Minutes for SACM at interim-2015-sacm-1
minutes-interim-2015-sacm-1-9

Meeting Minutes Security Automation and Continuous Monitoring (sacm) WG
Title Minutes for SACM at interim-2015-sacm-1
State Active
Last updated 2015-01-10


   SACM_Virtual_Interim_Notes_2015-01-05

Agenda
*10:00 - Admin, Note Takers, Agenda Bashing
*10:05 - Status (chairs)
*10:10 - Endpoint ID Design Team report and discussions (David W.)
*11:00 - Architecture I-D (Nancy CW)
*11:15 - Requirements I-D (Nancy CW)
*11:30 - GitHub presentation and demo (Aziz), followed by tracker discussion
*11:50 - New milestones and way forward (chairs)

Administrivia
Note takers - Josh Lubell and David Waltermier (short of Endpoint discussion)

Status
We are going to update the use case draft as part of Feb 2015.  (Altering "way
forward" from IETF 91.)  Chairs are going to get together and draft a new set of
milestones to propose to the group.  (Action required by chairs.)  No further
discussion on status.

Endpoint ID Design Team Presentation
The Endpoint ID Design Team (EIDT) has met twice since the last meeting. 
Several terms have been proposed within that design team, including:
Identifying Attribute, Endpoint Attribute Assertion, Alias, and Label.  Ira is
wondering about adding "endpoint identity assertion", the specific subset of
endpoint attributes that can be used to create the set.  It's different from
endpoint attribute assertion in that it is, in effect, authorizing those
endpoint attributes that can be used as a basis for identity.  He will post
this to the list.

There is still contention about scope in EIDT and extensibility, issues that
will continue to be worked on as the EIDT continues to meet between virtual and
face-to-face meetings.  Dave is suggesting an IANA registry to help handle
extensibility concerns, and Lisa is saying that this approach might be good
enough.  This came up as part of the primary/secondary goal discussion.

Trouble with the term "confidence" from secondary goals.  We need to simply
find the term of art in, perhaps, risk management circles to drive this to a
conclusion.  We are concerned about "confidence" but in what exactly?

EIDT meetings will continue to be organized and driven by Dave W.

Architecture Draft
Basically addressed nits and such.  Updates focused primarily on Security
Considerations.  Dave W. suggested that 3.1.3 be reworded to increase clarity
that a data store could be a separate component.

Requirements Draft
Nancy folded requirements from use cases into the information and transport
sections.  She tried to beef up the Security Considerations section as well. 
Nancy is explicitly calling for Security Considerations review (as well as the
rest of the document).

Dan has some comments.  General comment: We have inconsistent use of
capitalized keywords, which can be confusing - suggesting that this is
corrected in the next revision of the draft (proper capitalization is important
for understandability).  Dan will send Nancy a more detailed review.  Section
2.3 is still talking about data models and information models at the same time,
which are different things - we need to distinguish these things, or otherwise
make the intent of the document clear at this point.

GitHub Discussion
Overview of GitHub describing different interaction clients (e.g. browsers,
mobile) and features (e.g. wikis, feature requests, etc.).  There are paid and
free accounts.  Paid can be made private.  Free is public.  They do host
open-source projects.  Git is user-centric as opposed to server-centric - it's
P2P over client-server.

Dan asked Aziz about fitness of GitHub for SACM's goals, where the goals are
principally to manage comments, tracking, etc.  Aziz believes GitHub is good
for the job.  It specifically allows concurrent document edits.  We can track
things specifically...  This is easy in GitHub.

Dan is mentioning that other working groups are leveraging GitHub also, so we
can look into those groups to look at the archives to see how they work, etc.

Chris is mentioning markdown-to-RFC.  Kathleen will get a current answer from
other AD's to get things right.  Chris is saying that this would make a big
difference.

There is some concern about issue tracking, which is a somewhat different
problem to solve.

Dan is going to propose some questions to the list for this consideration and
we'll move forward from there.

Way Forward
*Avoid serialization
*Work to meet short term milestones
  -Update Use Case document (Feb 2015)
  -Submit Requirements to IESG (Feb 2015)
    -Data model broken into two sections
    -Security Considerations finalized
  -Submit Architecture to IESG (March 2015)
    -Security Considerations finalized
  -Submit Information Model to IESG (March 2015)
*Set new WG milestones
*EIDT will continue...
*Second interim in February (probably something like 2nd/3rd week - weeks of
2/9 and 2/16)

There's a bit of discussion about whether we should progress the Use Case
document through IESG.  There is apparently some problem with this in IESG.  We
are, however, referencing the Use Case document in other drafts, so having this
published seems warranted.

Attendees (at start):
*Adam Montville
*Dan Romascanu
*Aziz Mohaisen
*Carolin Latze
*Charles Schmidt
*Clifford Kahn
*Danny Haynes
*David Waltermire
*Henk Birkholz
*Ira McDonald
*Jarrett Lu
*Jessica Fitzgerald-McKay
*Jim Bieda
*Josh Lubell
*Kathleen Moriarty
*Lisa Lorenzin
*Nancy Cam-Winget
*Ron Colvin
*Call-in User_6 (Carolin Latze)
*Call-in User_7 (Charles Schmidt)
*Call-in User_9 (Chris Inacio)