Acting chair: Omar
Chat transcript from room: csaf From 2017-01-25 18:06 UTC until 18:48 UTC
Omar Santos called the meeting to order @ 13:06 EST (18:06 UTC).
The meeting attendance was recorded on the OASIS meeting calendar.
As usual, all participants were kindly encouraged to register themselves in one of two ways (to optimize the use of the shared time during the meeting):
Either to click the link with the text "Register my attendance" on the top of the event page
or to directly visit the per-event direct "record my attendance" link: https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=43849&confirmed=1.
Adam Montville (Center for Internet Security (CIS)), Art Manion (Carnegie Mellon University), Aukjan van Belkum (EclecticIQ), Beth Pumo (Kaiser Permanente), Chok Poh (Oracle), Duncan Sparrell (sFractal Consulting LLC), Feng Cao (Oracle), Jamison Day (LookingGlass), Karen Scarfone (Individual), Lothar Braun (Siemens AG), Louis Ronnau (Cisco Systems), Nicole Gong (Mitre Corporation), Omar Santos (Cisco Systems), Ritwik Ghoshal (Oracle), Sarah Kelley (Center for Internet Security (CIS)), Stefan Hagen (Individual), Vincent Danen (Red Hat)
Note: While the default rule requires attendance at 3 of the 5 most recent meetings, only 2 meetings have been held thus far. Voting members must have attended at least 2 of the last 3 meetings.
David Waltermire (NIST), Harold Booth (NIST), Jonathan Bitle (Kaiser Permanente), Kent Landfield (Intel Corporation), Patrick Maroney (Wapack Labs LLC)
Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed on the OASIS Open Notices tab.
Jonathan Baker (Mitre Corporation), Lawrence Lamers (VMware, Inc.), Skye Rogers (U.S. Bank)
Harold Booth (NIST), Kent Landfield (Intel Corporation)
Bernd Grobauer (Siemens AG), Greg Scott (Cryptsoft Pty Ltd.), Jason Masters (TELUS), Jessica Fitzgerald-McKay (National Security Agency), Rich Reybok (ServiceNow), Richard Struse (DHS Office of Cybersecurity and Communications (CS&C)), Robert Coderre (VeriSign), Rupert Wimmer (Siemens AG), Sanjiv Kalkar (Individual), Tony Cox (Cryptsoft Pty Ltd.)
Mark Clancy (Soltra)
Omar: Some slides have been prepared; these will be shown in the WebEx screen share to support the discussion.
Agenda approved unchanged as published.
Meeting minutes of Inaugural TC Meeting #2 on 2016-12-14.
Minutes approved unchanged as published.
The TC meeting chat at http://webconf.soaphub.org/conf/room/csaf was used during the meeting, and the raw trace has been archived as a message to the TC mailing list at https://lists.oasis-open.org/archives/csaf/201701/msg00019.html directly after the meeting, as usual.
URL of sandbox for browsing: https://github.com/oasis-tcs/csaf
Omar: Suggests all review and give feedback via mail to the TC list or Slack channel at https://csaf-tc-collab.slack.com
Note: Direct link to e.g. the "general" channel: https://csaf-tc-collab.slack.com/messages/general/
No questions so far
Note: Direct link to the "cvrf_v-1-2" channel: https://csaf-tc-collab.slack.com/messages/cvrf_v-1-2/
Lothar: Went through the schema and - as a potential provider - had no open questions.
Lothar: In addition, talked with consumers of CVRF and received feedback and requests for further additions to aid in consistency.
Lothar: Based on his assessment of the nature of these requested additions, he suggests providing those already along with CVRF v1.2.
All discuss how to best consolidate the feedback to channel it into the upcoming revision
Vincent: Would like to have a CVRF 1.1 also inside the sandbox so we can provide a diff of the changes
All agree this is a good idea to at least provide the diff
Note: Someone has to actually either 1) check in the CVRF 1.1 original side by side with the new draft or 2) recommit all changes leading to the current v1.2 draft but ensure to "start" from the original 1.1 version.
