Subject: Raw minutes from chat meeting #4 on 2017-FEB-22

OASIS Common Security Advisory Framework (CSAF) TC Weekly Meeting (Conference Call) #4
- Wednesday, 22 February 2017, 01:00pm to 02:00pm EST (UTC-5)
  - i.e. 2017-02-22 19:00 to 20:00 CET (UTC+1)
  - i.e. 2017-02-23 04:00 to 05:00 AEST (UTC+10)
  - other timezone? Try e.g.:
    - http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=2&day=22&hour=18&min=0&sec=0&p1=47&p2=69&p3=179

Meeting Member URL:
- URL = https://www.oasis-open.org/apps/org/workgroup/csaf/event.php?event_id=44453
  - Please use starting approx. 15 minutes before the meeting for self registration. Thanks.
    - Self registration link (as a service):
      - https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44453&confirmed=1 

Agenda-Draft E-Mail URL:
- E-Mail Public URL = https://lists.oasis-open.org/archives/csaf/201702/msg00009.html

Minutes Draft Public URL (previous meeting):
- URL = https://www.oasis-open.org/committees/download.php/59880/csaf-minutes-20170125-meeting-3.html

Voice and Screenshare (WEBEX MEETING):
- Join By URL: 
  - https://cisco.webex.com/cisco/j.php?MTID=mef3d86408c9d05079621625195aad613
  - Meeting number (access code): 205 963 971
  - Host key: 448505
  - Meeting password: 32KbRC2A (32527222 from phones)
- Join By Phone (ISO 3166-1 alpha-3 letter codes):
  -  +61.2.8446.5260 (Toll) [AUS, Sydney]
  -  +32.2.704.5072 (Toll) [BEL, Brussels]
  -  +49.619.6773.9002 (Toll) [DEU, Eschborn] 
  -  +44.20.7496.3743 (Toll) [GBR, London]
  -     0120.312271 (Toll-Free) [JPN]
  -  +81.3.5763.9394 (Toll) [JPN, Tokyo]
  -  +31.20.357.1487 (Toll) [NLD, Amsterdam]
  - +966.1.218.2666 (Toll) [SAU, Riyadh]
  -   +1.866.432.9903 (Toll-free) [USA|CAN]
  -   +1.408.525.6800 (Toll) [US|CAN]

- Roll Call (please register yourselves shortly before the meeting - thanks)
  - URL = https://www.oasis-open.org/apps/org/workgroup/csaf/record_my_attendance.php?event_id=44453&confirmed=1
- Approval of Agenda
- Approval of Minutes from Previous Meeting #3 (2017-01-25)
  - URL = https://www.oasis-open.org/committees/download.php/59880/csaf-minutes-20170125-meeting-3.html
- Status of current activities and contributions
  - Review of version 1.2 candidate
- Current Open JIRA Issues
- Any Other Business
- Adjourn

