Ballot Details: Approve of the TC proceeding with the development of the comment object as a merge of the intel note and opinion objects (CLOSED)
|Ballot Question||Should the TC proceed with the development of the merged 'comment' object to capture all notes and opinions (the use cases from the previously developed intel note and opinion objects)?|
|Ballot Description||The TC has been having a debate about whether an "intel note" and "opinion" are fundamentally the same object or two different objects. After extensive discussion on the mailing list, there seems to be a slight preference for merging the objects into a single "comment" object that would cover both use cases. A vote of 'yes' means the TC should proceed with the comment object, a vote of 'no' means the TC should proceed with the separate intel note and opinion objects.
Comment Object (if merged): https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.s9c08p1vu5u1
Intel Note Object (if separate): https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.74spnst8naxc
Opinion Object (if separate): https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq
VOTING CLOSED: Wednesday, 3 May 2017 @ 11:59 pm EDT
|Open Date||Wednesday, 26 April 2017 @ 12:00 pm EDT|
|Close Date||Wednesday, 3 May 2017 @ 11:59 pm EDT|
|Ballot Type||Official, as defined by organization policies and procedures|
|Number of votes cast (excluding abstentions)||34|
|Eligible members who have voted||36 of 55||65.455%|
|Eligible members who have not voted||19 of 55||34.545%|
|Options with highest number of votes are bold|
|Option||# Votes||% of Total|
|Voter Name||Company||Vote||Time (UTC)||Comments|
|Bedwell, Ted||Cisco Systems||Yes||2017-05-01 16:44:00|
|Butt, Michael||NC4||Yes||2017-05-01 20:11:00|
|Davidson, Mark||NC4||Yes||2017-04-26 17:33:00|
|Gurney, John-Mark||New Context Services, Inc.||Yes||2017-05-03 22:43:00||1|
|Hagen, Stefan||Individual||Yes||2017-04-26 19:08:00|
|Hunt, Christian||New Context Services, Inc.||Yes||2017-05-03 20:48:00|
|Jordan, Bret||Symantec Corp.||Yes||2017-04-26 23:35:00|
|Keirstead, Jason||IBM||Yes||2017-04-28 16:34:00|
|Maroney, Patrick||Wapack Labs LLC||Yes||2017-05-01 20:57:00|
|Masuoka, Ryusuke||Fujitsu Limited||Yes||2017-04-27 01:22:00|
|Pumo, Beth||Kaiser Permanente||Yes||2017-04-27 14:39:00|
|Back, Greg||Mitre Corporation||No||2017-05-01 14:14:00||1|
|Baker, Jonathan||Mitre Corporation||No||2017-04-28 16:39:00||1|
|Barnum, Sean||Mitre Corporation||No||2017-04-26 20:08:00|
|Boles, Phillip||FireEye, Inc.||No||2017-05-02 18:47:00|
|Coderre, Robert||VeriSign||No||2017-05-03 18:33:00|
|Creedon, Gus||Logistics Management Institute||No||2017-05-02 12:26:00||1|
|Darley, Trey||Kingfisher Operations, sprl||No||2017-04-27 09:15:00||1|
|Day, Jamison||LookingGlass||No||2017-05-01 15:10:00|
|Ginn, Jane||Cyber Threat Intelligence Network, Inc. (C...||No||2017-04-27 10:15:00|
|Kakumaru, Takahiro||NEC Corporation||No||2017-05-02 13:06:00|
|Kelley, Sarah||CIS||No||2017-04-27 13:16:00||1|
|Kirillov, Ivan||Mitre Corporation||No||2017-04-28 17:50:00||1|
|MacDonald, Terry||Individual||No||2017-05-02 00:30:00||1|
|Patrick, Paul||FireEye, Inc.||No||2017-05-01 17:18:00|
|Piazza, Richard||Mitre Corporation||No||2017-04-26 18:28:00|
|Riedel, Daniel||New Context Services, Inc.||No||2017-05-01 16:32:00|
|Struse, Richard||DHS Office of Cybersecurity and Communicat...||No||2017-05-01 20:41:00||1|
|Taylor, Marlon||DHS Office of Cybersecurity and Communicat...||No||2017-05-01 23:59:00|
|Terada, Masato||Hitachi, Ltd.||No||2017-05-02 15:42:00|
|Thomson, Allan||LookingGlass||No||2017-04-27 21:49:00||1|
|Truslove, Ian||LookingGlass||No||2017-04-28 15:34:00||1|
|Williams, Ron||IBM||No||2017-04-28 14:04:00||1|
|Wunder, John||Mitre Corporation||No||2017-04-26 23:46:00||1|
|Mates, Jeffrey||US Department of Defense (DoD)||Abstain||2017-05-02 19:35:00|
|Storms, Andrew||New Context Services, Inc.||Abstain||2017-05-03 20:49:00|
|Bohling, James||US Department of Defense (DoD)||--|
|Burger, Eric||Georgetown University||--|
|Gong, Nicole||Mitre Corporation||--|
|Katz, Gary||US Department of Defense (DoD)||--|
|Kawada, Yoshihide||Hitachi, Ltd.||--|
|Lenk, Chris||Mitre Corporation||--|
|Noguchi, Kazuo||Hitachi, Ltd.||--|
|Pandya, Shyamal||FireEye, Inc.||--|
|Shok, Richard||U.S. Bank||--|
|Thompson, Dean||Australia and New Zealand Banking Group (A...||--|
|Verma, Jyoti||Cisco Systems||--|
|Weterings, Remko||FireEye, Inc.||--|
New Context Services, Inc.
