Add support to get embedded objects in a single request, dereference embedded objects

[jordan2175]

TAXII should support the ability to automatically dereference objects. Meaning, if you request a STIX indicator and the client says auto-dereference the object, then the TAXII server should send the identity object that is linked via the created_by_ref at the same time.

[MarkDavidson]

Recommendation: Discuss whether this should be in or out of scope for TAXII 2.1

[MarkDavidson]

Acceptance criteria:

• A mechanism for requesting all embedded references (not external relationships)
• Server can provide what it has. It's OK to elide objects it does not have
• Its OK to elide information based on access control rules

Open Questions:

• Should this feature be optional for servers to implement?
• What happens if the server has the data, but the information is in another collection? Should the response be scoped to only data in the collection, or something else?
  • If it isn't, how do you know where to get it from?
• What is the dereference depth? Is dereference depth standardized, is it choosable by the implementation?
• How to handle cyclical references?
• What if the size of the dereferenced objects is YUUUGE?
• Should we have a way of specifying BFS vs. DFS?
• Is it OK that this feature requires knowledge/understanding of STIX?
• Should this capability be combined or separate from the SRO dereferencing feature?
• A report might contain a relationship, which has embedded relationships. What then?