-
Notifications
You must be signed in to change notification settings - Fork 40
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
94dbd70
commit ac3ca89
Showing
1 changed file
with
152 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,152 @@ | ||
|  | ||
|
|
||
| # Common Security Advisory Framework (CSAF) Technical Committee Working Meeting | ||
|
|
||
| - Meeting Date: September 27, 2023 | ||
| - Time: 1:00 pm US EDT | ||
|
|
||
| ## Call to Order and Welcome | ||
|
|
||
| Meeting called to order @ 1:06 PM US EDT | ||
|
|
||
| ## Roll call | ||
|
|
||
| All participants recorded their attendance on the OASIS meeting calendar. | ||
| All participants were kindly encouraged to register themselves to optimize the use of the shared time during the meeting in one of two ways: | ||
| - Clicking the link with the text "Register my attendance" on the top of the event page. | ||
| - Or directly visiting the per event direct "record my attendance link." | ||
|
|
||
| Quorum was NOT reached. | ||
|
|
||
|
|
||
| ## Participants | ||
|
|
||
| | Company | Name | Role | | ||
| |--------------------------------------------------|------------------------|----------------| | ||
| | Individual | Stefan Hagen | Voting Member | | ||
| | Cisco Systems | Rhonda Levy | Voting Member | | ||
| | Siemens AG | Tobias Limmer | Voting Member | | ||
| | TNO | Luca Morgese Zangrandi | Member | | ||
| | DHS/CISA | Justin Murphy | Voting Member | | ||
| | Individual | Denny Page | Voting Member | | ||
| | Dell | Michael Reeder | Voting Member | | ||
| | Cisco Systems | Thomas Schaffer | Voting Member | | ||
| | BSI | Thomas Schmidt | Voting Member | | ||
| | TIBCO Software Inc. | Russ Selph | Voting Member | | ||
| | Blackberry Limited | Tyler Townes | Observer | | ||
| | BSI | Dina Truxius | Voting Member | | ||
| | Huawei Technologies Co., Ltd. | Sonny van Lingen | Voting Member | | ||
| | Oracle | Feng Cao | Voting Member | | ||
|
|
||
|
|
||
| ### Observers present | ||
|
|
||
| None | ||
|
|
||
| Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab. | ||
|
|
||
| ## Agenda | ||
| - Roll Call via self-registration. | ||
| - Approve May Meeting Minutes from August 2023 | ||
| - Requests open | ||
| - GitHub issues | ||
| - Discuss next steps. | ||
| - Adjourn | ||
|
|
||
| ## Meeting Notes | ||
| - Stefan Hagen set motion to make Thomas Schmidt the "acting chair" for this meeting only as Omar was not in attendance. | ||
| - Justin second the motion. | ||
| - Motion for Thomas Schimdt to be active temporary chair for this meeting passed. | ||
|
|
||
| - Thomas Schaffer set motion to approve the agenda as noted above. | ||
| - Justin second motion. | ||
| - Motion for agenda listed above passed. | ||
|
|
||
| - Quorum was reached but the minutes for August 202 3 were not distributed to TC members; therefore, no motion was set to approve the minutes of August 2023. | ||
|
|
||
| - Justin – for all advisories moving forward via ICS in CSAP format, they are all converted and there are still human readable advisories. | ||
| - They will be in the [GitHub repository](https://github.com/oasis-tcs/csaf/pull/655). | ||
| - And a blog post to announce this; however, may be a delay as a federal employee but will try and get the blog post out asap. | ||
| - Thomas – | ||
| - Great to see that. CSAF is getting more people involved. | ||
| - Tyler ahead of blog post announcement can we share with team. | ||
| - Justin - please wait until the blog post comes out and will send an email the TC (and in GitHub too). | ||
| - Action items – | ||
| - One task of editors is to convert FAQ under CSAF, and it has been merged with change in wording. | ||
| - Merged by Stephen and can review in markdown. | ||
| - Guidance and FAQ added some parts TOP version 1. CSAF distribution. | ||
|
|
||
| - With no concerns or issues regarding pull request [#655](https://github.com/oasis-tcs/csaf/pull/655) | ||
| - Thomas Schmidt set motion to accept text addition to guidance documents as given. | ||
| - Write CSAF 2.1 will support version 2. TOP version 2. | ||
| - Will add sentence to text of FAQ and update pull request. | ||
| - Thomas Schafer Second the motion. | ||
| - Motion passed. | ||
