OASIS Common Security Advisory Framework (CSAF) TC Meeting #3 Jan 25, 2017

Acting chair: Omar

Chat transcript from room: csaf
From 2017-01-25 18:06 UTC until 18:48 UTC

1. Call to Order and Welcome

Omar Santos called the meeting to order @ 13:06 EST (18:06 UTC).

2. Roll call

The meeting attendance was recorded on the OASIS meeting calendar.

As usual, all participants were kindly encouraged to register themselves in one of two ways (to optimize the use of the shared time during the meeting):
Either to click the link with the text "Register my attendance" on the top of the event page
or to directly visit the per-event direct "record my attendance" link: https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=43849&confirmed=1.

Details cf. normative attendance sheet for this meeting (event_id=43849).

2.1 Participants

2.1.1 Voting Members Present

Adam Montville (Center for Internet Security (CIS))
Art Manion (Carnegie Mellon University)
Aukjan van Belkum (EclecticIQ)
Beth Pumo (Kaiser Permanente)
Chok Poh (Oracle)
Duncan Sparrell (sFractal Consulting LLC)
Feng Cao (Oracle)
Jamison Day (LookingGlass)
Karen Scarfone (Individual)
Lothar Braun (Siemens AG)
Louis Ronnau (Cisco Systems)
Nicole Gong (Mitre Corporation)
Omar Santos (Cisco Systems)
Ritwik Ghoshal (Oracle)
Sarah Kelley (Center for Internet Security (CIS))
Stefan Hagen (Individual)
Vincent Danen (Red Hat)

2.1.2 Members Present

Note: While the default rule requires attendance at 3 of the 5 most recent meetings, only 2 meetings have been held thus far. Voting members must have attended at least 2 of the last 3 meetings.

David Waltermire (NIST)
Harold Booth (NIST)
Jonathan Bitle (Kaiser Permanente)
Kent Landfield (Intel Corporation)
Patrick Maroney (Wapack Labs LLC)

2.1.3 Observers present

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed on the OASIS Open Notices tab.

Jonathan Baker (Mitre Corporation)
Lawrence Lamers (VMware, Inc.)
Skye Rogers (U.S. Bank)

2.2 Voting Right Changes Effective After The Meeting

2.2.1 Members that Gained Voting Rights

Harold Booth (NIST)
Kent Landfield (Intel Corporation)

2.2.2 Members that Lost Voting Rights

Bernd Grobauer (Siemens AG)
Greg Scott (Cryptsoft Pty Ltd.)
Jason Masters (TELUS)
Jessica Fitzgerald-McKay (National Security Agency)
Rich Reybok (ServiceNow)
Richard Struse (DHS Office of Cybersecurity and Communications (CS&C))
Robert Coderre (VeriSign)
Rupert Wimmer (Siemens AG)
Sanjiv Kalkar (Individual)
Tony Cox (Cryptsoft Pty Ltd.)

2.2.3 Members that entered Inactive Member Status (and Lost Voting Rights)

Mark Clancy (Soltra)

3. The meeting agenda was reviewed

Omar: Some slides have been prepared, these will be shown in the WebEx screen share, to support the discussion

Update: Slides have been uploaded to kavi. Format: PDF, PPTX (source).

Agenda approved unchanged as published.

4. Approval of Minutes from Previous Meeting #2 (2016-12-14)

Meeting minutes of Inaugural TC Meeting #2 on 2016-12-14.

Minutes approved unchanged as published.

5. SoapHub CSAF TC Chat

The TC meeting chat at http://webconf.soaphub.org/conf/room/csaf was used during the meeting and the raw trace has been archived as a message to the TC mailing list at https://lists.oasis-open.org/archives/csaf/201701/msg00019.html directly after the meeting and as usual.

6. Status of Current Activities and Contributions

6.1 Sandbox Created in TC repository at github and First Contribution

URL of sandbox for browsing: https://github.com/oasis-tcs/csaf

Omar: Suggests all review and give feedback via mail to the TC list or Slack channel at https://csaf-tc-collab.slack.com

Note: Direct link to e.g. the "general" channel: https://csaf-tc-collab.slack.com/messages/general/

No questions so far

6.2 First Contribution - CVRF 1.2 draft

Note: Direct link to the "cvrf_v-1-2" channel: https://csaf-tc-collab.slack.com/messages/cvrf_v-1-2/

Lothar: Went through the schema and - as a potential provider - had no open questions.

