OASIS Mailing List Archives


csaf message


Subject: RE: CSAF draft to JTC 1 SC 27, for any nits or improvement. Target to send: 31 July


Dear Jamie,
thank you for the document. Here are a few remarks if you are still seeking input:

I noticed that the year in section 7.4.1.4 b) was missing. Depending on what exactly could be the earliest date, we could argue:
- 2022 (as CSAF 2.0 was unchanged after that)
- 2021 (as it was already implemented and used while still being specified)
- 2017 (as CVRF 1.2, the predecessor, was used at that time)
- 2012 (as CVRF 1.1 was used at that time)
I'm currently unsure what the best date would be – I leave that for Chet and you to decide.

In section 7.4.3.1., we could mention that ISO 29147 already refers to the predecessor CVRF in section 7.6 – e.g. add the following text: "ISO 29147 (2018) already refers in section 7.6 to CVRF, the predecessor of the submitted CSAF specification, as the machine-readable advisory format."
We could also add "We kindly request, during the next update of ISO 29147 to update CVRF to CSAF."

Please submit the document as soon as possible (if you haven't done so already) to keep the timeline. Many thanks in advance.

Best wishes,
Thomas

From: Jamie Clark <jamie.clark@oasis-open.org> 
Sent: Wednesday, July 26, 2023 7:14 PM
To: Omar Santos (osantos) <osantos@cisco.com>; Schmidt, Thomas <thomas.schmidt@bsi.bund.de>; csaf@lists.oasis-open.org; Stefan Hagen <stefan@dilettant.eu>
Cc: Chet Ensign <chet.ensign@oasis-open.org>; Kelly Cullinane <kelly.cullinane@oasis-open.org>; Murphy, Justin <justin.murphy@cisa.dhs.gov>
Subject: CSAF draft to JTC 1 SC 27, for any nits or improvement. Target to send: 31 July

Dear CSAF TC: Attached please find a draft explanatory report, in preparation for submission directly to ISO/IEC JTC 1, which we would like to send ahead in draft form to its cybersecurity panel SC 27 now, as previously discussed, to give them the advance look we discussed and facilitate their feedback and acceptance during the voting phase.

Note that once we launch an official PAS ballot, it goes to the full JTC 1 committee, not their cybersecurity experts in SC 27, which cuts off some opportunity to consider any nits or further comments for that round of approval. As you know, we would not in any case accept substantive technical changes, as the work is already approved; but would certainly take comments on board, consider fixing any nits, and ask you to consider committing to reviewing substantive suggestions in future rounds.

We're not the first group to run proposed cybersecurity PAS standards first briefly past SC27, so this is a tested consultation path.

If no one on the TC has issues or improvements to this attached draft, which we believe is complete, we will plan to send it to SC 27 on or about the 31st of July, so as to be able to ask them to react within one month, and then send the final PAS vote request no later than the first week of September. 

All suggestions welcomed; please direct to Chet and myself. Regards JBC
