Evaluate mandatory CybOX objects as evidence if applying confidence to STIX object #75
Comments
I think this might make sense more as an optional field than as a mandatory field. In a lot of cases that evidence data could contain sensitive internal information from the indicator producer's operational environment. By including confidence and not requiring evidence we can allow those organizations to share the indicator and their derived confidence without being required to supply the more sensitive evidence. I would support this as an optional addition to the confidence structure though, because I can imagine cases where you have that information and are willing to share it. What do you think, @bauman?
@johnwunder I agree with you, optional is better than nothing. I believe organizations can arbitrarily redact information in their cybox representation enough to strip anything sensitive, which is why I'd rather it be mandatory with at minimum a highly redacted cybox representation. At the end of the day, a highly redacted cybox object is probably no better than nothing at all.
We are looking to implement this in #162 as an optional field
short discussion STIXProject/python-stix#31
I appreciate the inclusion of the community standardizing on a way to share confidence, but adding a layer of subjectivity into an automated transfer mechanism seems like it would trend to being misused.
Could you consider a method to influence parties to supply cybox observables, or some form of evidence to back their assertion for any stix objects marked with any type of confidence?