
CVE Board Meeting Summary - 7 February 2018



CVE Board Meeting 7 February 2018


Board Members in Attendance

Andy Balinsky (Cisco)

Mark Cox (Red Hat)

William Cox (Black Duck)

Beverly Finch (Lenovo)

Tim Keanini (Cisco)

Kent Landfield (McAfee)

Pascal Meunier (CERIAS/Purdue University)

Kurt Seifried (Red Hat/DWF)

Taki Uchiyama (JPCERT/CC)

Dave Waltermire (NIST)

Ken Williams (CA)


Members of MITRE CVE Team in Attendance

Nick Caron

Chris Coffin

Christine Deal

Jonathan Evans

Kevin Greene

Joe Sain

George Theall

Alex Tweed


Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups
  • Strategic Planning – Kent Landfield
    • Issues
    • Actions
    • Board Decisions
  • Automation – George Theall
    • Issues
    • Actions
    • Board Decisions

2:25 – 2:45: CNA Update
  • DWF – Kurt Seifried
    • Issues
    • Actions
    • Board Decisions
  • General – Jonathan Evans, Nick Caron
    • Issues
    • Actions
    • Board Decisions

2:45 – 3:30: Continuation of the discussion on CVE Board Membership, alternates, and succession planning – Chris Coffin

3:30 – 3:40: CVE CNA Summit Status – Joe Sain

3:40 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

  • PREVIOUS ACTION ITEM: MITRE will add Pascal Meunier to the CVE Strategic Working Group mailing list
    • STATUS: Done 1/24/18
  • PREVIOUS ACTION ITEM: Kurt Seifried will begin documentation for Git Pilot JSON format handling
    • STATUS: In progress; discussion not specific to JSON


Agenda Items

Board Working Groups

Strategic Planning Working Group (Kent Landfield)

ISSUES: Kent Landfield sent out a revised deck that incorporated some of what was discussed in the last Strategic Planning Working Group (SPWG) meeting. The deck started with the roles that Dave Waltermire created, and the SPWG has been working to expand those roles and provide additional detail; that was the real focus of the last two meetings. There was a lot of participation in the last meeting, which is good. We found some things that were missing, so we added a terminology slide and an automation slide, which will be included in the next version of the deck. Consensus is that we are heading in the right direction.

ACTIONS: Discuss use cases for CVE ID assignment now and in the future at the next meeting.


BOARD DECISIONS: N/A


Automation Working Group (George Theall)

ISSUES: Discussed the CNA list proposal, focused on unique identifiers for CNAs. Consensus was reached on using a universally unique identifier (UUID) for file names. We intend to update the existing CVE JSON files to include that identifier. There was also some discussion about how to express points of contact. We are concerned with how we might pass information back and forth via forms or emails: what does it have to look like? That discussion continues. It would be helpful to spell out what is NOT required.

ACTIONS: None

BOARD DECISIONS: N/A

CNA Updates

DWF (Kurt Seifried)

STATUS: No updates. The more structured data the better.

ISSUES/DISCUSSION: None

ACTIONS: None

MITRE (CVE Team)

STATUS: We made Facebook and Hikvision CNAs. Samsung Mobile contacted us recently to become a CNA.

DISCUSSION: None

ACTIONS: None

Continuation of the discussion on CVE Board Membership, alternates, and succession planning – Chris Coffin

DISCUSSION:

Dave Waltermire: We discussed last time the possibility of being able to provide instructions to someone to stand in as an alternate if a Board Member must be away for an extended amount of time.

Kent Landfield: Many other Boards allow a proxy (who would be an existing Board member).

TK Keanini: If we are just talking about voting, I think the proxy idea works well. It’s a different problem if we are talking about something other than voting.

Andy Balinsky: There are very different issues if you know what the vote issue is and can advise the proxy how to vote on your behalf or if you just tell someone to vote on your behalf for whatever comes up.

Pascal Meunier: This may be a moot problem. We haven’t really had the need for a proxy before, have we?

Kent: There have been times where we have had close votes, and so there may be a time where a proxy will be needed. There are 22 current Board members.

