Acting chair: Omar
Chat transcript from room: csaf From 2017-02-22 18:07 UTC until 19:08 UTC
Omar Santos called the meeting to order @ 1:07 EST (18:07 UTC).
A roll call was taken, and also recorded on the OASIS meeting calendar
All participants are kindly encouraged to register themselves to optimize the use of the shared time during the meeting in one of two ways:
Either click the link with the text "Register my attendance" on the top of the event page
or directly visit the per event direct "record my attendance" link: https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44453&confirmed=1.
Adam Montville (CIS); Allan Thomson (LookingGlass); Art Manion (Carnegie Mellon University); Beth Pumo (Kaiser Permanente); Duncan Sparrell (sFractal Consulting LLC); Feng Cao (Oracle); Harold Booth (NIST); Jamison Day (LookingGlass); Karen Scarfone (Individual); Lothar Braun (Siemens AG); Omar Santos (Cisco Systems); Paul Patrick (FireEye, Inc.); Sarah Kelley (CIS); Stefan Hagen (Individual); Vincent Danen (Red Hat)
Note: While the default rule requires attendance at 3 of the 5 most recent meetings, only 2 meetings have been held thus far. Voting members must have attended at least 2 of the last 2 meetings. The following members will gain voting rights after the next meeting, in case of participation.
Bret Jordan (Symantec Corp.); Bruce Rich (Cryptsoft Pty Ltd.); David Waltermire (NIST); Denny Page (TIBCO Software Inc.); Eric Johnson (TIBCO Software Inc.); Jerome Athias (Individual); Jonathan Bitle (Kaiser Permanente); Patrick Maroney (Wapack Labs LLC); Peter Allor (IBM); Phillip Boles (FireEye, Inc.); Zach Turk (Microsoft)
Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed on the OASIS Open Notices tab.
Bret Jordan (Symantec Corp.); Bruce Rich (Cryptsoft Pty Ltd.); David Waltermire (NIST); Patrick Maroney (Wapack Labs LLC); Phillip Boles (FireEye, Inc.); Jonathan Bitle (Kaiser Permanente)
Sarah Kelley (CIS) - (left the group)
Agenda approved unchanged as published.
Meeting minutes of Monthly TC Meeting #3 on 2017-01-25.
Minutes approved unchanged as published.
Omar: Topic CVRF 1.2 candidate - not much discussion / feedback observed
Feng: Mentions still open questions
Omar: Asks, if the namespace questions block moving forward with CVRF to enable CVSSv3
Harold: Doubts, that we can add backward compatibility, as we regardless have to make a breaking change
Lothar: Shares this result and thinks, it is to decide, just how breaking the change should be.
Feng: States, that the namespace will refer to an OASIS CVRF 1.2 URL instead of an ICASI URL (as in v1.1)
Peter: I move to bootstrap the CVSSv3 capability, by adding the CVRF 1.2 with a namespace URL hosted at OASIS to trigger the change for the clients of the schema. Jamison seconds.
Omar: No objections, unanimous consent, the motion carries
Omar: Asks for suggestion for where to best present the schema ...
Allan: Wonders, if anything else than the OASIS website is reasonable?
Stefan: Adds, that this is the place, for the schema URL, any marketing or other non-normative secondary documents can go elsewhere, but the classical XML schema URL will be determined by OASIS staff upon issue submittal.
All agree to go for the OASIS website (standard process)
Omar: Next topic Review and Release Timeframe
Omar: Asks on members' view on March as next milestone
All agree to love March
Omar: Volunteers to work on the dictionary of elements update
Stefan: Ditto on additional documentation
Stefan: Announcement and documentation will take additional coordination with OASIS and member companies
Omar: Kindly asks for a date, when we target as publication date - would end of March be OK?
Peter: Asks if there is anything technical to be done, before progressing further (thus that has to fit inside the time window until end of March)
All discuss procedures
Stefan: States, that there is the process that progresses up to OASIS standard
Stefan: If we just progress the schema as an artefact as a committee document, we can always store this as publicly accessible with the status draft. The committee draft as such needs more blessing, as we vote on it, then we can submit to public review (ticket for OASIS staff). OASIS standard needs wider member vote and also about a year.
Bret: States, that for IPR lock in the artefacts need CS status (which needs review phase and thus 30 days minimum but realistically 45 days after publication of CSD as the staff may need some time to process the submittal ticket).
Stefan: Notes, that publicly available are the artefacts all the time and thus we can offer as service to the community a fast patch to offer CVSSv3 to the community - but the "true" URL is blessed only (with IPR lock in) when CSD and CS stage have been accomplished.
Omar: Asks, if we can interpret the CVRF 1.2 as an updated contribution, we might be faster
Bret: States, that from his experiences with STIX and TAXII minor changes - there is no real fast track
Bret: Suggests to adhere as usual to https://www.oasis-open.org/policies-guidelines/tc-process#standApprovProcess
Bret: Informs on the full majority vote necessary for committee specification level (45 days needed approx.)
Bret and Stefan: Agree that if we go for a CSD it is easy and fast: at the moment the artefacts are frozen, we can start a ballot (even by motion via email) then two weeks later, the outcome (majority yes needed etc.) we can request publication by OASIS on the original OASIS website.
Peter: Asks Omar, if we are ready and Bret asks for the state of transformation from ICASI into OASIS work product.
Stefan: The officers of the TC can submit for a work product starting doc, and then we will receive the namespaces etc.
Stefan: Asks if editors are already named? These would be good to be named upon request of the work product templates ...
Omar: Asks for editor volunteers
Stefan: Volunteers as editor
No objection unanimous consent
All discuss the timeline in the light of the changes and formalities needed
Art: Asks for the history behind CVSSv3 in relation to CVRF
Peter: States, that ICASI stated it was agreed, that this TC could update CVRF from 1.1 as 1.2 by updating from CVSSv2 to CVSSv3
All discuss if it would be faster to request a new contribution from ICASI (that would update the contribution to a new one containing CVSSv3)
Art: I'll suggest that we need a list of artifacts and one/two editors per artifact
1. CSAF 1.2 XML
2. Document in OASIS format describing CSAF use and all the terms/fields
Stefan: The current consideration is to kindly expect ICASI to submit an updated CVRF1.2 with the CVSSv3 update contained - as it did receive the CVRF 1.1 contribution
David: Suggests to decide if we want to publish CVRF1.2 as committee specification draft (CSD) or to receive an updated contribution (only)
Peter: Would prefer the CSD (no matter, how we get it)
Harold: I am afraid I missed the opportunity to mention concerns... I have one suggested change: line 456 in vuln.xsd should be (to not require CVSSv3):
<xs:element name="ScoreSetV3" minOccurs="0" maxOccurs="unbounded">
Lothar: Also thinks, that if it is possible to receive a CVRF v1.2 from ICASI would be OK, to give the TC more time to concentrate on version 2.0
Stefan: (To Harold's change request): I do not think the artefacts are frozen yet ...
All restate, that no matter where the namespace will be hosted, this will be a different one, as CVRF 1.2 will be incompatible with CVRF 1.1
Stefan: Meeting time reminder
Omar: Asks if there is a motion?
Eric: Thinks that doing it inside the TC would be equally fast compared with another external contribution, as anyhow we need to transform it; but we would be better off internally handling it, as at any time we can share the state
Stefan: Seconds this
Stefan: I move we progress the schema inside the TC. Peter seconds.
Omar: No objections, unanimous consent, the motion carries
Omar: Calls to action over the established channels to put the remaining time into good use
Next Meeting #5 will be on Wednesday, March 29, 2017
Wednesday, 29 March 2017, 01:00pm to 02:00pm EST (UTC-5) - i.e. 2017-03-29 19:00 to 20:00 CEST (UTC+2)
Event page: Meeting Id 44454
Self-Registration link (available from approx. 15 minutes before meeting start): https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44454&confirmed=1
All meetings monthly on last Wednesday during:
01:00pm to 02:00pm EST (UTC-5) - 19:00 to 20:00 CEST (UTC+2)
The chair opened the floor for questions, there were none.
The meeting was adjourned at 02:08 EST (20:08 UTC).