OASIS Mailing List Archives

csaf message



Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2


On 04/06/2017, at 0:23 AM, Mr. Stefan Hagen wrote:

Hello Vincent,

On 04/04/17 22:09, Vincent Danen wrote:
On 04/04/2017, at 13:31 PM, Mr. Stefan Hagen wrote:

Dear Members, to enable a clearly documented decision on this crucial
question if we enforce CVSSv3 scoring with CSAF CVRF v1.2,

I move, that the chair of the TC shall request a ballot for a full
majority vote from administration with the ballot question: "Every
vuln:CVSSScoreSets element if present MUST contain zero or more
CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the
answers "yes", "no", and "abstain".

How do we vote on this or are we waiting for the next meeting? I think
the above is reasonable and would vote for it.


as I understand our abilities/rules as OASIS TC, we are allowed to perform motions via this TC mailing list. This requires someone who moves (done by me in this case), and at least one other member that seconds the motion.

Vincent, your above statement could be interpreted as seconding, but misses the clear form that you second. So please rephrase if you intended to do so.

I sense personally that both "camps" have expressed valid reasoning and I do not have enough knowledge (or stakes) even to judge how I could weigh one against the other (from severity of impact), so I cannot even name now what *I* would vote in the ballot, but this is to me the major open issue blocking publishing of the CSD01 WD01 and:

a) We could conduct voting over the mailing list, but I think we should in this case *not* use the mailing list for *collecting messages* with yes, no, abstain - say over one week or so - as this even in such a mid-sized committee may become a mess and people's messages may get lost ... - thus a proposed ballot

b) Personally, the sharp controversy at this point in time is to me a tad surprising, as I remember everyone entered in a rush, saying this (the contributions together) is *ready*, we must be fast to enable the market to start using CVSS v3 ... and now we see: it is *not*

c) We *could* discuss this in the next meeting (as was done in the last) but the trouble with monthly meetings is that (cf. b) this is not what I understand as fast ;-) Having said that: personally, I am always in favor of discussions during the meeting, so we talk with each other, and for me as officer, facilitating this for all members is my core job.

d) Maybe the discussion here has already brought a valuable enough outcome of the quest for a ballot via the mailing list, and we can come to a decision during the next meeting; that would be great (and I always have time). It would be great because, if we do not come to a shared position, the alternative - a ballot, if not unanimous in its outcome - has quite some detraction effect in my experience ...

e) Note: At least one strong proponent of the "MUST include one or more ScoreSetV3 if CVSSScoreSets given in v1.2 document" has not engaged himself in this mailing list discussion (albeit he spoke up clearly during the last meeting) ...


Despite the "to vote or not to vote" question, I see currently two major discussion topics aggravating (speaking as editor):

1) A publisher (MUST or SHOULD) include a CVSSv3 ScoreSetV3 element if CVSSScoreSets is given in a valid CSAF CVRF v1.2 document?

2) What SHOULD the model of the ScoreSetVx element allow, to meet expectations from scoring the vuln and relating to products? (Brought up through the "why should there be more ScoreSet elements for any specific version?" question)


Speaking as editor, I do suggest publishing a CSD01 WD01 and starting a public comment phase only after these two points (1) and (2) have been resolved inside this committee (ideally unanimously).

@Chet: Please advise if I stated something wrong about our mailing list capabilities, the formal procedures to clarify this kind of question mixing mailing list and ballot-requesting formalities (esp. must it be a full majority ballot explicitly named in the motion, or does ballot suffice ...)? Thanks.


[... - - 8< - - ...]

Hi Stefan, sorry for the slow response to this. It's been a bit hectic here and I'm just catching up on things.

I've also read some of the other mails and other concerns raised. On the basis of that I would not vote for what was proposed above (one or more CVSSv3, zero or more CVSSv2). Having read what others mentioned, I think one or more of either CVSSv2 OR CVSSv3 is probably the most prudent course forward. As others have pointed out, it may be useful to continue having or using CVSSv2 as it may fit their needs better.

I don't think CVRF 1.2 is meant to _mandate_ CVSSv3 (which is what it would do as presented) but more to enable the use of it, which is what is missing in CVRF 1.1 right now. So 1.2 should allow the use of _only_ CVSSv2 if that is what is desired, and leave that to the end org to determine as to what suits their needs best.

Changes to mandate CVSSv3 are probably better suited for CSAF 2.0 but I still think it should be optional or we paint ourselves into a corner when CVSSv4 comes out or some other scoring framework someone wants to use (ideally CSAF would be scoring mechanism agnostic and just be made to present the score that someone chooses to use as best meets their needs).

Based on timing, this probably means we should clarify and discuss. I feel like it's been a while since we've had a call -- do we have one scheduled? I missed the call last month where it looks like this was discussed but there were not enough people to establish a vote.

--
Vincent Danen / Red Hat Product Security