|
|
||
| - Consider for CSAF – [#639](https://github.com/oasis-tcs/csaf/issues/639) | ||
| - With no concerns or issues regarding the above pull request #639, | ||
| - Thomas Schmidt set motion for CSAF 2.1 and will register and include as stated by Stefen above. | ||
| - Thomas Shafer second motion. | ||
| - Motion passed. | ||
|
|
||
| - Clarify that blocking on user-agents is not allowed pull request #635. | ||
| - Thomas Schmidt – can block be based on user agents or does it need a specific user agent for CSAF files? This restriction of a certain set could hinder the adoption of CSAF user agent. Suggested not having these restrictions. | ||
| - With no concerns or issues regarding the above, | ||
| - Thomas Schmidt set motion to add #635 a statement to 2.1 is not allowed and add statement to FAQ too. | ||
| - Thomas Shafer seconded the motion. | ||
| - Motion passed. | ||
|
|
||
| - Mandate Access-Control-Allow Origin: * for files available in public to allow browser-based client [#653](https://github.com/oasis-tcs/csaf/issues/653) | ||
| - This issue is with CORS resource-sharing and includes data from a different domain in a course header to allow origin header. | ||
| - Client application on GitHub, could not gather data from Java Script. | ||
| - Mandate all CSAF providers inclusion with their data. | ||
| - Stefen said it is important to keep public. | ||
| - Thomas Schmidt is not a big fan of this suggestion. | ||
| - Mandate that everyone use in an insecure way is contradicting using “secure by design.” | ||
| - Sonny agrees. Does not lead to increased risk and it’s public anyway. | ||
| - Thomas Schmidt says its important about public files, CND providers, mandate this special instruction, an additional burden to the provider and no automation part. | ||
| - Just browser-based client and Java script in browsers only and not our main concern. | ||
| - Stefen questioned how we could maintain this. It’s not really progress with automation. | ||
| - Do not see as version 2.0 standard sends wrong message. | ||
| - Not increasing or using automation. Pull it back from now revisit later. | ||
| - Thomas Schmidt set motion to write a comment and label the issue CSAF 2.x and have a TC discussion needed and label to come back later. | ||
| - Do not include proposal in 2.1 and look at for 2.X. | ||
| - Thomas Schaffer seconds the motion. | ||
| - Motion to hold off passed. | ||
|
|
||
| - Pull request #647 team agreed to postpone discussion. | ||
|
|
||
| - Add new relationship to our bulk of relationship categories pull request #631. | ||
| - The Structure is a bit more complex but matches tools better and is an improvement. | ||
| - Feng says schema could fail and it excluded certain versions in CP screen. | ||
| - Thomas will look into this again to determine if it would be an issue. | ||
| - Take this at home and think about the issues over the next month and discuss at the next meeting. | ||
| - All TC members agreed to look at #631 and have a discussion during the next meeting. | ||
|
|
||
| - With no concerns or issues regarding pull request #629 to Clarify Markdown, | ||
| - Thomas Schmidt set motion to make changes: can be different markdowns so we should clarify which ones using – 2.1 use GitHub markdown. | ||
| - Denny second the motion. | ||
| - Motion passed and Stefen will make updates after this meeting. | ||
|
|
||
| - Pull request #626 – Raise file size softlimit. | ||
| - Thomas set motion to approve change. | ||
| - Stefen second the motion. | ||
| - Motion passed. | ||
|
|
||
| - Pull request #624 – Feature request: Add source (reference) to CVSS. | ||
| - Thomas Schaffer set motion to approve change. | ||
| - Stefen Agrees to implement featured procedure in 2.1. | ||
| - Denny and Thomas Schmid Second motion. | ||
| - Motion passed. | ||
|
|
||
| ## Next Steps | ||
| - Add Feng to meeting Rhonda to do if possible. | ||
| - Have discussions on issues listed above. | ||
|
|
||
| ## Adjourn | ||
| - The meeting adjourned at 1:59 PM US EDT | ||
|
|
||
|
|
||
|
|
||
| Note: All monthly meetings take place on the last Wednesday of each month at 1:00 PM US EDT. | ||
| The next meeting will be held on October 25, 2023. |