-14 22:45:00
* Thompson, Dean Australia and New Zealand Banking Group (A... No, there should be no normative text describing length limits. 2016-06-14 07:29:00
* Thomson, Laurie United Kingdom Cabinet Office No, there should be no normative text describing length limits. 2016-06-20 15:44:00
* Wunder, John Mitre Corporation No, there should be no normative text describing length limits. 2016-06-13 23:11:00
* Bohling, James US Department of Defense (DoD) Yes, the spec should have normative text describing length limits for some fields. 2016-06-15 17:22:00
* Foley, Alexander Bank of America Yes, the spec should have normative text describing length limits for some fields. 2016-06-13 16:24:00
* Ginn, Jane Cyber Threat Intelligence Network, Inc. (C... Yes, the spec should have normative text describing length limits for some fields. 2016-06-14 07:20:00
* Jordan, Bret Blue Coat Systems, Inc. Yes, the spec should have normative text describing length limits for some fields. 2016-06-14 08:36:00
* Kakumaru, Takahiro NEC Corporation Yes, the spec should have normative text describing length limits for some fields. 2016-06-20 13:41:00
* MacDonald, Terry Individual Yes, the spec should have normative text describing length limits for some fields. 2016-06-13 21:17:00
* Mates, Jeffrey US Department of Defense (DoD) Yes, the spec should have normative text describing length limits for some fields. 2016-06-16 11:56:00
* Pumo, Beth Kaiser Permanente Yes, the spec should have normative text describing length limits for some fields. 2016-06-14 20:33:00
* Thomson, Allan LookingGlass Yes, the spec should have normative text describing length limits for some fields. 2016-06-16 00:39:00 1
* Urbanski, Will Dell Yes, the spec should have normative text describing length limits for some fields. 2016-06-17 18:29:00
* Vorthman, Lee LookingGlass Yes, the spec should have normative text describing length limits for some fields. 2016-06-16 14:36:00 1
* Williams, Ron IBM Yes, the spec should have normative text describing length limits for some fields. 2016-06-13 19:32:00 1
* Beekman, Jeff Soltra --
* Butt, Michael Soltra --
* Butts, Brad U.S. Bank --
* Casey, Tim Intel Corporation --
* Chernin, Aharon Soltra --
* Davidson, Ron Check Point Software Technologies --
* DePeppe, Doug Cyber Threat Intelligence Network, Inc. (C... --
* Dye, Daniel Soltra --
* Eilken, David Financial Services Information Sharing and... --
* Gurney, John-Mark New Context Services, Inc. --
* Jones, Elysa Individual --
* Katz, Gary US Department of Defense (DoD) --
* Keckler, Raymond Soltra --
* Khan, Ali Soltra --
* Kiehl, Chris Soltra --
* Maxwell, Kyle VeriSign --
* McLellan, Mike United Kingdom Cabinet Office --
* Moler, James New Context Services, Inc. --
* Noguchi, Kazuo Hitachi, Ltd. --
* Pepin, Michael Soltra --
* Reaume, Greg TELUS --
* Sander, Tomas Hewlett Packard Enterprise (HPE) --
* Schmoker, Ben ThreatConnect, Inc. --
* Storms, Andrew New Context Services, Inc. --
* Struse, Richard DHS Office of Cybersecurity and Communicat... --
* Taylor, Chris United Kingdom Cabinet Office --
* Terada, Masato Hitachi, Ltd. --
* Verma, Jyoti Cisco Systems --

Voter Comments

Submitter Vote Comment
Davidson, Mark
Soltra
No, there should be no normative text describing length limits. I am voting for what makes sense right now (as of 6/12/2016). If, as people implement the MVP drafts, it turns out that some normative statements regarding string lengths make sense, we should reserve the right to course correct.

For now, I vote for no normative statements describing string lengths.
Kirillov, Ivan
Mitre Corporation
No, there should be no normative text describing length limits. This was never an issue with STIX 1.x, and all current issues discussed around it are theoretical at best.
Maroney, Patrick
Integrated Networking Technologies, Inc.
No, there should be no normative text describing length limits. Shouldn't this be determined by string limitation (if any) in a given Serialization Binding Specification?
Vorthman, Lee
LookingGlass
Yes, the spec should have normative text describing length limits for some fields. Yes we should provide normative text describing length limits.

Appliances can use these lengths to make decisions on how to handle info from STIX/Cybox and developers can use this information to understand what will or will not be truncated. This can be very important when trying to actually do something with the information.
Thomson, Allan
LookingGlass
Yes, the spec should have normative text describing length limits for some fields. Yes we should provide reommendations with "should" that will drive interop tests for common use cases and practical examples that most products "should" support.

For example if a router that has limited memory for regex mtching and that router can injest stix/cybox natively then knowing what is practical requirements for memory allocation for rule space is needed.

A router can always reject a rule that is too large but having recommendations from ti experts in the spec will be heflpful.
Williams, Ron
IBM
Yes, the spec should have normative text describing length limits for some fields. As a developer knowing what might or might not be truncated could be important.