Skip to main content

OVAL and the SACM Information Model

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Expired".
Expired & archived
Authors, Daniel Haynes , Juan Gonzalez
Last updated 2015-11-06 (Latest revision 2015-05-05)
RFC stream (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The OVAL community has spent more than ten years developing and employing the OVAL Language. During this time, the community has made a number of design decisions and learned a number of lessons that should be leveraged as next generation endpoint posture assessment is formulated. There are a number of places throughout the SACM Information Model document that could be fulfilled by portions of the OVAL Language, either in its current state or, in some cases, with modifications. Another output of the work executed under the OVAL project is a number of lessons that are applicable to the SACM work. These lessons include a clear separation of data collection and evaluation; a call to focus on ensuring both primary source vendors and third party security experts feel invited to the discussion and are empowered to leverage their unique domain knowledge; and to strive for simplicity and flexibility, where possible. Finally, the OVAL community has a set of clear recommendations with respect to which parts of OVAL should be used by SACM as a means to make best use of the efforts of those that have worked on and supported OVAL over the past ten years. Those recommendations are: o Use the OVAL System Characteristics Model as a base data model for at least one way to provide data collection. o Use the OVAL Definitions Model in parts as a base data model for both evaluation and collection guidance. o Do not use the OVAL Results Model for a data model to encode evaluation results.

Daniel Haynes
Juan Gonzalez

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)