Omar: Presents a table of items and timeframes (slide 6/8):
====================================================+===============================
Item                                                | Timeframe
----------------------------------------------------+-------------------------------
Potential release date                              | TBD
Review timeframe                                    | Mid-February (i.e., Feb 15th)?
CVRF 1.2 Dictionary of Elements update              | TBD
Additional documentation that needs to be updated?  | TBD
Announcement and communications                     | TBD
----------------------------------------------------+-------------------------------
====================================================+===============================
Vincent: Thinks Mid-February is reasonable as review timeframe
The presented slide on the roadmap proposes that all other related dates are still TBD.
Harold: Asks what other changes will be part of CVRF v1.2, other than the suggested CVSS v2 -> v3?
Omar: Briefly mentions XML to other format(s) changes, signatures, etc.
Omar: Suggests reading and writing JIRA issues to keep note of other possible / proposed changes.
Omar: Reminds everyone that until now all agreed to defer these changes at least to v2.0 of CVRF (or then CSAF).
Stefan: I move to constrain changes for 1.2 to CVSSv3-related ones. Motion is seconded.
Omar: Unanimous consent, motion carries
Omar: Highlights that also announcements etc. should be well planned ahead and together with OASIS staff
Feng: We have to discuss compatibility: New version documents will have to be validated against the new schema, old ones against the old one, so no old stuff needs to remain in the new schema
All discuss namespaces and backward compatibility
Lothar: Points out, score set is mandatory, so if we add version 3 ...
Feng: Suggests to make version 2 optional
All discuss, if it is currently optional or mandatory ...
Omar: Suggests to move the conversation to email or slack
Louis: I move to set the review timeframe to February 15.
Lothar: Asks what happens if we find out the changes will be compatibility-breaking.
Omar and Lothar discuss that whatever comes out at 2017-02-15 will be input for the subsequent meeting, so we can decide then, as the next scheduled meeting is one week after that date, on February 22.
All understand, that this gives time to consolidate
Stefan: I move to keep it at Feb 15 (the review deadline). Lothar seconds.
Omar: Unanimous consent, the motion carries.
Omar: Kindly suggests that all willing to contribute and participate do so via the mailing list, the Slack channels, and also by opening or commenting on JIRA issues.
CSAF-19 is not yet OPEN
Omar: Received comments on CSAF-19 from Stefan
Feng: Highlights that in the OASIS namespace naming conventions the TC name becomes the protocol name, while they are used to keeping it as CVRF.
Vincent: Suggests keeping CVRF and only later switching to CSAF (TC name), so as not to confuse for minor changes.
Harold: Seconds to keep the namespace
Duncan: Chimes in that, in line with only changing the minor version number, we should keep the namespace; thus, if it is backward compatible, keep it.
CSAF-14 is not yet OPEN
All discuss on CVSSv2 versus v3
Vincent: Would be against breaking changes in 1.2 (that would be CVSS v2 moving to v3)
Lothar: Understands the proposed changes for 1.2 as doing exactly this; a mix-in is suggested to work around the problem of v2 colliding with v3.
Next Meeting #4 will be on Wednesday, Feb 22, 2017
Wednesday, 22 February 2017, 01:00pm to 02:00pm EST (UTC-5) - i.e. 2017-02-22 19:00 to 20:00 CET (UTC+1) - i.e. 2017-02-23 04:00 to 05:00 AEST (UTC+10)
Event page: Meeting Id 44453
Self-Registration link (available from approx. 15 minutes before meeting start): https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44453&confirmed=1
All meetings are held monthly on the last Wednesday, during:
01:00pm to 02:00pm EST (UTC-5) - 19:00 to 20:00 CET (UTC+1) - 04:00 to 05:00 AEST (UTC+10)
The chair opened the floor for questions, there were none.
The meeting was adjourned at 13:48 EST (18:48 UTC).