TAXIIProject / TAXII-Specifications

A repository for development of the TAXII Specifications. For official releases, please see http://taxiiproject.github.io/releases/

Proposal: Identify a core set of required functionality (use cases) #57

Open MarkDavidson opened 9 years ago

MarkDavidson commented 9 years ago

TAXII is open-ended in terms of what can be implemented, and there is not any required functionality. As a result, the following things are not possible: deterministic automated discovery (heuristic discovery is possible currently), taking certain meaningful actions with a previously unknown TAXII endpoint - e.g., it's not possible to say "Please redistribute this information to all interested parties" or "I'm reporting this malware for analysis" without some form of a priori knowledge.

This topic is wide ranging. It will require identification of TAXII's core use cases and will require deciding the specific mechanisms by which those core use cases will be implemented. This topic will also require, for cyber threat information sharing, a discussion of both STIX and TAXII to determine the appropriate tearlines.

A quick dive into one topic to provide an example of what I'm talking about. Presume the "Please redistribute this information to all interested parties" concept. The community will have to come to a consensus on:

  1. Whether this is a "required functionality" use case
  2. Whether this really belongs in STIX or TAXII, or fits somewhere between the two
  3. Whether this can be implemented in TAXII currently, or
  4. What modifications to TAXII would be necessary to implement the use case.

Thank you. -Mark

jordan2175 commented 9 years ago

+1 for coming up with top down functional use cases and then mapping them to how we get things done. I also like the use cases you brought up. One that I can think of, that goes without saying, is global discovery. AKA DNS and the inverse. Say I know the domain of a company, and I want to query a global directory to see what they offer. Also, what if I am looking for a certain type of service, say INBOX on HTTP, list out all of the providers of that service.
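Added example (not code from the TAXII-Specifications repository or from either commenter) illustrating the two discovery points raised above: Mark's observation that discovery today is heuristic because a client needs a priori knowledge of the discovery URL, and Jordan's "what does this domain offer / who provides INBOX over HTTP" query. The script probes a list of guessed discovery paths for a domain, parses the first TAXII 1.1 `Discovery_Response` it gets back, and lists the advertised service instances. Assumptions: the XML layout, namespace and binding URNs follow the TAXII 1.1 XML message binding as recalled here (verify against the released spec); the candidate paths, the domain `taxii.example.org`, the `FAKE_SERVERS` table standing in for the network, and the sample response are all constructed for the demo.

```python
"""Heuristic TAXII 1.1 discovery against a domain, with an offline stand-in for HTTP.

Added example, not TAXII project code. XML element names and URNs are assumed to
match the TAXII 1.1 XML binding; paths, domain and sample response are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"}
HTTP_BINDING = "urn:taxii.mitre.org:protocol:http:1.0"
HTTPS_BINDING = "urn:taxii.mitre.org:protocol:https:1.0"

# Constructed Discovery_Response: two INBOX instances (one marked unavailable) and one POLL.
SAMPLE_DISCOVERY_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Discovery_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="1" in_response_to="0">
  <taxii_11:Service_Instance service_type="INBOX" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>http://taxii.example.org/services/inbox/</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.org/services/poll/</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="INBOX" service_version="urn:taxii.mitre.org:services:1.1" available="false">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.org/services/inbox-secure/</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>
"""

# Constructed stand-in for the network: only one URL answers. Swap in a real
# HTTP client here (e.g. requests.get(...).content) to run against live servers.
FAKE_SERVERS = {
    "https://taxii.example.org/services/discovery/": SAMPLE_DISCOVERY_RESPONSE,
}

# Hypothetical guesses. TAXII 1.x defines no well-known discovery path, which is
# exactly why this is heuristic: without a priori knowledge the client can only probe.
CANDIDATE_PATHS = ("/taxii-discovery-service", "/services/discovery/", "/taxii/discovery")


def parse_services(xml_bytes):
    """Return [(service_type, protocol_binding, address, available)] from a Discovery_Response."""
    root = ET.fromstring(xml_bytes)
    services = []
    for inst in root.findall("taxii_11:Service_Instance", NS):
        services.append((
            inst.get("service_type"),
            inst.findtext("taxii_11:Protocol_Binding", namespaces=NS),
            inst.findtext("taxii_11:Address", namespaces=NS),
            inst.get("available", "true") == "true",  # attribute is optional; default true
        ))
    return services


def heuristic_discover(domain, fetch=FAKE_SERVERS.get):
    """Probe candidate discovery URLs; return (url, services) for the first that parses, else None."""
    for scheme in ("https", "http"):
        for path in CANDIDATE_PATHS:
            url = f"{scheme}://{domain}{path}"
            body = fetch(url)
            if body is None:
                continue
            try:
                return url, parse_services(body)
            except ET.ParseError:
                continue  # something answered, but not with a TAXII message
    return None


def inbox_addresses(services):
    """Addresses of INBOX services that are marked available and speak HTTP or HTTPS."""
    return [addr for stype, proto, addr, avail in services
            if stype == "INBOX" and avail and proto in (HTTP_BINDING, HTTPS_BINDING)]


if __name__ == "__main__":
    found = heuristic_discover("taxii.example.org")
    if found is None:
        print("no discovery service found; the client needs the URL up front")
    else:
        url, services = found
        print("discovery URL:", url)
        for svc in services:
            print(svc)
        print("usable INBOX services:", inbox_addresses(services))
```

The probe step is the "heuristic discovery" the thread refers to: it only works if the guessed paths happen to match the operator's deployment, and a global directory of the kind Jordan describes would replace it with a deterministic lookup. Note that `available="false"` instances are listed but excluded from the usable set, and that TAXII 1.x only tells a client which protocol binding a service speaks, not whether the sender is entitled to use it; that authorization decision still requires prior arrangement with the operator.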