oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2

Nested references vs SROs #285

Open nor3th opened 2 years ago

nor3th commented 2 years ago

Hey

I have a basic question concerning nested references/properties and SROs. In my understanding, nested references (of type identifier) like the SDO Malware's sample_refs aim at referencing files or artifacts which are a sample of the given malware entity.

A hypothetical SRO of type sample (File/Artifact - sample -> Malware) would have the same meaning (creating a directional n to 1 relationship).

The most confusing example of nested reference vs SRO is the Domain-Name's resolves-to property. An analyst can use either the nested reference resolves_to_refs or the resolves-to SRO. Only with the SRO is the analyst able to set the first/last seen property values. https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_i2zf5h7vnrd9

Hence my question: what is the point of having nested references AND SROs in the STIX 2.1 schema, if either of those approaches achieves the same result?

ejratl commented 2 years ago

We discussed this on the STIX WG meeting today. SROs allow for someone who did not create the objects to assert a relationship between them. Embedded references allow for the object creator to assert a relationship that is a component part of the object.
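The distinction in the answer above, as an added example that is not part of the issue thread or of any OASIS deliverable: the same resolves-to fact is written once as an embedded `resolves_to_refs` on a domain-name SCO and once as a `resolves-to` SRO authored by a different identity with `start_time`/`stop_time`, next to a malware SDO whose `sample_refs` points at a file. A small walker then flattens both forms into one edge list so a consumer can see what each form does and does not carry. All identifiers, hashes and the `"sample"` relationship name for `sample_refs` are constructed placeholders (the `"sample"` SRO type is the hypothetical one from the question, not a type STIX defines); the `identity` objects referenced by `created_by_ref` are omitted from the bundle for brevity.

```python
# Added example (not from the issue thread or the STIX project): one
# "resolves-to" fact expressed as an embedded reference and as an SRO,
# plus a walker that turns both forms into a uniform edge list.
# Every id/hash below is a constructed placeholder, not real STIX data.
from datetime import datetime, timezone

# Embedded-reference properties and the relationship name each implies.
# "sample" is the hypothetical SRO type from the discussion; "resolves-to"
# is the relationship type STIX 2.1 defines for domain-name -> address.
EMBEDDED_REF_RELATIONSHIPS = {
    ("malware", "sample_refs"): "sample",
    ("domain-name", "resolves_to_refs"): "resolves-to",
}

PRODUCER_A = "identity--00000000-0000-4000-8000-0000000000aa"  # constructed
ANALYST_B = "identity--00000000-0000-4000-8000-0000000000bb"   # constructed

# Constructed bundle (identity objects omitted for brevity).
BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "file", "spec_version": "2.1",
         "id": "file--00000000-0000-4000-8000-000000000010",
         "hashes": {"SHA-256": "0" * 64}},  # placeholder hash
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000020",
         "created_by_ref": PRODUCER_A,
         "created": "2023-01-02T00:00:00.000Z", "modified": "2023-01-02T00:00:00.000Z",
         "name": "example-loader", "is_family": False,
         "sample_refs": ["file--00000000-0000-4000-8000-000000000010"]},
        {"type": "ipv4-addr", "spec_version": "2.1",
         "id": "ipv4-addr--00000000-0000-4000-8000-000000000030",
         "value": "192.0.2.10"},  # RFC 5737 documentation address
        {"type": "domain-name", "spec_version": "2.1",
         "id": "domain-name--00000000-0000-4000-8000-000000000040",
         "value": "example.invalid",
         "resolves_to_refs": ["ipv4-addr--00000000-0000-4000-8000-000000000030"]},
        # Same edge, asserted by a third party, with a first/last-seen window.
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000050",
         "created_by_ref": ANALYST_B,
         "created": "2023-03-01T00:00:00.000Z", "modified": "2023-03-01T00:00:00.000Z",
         "relationship_type": "resolves-to",
         "source_ref": "domain-name--00000000-0000-4000-8000-000000000040",
         "target_ref": "ipv4-addr--00000000-0000-4000-8000-000000000030",
         "start_time": "2023-02-01T00:00:00.000Z",
         "stop_time": "2023-02-15T00:00:00.000Z"},
    ],
}


def _parse_ts(value):
    """Parse a STIX timestamp (RFC 3339 with trailing Z) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def extract_edges(bundle):
    """Flatten SROs and embedded references into one list of edge dicts.

    asserted_by is the SRO's own created_by_ref for the SRO form; for the
    embedded form it is the containing object's created_by_ref, which is
    None for SCOs because SCOs carry no creator in STIX 2.1.
    """
    edges = []
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            edges.append({
                "source": obj["source_ref"], "relationship": obj["relationship_type"],
                "target": obj["target_ref"], "form": "sro",
                "asserted_by": obj.get("created_by_ref"),
                "start_time": _parse_ts(obj["start_time"]) if "start_time" in obj else None,
                "stop_time": _parse_ts(obj["stop_time"]) if "stop_time" in obj else None,
            })
            continue
        for (obj_type, prop), rel_type in EMBEDDED_REF_RELATIONSHIPS.items():
            if obj["type"] == obj_type and prop in obj:
                for target in obj[prop]:
                    edges.append({
                        "source": obj["id"], "relationship": rel_type,
                        "target": target, "form": "embedded",
                        "asserted_by": obj.get("created_by_ref"),
                        "start_time": None, "stop_time": None,  # no window in this form
                    })
    return edges


def dangling_refs(bundle):
    """Endpoint ids referenced by some edge but absent from the bundle; a
    consumer should surface these rather than silently dropping the edge."""
    present = {obj["id"] for obj in bundle["objects"]}
    referenced = {e["source"] for e in extract_edges(bundle)}
    referenced |= {e["target"] for e in extract_edges(bundle)}
    return sorted(referenced - present)


def duplicate_assertions(bundle):
    """(source, relationship, target) triples present in both forms: the edge
    is the same, but only the SRO carries the asserting identity and window."""
    forms = {}
    for e in extract_edges(bundle):
        forms.setdefault((e["source"], e["relationship"], e["target"]), set()).add(e["form"])
    return sorted(k for k, f in forms.items() if f == {"embedded", "sro"})
```

Running `extract_edges(BUNDLE)` yields three edges: the embedded `sample` edge attributed to the malware's creator, the embedded `resolves-to` edge with no asserting identity at all, and the SRO `resolves-to` edge attributed to the second identity with its February window. `duplicate_assertions` flags the domain-name/IP pair as stated in both forms, which is exactly the overlap the question raises, and `dangling_refs` is the check a consumer wants before trusting either form.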

nor3th commented 2 years ago

Hey @ejratl

Thank you very much for your response. What's the use case for restricting somebody who didn't create the object from changing the created relationships? Shouldn't the software the analyst uses be responsible for read/write permissions, and not the data structure standard itself? Also, why do the creator and the consumer then have different sets of relationships they can use?

I did some further digging and it also seems to me that the nested references are required for the STIX indicator pattern? https://github.com/oasis-tcs/cti-stix2/issues/202

Thanks