Ballot Details: Approve of the TC proceeding with the development of the comment object as a merge of the intel note and opinion objects (CLOSED)

Ballot Question Should the TC proceed with the development of the merged 'comment' object to capture all notes and opinions (the use cases from the previously developed intel note and opinion objects)?
Ballot Description The TC has been having a debate about whether an "intel note" and "opinion" are fundamentally the same object or two different objects. After extensive discussion on the mailing list, there seems to be a slight preference for merging the objects into a single "comment" object that would cover both use cases. A vote of 'yes' means the TC should proceed with the comment object, a vote of 'no' means the TC should proceed with the separate intel note and opinion objects.

Comment Object (if merged): https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.s9c08p1vu5u1

Intel Note Object (if separate): https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.74spnst8naxc

Opinion Object (if separate): https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq
Ballot Options
VOTING CLOSED: Wednesday, 3 May 2017 @ 11:59 pm EDT
Yes 11 32.353
No 23 67.647
Abstain 2
Open Date Wednesday, 26 April 2017 @ 12:00 pm EDT
Close Date Wednesday, 3 May 2017 @ 11:59 pm EDT
Ballot Type Official, as defined by organization policies and procedures

Voting Statistics

Number of votes cast (excluding abstentions) 34
Eligible members who have voted 36 of 55 65.455%
Eligible members who have not voted 19 of 55 34.545%

Voting Summary by Option

Options with highest number of votes are bold
Option # Votes % of Total
Yes 11 32.353%
No 23 67.647%
Abstain 2

Voting Details

Voter Name Company Vote * Time (UTC) Comments
* Bedwell, Ted Cisco Systems Yes 2017-05-01 16:44:00
* Butt, Michael NC4 Yes 2017-05-01 20:11:00
* Davidson, Mark NC4 Yes 2017-04-26 17:33:00
* Gurney, John-Mark New Context Services, Inc. Yes 2017-05-03 22:43:00 1
* Hagen, Stefan Individual Yes 2017-04-26 19:08:00
* Hunt, Christian New Context Services, Inc. Yes 2017-05-03 20:48:00
* Jordan, Bret Symantec Corp. Yes 2017-04-26 23:35:00
* Keirstead, Jason IBM Yes 2017-04-28 16:34:00
* Maroney, Patrick Wapack Labs LLC Yes 2017-05-01 20:57:00
* Masuoka, Ryusuke Fujitsu Limited Yes 2017-04-27 01:22:00
* Pumo, Beth Kaiser Permanente Yes 2017-04-27 14:39:00
* Back, Greg Mitre Corporation No 2017-05-01 14:14:00 1
* Baker, Jonathan Mitre Corporation No 2017-04-28 16:39:00 1
* Barnum, Sean Mitre Corporation No 2017-04-26 20:08:00
* Boles, Phillip FireEye, Inc. No 2017-05-02 18:47:00
* Coderre, Robert VeriSign No 2017-05-03 18:33:00
* Creedon, Gus Logistics Management Institute No 2017-05-02 12:26:00 1
* Darley, Trey Kingfisher Operations, sprl No 2017-04-27 09:15:00 1
* Day, Jamison LookingGlass No 2017-05-01 15:10:00
* Ginn, Jane Cyber Threat Intelligence Network, Inc. (C... No 2017-04-27 10:15:00
* Kakumaru, Takahiro NEC Corporation No 2017-05-02 13:06:00
* Kelley, Sarah CIS No 2017-04-27 13:16:00 1
* Kirillov, Ivan Mitre Corporation No 2017-04-28 17:50:00 1
* MacDonald, Terry Individual No 2017-05-02 00:30:00 1
* Patrick, Paul FireEye, Inc. No 2017-05-01 17:18:00
* Piazza, Richard Mitre Corporation No 2017-04-26 18:28:00
* Riedel, Daniel New Context Services, Inc. No 2017-05-01 16:32:00
* Struse, Richard DHS Office of Cybersecurity and Communicat... No 2017-05-01 20:41:00 1
* Taylor, Marlon DHS Office of Cybersecurity and Communicat... No 2017-05-01 23:59:00
* Terada, Masato Hitachi, Ltd. No 2017-05-02 15:42:00
* Thomson, Allan LookingGlass No 2017-04-27 21:49:00 1
* Truslove, Ian LookingGlass No 2017-04-28 15:34:00 1
* Williams, Ron IBM No 2017-04-28 14:04:00 1
* Wunder, John Mitre Corporation No 2017-04-26 23:46:00 1
* Mates, Jeffrey US Department of Defense (DoD) Abstain 2017-05-02 19:35:00
* Storms, Andrew New Context Services, Inc. Abstain 2017-05-03 20:49:00
* Anderson, John NC4 --
* Bohling, James US Department of Defense (DoD) --
* Burger, Eric Georgetown University --
* Eilken, Dave Perch --
* Gong, Nicole Mitre Corporation --
* Jones, Elysa Individual --
* Katz, Gary US Department of Defense (DoD) --
* Kawada, Yoshihide Hitachi, Ltd. --
* Lenk, Chris Mitre Corporation --
* Maxwell, Kyle VeriSign --
* Morris, John IBM --
* Noguchi, Kazuo Hitachi, Ltd. --
* Pahare, Kinshuk LookingGlass --
* Pandya, Shyamal FireEye, Inc. --
* Shok, Richard U.S. Bank --
* Suarez, Natalie NC4 --
* Thompson, Dean Australia and New Zealand Banking Group (A... --
* Verma, Jyoti Cisco Systems --
* Weterings, Remko FireEye, Inc. --

