OASIS Common Security Advisory Framework (CSAF) TC Meeting #4 Feb 22, 2017

Acting chair: Omar

Chat transcript from room: csaf
From 2017-02-22 18:07 UTC until 19:08 UTC

1. Call to Order and Welcome

Omar Santos called the meeting to order @ 1:07 EST (18:07 UTC).

2. Roll call

A roll call was taken,and also recorded on the OASIS meeting calendar

All particiapnts are kindly encouraged to registrate themselves to optimize the use of the shared time during the meeting in one of two ways:
Either click the link with the text "Register my attendance" on the top of the event page
or directly visit the per event direct "record my attendace link": https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44453&confirmed=1.

Details cf. normative attendance sheet for this meeting (event_id=44453).

2.1 Participants

2.1.1 Voting Members Present

Adam Montville (CIS)
Allan Thomson (LookingGlass)
Art Manion (Carnegie Mellon University)
Beth Pumo (Kaiser Permanente)
Duncan Sparrell (sFractal Consulting LLC)
Feng Cao (Oracle)
Harold Booth (NIST)
Jamison Day (LookingGlass)
Karen Scarfone (Individual)
Lothar Braun (Siemens AG)
Omar Santos (Cisco Systems)
Paul Patrick (FireEye, Inc.)
Sarah Kelley (CIS)
Stefan Hagen (Individual)
Vincent Danen (Red Hat)

2.1.2 Members Present

Note: While the default rule requires attendance at 3 of the 5 most recent meetings, only 2 meetings have been held thus far. Voting members must have attended at least 2 of the last 2 meetings. The following members will gain voting rights after the next meeting, in case of participation.

Bret Jordan (Symantec Corp.)
Bruce Rich (Cryptsoft Pty Ltd.)
David Waltermire (NIST)
Denny Page (TIBCO Software Inc.)
Eric Johnson (TIBCO Software Inc.)
Jerome Athias (Individual)
Jonathan Bitle (Kaiser Permanente)
Patrick Maroney (Wapack Labs LLC)
Peter Allor (IBM)
Phillip Boles (FireEye, Inc.)
Zach Turk (Microsoft)

2.1.3 Observers present

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab.


2.2 Voting Right Changes Effective After The Meeting

2.2.1 Members that Gained Voting Rights

Bret Jordan (Symantec Corp.)
Bruce Rich (Cryptsoft Pty Ltd.)
David Waltermire (NIST)
Patrick Maroney (Wapack Labs LLC)
Phillip Boles (FireEye, Inc.)
Jonathan Bitle (Kaiser Permanente)

2.2.2 Members that Lost Voting Rights

Sarah Kelley (CIS) - (left the group)

3. The meeting agenda was reviewed

Agenda approved unchanged as published.

4. Approval of Minutes from Previous Meeting #3 (2017-01-25)

Meeting minutes of Monthly TC Meeting #3 on 2017-01-25.

Minutes approved unchanged as published.

5. Status of Current Activities and Contributions

Omar: Topic CVRF 1.2 candidate - not much discussion / feedback observed

Feng: Mentions still open questions

Omar: Asks, if the namespace questions block moving forward with CVRF to enable CVSv3

Harold: Doubts, that we can add backward compatibility, as we regardless have to make a breaking change

Lothar: Shares this result and thinks, it is to decide, just how breaking the change should be.

Feng: States, that the namespace will refer to an OASIS CVRF 1.2 URL instead of an ICASI URL (as in v1.1)

Peter: I move to bootstrap the CVSSv3 capability, by adding the CVRF 1.2 with a namespace URL hosted at OASIS to trigger the change for the clients of the schema. Jamison seconds.

Omar: No objections unanimous consent, the motion carries

Omar: Asks for suggestion for where to best present the schema ...

Allen: Wonders, if anything else, than OASIS website is reasonable?

Stefan: Adds, that this is the place, for the schema URL, any marketing or other non-normative secondary documents can go elsewhere, but the classical XML schema URL will be determined by OASIS staff upon issue submittal.

All agree to go for the OASIS website (standard process)

Omar: Next topic Review and Release Timeframe

Omar: Asks on members view on march aas next milestone

All agree to love March

Omar: Volunteers to work on the dictionary of elements update

Stefan: Dito on additional documentation

Stefan: Announcement and documentation will take additional coordination with OASIS and member companies

Omar: Kindly asks for a date, when we target as publication date - would be end of March be OK?

