CVE Board Meeting 7 February 2018
Board Members in Attendance
Andy Balinsky (Cisco)
Mark Cox (Red Hat)
William Cox (Black Duck)
Beverly Finch (Lenovo)
Tim Keanini (Cisco)
Kent Landfield (McAfee)
Pascal Meunier (CERIAS/Purdue University)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT/CC)
Dave Waltermire (NIST)
Ken Williams (CA)
Members of MITRE CVE Team in Attendance
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25:
· Board Decisions
Automation – George Theall
· Board Decisions
2:25 – 2:45:
· Board Decisions
General – Jonathan Evans, Nick Caron
· Board Decisions
2:45 – 3:30: Continuation of the discussion on CVE Board Membership, alternates, and succession planning – Chris Coffin
3:30 – 3:40: CVE CNA Summit Status – Joe Sain
3:40 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
· PREVIOUS ACTION ITEM: MITRE will add Pascal Meunier to the CVE Strategic Working Group mailing list
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
ISSUES: Kent Landfield sent out a revised deck that had some of what was discussed in the last Strategic Planning Working Group (SPWG) meeting. It started with roles that Dave Waltermire created, and the SPWG has been working to expand the roles and provide additional detail. That was the real focus of the last two meetings. There was a lot of participation in the last meeting, which is good. We found some things that were missing, so we added a terminology slide and an automation slide, which will be included in the next version of the deck. Consensus is that we are heading in the right direction.
ACTIONS: Discuss use cases for CVE ID assignment now and in the future at the next meeting.
BOARD DECISIONS: N/A
Automation Working Group (George Theall)
ISSUES: Discussed the CNA list proposal, focused on unique identifiers for CNAs. Consensus was reached on using a universally unique identifier (for file names). We intend to update the existing CVE JSON files to include that identifier. There was also some discussion about how to express points of contact. We are concerned with how we might pass information back and forth via forms or emails—what does it have to look like? That discussion continues. It would be helpful to spell out what is NOT required.
BOARD DECISIONS: N/A
DWF (Kurt Seifried)
STATUS: No updates. The more structured data the better.
MITRE (CVE Team)
STATUS: We made Facebook and Hikvision CNAs. Samsung Mobile contacted us recently to become a CNA.
Continuation of the discussion on CVE Board Membership, alternates, and succession planning – Chris Coffin
Dave Waltermire: We discussed last time the possibility of being able to provide instructions to someone to stand in as an alternate if a Board Member must be away for an extended amount of time.
Kent Landfield: Many other Boards allow a proxy (who would be an existing Board member).
TK Keanini: If we are just talking about voting, I think the proxy idea works well. It’s a different problem if we are talking about something other than voting.
Andy Balinsky: There are very different issues if you know what the vote issue is and can advise the proxy how to vote on your behalf or if you just tell someone to vote on your behalf for whatever comes up.
Pascal Meunier: This may be a moot problem. We haven’t really had the need for a proxy before, have we?
Kent: There have been times where we have had close votes, and so there may be a time where a proxy will be needed. There are 22 current Board members.
Chris C: The last vote we had was the best I’ve ever seen with regards to how quickly votes were cast and the numbers of votes received.
Dave: If you know you’re going to be gone and there is a vote coming up, we can handle that by pre-voting. A proxy would be needed only if it’s an unanticipated leave of absence.
TK: Plus, the proxy will be a trusted associate and most likely be able to get in touch with you before casting a vote.
ACTION: (MITRE) Add words regarding proxy voting into the charter and send around to the Board for comments and a vote.
CVE CNA Summit Planning – Joe Sain
Non-US citizens are not permitted to bring personal electronic devices into the meeting.
Dave W: We need to think longer and harder about a more suitable venue where we don’t have to deal with these security issues.
Joe Sain: We agree completely, and our wrap-up session will cover the location for future events.
Chris C: I put together some basic slides. We have some input on the discussions, but we’d like to keep each discussion just that—discussions versus presentations. If anyone has thoughts on anything you’d like to add, please let me know.
Dave W: We can hold this at the National Cybersecurity Center of Excellence (NCCoE) next time.
ACTIONS: Chris C to send out slide deck for review and comments.
Kent L: Maybe we could have a SPWG face to face meeting to talk about roles. Perhaps we could do this on Wednesday (after summit) for anyone wanting to stay for a deeper conversation.
Dave W: Yes, doing some whiteboarding may be a quick way to capture some of the processes and how things are working / how they might work with a different division of roles. Would be helpful to have Chris C and Jonathan present.
Chris: Agreed; it may be better to do this later in the evening on Tuesday. Jonathan pointed out we have the room for both entire days and we don’t have a full day scheduled for Wednesday, so we could perhaps do this the afternoon of Wednesday.
Mark Cox: We will be submitting all future things in JSON. It’s a first test, really. If it works out, then the next step is to do it through Apache.
Kent L: As discussed in the last SPWG meeting, we have historically used block allocation of IDs, but they require a lot of resources for MITRE to keep track of them (40 hours a year). The reality is, with the proper services environment, we may be able to do this in a much more automated way. Allow CNAs, through a trusted mechanism, to retrieve the number of CVE IDs they need when they need them. A byproduct will be centralization, which is both a positive and a negative. The question is, we need to think of taking humans out of the process where they don’t need to be in the process (automate). We can put the real work that requires the human in the right place.
Kurt: If we do the automation, would it be only root CNAs? That kind of decision would have to be made.
Chris: We’ve talked about federation and you as a root get a block that you re-assign down the line, but if we went to automation and you could get IDs on demand, would it even go to the roots first, or could anybody go to the service and request IDs as they need them?
Kurt: Can we do a hybrid model?
Dave W: The payoff for something like this is when we start to implement a more robust reporting system as part of the ID allocation and the business processes around it. Technically, you’re supposed to collect statistics around what your CNAs are doing and provide that back, which is an additional workload that you’re taking on currently.
Kent: We could discuss this more at the SPWG face to face after the summit.
Summary of Action Items