Minutes: Meeting #26 on Programming Language Vulnerabilities, June 2013

ISO/IEC JTC 1/SC 22/WG 23/N 0456
Minutes: Meeting #26
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
08-10 June 2013

Meeting Times:

08 June 2013: 9:00 am to 4:00 pm (CEST - Central European Summer Time)
09 June 2013: 9:00 am to 4:00 pm (CEST - Central European Summer Time)
10 June 2013: 9:00 am to 12:00 pm (CEST - Central European Summer Time)

Meeting Information:

See document: N 0437

Meeting Location:

See 18^th Ada-Europe 2013

Local Contacts:

Erhard Ploedereder

Email: ploedere@informatik.uni-stuttgart.de

Teleconference information:

See document: N 0451

Agenda

1. Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

Clive Pygott UK

Tatsuaki Takebe Japan

Kazuyoshi Korosue Japan

Steve Michell Canada

David Keaton USA

Larry Wagoner USA

Erhard Ploedereder WG 9 Liaison and Meeting Host

Tullio Vardanega Italy

John Benito Convener

1.3 Procedures for this Meeting

Consideration for the participants using the WebEx feature should be given.

1.4 Approval of previous Minutes [N 0441]

Minutes approved without changes.

1.5 Review of actions items and resolutions, Action Item and Decision Logs

#23–01 moved to closed
#24–01 moved to closed

1.6 Approval of Agenda [N 0451]

Agenda approved without changes.

1.7 Future Meeting Schedule

Discussed times to hold the December teleconference, it was decided that 6 am Japan time, 10 pm UK time would work best.


2014
#30	June 2014	Rapperswil, Switzerland	Co-located with WG 21
#29	TBD	Kona, Hawaii, USA

2013
#28	December 09-11	Web conference
#27	September 19-21	Tokyo, Japan	Co-located with SC22 plenary meeting.

2. Reports on Liaison Activities

2.1 SC 22

No Report

2.2 PL22.3/WG5 (Fortran)

No Report

2.3 PL22.4/WG4 (COBOL)

No Report

2.4 WG9 (Ada)

HRG looked at Ada Annex in the TR 24772:2012
A person has been identified to replace Rod Chapman as SPARK liaison

2.5 PL22.11/WG14 (C)

A new study on parallel programming was started at the last WG 14 meeting [cplex]. Enrollment is open, first meeting (teleconference) is 17-June-2013.
Project 16881 part 1 is in PDTS ballot.
Project 17961 has been sent to JTC 1, the DTS ballot has not started yet, but should soon.
Future meetings for WG 14 are:
- Chicago in October 2013
- Parma Italy March/April 2014
- St Louis in October/November 2014

2.6 PL22.16/WG21 (C++)

WG 21 is planning to release an updated C++ Standard every three years.
Currently WG 21 has a NP & CD ballot at SC 22 with the goal to republish the 2011 Standard in 2014.

2.7 Ecma International, TC49/TG2 (C#)

No Report

2.8 Ecma International, TC39 (ECMAScript)

No Report

2.9 MISRA (C)

The 3^rd edition has been released, this version is based on ISO/IEC 9899:1999.
Currently there is a temporary Chairperson
The group is discussing the approach to take to publish the next version of MISRA C based on the language standard ISO/IEC 9899:2011.
AI #26–1, Pygott to review the references to MISRA C in TR 24772 with this new MISRA C as the reference document

