Hi Eliot, thank you for the fast reply. Each document lists a preferred variant (see citation format - copied here as service): [CVRF-v1.2] CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2. Edited by Stefan Hagen. 13 September 2017. OASIS Committee Specification 01. http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/cs01/csaf-cvrf-v1.2-cs01.html. Latest version: http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/csaf-cvrf-v1.2.html. [csaf-v2.0] Common Security Advisory Framework Version 2.0. Edited by Langley Rock, Stefan Hagen, and Thomas Schmidt. 18 November 2022. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html. Feel free to do all capitals ([CSAF-v2.0]) - I guess that fits better into the way references are usually linked. -- Thomas Schmidt > -----Original Message----- > From: Eliot Lear <elear@xxxxxxxxx> > Sent: Monday, March 6, 2023 6:04 PM > To: Schmidt, Thomas <thomas.schmidt@xxxxxxxxxxx> > Cc: last-call@xxxxxxxx; scott.rose@xxxxxxxx > Subject: Re: Last Call: (Discovering and Retrieving Software Transparency and > Vulnerability Information) to Proposed Standard > > Thank you for these, Thomas. We will make these changes. If you have a > preferred bibliographic reference, we can use that. > > Eliot > > > On 6 Mar 2023, at 17:47, Schmidt, Thomas <thomas.schmidt@xxxxxxxxxxx> > wrote: > > > > Dear colleagues, > > > > the draft currently lists in section 9.2 a reference to CSAF: > > > >> [CSAF] OASIS, "Common Security Advisory Format", July 2021, > >> <https://github.com/oasis-tcs/csaf>. > > > > The correct name is "Common Security Advisory Framework". Please also > update the link to the standard to https://docs.oasis- > open.org/csaf/csaf/v2.0/csaf-v2.0.html or https://docs.oasis- > open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html > > > > Suggested: > >> [CSAF] OASIS, "Common Security Advisory Framework Version 2.0", > November 2022, > >> <https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html>. > > > > I guess a similar comment applies to CVRF which is currently listed as: > > > >> [CVRF] Santos, O., Ed., "Common Vulnerability Reporting Framework > >> (CVRF) Version 1.2", September 2017, <https://docs.oasis- > >> open.org/csaf/csaf-cvrf/v1.2/csaf-cvrf-v1.2.pdf>. > > > > But instead should be: > > > >> [CVRF] OASIS , "Common Vulnerability Reporting Framework > >> (CVRF) Version 1.2", September 2017, <https://docs.oasis- > >> open.org/csaf/csaf-cvrf/v1.2/csaf-cvrf-v1.2.pdf>. > > > > You could add the editors for both as well - but I'm not too sure what the > recommended format from IEFT looks like. > > > > Kind regards, > > Thomas Schmidt > > > > -- > > Thomas Schmidt > > -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
