Draft minutes TAB meeting 10 October 2018

Action items

- Chet - find out and communicate when next year's July F2F will be

- Chet to follow up with the Swaggerhub guys, provide feedback on our discussion and ask about using free license to trial.

- Chet to check with Jamie on risks posed by embargoes of vulnerability reports

- Chet to consider publishing the white paper to the TAB web page

- Chet see how we might gain query access to shadow databases

Agenda

1) Roll call

2) Approve agenda

3) Approve minutes

4) Status of public reviews

5) Status of action items

6) Update on self-certification

7) VEL charter

8) TAB ideas for proposing TC web page improvements

9) Ideas for work items for the coming year

10) AOB

Minutes

1) Roll call

Trey Darley
Jacques Durand
Patrick Durusau
Chet Ensign
Stefan Hagen

Invited expert: Ashok Malhotra

2) Approve agenda

No discussion of agenda. No objections to approval. Agenda approved.

3) Approve minutes

26 Sept. 2018: https://www.oasis-open.org/apps/org/workgroup/tab/email/archives/201810/msg00001.html

No discussion of minutes. No objections to approval. Minutes approved.

4) Status of public reviews

No first reviews open at this time.

5) Status of action items

- Chet - find out and communicate when next year's July F2F will be. Still open.

- Chet to follow up with the Swaggerhub guys, provide feedback on our discussion and ask about using free license to trial. Still open.

- Chet to check with Jamie on risks posed by embargoes of vulnerability reports. Still open.

- Chet to consider publishing the vulnerability white paper to the TAB web page. Still open.

- Patrick to collect examples of other organizations' approaches to embargoes and share with the TAB. Closed.

- Chet see how we might gain query access to shadow databases. Still open.

6) Update on self-certification

Provided white paper and summary of the CTI STIX Preferred program to Dr. Carol Cosgrove-Sacks who forwarded on to interested parties at ENISA (European Union Agency for Network and Information Security). They may be interested in learning more.

Discussion about self-certification and upcoming events. Discussion of how the STIX Preferred program will work in particular.

7) VEL charter update

Discussion about the new OASIS Variability Exchange Language (VEL) TC charter that has gone out for call for comment.

8) TAB ideas for proposing TC web page improvements

Chet explained the shadow databases as he understands them. Chet has an action item (AI) to get information on the shadow databases from Scott. Agreement that improving the look and features of the OASIS web site would be a big improvement.

Chet to follow up with Scott / Jessie

9) Ideas for work items for the coming year

Tabled until the next meeting.

10) AOB

No other business was raised.

Next meeting will be 24 October 2018 at 16:00 UTC. No conflict with daylight savings time for that meeting.

Minutes submitted by Chet Ensign, 17 October 2018.

Chat log

Chet: Proposed agenda:

Chet: 1) Roll call

2) Approve agenda

3) Approve minutes

26 Sept. 2018: https://www.oasis-open.org/apps/org/workgroup/tab/email/archives/201810/msg00001.html

4) Status of public reviews

5) Status of action items

- Chet - find out and communicate when next year's July F2F will be

- Chet to follow up with the Swaggerhub guys, provide feedback on our discussion and ask about using free license to trial.

- Chet to check with Jamie on risks posed by embargoes of vulnerability reports

- Chet to consider publishing the white paper of vulnerability to the TAB web page

- Patrick to collect examples of other organizations' approaches to embargoes and share with the TAB

- Chet see how we might gain query access to shadow databases

6) Update on self-certification

Provided white paper and summary of the CTI STIX Preferred program to Dr. Carol Cosgrove-Sacks who forwarded on to interested parties at ENISA (European Union Agency for Network and Information Security)

7) VEL charter

8) TAB ideas for proposing TC web page improvements

9) Ideas for work items for the coming year

10) AOB
Chet: Attending: Trey, Patrick, Stefan, Jacques, Chet and Ashok
Chet: Agenda: no discussion. no obj. agenda approved
Chet: Minutes: no discussion. no obj. minutes approved.
Chet: Public reviews - no new
Chet: Action items:
Chet: - Chet - find out and communicate when next year's July F2F will be - open
Chet: - Chet to follow up with the Swaggerhub guys, provide feedback on our discussion and ask about using free license to trial - open
Chet: Andreas providing feedback on the OpenAPI v3.0 issues - so ongoing
Chet: Splitting time w/ that and next spec doc
Chet: - Chet to check with Jamie on risks posed by embargoes of vulnerability reports - open
Chet: - Chet to consider publishing the white paper of vulnerability to the TAB web page - open
Chet: - Patrick to collect examples of other organizations' approaches to embargoes and share with the TAB - closed
Chet: Chet proposes adding Patrick's feedback into the white paper and producing an update
Chet: AI - Chet / Patrick - incorporating
Chet: - Chet see how we might gain query access to shadow databases - open
Chet: Update on self-cert
Chet: Chet recaps Dr. Carol's conversation w/ ENISA
Chet: Trey: event coming up early November w/ other organizations. Trey is one of the SMEs invited to speak on STIX 2.0. A lot of potential to drive adoption
Chet: Jacques: re self-cert, other orgs have done that in the past. Does seem to be the way to go. Self-cert is a first step, doesn't stop later more formal efforts.
Chet: Chet - send white paper link to Trey
Chet: Trey - waiting on what? Chet - the code of conduct for reviewers
Chet: Trey - thinking about how it will work practically - having a similar situation in a program committee where they may ask a reviewer to recuse themselves. for folks reviewing STIX Preferred, it is a volunteer driven effort - so invariably there will be direct competitors reviewing results.
Chet: Trey - as an alternative to allowing a submitter to ask that someone recuse themselves, we should also have an appeals process
Chet: That is critical to ensure credibility and transparency
Chet: Patrick: appeals processes can be burdensome. what if we have a submitter have the ability to say 'here is who i know has conflicts' - so the reviewer has to ack they are competitors. Trey: the problem is that negative results don't get passed
Chet: Patrick: a status of 'questioned'? and you'd get links to the results
Chet: Trey: this is workable.
Chet: VEL charter
Chet: recap
Chet: Ashok: I couldn't figure out what the proposers want to do. Patrick, can you explain?
Chet: Patrick: i *think* they have an unspecified workflow one part of which is a way of exchanging values in xml - they don't seem to be defining what happens before or after. Unclear what they have in mind - seemed like an odd use of xml - closed workflow
Chet: Trey: it sounds like sw equivalent of regulatory capture - why would somebody pay to standardize something like that?
Chet: Trey: are they all from a single organization? No - but happy to work in their own group
Jacques (Fujitsu): I'll have to leave early today, 10 min before the hour.
Chet: Jacques: rules - 5 people, 2 org members represented - any way OASIS can stop? no - but we definitely recruit
Chet: TAB ideas for proposing TC web page improvements
Chet: Chet needs to get more info on shadow databases per AI above
Chet: having a better UI that shows what's important, guides you in to what the TC is doing would be a big step forward
Chet: P: get a better reaction if we have something concrete to put before them
Chet: Trey: shadow databases? chet explains
Chet: and we do have access to Drupal
Chet: Chet to follow up with Scott / Jessie
Chet: Ideas for work items for the coming year
Jacques (Fujitsu): have to leave now - bye.
Chet: Question to raise with board: criteria for quorum on a member ballot - where the member is paying but not active
Chet: persistent non-voting Organizational Member

20181010 (last edited 2018-10-17 21:32:04 by chet.ensign)