Date Sent: 5/15/2014 Date Completed: 5/29/2014 Ballot: * Item 1: To include the win-def:license_test in the official 5.11 version of the OVAL Language. Overal Results: Yes: 11 No: 2 Total Organizations: 24 Quorum Required: 13 Total Vote: 13 Individual Results: Organization Vote -------------------------------------------------------------------------------------- Assuria Limited Y BeyondTrust, Inc. IBM Corporation Y INADEV Corporation Y Lancope, Inc. -------------------------------------------------------------------------------------- jOVAL.org Y McAfee, Inc. N Modulo Y Qualysys, Inc. Y RSA Security -------------------------------------------------------------------------------------- SecPod Technologies Symatec Corporation Y ThreatGuard, Inc. N Cisco Systems, Inc. Microsoft Corporation -------------------------------------------------------------------------------------- Red Hat, Inc. Y Center for Internet Security Y Depository Trust & Clearing Corporation (DTCC) Rockport Systems Unified Compliance -------------------------------------------------------------------------------------- Nils Puhlmann (individual) National Institute of Standards and Technology SPAWAR, U.S. Navy Y MITRE Corporation Y -------------------------------------------------------------------------------------- Background: David Solin of jOVAL proposed and added to the sandbox, the win-def:license_test to allow for the assessment of details about the specific Windows license for an endpoint. The attached form contains detailed information about the proposal. During a couple discussion periods on this test, we’ve had some lengthy conversation on this topic. A few of the relevant points: • While there was initially some concerns about the usage of an undocumented format for this test, a supported Microsoft API to access this information was discovered: http://msdn.microsoft.com/en-us/library/aa965834%28v=vs.85%29.aspx • There has been some question on whether this test was security relevant. Some folks believe that it is and others have reservations. David has stated that the test is relevant for the Security Advisory Distribution, Patch Management, and System Inventory use cases found on the OVAL web site: http://oval.mitre.org/adoption/usecasesguide.html