-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Need ability to represent producer-asserted maturity status of any domain object #549
Comments
@sbarnum or @Bradichus - Can this please be demonstrated with one graph file (/JSON-LD snippet/Turtle snippet) that includes a single object with two "maturities?" I think this is likely to be an occurrence when merging two data sources that can potentially discuss the same individual. |
@sbarnum or @Bradichus - I firmly think this proposal needs at least a first-try demonstration. I have denoted that it will not be voted on at this Thursday's meeting. |
Analyzing this proposal, we identified an additional aspect that has not yet been identified, as follows. The purpose for this addition is to allow for a historical trace of data, as it elaborates over de different statuses. This would imply to store copies of the data graph throughout its life-cycle. Those historical data should not interfere with the current "truth" of the latest graph, instead, should be reference-able and/or query-able on demand. |
There is an important follow-on question on this historical data note, if the committee decides it's worth pursuing: Should the historical graph conform to UCO's SHACL rules? Cardinality constraints are fairly guaranteed to fail when looking the totality of the history, and probably the same would happen with type(class) constraints. |
At last week's meeting, we heard that this proposal intends to leave the question of how to store past versions of objects out of scope. This is my interpretation of the discussion around Requirement 4: that it is a "Reality of operations" reminder. So as policy, UCO consumers would need to be prepared to handle graph objects that change their status on data refreshes. With our current tested technology stack of RDF 1.1 triples, not quads, it is not possible to have one graph that has an object in both its "draft" status and its "final" status. I think it would be possible to design something for this with quads ("The graph with this IRI holds true until this time..."), but I haven't personally explored this line of data design far. For anyone interested in tinkering, it's a 1-liner change to convert a JSON-LD graph from triples to quads. The CASE examples use a top-level E.g., this graph is a graph with one triple, and can be interpreted as a graph with one quad, where the graph-identifer is anonymous: {
"@graph": {
"@id": "http://example.org/kb/File-1",
"@type": "https://ontology.unifiedcyberontology.org/uco/observable/File"
}
} What follows is an illustration of data conversion and round-tripping, which happens to use
This graph is a graph with one quad: {
"@id": "http://example.org/kb/NamedGraph-1",
"@graph": {
"@id": "http://example.org/kb/File-1",
"@type": "https://ontology.unifiedcyberontology.org/uco/observable/File"
}
}
To confirm preservation, here is the round-tripping:
Last, the JSON-LD {
"@id": "http://example.org/kb/File-1",
"@type": "https://ontology.unifiedcyberontology.org/uco/observable/File"
}
Footnotes
|
In the discussion last week, there was some question about the gradation of these statuses. Another interpretation of the "status" of an object could be "Everything is 'Draft,' until it is inconsistent." There was an expressed desire for this to be an optional property. As proposed and sketched, it is. |
This comment is posted as part of solutions discussion - posted early because it might have an impact on requirements. Sean already posted a SHACL implementation, but it has a side effect of altering UCO's imports - I think there is a further specification we will need to make in OWL before we consider the right SHACL approach - deciding whether "maturity status" should be represented as a class (well, three classes, from Sean's sketch), a datatype property, or an annotation property. This comment explores the three options. My personal leaning is that Sean's initial suggested solution is not quite what should be implemented. At the least, I suggest instead of a Representing object status with classesThis draws design from OWL's UCO could add three mutually-disjoint subclasses of
SHACL could then be written the way we've handled other class disjointedness, such as how we're handling in Issue 586. This has the following benefits:
Objects would still not be required to designate themselves in any of these "status" classes. (I.e., a status would remain "opt-in" through a type assertion.) Using classes has a data-design implication that would nudge JSON-LD graphs further into needing to always have their These classes shares a risk described further below in the "Annotation property" section, where there's a bit of muddying between the graph representing reality and the graph talking about itself. (As an aside for @plbt5 and/or anyone read up on gUFO: I think these classes are suggestive of both Representing with a propertyWhether with an These implementation risks are present with any property-based approach:
Representing with a datatype propertyThis is as Sean initially proposed. If using a datatype property, Sean's sketched proposal suggests this analogous OWL specification: core:UcoObject
rdfs:subClassOf [
a owl:Restriction ;
owl:onProperty core:objectStatus ;
owl:cardinality "1"^^xsd:nonNegativeInteger ;
] ;
. Speaking to the open-world view, this means there exists exactly one "object status" for any UcoObject. It's fine if the graph doesn't say what it is. The worldview is inconsistent if two are ever found on the same object. Representing with an annotation propertyI'm mentioning this because "maturity status" feels like one of those properties that makes vague the distinction between the graph object and the real-world thing proxied by the graph object. This is related to two points in modeling languages UCO has as foundations: First is the discussion (under construction) in Issue 606, which re-introduces "Information resource" and "Non-information resource" from some of the early modeling in RDF. Second is this distinction from OWL, explained in the OWL Primer:
If a graph node is defined for a person ( One implementation implication for annotation properties is that they cannot be restricted in OWL class design. I.e., that While this is relevant for an OWL-specific decision on which property-type to use, this happens to not be relevant for SHACL, because SHACL property constraints are indifferent to the distinction between, My belief is that |
I think the above comments around "makes vague the distinction between the graph object and the real-world thing proxied by the graph object" are overly simplifying the true situation. While owl:AnnotationProperty defines annotation properties as properties for characterizing classes, properties, individuals, and ontology headers within an ontology definition (seeming like they are only defined and "set" within the ontology graph) the OWL spec does specifically list five annotation properties predefined by OWL: owl:versionInfo, rdfs:label, rdfs:comment, rdfs:seeAlso, rdfs:isDefinedBy. Several of these are very commonly used within RDF data graphs as properties on objects. I would vote against a class-based approach for this issue as it makes everything significantly more complicated: 1) adding new values in the future would involve class-level semantic structure rather than simply adding new values, 2) eventual solutions for tracking changes over time would require semantic complexities rather than simply a literal value change of a property, 3) any implementations of labeled property graph representations or UIs for setting/changing/checking object status would be significantly more complicated, etc. I do not believe it offers any significant value to outweight the added complexity it brings. Net-Net:
