Document: 22-OWGV-N0007
Disposition of Comments for SC22 N 3913, "New Work Item
Proposal for Guidance to Avoiding Vulnerabilities in Programming
Languages through Language Selection and Use"
Date: 2006-03-13
Description: Disposition of comments for SC
22 N 3913
Netherlands
  - NE 1
 
- the scope is too wide and too vague; as described, and seeing
  the list of documents to be considered, it is not difficult to
  fill a 1000+ page TR. We prefer a smaller, less ambitious project
  plan with a first edition of the TR within 2-3 years. Based on
  such a document, further editions covering other areas could
  be considered.
  
 
- Response
 
- The goal as stated in the NP document N3913
  is to produce a TR in the normal 36 month schedule. This
  time constraint will help limit the scope and the size of the
  initial TR. The number of documents on the OWG:Vulnerabilities
  web page is overwhelming at first glance, but many if not most
  will be used for reference and education not as a basis for the
  TR.
  
 
- NE 2
  
- the relationship with the proposed work as described in SC22
  N3886 (Report of 2005-03-31 Sc22 Ad Hoc on Future Directions)
  under point 1 is unclear. The Netherlands opposes to develop
  more than one TR in this area.
  
 
- Response
  
- The document N3913
  is a refinement of Ad
  Hoc meeting report and is the only NP to come forward from
  this document.
United Kingdom
  - UK 1
  
- Q1: Comments: UK notes that ‘it is proposed to use
  experts appointed by each existing working groups’. If
  such experts do not actively participate in the project, then
  the resulting technical report will be yet another worthy effort
  destined to lie ignored and unread. UK will change its vote to
  "YES" when at least two SC22 working groups have agreed
  to actively participate in the project.
  
 
- Response
  
- At the 2005 plenary meeting of SC 22, the UK delegation noted
  that the No vote for Question 1 has been
  changed to a Yes, see Resolutions
  Prepared at the Eighteenth Plenary Meeting of ISO/IEC JTC 1/SC
  22 resolution 05-14.
  
 
- UK 2
  
- Q2: Comments: UK notes that ‘it is proposed to use
  experts appointed by each existing working groups’. If
  such experts do not actively participate in the project, then
  the resulting technical report will be yet another worthy effort
  destined to lie ignored and unread. UK will change its vote to
  "YES" when at least two SC22 working groups have agreed
  to actively participate in the project.
  
 
- Response
  
- At the 2005 plenary meeting of SC 22, the UK delegation noted
  that the No vote for Question 2 has been
  changed to a Yes, see Resolutions
  Prepared at the Eighteenth Plenary Meeting of ISO/IEC JTC 1/SC
  22 resolution 05-14.
  
 
- UK 3
  
- Q3: Comments: UK will participate while at least two SC22
  working groups actively participate in the project.
  
 
- Response
  
- At the 2005 plenary meeting of SC 22, two working group conveners
  (WG 9 and WG 14) stated that their working groups would participate.
  At the meeting, the UK Head of Delegation stated that this would
  satisfy the UK concerns. Actions taken by BSI suggest that the
  UK is following through on that verbal agreement.
  
 
- UK 4
  
- Q6. Comments: www.knosof.co.uk/cbook/cbook1_0b.pdf is a very
  relevant commentary on C.
  
 
- Response
  
- Document is listed on the OWG:Vulnerabilities
  web page.