Relax requirements for UUID to allow time-based generated ones #133

Closed
adulau opened this issue Jan 14, 2019 · 2 comments

@adulau adulau commented Jan 14, 2019

The current STIX Core Concept document states that UUID MUST be only UUID version 4:

> The UUID MUST be generated according to the algorithm(s) defined in RFC 4122, section 4.4 (Version 4 UUID)

As discussed in Slack and other channels, some STIX documents with UUIDs are generated with other algorithms, which is basically limiting the ability of current threat intelligence platforms to import STIX documents due to the strictness of the standard (cf. oasis-open/cti-python-stix2#235).

We ask to change the specification to relax the UUID format and mention that Version 4 of the UUID is only RECOMMENDED.

@adulau adulau commented Jan 15, 2019

We evaluated some potential sources of STIX with UUIDs not being randomly generated but time-based. It's quite common for some UUID libraries to fall back on a time-based one when a random generator is not available or is of low quality.

`util-linux-2.31.1/libuuid/src/gen_uuid.c`

```c
/*
 * Check whether good random source (/dev/random or /dev/urandom)
 * is available.
 */

static int have_random_source(void)
{
    return (access("/dev/random", R_OK) == 0 ||
        access("/dev/urandom", R_OK) == 0);
}

/*
 * This is the generic front-end to uuid_generate_random and
 * uuid_generate_time.  It uses uuid_generate_random only if
 * /dev/urandom is available, since otherwise we won't have
 * high-quality randomness.
 */

void uuid_generate(uuid_t out)
{
    if (have_random_source())
        uuid_generate_random(out);
    else
        uuid_generate_time(out);
}
```

So having a relaxed version of the UUID requirements (at least for ingestion) would make a lot of sense.
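
An added example, not part of the original issue or of any STIX library's code: a hypothetical `check_stix_id` helper that contrasts the strict version 4 rule quoted above with a relaxed ingestion check that accepts any RFC 4122 UUID and reports its version. The function names and the sample identifiers are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUID version 1 timestamps count 100 ns ticks from this date (RFC 4122).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def v1_time(u):
    """Decode the generation time embedded in a version 1 UUID."""
    return GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)

def check_stix_id(stix_id, strict=False):
    """Return (accepted, uuid_version, note) for a STIX identifier.

    strict=True  : only version 4 passes (the MUST quoted in the issue).
    strict=False : any RFC 4122 UUID passes; non-v4 is reported, not rejected.
    """
    obj_type, sep, raw = stix_id.partition("--")
    if not sep or not obj_type:
        return (False, None, "not of the form <type>--<uuid>")
    try:
        u = uuid.UUID(raw)
    except ValueError:
        return (False, None, "malformed UUID")
    # uuid.UUID() also accepts braces, urn: prefixes and missing hyphens.
    if str(u) != raw.lower():
        return (False, None, "UUID not in hyphenated form")
    if u.variant != uuid.RFC_4122:
        return (False, None, "not an RFC 4122 variant")
    if u.version == 4:
        return (True, 4, "random")
    if strict:
        return (False, u.version, "non-v4 rejected in strict mode")
    if u.version == 1:
        return (True, 1, "time-based, generated " + v1_time(u).isoformat())
    return (True, u.version, "non-random, accepted for ingestion")

# Constructed sample identifiers (not taken from any real feed).
SAMPLES = [
    "indicator--3f2b8c1e-9d4a-4f6b-8a1c-5e7d9b0c2a41",  # version 4
    "indicator--c232ab00-9414-11ec-b3c8-0123456789ab",  # version 1
    "indicator--3f2b8c1e-9d4a-4f6b-0a1c-5e7d9b0c2a41",  # non-RFC 4122 variant
]

if __name__ == "__main__":
    for sid in SAMPLES:
        print(sid, check_stix_id(sid, strict=True), check_stix_id(sid))
```

A version 1 UUID carries its generation time and a node field, so a relaxed importer can record the version alongside the object instead of silently treating every identifier as random.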

@jordan2175 jordan2175 commented May 23, 2019

This was done for working draft 04.

@jordan2175 jordan2175 added this to To do in STIX 2.1 via automation May 23, 2019
@jordan2175 jordan2175 added this to the 2.1-csd02-wd04 milestone May 23, 2019
STIX 2.1 automation moved this from To do to Done May 23, 2019