  - URL = http://webconf.soaphub.org/conf/room/csaf  # <-- this place 

[18:46] Stefan Hagen: ParticipantRegInfo{Voting Members: 1 of 22 (4%) (used for quorum calculation)}
[18:52] anonymous morphed into Zach Turk
[18:53] Stefan Hagen: ParticipantRegInfo{Voting Members: 2 of 22 (9%) (used for quorum calculation)}
[18:54] Stefan Hagen: @anonymous1: Please use ^^^Settings tab on top of main chat window, to set name - thanks
[18:55] anonymous1 morphed into Feng Cao
[18:57] anonymous morphed into Omar Santos (Cisco)
[18:58] anonymous morphed into Sarah K.
[18:58] anonymous morphed into Harold
[18:59] Stefan Hagen: ParticipantRegInfo{Voting Members: 4 of 22 (18%) (used for quorum calculation)}
[19:00] Stefan Hagen: ParticipantRegInfo{Voting Members: 7 of 22 (31%) (used for quorum calculation)}
[19:00] anonymous morphed into Eric Johnson
[19:00] Sarah K.: Why is there a separate chat apart from the webex?
[19:00] anonymous1 morphed into Karen Scarfone
[19:01] Stefan Hagen: @Sarah: We want something in the minutes that survives a telco-session end and it is a proven chat (already established in the first meetings).
[19:02] Stefan Hagen: @Omar: 1 Participant missing until quorum 
[19:02] Stefan Hagen: ParticipantRegInfo{Voting Members: 11 of 22 (50%) (used for quorum calculation)}
[19:03] anonymous morphed into Pete Allor
[19:04] Harold morphed into Harold Booth
[19:04] anonymous morphed into Jamison M. Day
[19:05] Stefan Hagen: We are quorate 
[19:05] anonymous1 morphed into Jerome Athias
[19:05] Stefan Hagen: ParticipantRegInfo{Voting Members: 12 of 22 (54%) (used for quorum calculation)}
[19:07] Stefan Hagen: Rollcall passed
[19:07] Stefan Hagen: Omar presents the agenda draft
[19:07] anonymous1 morphed into Bruce Rich
[19:09] Stefan Hagen: Agenda approved unchanged as published.
[19:10] Stefan Hagen: Next approval of meeting minutes from previous meeting #3
[19:10] Stefan Hagen: Minutes approved unchanged as published
[19:11] Stefan Hagen: Next status of current activities
[19:11] Stefan Hagen: Omar: topic CVRF 1.2 candidate - not much discussion / feedback observed
[19:11] anonymous1 morphed into Denny Page
[19:12] Stefan Hagen: Feng mentions still open questions
[19:15] Stefan Hagen: Omar asks, if the namespace questions block moving forward with CVRF to enable CVSSv3
[19:15] Stefan Hagen: Harold doubts, that we can add backward compatibility, as we regardless have to make a breaking change
[19:16] Stefan Hagen: Lothar shares this result and thinks, it is to decide, just how breaking the change should be.
[19:16] Stefan Hagen: Feng states, that the namespace will refer to an OASIS CVRF 1.2 URL instead of an ICASI URL (as in v1.1)
[19:17] Stefan Hagen: Pete suggests to bootstrap the CVSSv3 capability, by adding the CVRF 1.2 with a namespace URL hosted at OASIS to trigger the change for the clients of the schema
[19:18] Stefan Hagen: Pete proposes this and moves
[19:18] Stefan Hagen: Jamison seconds
[19:18] Stefan Hagen: No objections unanimous consent, the motion carries
[19:19] Stefan Hagen: Omar asks for suggestion for where to best present the schema ...
[19:20] Stefan Hagen: Allen wonders, if anything else, than OASIS website is reasonable?
[19:21] Stefan Hagen: Stefan adds, that this is the place, for the schema URL, any marketing or other non-normative secondary documents can go elsewhere, but the classical XML schema URL will be determined by OASIS staff upon issue submittal.
[19:21] Stefan Hagen: All agree to go for the OASIS website (standard process)
[19:22] Stefan Hagen: Next topic Review and Release Timeframe
[19:23] Stefan Hagen: Omar asks on members' view on March as next milestone
[19:23] Stefan Hagen: All agree to love March
[19:23] Stefan Hagen: Omar volunteers to work on the dictionary of elements update
[19:23] Stefan Hagen: Ditto on additional documentation
[19:24] Stefan Hagen: Announcement and documentation will take additional coordination with OASIS and member companies
[19:25] Stefan Hagen: Omar kindly asks for a date, when we target as publication date - would end of March be OK?
[19:26] Stefan Hagen: Pete asks if there is anything technical to be done, before progressing further (thus that has to fit inside the time window until end of March)
[19:30] Stefan Hagen: All discuss procedures
[19:30] Stefan Hagen: Stefan states, that there is the process that progresses up to OASIS standard
[19:32] Stefan Hagen: Stefan: If we just progress the schema as an artefact as a committee document, we can always store this as public accessible with the status draft. The committee draft as such needs more blessing, as we vote on it, then we can submit to public review (ticket for OASIS staff). OASIS standard needs wider member vote and also about a year
