OVAL Board Minutes

2006-05-05

Attendees

Mark Gergely - CA
Alan Ridgeway - CA
Dave Waltermire - Center for Internet Security
Kent Landfield - Citadel
Melissa McAvoy - Department of Defense
Jon Baker - MITRE
Steve Boczenowski - MITRE
Drew Buttner - MITRE
Dave Proulx - MITRE
Matthew Wojcik - MITRE
Mark Cox - Red Hat
Andrew Bove - Secure Elements

Agenda

  • Status Update
  • Version 5 Transition Plan
  • Compatibility
  • Developer Days
  • Board Participation

Meeting Summary

OVAL Status Update

  • Welcome Mark Gergely of CA and Gary Miliefsky of NetClarity, who have joined the OVAL Board.
     
  • Version 5 is due to become official on June 16th 2006. Progress towards that milestone continues on track. Release Candidate 1 was published March 16th, followed by RC2 on April 6th. The primary change in RC2 was the introduction of a common Linux schema, and the removal of separate schemas for Red Hat and Debian distributions. This followed discussion on the Developer list.

    There will be a Release Candidate 3 published in the near future. RC3 will primarily address the schema documentation, following requests for clarification via email to the Developer list. The organizational namespace for identifiers will also be changed to allow alphanumeric rather than simple alphabetic values. This is to accommodate domain names that include numbers, since Version 5 adopts a reverse DNS style for that portion of the identifier.

    MITRE doesn't feel it is necessary to push back the date of Version 5's adoption as official, since all of the changes in Version 5 since RC1 have been relatively minor. If there are any concerns with the timeframe, they should be sent to the Developer or Board lists.
     
  • Schematron directives have been added to the schema for Version 5, as of RC1. Schematron allows for additional validation of XML documents beyond the limits of XML schema validation.
     
  • MITRE held the 2nd round of OVAL Compatibility testing on January 24th 2006. Three organizations were awarded compatibility, bringing the total to 10 officially OVAL Compatible products and services from six organizations.
     
  • The compatibility section of the web site has been updated to better showcase the compatible products, and differentiate them from the products that have declared compatibility but not yet completed the certification process.
     
  • Recently there has been a welcome increase in feedback on the definitions in the OVAL Repository on the Discussion list.
     

Version 5 Transition

MITRE is working through a fairly long list of tasks related to the transition to Version 5. Documentation and web pages are being updated and clarified, Version 5 Beta 2 of the Definition Interpreter has been released, back-end database and web site development is in progress to support the OVAL Repository's transition to Version 5, and a tool to convert the Repository definitions from Version 4 to Version 5 is nearing completion. All Windows and Red Hat content in the Repository has been converted using an early version of this tool, and is available under "Sample Downloads" on the Version 5 schema page at

http://oval.mitre.org/oval/download/schema/version5/index.html

Those samples should not be considered the final versions. In particular, there is a desire to create inventory definitions for operating system and possibly application version checks, and update the repository to use those in place of the current tests. Related to that, there is still the outstanding issue of standardized names for operating systems and applications. The OVAL team expects to provide some input on that issue to the group working on the proposed XCCDF-P specification.

Landfield asked how long MITRE intends to support Version 4 content after Version 5 becomes official.

Wojcik replied that the plan is to have all current content converted to Version 5 on June 16th, when V5 becomes official. Version 4 Repository content, schemas, and interpreters would be archived on the web site. No new content would be created, published, or accepted as submissions to the Repository in Version 4 format after June 16th, 2006.

This follows the procedure approved by the Board for the transition from Version 3 to Version 4. There are many practical reasons for this approach, as well. The amount of work necessary to fully support two versions of the language at once is prohibitive. There are also new features in V5 that simply don't exist in V4, so backporting content in some cases would be impossible.

If there are significant problems with this approach, comment is welcome on the mailing lists or directly to MITRE. Board members present made no objections. Landfield noted that this should be very clearly stated on the web site.


