STIX 2.1 spec problems with integers #336

@chisholm

Section 2.10:

https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_k1goo4u2qjpb

says:

Unless otherwise specified, all integers MUST be capable of being represented as a signed 54-bit value ([-(2**53)+1, (2**53)-1]) as defined in [RFC7493].

This is quoting an RFC7493 mistake. The part of the RFC it is quoting has an erratum:

https://www.rfc-editor.org/errata/eid5354

The RFC is supposed to say:

An I-JSON sender cannot expect a receiver to treat an integer whose absolute value is greater than 9007199254740992 (i.e., that is outside the range [-(2**53), (2**53)]) as an exact value.

However, the range of values given in the errata includes 2**54+1 distinct values, and therefore can't be represented by a 54-bit signed int. In particular, 2**53 wouldn't be within the traditional range of a 54-bit signed int. The range would be [-(2**53), 2**53-1]. That means implementations can't be compliant with the spec defined integer range if they limit to that of a 54-bit signed int. In fact, the original (erroneous) range includes 2**54-1 distinct values, so it is smaller than the aforementioned range. If implementations used a signed 54-bit int, it would include -(2**53), which is below the minimum, and therefore non-compliant. So a 54-bit signed integer has incorrect numeric limits in both cases.

I think what RFC7493 is trying to do is limit integers to those which are exactly representable by double precision floats. So the RFC's stated range is based on floats, not ints. The STIX spec's wording: "signed 54-bit value ([-(2**53)+1, (2**53)-1]) as defined in [RFC7493]" implies that the RFC defines a 54-bit signed int. That is misrepresenting what it does. Neither of the stated ranges (erroneous or corrected) matches that of a 54-bit signed int, so it seems clear that was not the intent.

The STIX spec may require range restriction to that of a 54-bit signed int, and it can say that decision is based on RFC7493, but it should not imply that the RFC defines that requirement. In this case, it should perhaps be made clear that the STIX and RFC ranges don't exactly align, to avoid confusion. Or, the STIX spec may require exactly the range limit given in RFC7493 (in the errata), but then it can't also require representability as a 54-bit signed int, because those ranges are different.
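
The three ranges compared in this issue can be checked side by side. The following is an added example, not part of the original issue or of any STIX library: it walks a parsed JSON document and reports integers on which the ranges disagree, plus whether each value survives a round trip through a double. The range labels, function names and the sample object are constructed for illustration.

```python
import json

# Inclusive bounds of the three ranges discussed in the issue (labels are ours).
RANGES = {
    "stix_2_1_text": (-(2**53) + 1, 2**53 - 1),  # range quoted in STIX 2.1 section 2.10
    "rfc7493_erratum": (-(2**53), 2**53),        # range per RFC 7493 erratum 5354
    "signed_54_bit": (-(2**53), 2**53 - 1),      # two's-complement 54-bit integer
}

def classify(n):
    """Return the set of range names that contain integer n."""
    return {name for name, (lo, hi) in RANGES.items() if lo <= n <= hi}

def float_exact(n):
    """True if n is unchanged by a round trip through an IEEE 754 double."""
    try:
        return int(float(n)) == n
    except OverflowError:
        return False

def iter_ints(node, path="$"):
    """Yield (path, value) for every integer in a parsed JSON value."""
    if isinstance(node, bool):  # bool is an int subclass in Python; skip it
        return
    if isinstance(node, int):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_ints(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_ints(value, f"{path}[{i}]")

def audit(text):
    """List integers that fall outside at least one of the three ranges."""
    findings = []
    for path, n in iter_ints(json.loads(text)):  # json.loads keeps ints exact
        inside = classify(n)
        if len(inside) != len(RANGES):
            findings.append((path, n, sorted(inside), float_exact(n)))
    return findings

# Constructed sample: boundary values placed in a STIX-like object.
SAMPLE = """{"type": "file", "size": 9007199254740992,
 "x_constructed_counts": [-9007199254740992, 9007199254740991, 9007199254740993]}"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
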