[19:36] Stefan Hagen: Bret states, that for IPR lock in the artefacts need CS status (which needs review phase and thus 30 days minimum but realistically 45 days after publication of CSD as the staff may need some time to process the submittal ticket).
[19:37] Stefan Hagen: Stefan notes, that publicly available are the artefacts all the time and thus we can offer as service to the community a fast patch to offer CVSSv3 to the community - but the "true" URL is blessed only (with IPR-lockin) when CSD and CS stage have been accomplished.
[19:38] Stefan Hagen: Omar asks, if we can interpret the CVRF 1.2 as an updated contribution, we might be faster
[19:39] Stefan Hagen: Bret states, that from his experiences with STIX and TAXII minor changes - there is no real fast track
[19:40] Stefan Hagen: Bret suggests to adhere as usual to https://www.oasis-open.org/policies-guidelines/tc-process#standApprovProcess
[19:41] Stefan Hagen: Bret informs on the full majority vote necessary for committee specification level (45 days needed approx.)
[19:46] Stefan Hagen: Bret and Stefan agree that if we go for a CSD it is easy and fast: at the moment the artefacts are frozen, we can start a ballot (even by motion via email) then two weeks later, the outcome (majority yes needed etc.) we can request publication by OASIS on the original OASIS website
[19:46] Stefan Hagen: Peter asks Omar, if we are ready and Bret asks for the state of transformation from ICASI into OASIS work product.
[19:47] Stefan Hagen: The officers of the TC can submit for a work product starting doc, and then we will receive the namespaces etc.
[19:49] Stefan Hagen: Stefan asks if editors are already named? These would be good to be named upon request of the work product templates ...
[19:49] Stefan Hagen: Omar asks for editor volunteers
[19:49] Stefan Hagen: Stefan volunteers as editor
[19:50] Stefan Hagen: All discuss the timeline in the light of the changes and formalities needed
[19:51] Stefan Hagen: Art asks for the history behind CVSSv3 in relation to CVRF
[19:51] Stefan Hagen: Pete states, that ICASI stated it was agreed, that this TC could update CVRF from 1.1 as 1.2 by updating from CVSSv2 to CVSSv3
[19:52] Stefan Hagen: All discuss if it would be faster, to request a new contribution from ICASI (that would update the contribution to a new one containing a CVSSv3)
[19:53] Art Manion: I'll suggest that we need a list of artifacts and one/two editors per artifact
[19:53] Art Manion: 1. CSAF 1.2 XML
[19:54] Art Manion: 2. Document in OASIS format describing CSAF use and all the terms/fields
[19:54] Art Manion: 3. ?
[19:54] Stefan Hagen: The current consideration is to kindly expect ICASI to submit an updated CVRF1.2 with the CVSSv3 update contained - as it did receive the CVRF 1.1 contribution
[19:56] Stefan Hagen: David suggests to decide if we want to publish CVRF1.2 as committee specification draft (CSD) or to receive an updated contribution (only)
[19:57] Stefan Hagen: Peter would prefer the CSD (no matter, how we get it)
[19:57] Harold Booth: I am afraid I missed the opportunity to mention concerns...I have one suggested change: line 456 in vuln.xsd should be: <xs:element name="ScoreSetV3" minOccurs="0" maxOccurs="unbounded"> to not require CVSSv3
[19:58] Stefan Hagen: Lothar also thinks, that if it is possible to receive a CVRF v1.2 from ICASI would be OK, to give the TC more time to concentrate on version 2.0
[19:59] Stefan Hagen: @Harold: I do not think the artefacts are frozen yet ...
[20:01] Stefan Hagen: All restate, that no matter where the namespace will be hosted, this will be a different one, as CVRF 1.2 will be incompatible with CVRF 1.1
[20:02] Stefan Hagen: Meeting time reminder
[20:02] Stefan Hagen: Omar asks if there is a motion?
[20:04] Stefan Hagen: Eric thinks that doing it inside the TC would be equally fast compared with another external contribution, as anyhow we need to transform it; but we would be better off internally handling it, as at anytime we can share the state
[20:04] Stefan Hagen: Stefan seconds this
[20:05] Stefan Hagen: I move we progress the schema inside the TC
[20:05] Stefan Hagen: Peter seconds the motion
[20:05] Stefan Hagen: No objections, unanimous consent the motion carries
[20:06] Stefan Hagen: Omar calls to action over the established channels to put the remaining time into good use
[20:07] Stefan Hagen: Stefan: Motion to adjourn
[20:07] Stefan Hagen: Seconded
[20:08] Stefan Hagen: Meeting is adjourned

