Action items

- Chet - find out and communicate when next year's July F2F will be

- Stefan to talk to members of SARIF and DSSX TCs to see who might be interested in trialing SwaggerHub for an API.

- Chet to follow up with the Swaggerhub guys, provide feedback on our discussion and ask about using free license to trial.

- NEW - Chet to check with Jamie on risks posed by embargoes of vulnerability reports

- NEW - Chet to consider publishing the white paper to the TAB web page

- NEW - Patrick to collect examples of other organizations' approaches to embargoes and share with the TAB

- NEW - Chet to see how we might gain query access to shadow databases

Agenda

1) Roll call

2) Approve agenda

3) Approve minutes

4) Status of public reviews

- XACML REST Profile v1.1 and JSON Profile of XACML 3.0 v1.1 - ends Oct. 20th

- Digital Signature Service Core Protocols, Elements, and Bindings Version 2.0 - ends September 28th

5) Status of Swaggerhub proposal

6) Status of OASIS handling of security flaws white paper

7) Feedback from Scott on website update ideas

8) Brainstorming work items for 2018/2019

9) AOB

Minutes

1) Roll call

Jacques Durand
Patrick Durusau
Chet Ensign
Stefan Hagen

Regrets: Trey Darley

Invited expert: Ashok Malhotra

2) Approve agenda

No discussion of agenda. No objections to unanimous approval. Agenda approved.

3) Approve minutes

Sept 12th: https://lists.oasis-open.org/archives/tab/201809/msg00022.html

No discussion of minutes. No objections to unanimous approval. Minutes approved.

4) Status of public reviews

Patrick and Jacques will provide feedback on Digital Signature Service Core Protocols, Elements, and Bindings Version 2.0, sticking to the main structural issues usually reviewed (e.g. references, conformance clauses).

6) Status of OASIS handling of security flaws white paper

Chet reported that the TAB white paper on handling reports of vulnerabilities was sent to the Board Process Committee for consideration. The committee was introduced to it at their most recent meeting and will consider next steps (e.g. using it as the basis for a formal policy document) at its next.

Stefan noted one concern with how we choose to handle an embargo on reporting: impacts/risks to OASIS. If a company is using a product based on an OASIS standard and they get hacked and the hack is traced back to a flaw in the standard, does OASIS have any legal liability?

Discussion about whether TAB can post the white paper before Board final action. Chet agrees to follow up.

Patrick notes that there are documented practices by other organizations for embargoes - e.g. Google gives 90 days. We could reference that material. Patrick will find links and share them with the TAB.

5) Status of Swaggerhub proposal

Chet reports that a free account has been opened. Stefan and Andreas have been notified. Stefan reports that Andreas is on vacation and will report back after he returns.

7) Feedback from Scott on website update ideas

Chet reports on his talk with Scott. Regarding an API to Kavi, that remains an open issue with the vendor. However, Scott reports that we have shadow databases of all the records that could be queried. Scott is also happy to receive any feedback the TAB can provide on what TC members, officers, or outside parties might be interested in seeing on new TC web pages.

Chet to find out how we might query those shadow databases.

8) Brainstorming ideas for next year

TAB could review and give suggestions on new charters.

Jacques notes we should consider next steps for the Google sheet.

9) AOB

No other business brought up.

Next meeting will be 10 October 2018 at 16:00 UTC.

Minutes submitted by Chet Ensign, 01 October 2018.

Chat log

Chet: Standing by waiting on the Zoom meeting.
Ashok: Please send Zoom login info
Chet: Will do.
Ashok: OK. Standing by
Chet: Jacques, Ashok, looks like Trey is running a meeting on his Zoom account. We're standing by at the moment.
Chet: Looks like we'll need to make a different arrangement. Let me see what else I can use.
Chet: Trey is in NYC at a CTI F2F and they are using his Zoom account for that meeting.
Chet: I am sending an email to the TAB mailing list with different dial in info
Stefan Hagen: @chet: zoom tells me, that the moderator has an ongoing "different" meeting - what should I do?
Stefan Hagen: Ah ok, reading is such an underused cultural asset - sorry for the noise
Chet: OK, let's all try these numbers:
Chet: Conference Dial-in Number: (641) 715-3580

Stefan, I have Switzerland dial in as 044 595 90 34
Chet: Stefan, pls let me know if this number works.
Stefan Hagen: Will have to find a device with Skype (no phone at hand - do not laugh )
anonymous morphed into Patrick
Chet: Stefan if you need a different number let me know
Chet: Stefan, we'll go ahead and start talking and hold off on the good stuff until you can join us
Chet: Attending: Ashok, Chet, Jacques, Patrick, Stefan (via soaphub) - regrets Trey
Stefan Hagen: (y)
Chet: Agenda - no discussion, no objections to unanimous approval
Chet: Minutes - no discussion, no objections. minutes approved.
Chet: 4. Public reviews
Chet: Patrick may be able to look at the DSS public review for the formal stuff
Chet: Jacques will have a look as well
Chet: Announcement for DSS-X: https://www.oasis-open.org/news/announcements/invitation-to-comment-on-digital-signature-service-core-protocols-elements-and-bi
Chet: XACML: https://www.oasis-open.org/news/announcements/invitation-to-comment-on-xacml-rest-profile-v1-1-and-json-profile-of-xacml-3-0-v1
Chet: Switching order: 6) Status of vul white paper
Chet: Chet recaps
Chet: Stefan: one hard use case should be impacts/risks to OASIS
Chet: e.g. Bank of America using a product that uses DSS-X and are hacked
Chet: would the embargo put us at risk? how would the responsibility be distributed among the players
Chet: I want to know that OASIS will survive - if we knew but still had it under embargo
Chet: Ashok: when they say policy document what do they mean? BPC will draft an official policy document
Chet: So here is what I am worrying about: it could take a year or more to do this and our document wouldn't be available until then. Ashok would like to see it available earlier
Chet: AI Chet to ask BPC if we can publicize the paper earlier
Chet: Patrick:
Chet: There are standard practices for embargoes - e.g. Google gives 90 days - so that may be something we can point to
Chet: AI to Patrick - find links and share them with the TAB
Chet: Stefan: Our problem may be a bit more difficult - we might be the ones given the 90 day embargo. We have more to look at than just code - we need time to not only find the fix but publish it as well
Chet: AI Chet - ask Jamie about the legal risk
Stefan Hagen: researcher finds bug -> notifies vendors + n days embargo -> after n days goes public -> exploitable
Chet: 5) Status of Swaggerhub
Stefan Hagen: researcher finds bug in protocol -> notifies OASIS + n days embargo -> after n days goes public, BUT what should OASIS do? create fixed standard according to TC process rules (possibly reaching up to ISO and ITU ...), and vendors have to be identified (that is a tough point)
Stefan Hagen: So: Risk of being sued by vendors not found, sued by customers of vendors impacted that simply do not fix, etc. (just to make my point hopefully clearer)
Chet: Chet recaps
Chet: where we are
Chet: Stefan: Andreas is on vacation right now. He'll get back after
Chet: Jacques: this may incentivize TCs to develop APIs more
Chet: Might this influence the spec work? How many candidates today?
Chet: Stefan: very relevant for CSAF, SARIF, and OData
Chet: Also see this as good for Open Projects
Chet: 8) brainstorming
Chet: Ashok: one idea for the coming year - out of the box - open job position for OP Community facilitator
Chet: e.g. tab give suggestions on charters
Chet: J: we should consider next steps for the Google sheet

20180926 (last edited 2018-10-01 18:07:54 by chet.ensign)