# SACM-112

9-Nov-21

* Chris Inacio (Chair)
* Karen O'Donoghue (Chair)
* Roman Danyliw (AD)
* Kathleen Moriarty
* Adam Montville
* Dave Waltermire
* Henk Birkholz
* Michael Rosa
* Jessica Fitzgerald-McKay

## COSWID Update

[draft-ietf-sacm-coswid-19](https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/)

* Henk thanks Roman for his patience for the final updates of the COSWID draft.
* IANA issues in the current draft need to be resolved, generated from the area reviews of the draft.
    - Which registry should this go in, SWID or COSWID?
    - The issue is the combination of change control of elements (ISO has change control of SWID, vs IETF for COSWID) and that COSWID has superset capability over SWID, so how to not limit COSWID evolution by limiting it to SWID.
    - Dave: wants the best of both worlds - ability to keep in synch with ISO on SWID but also the ability of COSWID to evolve more beyond. That is why the current text has both standards control (for capturing ISO updates) and expert review to allow COSWID evolution. Thus the various registries and rules.
    - The feedback from area reviews was really about which registry (singular) should be used (see [email](https://mailarchive.ietf.org/arch/msg/sacm/l-WgSI8rWQZPramFcUlTHzxe_4Y/) for the details).
    - If there should still be two IANA registries (SWID & COSWID) then better explanation text needs to be written. This should be determined by the working group.
    - Dave and Henk commit to an update with new explanation / text and/or adjustment to registries by **19-Nov-2021**.
* All other issues unresolved from the area reviews will also be handled. (See email above.) Targeting a new update to bring to the 14-Dec telechat.

## Architecture Update

[draft-ietf-sacm-arch-13](https://datatracker.ietf.org/doc/draft-ietf-sacm-arch/)

* open issues:
    - Kathleen: willing to help on the attestation/assessment text wanted to contribute
    - Henk: comment on use of the term attestation; Kathleen: it's broad here, but also should reference back to RATS
* Adam is looking for additional help
    - work is happening in [Open Cybersecurity Alliance PACE](https://github.com/opencybersecurityalliance/PACE)
    - under the OASIS umbrella
* Rosa: OCA PACE is trying to instantiate the SACM architecture; willing to volunteer to help more
* Henk: following PACE, but can't be sure what stage of development PACE is at (e.g. requirements definition, implementation, etc.)
    - Rosa will follow up with Henk offline
* Still looking for more volunteers, will take that to the list

## Way Forward

* Chairs & AD: discernible lack of energy and progress in the working group.
    - cannot see enough energy to complete the architecture
    - had a close date of Jan. 2021, no evidence that we shouldn't stick to that date
* Henk:
    - let us finish COSWID before we close
    - maybe salvage the effort of what has been developed in SACM to the PACE effort
* Kathleen: like to give Adam & Rosa a chance to wrap it up, with a hard deadline
* Roman (AD):
    - Jan deadline set a few meetings ago; so this isn't new
    - we can get COSWID done; but 3 months to fix area review comments on doc is too slow
    - but couldn't even get people to commit to architecture draft review in this meeting
* Jessica: moving the work to PACE with more energy might be the right thing
* could change the architecture draft from `Proposed Standard` to `Informational` to get what we have published
    - need to talk to Adam about that possibility
    - leave remaining open issues unresolved but publish what exists