Peter: Asks if there is anything technical to be done, before progressing further (thus that has to fit inside the time window until end of March)

All discuss procedures

Stefan: States, that there is the process that progresses up to OASIS standard

Stefan: If we just progress the schema as an artefact as a committee document, we can always store this as public accessible with the status draft. The committee draft as such needs more blessing, as we vote on it, then we can submit to public review (ticket for OASIS staff). OASIS standard needs wider member vote and also abouut a year

Bret: States, that for IPR lock in the artefacts need CS status (which needs review phase and thus 30 days minimum but realistically 45 days after publication of CSD as the staff may need some time to process the submittal ticket.

Stefan: Notes, that publicly available are the artefacts al the time and thus we can offer as service to the community a fast patch to offer CVSSv3 to the community - but the "true" URL is blessed only (with IPR lock in) when CSD and CS stage have been accomplished.

Omar: Asks, if we can interpret the CVRF 1.2 as an updated contribution, we might be faster

Bret: States, that from his experiences with STIX and TAXII minor changes - there is no real fast track

Bret: Suggests to adhere as usual to https://www.oasis-open.org/policies-guidelines/tc-process#standApprovProcess

Bret: Informs on the full majority vote necessary for committee specification level (45 days needed approx.)

Bret and Stefan: Agree that if we go for a CSD it is easy and fast: at the moment the artefacts are frozen, we can start a ballot (even by motion via email) then two weeks later, the outcome (majority yes needed etc. we can request publication by OASIS on the original OASIS website

Peter: Asks Omar, if we are ready and Bret asks for the state of transformation from ICASI into OASIS work product.

Stefan: The officers of the TC can submit for a work product starting doc, and then we will receive the namespaces etc.

Stefan: Asks if editors are already named? These would be good to be named upon request of the work product templates ...

Omar: Asks for editor volunteers

Stefan: Volunteers as editor

No objection unanimous consent

All discuss the timeline in the light of the changes and formalities needed

Art: Asks for the history behind CVSSv3 in relation to CVRF

Peter: States, that ICASI stated it was agreed, that this TC could update CVRF from 1.1 as 1.2 by updating from CVSSv2 to CVSSv3

All discuss if it would be faster, to request a new contribution from ICASI (that would update the contribution to a new one containing an CVSSv3)

Art: I'll suggest that we need a list of artifacts and one/two editors per artifact
1. CSAF 1.2 XML
2. Document in OASIS format describing CSAF use and all the terms/fields
3. ?

Stefan: The current consideration is to kindly expect ICASI to submit an updated CVRF1.2 with the CVSSv3 update contained - as it did receive the CVRF 1.1 contribution

David: Suggests to decide if we want to publish CVRF1.2 as committee specification draft (CSD) or to receive an updated contribution (only)

Peter: Would prefer the CSD (no matter, how we get it)

Harold: I am afraid I missed the opportunity to mention concerns... I have one suggested change: line 456 in vuln.xsd should be (to not require CVSSv3):

<xs:element name="ScoreSetV3" minOccurs="0" maxOccurs="unbounded"> 

Lothar: Also thinks, that if it is possible to receive a CVRF v1.2 from ICASI would be OK, to give the TC more time to concentrate on version 2.0

Stefan: (To Harold's change request): I do not think the artefacts are frozen yet ...

All restate, that no matter where the namespace will be hosted, this will be a different one, as CVRF 1.2 will be incompatible with CVRF 1.1

Stefan: Meeting time reminder

Omar: Asks if there is a motion?

Eric: Thinks that doing it inside the TC would be equally fast compared with another external contribution, as anyhow we need to transform it; but we would be better of internally handling it, as at anytime we can share the state

Stefan: Seconds this

Stefan: I move we progress the schema inside the TC. Peter seconds.

Omar: No objections, unanimous consent the motion carries

Omar: Calls to action over the established channels to put the remaining time into good use

6. Next Meetings

6.1 Next Meeting

Next Meeting #5 will be on Wednesday, March 29, 2017

Wednesday, 29 March 2017, 01:00pm to 02:00pm EST (UTC-5)
  - i.e. 2017-03-29 19:00 to 20:00 CEST (UTC+2)

Event page: Meeting Id 44454

Self-Registration link (available from approx. 15 minutes before meeting start): https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44454&confirmed=1

6.2 Other Subsequent Meetings

All meetings monthly on last Wednesday during:

01:00pm to 02:00pm EST (UTC-5)
  - 19:00 to 20:00 CEST (UTC+2)

7. Any other business

The chair opened the floor for questions, there were none.

8. Adjourn

The meeting was adjourned at 02:08 EST (20:08 UTC).