Lothar: In addition talked with consumers of CVRF and received feedback and requests for further additions to aid in consistency

Lothar: Based on his assessment of the nature of these requested additions, he suggests providing those already along with CVRF v1.2

All discuss how to best consolidate the feedback to channel it into the upcoming revision

Vincent: Would like to have a CVRF 1.1 also inside the sandbox so we can provide a diff of the changes

All agree this is a good idea to at least provide the diff

Note: Someone has to actually either 1) check in the CVRF 1.1 original side by side with the new draft or 2) recommit all changes leading to the current v1.2 draft but ensure to "start" from the original 1.1 version.

6.3 Release and Review timeframe for CVRF 1.2

Omar: Presents a table of items and timeframes (slide 6/8)

Item                                                | Timeframe
Potential release date                              | TBD
Review timeframe                                    | Mid-February (i.e., Feb 15th)?
CVRF 1.2 Dictionary of Elements update              | TBD
Additional documentation that needs to be updated?  | TBD
Announcement and communications                     | TBD

Vincent: Thinks Mid-February is reasonable as review timeframe

The presented slide on the roadmap proposes that all other related dates are still TBD

Harold: Asks what other changes will be part of CVRF v1.2, other than the suggested CVSS v2 -> v3?

Omar: Shortly mentions XML to other format(s) changes, signatures etc.

Omar: Suggests to read and write JIRA issues for keeping note of other possible / proposed changes

Omar: Reminds everyone that until now all agreed to shift these changes at least to v2.0 of CVRF (or then CSAF)

Stefan: I move to constrain changes for 1.2 on CVSSv3 related ones. Motion is seconded.

Omar: Unanimous consent, motion carries

Omar: Highlights that also announcements etc. should be well planned ahead and together with OASIS staff

6.4 Compatibility discussion

Feng: We have to discuss compatibility: new-version documents will have to be validated against the new schema, old ones against the old one, so no old content needs to remain in the new schema

All discuss namespaces and backward compatibility

Lothar: Points out, score set is mandatory, so if we add version 3 ...

Feng: Suggests to make version 2 optional

All discuss, if it is currently optional or mandatory ...

Omar: Suggests to move the conversation to email or slack

Louis: I move to set the review timeframe to February 15

Lothar: Asks what happens if we find out, the changes will be compatibility breaking?

Omar and Lothar discuss that whatever comes out on 2017-02-15 will be input for the subsequent meeting so we can decide, as the next scheduled meeting is one week after that date (22 February)

All understand that this gives time to consolidate

Stefan: I move to keep it at Feb 15 (the review deadline). Lothar seconds.

Omar: Unanimous consent, the motion carries.

Omar: Kindly suggests that all willing to contribute and participate do so using the mailing list, the Slack channels and also JIRA, by opening or commenting on issues

7. Current JIRA Issues

7.1 Issues for Target version CVRF 1.2 in Status New or Open

7.1.1 CSAF-19 - define targetNamespace, schemaLocation and namespace for CVRF 1.2

CSAF-19 is not yet OPEN

Omar: Received comments on CSAF-19 from Stefan

Feng: Highlights that in the OASIS namespace naming conventions, the TC name becomes the protocol name, while they are used to keeping it as CVRF

Vincent: Suggests to keep CVRF and later only switch to CSAF (TC name) to not confuse for minor changes

Harold: Seconds to keep the namespace

Duncan: Chimes in that in sync with only changing minor version number, we should keep the namespace, thus if it is backward compatible, keep it.

7.1.2 CSAF-14 - Add CVSSv3 support to CVRF

CSAF-14 is not yet OPEN

All discuss on CVSSv2 versus v3

Vincent: Would be against breaking changes in 1.2 (that would be CVSS v2 moving to v3)

Lothar: Understands the proposed changes for 1.2 as doing exactly this; a mix-in is suggested to work around the problem of v2 colliding with v3

8. Next Meetings

8.1 Next Meeting

Next Meeting #4 will be on Wednesday, Feb 22, 2017

Wednesday, 22 February 2017, 01:00pm to 02:00pm EST (UTC-5)
  - i.e. 2017-02-22 19:00 to 20:00 CET (UTC+1)
  - i.e. 2017-02-23 04:00 to 05:00 AEST (UTC+10)

Event page: Meeting Id 44453

Self-Registration link (available from approx. 15 minutes before meeting start): https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44453&confirmed=1

8.2 Other Subsequent Meetings

All meetings monthly on last Wednesday during:

01:00pm to 02:00pm EST (UTC-5)
  - 19:00 to 20:00 CET (UTC+1)
  - 04:00 to 05:00 AEST (UTC+10)

9. Any other business

The chair opened the floor for questions, there were none.

10. Adjourn

The meeting was adjourned at 13:48 EST (18:48 UTC).