Chris C: The last vote we had was the best I’ve ever seen with regards to how quickly votes were cast and the numbers of votes received.

Dave: If you know you’re going to be gone and there is a vote coming up, we can handle that by pre-voting. A proxy would be needed only if it’s an unanticipated leave of absence.

TK: Plus, the proxy will be a trusted associate and most likely be able to get in touch with you before casting a vote.

ACTION: (MITRE) Add words regarding proxy voting into the charter and send around to the Board for comments and a vote.

CVE CNA Summit Planning – Joe Sain

STATUS:

  • Preparations are in the final phases; working with Security Services, A/V, and Meeting Logistics staff.
  • The project will not be providing food; the MITRE Café is close to the meeting location.
  • 39 in-person attendees, including MITRE, CVE Board members, and CNA representatives from the following:
    • IBM
    • Cisco (Talos)
    • Akamai
    • Canonical Ltd. (Ubuntu)
    • Lenovo
    • McAfee
    • Zero Day Initiative (Trend Micro)
    • Apple
    • Trend Micro
    • Intel
    • Brocade Communications
    • SAP SE
    • Synology, Inc.
    • Juniper Networks
    • Oracle
    • KrCERT/CC
    • Amazon
    • Hikvision
    • Dell

DISCUSSION:

Non-US citizens are not permitted to bring personal electronic devices into the meeting.

Dave W: We need to think longer and harder about a more suitable venue where we don’t have to deal with these security issues.

Joe Sain: We agree completely, and our wrap-up session will cover the location for future events.

Chris C: I put together some basic slides. We have some input on the discussions, but we’d like to keep each discussion just that—discussions versus presentations. If anyone has thoughts on anything you’d like to add, please let me know.

Dave W: We can hold this at the National Cybersecurity Center of Excellence (NCCoE) next time.

ACTIONS: Chris C to send out slide deck for review and comments.


Open Discussion

Kent L: Maybe we could have a SPWG face to face meeting to talk about roles. Perhaps we could do this on Wednesday (after summit) for anyone wanting to stay for a deeper conversation.

Dave W: Yes, doing some whiteboarding may be a quick way to capture some of the processes and how things are working / how they might work with a different division of roles. Would be helpful to have Chris C and Jonathan present.

Chris: Agreed; it may be better to do this later in the evening on Tuesday. Jonathan pointed out we have the room for both entire days and we don’t have a full day scheduled for Wednesday, so we could perhaps do this the afternoon of Wednesday.

Mark Cox: We will be submitting all future things in JSON. It’s a first test, really. If it works out, then the next step is to do it through Apache.

Kent L: As discussed in the last SPWG meeting, we have historically used block allocation of IDs, but they require a lot of resources for MITRE to keep track of them (40 hours a year). The reality is, with the proper services environment, we may be able to do this in a much more automated way. Allow CNAs, through a trusted mechanism, to retrieve the number of CVE IDs they need when they need them. A byproduct will be centralization, which is both a positive and a negative. The question is, we need to think of taking humans out of the process where they don’t need to be in the process (automate). We can put the real work that requires the human in the right place.

Kurt: If we do the automation, would it be only root CNAs? That kind of decision would have to be made.

Chris: We’ve talked about federation and you as a root get a block that you re-assign down the line, but if we went to automation and you could get IDs on demand, would it even go to the roots first, or could anybody go to the service and request IDs as they need them?

Kurt: Can we do a hybrid model?

Dave W: The payoff for something like this is when we start to implement a more robust reporting system as part of the ID allocation and the business processes around it. Technically, you’re supposed to collect statistics around what your CNAs are doing and provide that back, which is an additional workload that you’re taking on currently.

Kent: We could discuss this more at the SPWG face to face after the summit.

Summary of Action Items

  • MITRE to draft words for charter to support proxy voting
  • Chris will send out draft slides for the summit
  • SPWG to discuss use cases for CVE ID assignment now and in the future
  • Let Summit attendees know that we will be having the SPWG face to face meeting after the summit on Wednesday afternoon

Significant Decisions:

None



Page Last Updated or Reviewed: March 30, 2018