
csaf message



Subject: Raw chat trace of meeting #6 - 2017-APR-26


[19:02] Stefan Hagen: Meeting Started
[19:04] Stefan Hagen: Agenda?
[19:04] Stefan Hagen: Agenda approved unchanged as published
[19:04] Stefan Hagen: Approval of Minutes from Previous Meeting #5 (2017-03-29)
[19:04] Stefan Hagen: - URL = https://www.oasis-open.org/committees/download.php/60592/csaf-minutes-20170329-meeting-5.html
[19:04] Phillip Boles morphed into Phillip Boles (FireEye)
[19:05] anonymous1 morphed into Art Manion
[19:05] Stefan Hagen: Harold moves to approve
[19:05] Stefan Hagen: Lou seconds
[19:05] anonymous1 morphed into Patrick Maroney
[19:07] anonymous1 morphed into Masato
[19:08] Stefan Hagen: Denny and Eric achieve voting rights after meeting #5 - the OASIS tools do indicate otherwise. We will amend the minutes accordingly and Stefan will correct the roster.
[19:08] Stefan Hagen: Given this is changed in the minutes do we have a motion to approve?
[19:09] Stefan Hagen: The amendment is seconded
[19:10] Stefan Hagen: Success - Mr. Denny Page group role has been changed to Voting Member
Success - Mr. Eric Johnson group role has been changed to Voting Member
[19:10] Stefan Hagen: Motion carries as amended
[19:11] Stefan Hagen: Zach Turk also should be augmented then to voting member status.
[19:11] Stefan Hagen: Success - Mr. Zach Turk group role has been changed to Voting Member
[19:11] Stefan Hagen: All three are now updated in roster management
[19:12] Stefan Hagen: RegInfo{Voting Members: 14 of 19 (73%) (used for quorum calculation)}
[19:12] Stefan Hagen: CSAF-28
[19:13] Omar Santos (Cisco): JIRA CSAF-28  - Proposal for CVSS future embrace
https://issues.oasis-open.org/browse/CSAF-28
[19:18] Stefan Hagen: Stefan walks through the proposal
[19:18] Stefan Hagen: All discuss the uniqueness constraint on the product id (D) in the proposal
[19:18] Stefan Hagen: Troy explains the uniqueness
[19:19] Stefan Hagen: Troy explains every vuln relates to only one product (so you do not have contradicting vulns per product)
[19:21] Stefan Hagen: Troy suggests to enforce the constraints per versioned score set (thus allowing also v2 and v3 to target the same product id)
[19:24] Stefan Hagen: Omar understands, that we have to allow some flexibility in the cardinalities of the version scores.
[19:25] Stefan Hagen: Art moves to allow 0 or 1 scoreset per cvss version
[19:25] Stefan Hagen: Correction Denny
[19:25] Stefan Hagen: Harold seconds
[19:26] Stefan Hagen: Unanimous consent, the motion carries
[19:26] Stefan Hagen: - Next steps
[19:28] Stefan Hagen: Feng suggests (based on the mail he sent) to change only minimally in v1.2 (and keep the private scale type for v2.0)
[19:29] anonymous1 morphed into Beth Pumo
[19:29] Stefan Hagen: Stefan suggests to then reference cvssv3 for 0 - 10
[19:31] Stefan Hagen: All discuss the proposal in CSAF-28
[19:36] Stefan Hagen: Eric asks if the members of the TC think the version 1.2 shall accomplish become an OASIS spec fast similar to 1.1 but supporting cvss v3 and thinks xml schema use to embed future compatibility is hard.
[19:37] Stefan Hagen: A.1 (from CSAF-2) is accepted by someone, A.2 might be too far reaching
[19:37] Stefan Hagen: Above: Troy
[19:38] Stefan Hagen: Harold is in favour to stay within narrow scope
[19:39] Stefan Hagen: I move to implement CSAF-28 but without the private type for cvssScoreType for the next working draft revision
[19:40] Stefan Hagen: Harold suggests to also remove D
[19:41] Stefan Hagen: I move to implement CSAF-28 but without the private type for cvssScoreType and without the uniqueness constraint (D) for the next working draft revision
[19:43] Stefan Hagen: I move to implement CSAF-28 but without the private type for cvssScoreType and with the uniqueness constraint (D) changed, so it targets v2 and v3 scores separately thus will allow one unique v2 and one unique v3 score per product id for the next working draft revision
[19:46] Stefan Hagen: Feng suggests to instead not implement CSAF-28, but instead amend Feng V2 V3 explicit variant with an additional constraint to accommodate for v2/v3 uniqueness and Harold is OK
[19:47] Stefan Hagen: Harold suggests to relax the cardinalities on the v3 score set to allow for 0 occurrences, and to have upper bound of 1 instead of unbounded for v2 and v3
[19:48] Stefan Hagen: Feng suggests to keep unbounded
[19:48] Stefan Hagen: Harold concurs with that
[19:49] Stefan Hagen: I move to keep the existing schema as discussed above with two changes: One is adding a V2 constraint on productID and TWO is relax the minOccur of SCoreSetV3 from 1 to 0.
[19:50] Stefan Hagen: Vincent seconds
[19:50] Stefan Hagen: No objections, unanimous consent the motion carries
[19:51] Stefan Hagen: Stefan plans to provide an updated working draft revision available for inspection vote in two weeks time
[19:52] Stefan Hagen: above replace inspection vote with inspection by the members and subsequent vote in the end of May meeting
[19:53] Stefan Hagen: Omar offers help in case the two weeks timeframe is too short, so we can ensure to vote next meeting
[19:53] Stefan Hagen: - Any Other Business
[19:54] Stefan Hagen: Eric asks if there are use case documents available for the 2.0 work or if it is in the issues?
[19:54] Stefan Hagen: Omar confirms in the issues only
[19:54] Stefan Hagen: No other business
[19:54] Stefan Hagen: Meeting adjourned by chair

