OASIS Common Security Advisory Framework (CSAF) TC

Hi all, I just noticed TLP 2.0 had been used since Aug 2022, but CSAF 2.0 still lists TLP 1.0. I don't recall we had any discussion to address it. Is it too late to upgrade CSAF 2.0 to cover TLP 2.0? Or is there any future plan for a quick release of CSAF 2.1 for such an issue? BTW, the future schema design can be enhanced to include the versions of tlp, and add "anyOf"/"oneOf" for the user to select the proper version of TLP. Thanks, --Feng

We can probably do a quick release if 2.1 to address TLP 2.0. Unfortunately, it’s too late since we already have the ball rolling for the final step to publish the standard.  Regards, Omar Santos Cisco PSIRT os@cisco.com  PGP: 3AF27EDC From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of Feng Cao <feng.cao@oracle.com> Sent: Wednesday, November 9, 2022 5:16:56 PM To: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> Subject: [csaf] still TLP 1.0 in CSAF 2.0?   Hi all, I just noticed TLP 2.0 had been used since Aug 2022, but CSAF 2.0 still lists TLP 1.0. I don't recall we had any discussion to address it. Is it too late to upgrade CSAF 2.0 to cover TLP 2.0? Or is there any future plan for a quick release of CSAF 2.1 for such an issue? BTW, the future schema design can be enhanced to include the versions of tlp, and add "anyOf"/"oneOf" for the user to select the proper version of TLP. Thanks, --Feng --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

Hi Feng, CSAF 2.0 (in its current version) was released 1st Aug 2022, TLP v2 according to members of the FIRST TLP SIG 2nd Aug 2022. As we are in the process to become an OASIS standard, we can't change that right now. (As a quick reminder: Please request your primary contacts to vote for that.) I would suggest to include that change with CSAF 2.1. I had already a chat with the FIRST TLP SIG to design a JSON schema for TLP. Right now, except from TLP:AMBER+STRICT, TLP v2 can already be used by pointing to the TLP v2 URL. The meaning of the labels stayed the same, only TLP:WHITE was renamed into TLP:CLEAR. Best wishes, Thomas -- Thomas Schmidt >
Original Message----- > From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> On Behalf Of > Feng Cao > Sent: Wednesday, November 9, 2022 11:17 PM > To: csaf@lists.oasis-open.org > Subject: [csaf] still TLP 1.0 in CSAF 2.0? > > Hi all, > > I just noticed TLP 2.0 had been used since Aug 2022, but CSAF 2.0 still > lists TLP 1.0. I don't recall we had any discussion to address it. > > Is it too late to upgrade CSAF 2.0 to cover TLP 2.0? Or is there any > future plan for a quick release of CSAF 2.1 for such an issue? > > BTW, the future schema design can be enhanced to include the versions of > tlp, and add "anyOf"/"oneOf" for the user to select the proper version > of TLP. > > Thanks, > > --Feng > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis- > open.org/apps/org/workgroup/portal/my_workgroups.php