Voter Comments

Submitter Vote Comment
Gurney, John-Mark
New Context Services, Inc.
Yes I'm fine either way. One issue is that author is only on Intel Note, but not Opinion, though IMO, it seems more useful to have it on Opinion.

Though less than ideal to have optional components, we did merge Malware and Malware Family, and IMO, this is a more simple object.

Limitations on other parts of our system should not dictate how we design things if we can fix the other limitations, or have plans to. That is the easiest way to create technical debt and cause problems in the future.
Truslove, Ian
LookingGlass
No At the expense of an additional type to keep track of, I prefer the semantic clarity of a separate intel-note and opinion.
Thomson, Allan
LookingGlass
No I believe both combined or separate can work. I agree they are different concepts (and analysts understand those differences). Additionally one of my primary concerns in keeping them separate is because I want to easily ask a TAXII server for intel notes but not muddy that request with opinions unless i want them. Currently TAXII filtering supports object type filtering easily but if these objects become combined then to separate opinion from intel note I have to do deeper filtering/search and in some cases that might not even be possible to tell them apart.
Back, Greg
Mitre Corporation
No I don't feel strongly either way, but think that keeping them separate is cleaner conceptually.
Darley, Trey
Kingfisher Operations, sprl
No I agree with John Wunder's comment that we can probably make it work either way, but I also agree with Terry MacDonald's arguments for why these represent fundamentally different concepts and hence despite the similarity of the two data structures they should still be distinct objects, a la "Threat Actor" and "Intrusion Set".

This is not a hill I'm willing to die on, however. We need to move on from this discussion. I will happily live with whatever the TC's consensus is based on the vote.
Creedon, Gus
Logistics Management Institute
No If we want to use a generic object for comment, it would need a "specific property" like "comment_type". This moves the identity of the comment from the object syntax level into the object data, forcing the consumer to read the value of the specific property prior to interpreting and consuming the comment. This might be useful if there were tens of different comment types. But with only two, I believe keeping the identity of the comment at the object level is cleaner.
Kelley, Sarah
CIS
No I agree with Trey and John. I believe these are two fundamentally different objects and that an analyst will recognize when to use a Note and when to use an Opinion. I will go along with the consensus, and ultimately it won't kill me to have one object rather than two.
Williams, Ron
IBM
No If an analyst's note includes a conclusion or argument based on evidence provided by observables and indicators, the conclusion is an opinion. That said, in practice analysts appear to differentiate such opinions based on evidence, from assertions without. I'm good with keeping them separate.
Baker, Jonathan
Mitre Corporation
No I prefer that each object has only one meaning. Consolidating the intel note and opinion into one comment object feels like creating one object with two different meanings. The language in the referenced proposal seems to confirm this too. Specifically, language like:

"If no opinion value is defined then the object represents context without any assertion of agreement or disagreement."

implies that the proposed comment object is really representing two distinct concepts.
Wunder, John
Mitre Corporation
No Both options are workable and I think we're in good shape either way. I do believe that intelligence/analyst notes are fundamentally different than opinions though and so support the two separate objects.
MacDonald, Terry
Individual
No I strongly prefer using single defined objects that do a single purpose well. Having a combined object in my mind goes against the principle of making STIX simple to use, and the principle of each object doing one thing well.

I also believe that we should include this fact in our guiding principles for the group so that we don't have this same argument in 6 months time.
Kirillov, Ivan
Mitre Corporation
No I feel that these objects are semantically different enough and have enough unique use cases to warrant defining separately. That said, I do have a slight concern about the continued addition of SDOs into STIX.
Struse, Richard
DHS Office of Cybersecurity and Communicat...
No One of the guiding principles of STIX 2 was that we would try to have each object do one thing well. As such I think this points in the direction of two separate objects. One thing to consider is that while I think Intel Notes would largely be produced and consumed by humans, the vast majority of Opinions may be consumed, and perhaps produced, by machines. Once we deploy STIX solutions that support opinions we may find that we want to add additional properties that would be useful but that increase the semantic distance between Opinion and Intel Note. As separate objects this is easy - as a consolidated Comment object it could get messy fast.