|
I had an extensibility concern with the first draft of this proposal: the semi-open vocabulary design pattern UCO uses can't support a value that specializes From @sbarnum 's comment, I see the intent around Sean has suggested another extension strategy for maturity statuses: anyone wishing to use object-maturity statuses outside the UCO-supplied vocabulary would need to use their own set of strings and their own property. Together, these are one way to address my extensibility concern. Classes also would have addressed my extensibility concern, but I appreciate they carry other issues. I have no remarks on the labeled property graph issues Sean alluded to. |
At this point in the discussion thread, I think the Requirements on this proposal don't need to change. |
Re:
I intend to add to the implementation a constraint that the object maturity status property only ever go on core:objectStatus-subjects-shape
a sh:NodeShape;
sh:class core:UcoObject ;
sh:targetSubjectsOf core:objectStatus ;
. I think this is more a discussion point for the solutions period than the requirements period, but I see a slim chance it influences requirements discussion today. Do we want to have a limit on where this property can be used? |
I would agree with a constraint that the property is only used on UcoObject. |
In drafting another proposal, I arrived at another possible status. Would the structure of this proposal be able to support an object that is rejected? Or would we need some other practice that rejects an object by marking it "Deprecated" and then doing other things? |
A follow-on patch will normalize. References: * #549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
A follow-on patch will normalize. References: * #549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
This follows a committee decision to keep core as a namespace with no import-dependencies. No effects were observed on Make-managed files. References: * #549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * #549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * #549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
A follow-on patch will regenerate Make-managed files. References: * #549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * #549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * #549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
A follow-on patch will regenerate Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
A follow-on patch will regenerate Make-managed files. References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * ucoProject/UCO#549 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * ucoProject/UCO#549 * ucoProject/UCO#593 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 * ucoProject/UCO#593 * ucoProject/UCO#612 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
A follow-on patch will regenerate Make-managed files. References: * ucoProject/UCO#549 * ucoProject/UCO#593 * ucoProject/UCO#612 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * ucoProject/UCO#549 * ucoProject/UCO#593 * ucoProject/UCO#612 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 * ucoProject/UCO#593 * ucoProject/UCO#612 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#549 * ucoProject/UCO#593 * ucoProject/UCO#612 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
Background
UCO currently lacks any mechanism for a producer to explicitly assert the maturity status of a UcoObject to help manage status of maturation of the object and to provide context to any consumers on how they should view and treat the object. A mechanism is needed to assert such status on any UcoObject to at a minimum convey if the object is "Draft"(the object is asserted by the producer to be in an incomplete or evolving state that should not be treated as operationally valid), "Final"(the object is asserted by the producer to be in a state that is complete and correct enough to be treated as operationally valid), or "Deprecated"(the object is asserted by the producer to have no current or future significance while not invalidating any past significance).
Requirements
Requirement 1
UcoObject MUST be able to express a object producer asserted maturity status of 'draft' for the object.
Requirement 2
UcoObject MUST be able to express a object producer asserted maturity status of 'final' for the object.
Requirement 3
UcoObject MUST be able to express a object producer asserted maturity status of 'deprecated' for the object.
Requirement 4
A single UcoObject MUST be able to have different asserted maturity status at different times.
Requirement 5
UcoObject MUST have at most a single maturity status asserted at any given time.
Risk / Benefit analysis
Benefits
Improved context for consumers
Consumers of UCO will have a clearer understanding of the maturity level of each UcoObject. The maturity status directly communicates whether an object is considered operationally valid. This aids consumers in deciding whether to rely on specific UcoObjects for their cybersecurity operations.
Simplified Object Lifecycle Management
With a maturity status mechanism, producers can explicitly declare the state of their objects, helping them and other stakeholders track the progress and evolution of cyber information. Objects can be marked as "Deprecated" when they are no longer significant, streamlining the process of identifying and handling outdated information without invalidating historical references.
Risks
Competencies demonstrated
Competency 1
Ability to query graph of CDO content to identify "Draft" state object, "Final" state objects and any derivation-based relationships between them.
Competency Question 1.1
What are all objects in this CASE investigation's chain of custody that are designated as "Final," but derived from some "Draft" object?
Result 1.1
Solution suggestion
Implementation of the proposed solution is available in #549
Within the
core
namespace:vocabulary:ObjectStatusVocab
vocabularycore:objectStatus
property asxsd:string
core:UcoObject
forcore:objectStatus
with cardinality max=1Solution discussion
The proposed new
core:objectStatus
provides a simple mechanism for expressing object maturity (Requirement 1).The proposed new
vocabulary:ObjectStatus
provides capability to support Requirement 1.The proposed new associated property shapes on
core:UcoObject
forcore:objectStatus
Coordination
owl:onDatatype
incorrectly #593 assessed - (Not incorporating before its Solutions Approval vote)xsd:string
s #629 assessed - (Not incorporating before its Solutions Approval vote)develop
for the next releasedevelop
state with backwards-compatible implementation merged intodevelop-2.0.0
develop-2.0.0
(N/A)develop
branch updated to track UCO's updateddevelop
branchdevelop-2.0.0
branch updated to track UCO's updateddevelop-2.0.0
branchThe text was updated successfully, but these errors were encountered: