OASIS Common Security Advisory Framework (CSAF) TC Meeting #5 Mar 29, 2017

Acting chair: Omar

Chat transcript from room: csaf
From 2017-03-29 18:04 UTC until 18:26 UTC

1. Call to Order and Welcome

Omar: Called the meeting to order @ 1:04 EST (18:04 UTC).

Omar: Announces that without quorum we will start with informative items

1.1 Persistent non-voting Member Status

To avoid future complications, if you do not plan to participate regularly, please consider becoming a persistent non-voting member.

  1. This avoids the requesting member periodically gaining and losing voting rights, and
  2. facilitates the group's work by reducing the risk of non-quorate meetings.

To become a persistent non-voting member is easy:

  1. A simple mail to the officers stating that request will suffice for the requester.
  2. The officers will subsequently edit the roster accordingly,
  3. and inform the requester about the changed status. Thanks!

2. Roll call

A roll call was taken, and also recorded on the OASIS meeting calendar. Quorum was not reached!
The minutes are provided to document the participation and to inform on what was discussed among the participants during the meeting.

All participants were kindly encouraged to register themselves, to optimize the use of the shared time during the meeting, in one of two ways:
Either click the link with the text "Register my attendance" at the top of the event page, or directly visit the per-event "record my attendance" link:
https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44454&confirmed=1. Thanks!

Details cf. normative attendance sheet for this meeting (event_id=44454).

2.1 Participants

2.1.1 Voting Members Present

Art Manion (Carnegie Mellon University)
Beth Pumo (Kaiser Permanente)
Chok Poh (Oracle)
Feng Cao (Oracle)
Harold Booth (NIST)
Jonathan Bitle (Kaiser Permanente)
Karen Scarfone (Individual)
Louis Ronnau (Cisco Systems)
Omar Santos (Cisco Systems)
Phillip Boles (FireEye, Inc.)
Stefan Hagen (Individual)

2.1.2 Members Present

Note: While the default rule requires attendance at 3 of the 5 most recent meetings, only 4 meetings have been held before this meeting. Voting members must have attended at least 2 of the last 4 meetings.

Denny Page (TIBCO Software Inc.)
Eric Johnson (TIBCO Software Inc.)
Jared Semrau (FireEye, Inc.)
Masato Terada (Hitachi, Ltd.)
Troy Fridley (Cisco Systems)
Zach Turk (Microsoft)

2.1.3 Observers present

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed on the OASIS Open Notices tab.

None

2.2 Voting Right Changes Effective After The Meeting

2.2.1 Members who gained Voting Rights


2.2.2 Members who lost Voting Rights

Bret Jordan (Symantec Corp.)
Bruce Rich (Cryptsoft Pty Ltd.)
David Waltermire (NIST)
Jason Keirstead (IBM) - (left the group)
Kent Landfield (Intel Corporation)
Mark-David McLaughlin (Cisco Systems)
Nicole Gong (Mitre Corporation)
Patrick Maroney (Wapack Labs LLC)

3. The meeting agenda was not reviewed

Meeting not quorate.

4. Approval of Minutes from Previous Meeting #4 (2017-02-22)

Meeting minutes of Monthly TC Meeting #4 on 2017-02-22.

Minute approval requested via mailing list:

  1. Motion requested per mail to the TC list by Stefan on "Wed, 29 Mar 2017 10:30:07 -0700 (PDT)" with subject:
    "Motion to approve the Minutes from Previous Meeting #4 (2017-02-22)"
  2. Seconded per mail to the TC list by Harold on "Wed, 29 Mar 2017 10:55:40 -0700 (PDT)" with subject
    "RE: [csaf] Motion to approve the Minutes from Previous Meeting #4 (2017-02-22)"
  3. No additional mails were received regarding that motion until "Tue, 25 Apr 2017 02:06:28 -0700 (PDT)", so a mail was sent to the TC list by Stefan on "Tue, 25 Apr 2017 02:06:28 -0700 (PDT)" with subject
    "Minutes approved - Re: [csaf] Motion to approve the Minutes from Previous Meeting #4 (2017-02-22)" documenting the conclusion that the minutes have been approved unchanged as published.

Minutes approved unchanged as published.

5. Informative Items

Eric: Raised some nits on the mailing list but does not consider those as blocking a first public comments release.

Harold: Asks if CSAF-21 has been applied?

Stefan: States that yes (noted in the slides sent around and published in Kavi before the meeting).

Feng and Harold discuss the v1.1 situation w.r.t. mandatory or optional CVSSScoreSets.

Feng suggests leaving CVSS v3 mandatory; if a vendor only supports CVSS v2, they should stay with CVRF v1.1, thus coupling CSAF CVRF v1.2 with mandatory CVSS v3.

All discuss the 2-dimensional version matrix combinations and their implications.

Art: Asks whether CSAF CVRF 1.2 should require 0 or more of both CVSS versions.

Feng: Suggests having 1 or more CVSS v3 and 0 or more CVSS v2.

Art: Suggests having a vote.

Omar: Notes this must be via mail as the meeting is not quorate.

Art will do so.

Update after the meeting: There has been some discussion on the mailing list, but no vote has been requested
(and participation in that discussion showed contributions mostly from proponents of one variant).

6. Next Meetings

6.1 Next Meeting

Next Meeting #6 will be on Wednesday, April 26, 2017.

Wednesday, 26 April 2017, 01:00pm to 02:00pm EST (UTC-5)
  - i.e. 2017-04-26 19:00 to 20:00 CEST (UTC+2)

Event page: Meeting Id 44455

Self-Registration link (available from approx. 15 minutes before meeting start):
https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44455&confirmed=1

6.2 Other Subsequent Meetings

All meetings are held monthly on the last Wednesday during:

01:00pm to 02:00pm EST (UTC-5)
  - 19:00 to 20:00 CEST (UTC+2)

7. Any other business

The chair opened the floor for questions; there were none.

8. Adjourn

The meeting was adjourned at 01:26 EST (18:26 UTC).