Document: 22-OWGV-N0007

Disposition of Comments for SC22 N 3913, "New Work Item Proposal for Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use"

Date: 2006-03-13

Description: Disposition of comments for SC 22 N 3913



Netherlands

NE 1
The scope is too wide and too vague; as described, and seeing the list of documents to be considered, it is not difficult to fill a 1000+ page TR. We prefer a smaller, less ambitious project plan with a first edition of the TR within 2-3 years. Based on such a document, further editions covering other areas could be considered.

Response
The goal as stated in the NP document N3913 is to produce a TR in the normal 36 month schedule. This time constraint will help limit the scope and the size of the initial TR. The number of documents on the OWG:Vulnerabilities web page is overwhelming at first glance, but many if not most will be used for reference and education not as a basis for the TR.

NE 2
The relationship with the proposed work as described in SC22 N3886 (Report of 2005-03-31 SC22 Ad Hoc on Future Directions) under point 1 is unclear. The Netherlands opposes developing more than one TR in this area.

Response
The document N3913 is a refinement of the Ad Hoc meeting report and is the only NP to come forward from that report.


United Kingdom

UK 1
Q1: Comments: UK notes that ‘it is proposed to use experts appointed by each existing working groups’. If such experts do not actively participate in the project, then the resulting technical report will be yet another worthy effort destined to lie ignored and unread. UK will change its vote to "YES" when at least two SC22 working groups have agreed to actively participate in the project.

Response
At the 2005 plenary meeting of SC 22, the UK delegation noted that the No vote for Question 1 had been changed to a Yes; see resolution 05-14 in the Resolutions Prepared at the Eighteenth Plenary Meeting of ISO/IEC JTC 1/SC 22.

UK 2
Q2: Comments: UK notes that ‘it is proposed to use experts appointed by each existing working groups’. If such experts do not actively participate in the project, then the resulting technical report will be yet another worthy effort destined to lie ignored and unread. UK will change its vote to "YES" when at least two SC22 working groups have agreed to actively participate in the project.

Response
At the 2005 plenary meeting of SC 22, the UK delegation noted that the No vote for Question 2 had been changed to a Yes; see resolution 05-14 in the Resolutions Prepared at the Eighteenth Plenary Meeting of ISO/IEC JTC 1/SC 22.

UK 3
Q3: Comments: UK will participate while at least two SC22 working groups actively participate in the project.

Response
At the 2005 plenary meeting of SC 22, two working group conveners (WG 9 and WG 14) stated that their working groups would participate. At the meeting, the UK Head of Delegation stated that this would satisfy the UK concerns. Actions taken by BSI suggest that the UK is following through on that verbal agreement.

UK 4
Q6: Comments: www.knosof.co.uk/cbook/cbook1_0b.pdf is a very relevant commentary on C.

Response
The document is listed on the OWG:Vulnerabilities web page.