Open ikiril01 opened 10 years ago
Consider RFC7495 Ref. https://www.rfc-editor.org/rfc/rfc7495.txt
This issue was discussed extensively.
Agreement was achieved that STIX and CybOX should share a common set of base structures. This set of structures is now referred to as CTI Common.
Agreement was achieved that STIX and CybOX should use a common structure for controlled vocabularies.
Draft normative text has been created in the pre-draft CTI Common spec doc.
Consensus was asserted on the draft normative text in the pre-draft CTI Common spec doc.
A one week comment period was opened 2/1-2/5 where no objections were raised to the consensus.
Consensus is now officially asserted as achieved.
The consensus normative text is as follows:
Controlled Vocabularies
This section defines the Controlled Vocabulary type. All controlled vocabularies in the CTI specifications are either "Open" or "Closed" vocabularies. Each controlled vocabulary (CV) also supports an extension point to support additional / external vocabularies. The key name for the extension point is [controlled_vocabulary_field_name]_ext. The controlled vocabulary fields also support the ability to have a fallback value. Using the value of other in the main field indicates no fallback value.
Open - This type represents a controlled vocabulary that is not yet defined in the specification, but may be defined in a future version. This type means you can use any string value you want or use the extension point to specify a value from your own controlled vocabulary.
Closed - This type represents a controlled vocabulary that is defined in the specification. You can use this controlled vocabulary or use the extension point to specify a value from your own controlled vocabulary.
Examples
In this example the field object_foo_type is an open CV, which means you can use any string value you want
{
"type": "object1",
"object_foo_type": "foo bar"
}
In this example the indicator_type is a closed CV, where you use something from the defined vocabulary in the specification.
{
"type": "indicator",
"indicator_type": "malware"
}
In this example the indicator_type is a closed CV (example is the same for an open CV), however, you want to use your own controlled vocabulary with no fallback / default value. Using the value of other in the main field indicates no fallback value.
{
"type": "indicator",
"indicator_type": "other",
"indicator_type_ext": {
"value": "malware type foo",
"vocab": "my name or url to my super cool vocab"
}
}
In this example the indicator_type is a closed CV (example is the same for an open CV), however, you want to use your own controlled vocabulary with a fallback / default value from the defined vocabulary.
{
"type": "indicator",
"indicator_type": "malware",
"indicator_type_ext": {
"value": "malware type foo",
"vocab": "my name or url to my super cool vocab"
}
}
In this example the indicator_type is a closed CV (not valid for open CV), however, you want to use some arbitrary string value that is not part of the defined vocabulary or any other vocabulary with no fallback / default value. Note the use of the value other in this case.
{
"type": "indicator",
"indicator_type": "other",
"indicator_type_ext": {
"value": "malware type foo"
}
}
In this example the indicator_type is a closed CV (not valid for open CV), however, you want to use some arbitrary string value that is not part of the defined vocabulary or any other vocabulary and you want to add a fallback / default value from the defined vocabulary.
{
"type": "indicator",
"indicator_type": "malware",
"indicator_type_ext": {
"value": "malware type foo"
}
}
We should consider coalescing the STIX ControlledVocabularyStringType and CybOX ControlledVocabularyStringType into a single type, so that all vocabularies (including those from MAEC) can be used across all languages. This may require the development of a new, language-independent "common" schema.
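A consumer that ingests CTI content from other parties can apply the open / closed and fallback rules in the consensus text above before acting on a vocabulary value. The following Python is an added example, not part of the issue or of any CTI specification; it resolves a field and its `_ext` extension point into the intended value, the external vocabulary and the fallback. The names `resolve_cv`, `CVResult` and `INDICATOR_TYPES` are hypothetical, the one-element closed vocabulary is constructed, and rejecting an `_ext` without `vocab` on an open CV is a reading of the "not valid for open CV" notes in the examples.

```python
from dataclasses import dataclass, field
from typing import Optional

OTHER = "other"  # main-field value that means "no fallback value"

@dataclass
class CVResult:  # hypothetical result type, not defined by the spec text
    value: Optional[str] = None     # value the producer actually means
    vocab: Optional[str] = None     # name or URL of the external vocabulary
    fallback: Optional[str] = None  # value from the main field, if any
    errors: list = field(default_factory=list)

def resolve_cv(obj, name, defined=None):
    """Resolve CV field `name` in `obj`; `defined` is the closed
    vocabulary's value set, or None when the vocabulary is open."""
    res = CVResult()
    main, ext = obj.get(name), obj.get(name + "_ext")
    if not isinstance(main, str) or not main:
        res.errors.append(f"{name}: missing or non-string value")
        return res
    # Closed CV: the main field holds a defined value or the marker "other".
    if defined is not None and main != OTHER and main not in defined:
        res.errors.append(f"{name}: {main!r} is not in the closed vocabulary")
    if ext is None:
        res.value = main
        return res
    if not isinstance(ext, dict) or not isinstance(ext.get("value"), str):
        res.errors.append(f"{name}_ext: needs a string 'value'")
        return res
    vocab = ext.get("vocab")
    if vocab is not None and not isinstance(vocab, str):
        res.errors.append(f"{name}_ext: 'vocab' must be a string")
    # Open CV: a free string goes in the main field, so an extension
    # without 'vocab' is rejected (the examples mark it "not valid").
    if defined is None and vocab is None:
        res.errors.append(f"{name}_ext: open CV extension needs 'vocab'")
    res.value, res.vocab = ext["value"], vocab if isinstance(vocab, str) else None
    res.fallback = None if main == OTHER else main
    return res

# Constructed closed vocabulary; only "malware" appears on the page.
INDICATOR_TYPES = {"malware"}
ext = {"value": "malware type foo", "vocab": "my name or url to my super cool vocab"}
r = resolve_cv({"type": "indicator", "indicator_type": OTHER,
                "indicator_type_ext": ext}, "indicator_type", INDICATOR_TYPES)
print(r.value, r.vocab, r.fallback, r.errors)
```

Callers should check `errors` before using `value`, and should treat `value` from an extension as producer-supplied text rather than as a member of the defined vocabulary.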