OpenChain-Project / Security-Assurance-Specification


Scope Suggestions from Expert CERT on OpenChain Security Assurance Specification 1.0 (WG3 N2348) 2022-09-07 #6

Closed shanecoughlan closed 1 year ago

shanecoughlan commented 1 year ago

Please see attached document for scope adjustment suggestions.

Source: Expert CERT on OpenChain Security Assurance (WG3 N2348) 2022-09-17 Scope Suggestions from Expert CERT on OpenChain Security Assurance Specification 1.0 (WG3 N2348) 2022-09-07.docx

stephenkilbaneadi commented 1 year ago

CERT-02: Seems like good additions.

CERT-03: Is the first addition a single item to add, or three? Supporting these extra elements might make this spec harder to adopt.

CERT-04: No objection.

jthDEV commented 1 year ago

CERT-02: I like the definitions of remediate and mitigate. But we do not make use of them in the document, so I am not sure whether it is of benefit adding them. Only in 3.2.2 #4 does the word "remediate" appear. Maybe we should not dive into that?

CERT-03: The requirement is covered in 3.2.1. We might add a reference as an example to ISO/IEC 29147:2018 but should not require it. First, the other ISO standard is not open, which would somehow limit the openness of this standard, and second, it would require another test. Same with the handling standard ISO/IEC 30111:2019.

CERT-04: As mentioned above, I feel good in providing a sample reference, but would not leverage it as a requirement.

shanecoughlan commented 1 year ago

These comments were reviewed on our work group call on 2022-09-27 and were either included as editorial feedback or marked out of scope for OpenChain Security Assurance Specification 1.0, with a memo to return to them when working on OpenChain Security Assurance Specification 2.0.

Rationale:

==

We will hold a special call to discuss ISO/IEC WG/SC27 comments on Tuesday the 27th of September 2022 at 08:00 UTC.

We are providing some guidance on the review of these comments and suggestions.

(1) Our specification was completed after a multi-month process in March 2022, and it was ratified by our board for ISO/IEC JTC-1 PAS submission on the 14th of September 2022
(2) Therefore OpenChain Security Assurance Specification 1.0 is functionally complete
(3) We should review the ISO/IEC WG comments with this perspective
(4) We are looking for editorial adjustments for clarity and errors
(5) We are not looking to change the scope or function of OpenChain Security Assurance Specification 1.0 or any immediate clarity / error adjusted successor
(6) This is because we want to proceed with our JTC-1 PAS submission as approved by the OpenChain Governing Board
(7) But we can place any comments for scope and function adjustment into a deferred status
(8) And we will return to them for discussion around inclusion in OpenChain Security Assurance Specification 2.0

shanecoughlan commented 1 year ago

All outstanding items moved to Spec 2.0 discussion.

shanecoughlan commented 1 year ago

This issue is now closed as the material has been split into three other smaller issues to address.