2.10 MISRA (C++)

No Report

2.11 SPARK

No Report

2.12 SC7/WG19 (UML)

No Report

2.13 Other Liaison Activities or National body reports

None

3. Document Review

Baseline draft of TR Edition 3 [N 0450]
- It was decided to move the clause 8 vulnerabilities into clause 7 after 6.57 [MEM]
Support document for UK comments on CD 17960 [N 0449]
- It was decided that this document did not support the statement "numerous known problems with digital signatures" in the UK comment.
JISC Comments on CD 17960 [N 0448]
- The Japanese NB would like to see a detailed rationale on why the NP and the document balloted do not match, or a new NP with the current project being canceled.
- The Japanese NB does not want the current NP to be altered (if that can even be possible), because that would start a dangerous precedence.
UK Comments on CD 17960 [N 0447]
- The UK comments were discussed, see [N 0455], project editor to fill in the comments as they are applied to the document. This new document will be used in the review for the document.
- Each comments was discussed, and the project editor was given guidance on text to use, the comment text was not available for review in some cases.
Ballot results for CD 17960 [N 0446]
- Ballot failed, with two NO votes (UK and Japan).
Comments on N 0454, see [N 0457]
- Introduction (paragraph 2) should use the term "Authentication".
- Long discussion about the some of the basic premises of the Code Signing document. Decisions that had been reached in the past were questioned. No real set direction has been decided upon.
- Decided that there is a need to look at existing practice, sanity check.
- AI #26–2, Pygott, reword 4.12 to remove the word verbatim.
- AI #26–3, Pygott and Benito to look at existing practice.
- Convener pointed out that review needed to happen between meetings, at the September meeting the Committee should decide what is next for this project (17960). This very important decision can not happen unless there is a current document that reflects the decisions of this meeting.
- Schedule for review:
  - 24-June, review copy to Convener
  - 08-July, all comments from review to Convener
  - 15-17 July, teleconference if needed
- Review committee:
  - Clive Pygott
  - Steve Michell
  - Larry Wagoner
  - Erhard Ploedereder
  - John Benito
Recommendations from section 6.x.5 [N 0457]
- The committee had no chance to review this document before the meeting.
- One suggestion was to add some form of this data to Section 5.
- It was suggested that an outline format be used to represent the data instead of the initial form that is along the lines of Top 22 recommendations.
- The general feeling is that more work needs be done.
- Everyone was positive about adding some form of this data to the 3^rd revision of TR 24772.

4. Other Business

4.1 Promotion of WG23 Products, Steve Michell, per Action Item #21–6

Clive – Abstract for symposium in UK, the Convener should send the Power Point used in the past.

The link to the freely available ISO/IEC TR 24772:2012 is now on the WG 5, WG 9, WG 14, and WG 21 web sites. Also there is a link in the CWE web site.

5. Resolutions

Three new action items where identified, #26–1, #26–2, #26–3.

6. Adjournment

Thanks was expressed to the Host, Erhard Ploedereder for great facilities and good food!

Clive Pygott		UK
Tatsuaki Takebe		Japan
Kazuyoshi Korosue		Japan
Steve Michell		Canada
David Keaton		USA
Larry Wagoner		USA
Erhard Ploedereder		WG 9 Liaison and Meeting Host
Tullio Vardanega		Italy
John Benito		Convener

ISO/IEC JTC 1/SC 22/WG 23/N 0456 Minutes: Meeting #26 ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities 08-10 June 2013

Meeting Times:

Meeting Information:

Meeting Location:

Local Contacts:

Teleconference information:

Agenda

1. Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

1.3 Procedures for this Meeting

1.4 Approval of previous Minutes [N 0441]

1.5 Review of actions items and resolutions, Action Item and Decision Logs

1.6 Approval of Agenda [N 0451]

1.7 Future Meeting Schedule

2. Reports on Liaison Activities

2.1 SC 22

2.2 PL22.3/WG5 (Fortran)

2.3 PL22.4/WG4 (COBOL)

2.4 WG9 (Ada)

2.5 PL22.11/WG14 (C)

2.6 PL22.16/WG21 (C++)

2.7 Ecma International, TC49/TG2 (C#)

2.8 Ecma International, TC39 (ECMAScript)

2.9 MISRA (C)

2.10 MISRA (C++)

2.11 SPARK

2.12 SC7/WG19 (UML)

2.13 Other Liaison Activities or National body reports

3. Document Review

4. Other Business

4.1 Promotion of WG23 Products, Steve Michell, per Action Item #21–6

5. Resolutions

6. Adjournment

ISO/IEC JTC 1/SC 22/WG 23/N 0456
Minutes: Meeting #26
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
08-10 June 2013