Compatibility

The transition from Version 4 to Version 5 raises some issues regarding the OVAL Compatibility program. Vendors publicly declare which version(s) of the schema they support, and those certified as OVAL Compatible have been tested against a specific version (Version 4 for all currently certified). That certification will not automatically translate to different versions of the language, so currently Compatible products and services will have to be retested to be certified Compatible with Version 5, if desired.

No date has been set for any retesting yet. MITRE recognizes the expense of Compatibility testing, and would like to minimize the effort involved in retesting, since many core capabilities should not have to change for a new OVAL version.

Landfield asked if the web site would show all versions with which a product is compatible. Wojcik replied that the Compatibility Questionnaire includes the OVAL versions supported, and is available on the site. The Compatible Products and Services listing will probably be updated to include schema versions directly, as well.

[N.B. After the teleconference, Wojcik double-checked the web site and found that the questionnaires do not currently mention specific schema versions. These will be updated in consultation with the Compatible vendors, and updated questionnaires posted.]

Landfield suggested holding a round of Compatibility testing in conjunction with OVAL Developer Days, for re-certification with Version 5. This is an excellent idea and MITRE will see if it's feasible.

MITRE also announced that it does not expect to perform any more Compatibility testing against OVAL Version 4.

The OVAL team at MITRE has been considering various compatibility use cases for which we don't have definitive answers, and would like to present them to the Board for opinions.

Adding an 'OVAL Supporter' section to the web site is also under consideration, for products or services that do not qualify for OVAL Compatibility. Databases that reference OVAL IDs but do not produce or directly use OVAL content are one example. The listing of users of OVAL IDs has already been deemphasized on the web site, to better reflect the significantly lower level of effort as compared to OVAL Compatibility.

Landfield noted that in the past there was mention of making available a standard set of test cases to allow vendors to do some self-testing on our tools. Is there still the intention to make these available? These would include examples of SC and Results files as well as definition content. Buttner replied that MITRE is working on this with the update of the compatibility section of the web site.


Developer Days

The two-day OVAL Developer Days conference held at MITRE's Bedford, Massachusetts location in July 2005 was very successful. It provided an opportunity for the OVAL community to discuss the initiative in depth, and gave a tremendous amount of input to the direction of OVAL Version 5 in particular. MITRE is considering holding Developer Days again this year, and is looking for expressions of interest and for feedback on the proposed agenda.

There was comment from a number of Board members who attended last year that Developer Days was very worthwhile and they would attend again.

One issue in planning the conference is what the main topics would be. Developer Days 2005 focused primarily on work towards Version 5: new feature requests, structural changes needed in the language, etc. The OVAL team is working for increased stability of the language with the release of V5, so hopefully there won't be the need for immediate discussion of major new features and a proposed Version 6. Too much churn in the language will seriously hurt adoption.

Waltermire: I agree that that is a good idea, and I think that we've made the major changes necessary already with Version 5.

McAvoy: Expanding OVAL to configuration guidance forced lots of changes. With those changes in, I don't believe there is much more that needs to change in the near future.

Wojcik: Adding support for new OSes is an acceptable change and will be necessary, but beyond that, we're hoping for at most minor changes for a while.

Waltermire: We have to be sure to maintain structural backwards compatibility.

A proposed agenda for Developer Days 2006 will be sent out shortly.


Board Participation

The OVAL Board has been growing since the inception of the project, as new organizations request to participate and be represented. Some Board members are of course more active than others. While the Board hasn't gotten so large it is unwieldy, MITRE would like to encourage more involvement from the Board, and to have more active participants. This could mean that some inactive Board members are removed or asked to suggest someone who might be a more appropriate representative.

MITRE is looking to more formally define Board member expectations. Proposals will be circulated on the Board mailing list for comment and feedback.


Actions

  • Send compatibility use cases to Board.
  • Generate and post standard test cases for tools.
  • Send draft Developer Day agenda to Board.
  • Send proposed Board member expectations to Board.

Page Last Updated: February 07, 2008