[art] Artart last call review of draft-ietf-sacm-coswid-18

Rich Salz via Datatracker <noreply@ietf.org> Mon, 02 August 2021 19:55 UTC

From: Rich Salz via Datatracker <noreply@ietf.org>
To: art@ietf.org
Cc: draft-ietf-sacm-coswid.all@ietf.org, last-call@ietf.org, sacm@ietf.org
Message-ID: <162793413326.28486.5313832718804831776@ietfa.amsl.com>
Reply-To: Rich Salz <rsalz@akamai.com>
Date: Mon, 02 Aug 2021 12:55:33 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/adGh-_pOSDVJObN06Qps2Scilts>
Subject: [art] Artart last call review of draft-ietf-sacm-coswid-18

Reviewer: Rich Salz
Review result: Ready with Nits

I am the ART directorate reviewer for this document. The comments are mainly
for the ADs, but others should treat them like any other last-call comments.

I did not shell out the 187 CHF for the SWID specification. Kudos to the
authors for doing something that seems (claims?) to be compatible, in an
infoset way, and is also much more compact. A couple of minor things.

In 2.3, why are there three separate bools for corpus/patch/supplemental as
opposed to a single enumeration? Can the tag-id be a digest of the source file?
What are the implications of it not being unique? That should be listed in the
security considerations.

The expert review guidelines seem like "specification required" with some
additional requirements on things like what the specification must say.

I was surprised to see Carsten's full contact information given, as if he were
a co-author.
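The two points raised in the review above (three booleans where one enumeration would do, and tag-ids that may not be unique), illustrated by an added example that is not part of the review or the CoSWID draft; the dictionary key names and the assumption that the three flags are mutually exclusive are this example's own:

```python
"""Added example, not code from the review or the CoSWID draft.
Assumptions: tags are plain dicts with the keys used below, and the
corpus/patch/supplemental flags are meant to be mutually exclusive."""
from collections import Counter
from enum import Enum


class TagType(Enum):
    PRIMARY = "primary"        # none of the three flags set
    CORPUS = "corpus"
    PATCH = "patch"
    SUPPLEMENTAL = "supplemental"


def tag_type(tag: dict) -> TagType:
    """Collapse the three booleans into a single enumeration value.

    Three independent flags admit eight states; an enumeration admits
    four.  The other four are rejected here so a consumer cannot act on
    an ambiguous tag.
    """
    flags = {
        TagType.CORPUS: bool(tag.get("corpus", False)),
        TagType.PATCH: bool(tag.get("patch", False)),
        TagType.SUPPLEMENTAL: bool(tag.get("supplemental", False)),
    }
    set_flags = [t for t, on in flags.items() if on]
    if len(set_flags) > 1:
        names = ", ".join(t.value for t in set_flags)
        raise ValueError("ambiguous tag type: " + names)
    return set_flags[0] if set_flags else TagType.PRIMARY


def duplicate_tag_ids(tags: list) -> dict:
    """Return {tag-id: count} for every tag-id that appears more than once.

    A consumer keyed on tag-id alone would silently merge or overwrite
    these entries, which is the risk the review asks to have documented.
    """
    counts = Counter(t["tag-id"] for t in tags)
    return {tid: n for tid, n in counts.items() if n > 1}


# Constructed sample tags (not real product data).
SAMPLE_TAGS = [
    {"tag-id": "example-app-1.0", "software-name": "Example App"},
    {"tag-id": "example-app-1.0-p1", "software-name": "Example App", "patch": True},
    {"tag-id": "example-app-1.0", "software-name": "Example App", "supplemental": True},
]
```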