
Minutes for SACM at interim-2014-sacm-3
minutes-interim-2014-sacm-3-1

Meeting Minutes Security Automation and Continuous Monitoring (sacm) WG
Date and time 2014-05-28 07:00
Title Minutes for SACM at interim-2014-sacm-3
State Active
Last updated 2014-06-19

SACM virtual meeting 28/05
Present (18):
Dan Romascanu
Adam Montville

Nancy Cam-Winget
Lisa Lorenzin
Panos Kampanakis
Matt Hansbury
Juan Gonzalez
Jarret Lu
Ira McDonald
Gunnar Engelbach
Danny Haynes

Note Takers:
Dave Misell
+1 Hour Josh Lubell
Gunnar Engelbach

WG Status:

Still lagging on milestones - behind on protocol and data format work
Requirements and architecture need more work

Terminology:

Nancy Cam-Winget has updated the draft based on feedback - more
terminology anticipated once an architecture is in place.  Making a distinction
between "Posture" and "Posture Attribute" for example, and removing references
to some terms like "vulnerability."  Work on Terminology will continue as the
WG progresses.

Use Cases WGLC:

No presentation (Dave Waltermire had an emergent situation pre-empt his ability
to participate in this interim).

Requirements and Architecture related discussion:

The list of possible new requirements (sent on 2014-05-20 by Lisa Lorenzin)
was discussed, and the agreed additions will be added to the Information Model
section of the requirements draft.

Data Integrity and Data Protection separated into two new requirements. 
Consensus is to include both as requirements, with the idea that both must be
available but their use is not required.  Some discussion on "Data Privacy"
vice "Data Protection" with the latter being used due to it being broader. 
Also some discussion of including requirements for data at rest as well as data
in motion.  No conclusion here -- it is expected that this will be discussed
further once the requirements are written up.

Support for discovery of capabilities accepted as a requirement. This would
allow a SACM node to make inquiries about capabilities of other nodes on the
SACM network.  This is a potentially large ability on its own and it was
accepted that an attempt will be made to limit it to keep it manageable.

Make explicit support for peer-to-peer:  no objections to adding this as well.

Ability to partition data -- accepted as a requirement, but as with data
integrity/protection this would be required to be supported but the usage is
not required.  This requirement would allow implementations to define silo
boundaries that SACM data would not cross.

A few other additions were discussed.  Adding a modularity requirement evolved
from Lisa's suggestion of negotiating version and capabilities as part of the
protocols.  Among other things, this helps allow for future updates to the
standards while preserving backward compatibility.  We also added time stamping
as a requirement.

Discussion of making the ability to detect time discrepancies between nodes a
requirement.
After some discussion it was felt that if each node in the chain timestamped
receipt/transmittal of a data item that would be sufficient to determine a
clock skew of any node.  At the risk of adding too many "nice to haves" to the
requirements, it was also felt that the original requirement of explicitly
supporting time discrepancies should be part of the requirements document as it
was easier to drop extra requirements later than it is to add them.

Way Forward

2014-05-25 – Terminology Update (not final)
2014-05-25 – Requirements Update Submitted
2014-05-25 – Architecture I-D submitted
2014-04-30 – Start Use Case WGLC
2014-06-15 – Adopt Requirements I-D
2014-06-30 – Adopt Architecture I-D
2014-07-04 – Initial Submissions for the Information Model