|Yes||I'm fine either way. One issue is that author is only on Intel Note, but not Opinion, though IMO, it seems more useful to have it on Opinion.
Though less than ideal to have optional components, we did merge Malware and Malware Family, and IMO, this is a more simple object.
Limitations on other parts of our system should not dictate how we design things if we can fix the other limitations, or have plans to. That is the easiest way to create technical debt and cause problems in the future.
|No||At the expense of an additional type to keep track of, I prefer the semantic clarity of a separate intel-note and opinion.
|No||I believe both combined or separate can work. I agree they are different concepts (and analysts understand those differences). Additionally one of my primary concerns in keeping them separate is because I want to easily ask a TAXII server for intel notes but not muddy that request with opinions unless I want them. Currently TAXII filtering supports object type filtering easily but if these objects become combined then to separate opinion from intel note I have to do deeper filtering/search and in some cases that might not even be possible to tell them apart.
|No||I don't feel strongly either way, but think that keeping them separate is cleaner conceptually.
Kingfisher Operations, sprl
|No||I agree with John Wunder's comment that we can probably make it work either way, but I also agree with Terry MacDonald's arguments for why these represent fundamentally different concepts and hence despite the similarity of the two data structures they should still be distinct objects, a la "Threat Actor" and "Intrusion Set".
This is not a hill I'm willing to die on, however. We need to move on from this discussion. I will happily live with whatever the TC's consensus is based on the vote.
Logistics Management Institute
|No||If we want to use a generic object for comment, it would need a "specific property" like "comment_type". This moves the identity of the comment from the object syntax level into the object data, forcing the consumer to read the value of the specific property prior to interpreting and consuming the comment. This might be useful if there were tens of different comment types. But with only two, I believe keeping the identity of the comment at the object level is cleaner.
|No||I agree with Trey and John. I believe these are two fundamentally different objects and that an analyst will recognize when to use a Note and when to use an Opinion. I will go along with the consensus, and ultimately it won't kill me to have one object rather than two.
|No||If an analyst's note includes a conclusion or argument based on evidence provided by observables and indicators, the conclusion is an opinion. That said, in practice analysts appear to differentiate such opinions based on evidence, from assertions without. I'm good with keeping them separate.
|No||I prefer that each object has only one meaning. Consolidating the intel note and opinion into one comment object feels like creating one object with two different meanings. The language in the referenced proposal seems to confirm this too. Specifically, language like:
"If no opinion value is defined then the object represents context without any assertion of agreement or disagreement."
implies that the proposed comment object is really representing two distinct concepts.
|No||Both options are workable and I think we're in good shape either way. I do believe that intelligence/analyst notes are fundamentally different than opinions though and so support the two separate objects.
|No||I strongly prefer using single defined objects that do a single purpose well. Having a combined object in my mind goes against the principle of making STIX simple to use, and the principle of each object doing one thing well.
I also believe that we should include this fact in our guiding principles for the group so that we don't have this same argument in 6 months' time.
|No||I feel that these objects are semantically different enough and have enough unique use cases to warrant defining separately. That said, I do have a slight concern about the continued addition of SDOs into STIX.
DHS Office of Cybersecurity and Communicat...
|No||One of the guiding principles of STIX 2 was that we would try to have each object do one thing well. As such I think this points in the direction of two separate objects. One thing to consider is that while I think Intel Notes would largely be produced and consumed by humans, the vast majority of Opinions may be consumed, and perhaps produced, by machines. Once we deploy STIX solutions that support opinions we may find that we want to add additional properties that would be useful but that increase the semantic distance between Opinion and Intel Note. As separate objects this is easy - as a consolidated Comment object it could get messy fast.