Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-ietf-opsawg-sbom-access-18> for your review

Eliot Lear <lear@cisco.com> Wed, 13 September 2023 07:18 UTC

From: Eliot Lear <lear@cisco.com>
In-Reply-To: <2F1A389E-ABED-4C37-B41A-79A9E15D59CA@amsl.com>
Date: Wed, 13 Sep 2023 09:15:20 +0200
Cc: "Rose, Scott W. (Fed)" <scott.rose=40nist.gov@dmarc.ietf.org>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, RFC Editor <rfc-editor@rfc-editor.org>, opsawg-ads@ietf.org, opsawg-chairs@ietf.org, bill.wu@huawei.com, auth48archive@rfc-editor.org
Message-Id: <1D2F40E4-3276-49E3-B70C-D6FC5FAC0430@cisco.com>
References: <20230908232621.2FE7CE5EA7@rfcpa.amsl.com> <BE129746-6B47-4FA8-A918-44B728F347C3@nist.gov> <2F1A389E-ABED-4C37-B41A-79A9E15D59CA@amsl.com>
To: Sarah Tarrant <starrant@amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/2rZn-ekjpzrGjzg9KF_HlgXej2I>
Subject: Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-ietf-opsawg-sbom-access-18> for your review

Hi Sarah and thanks!  Please see below.

> On 12 Sep 2023, at 20:50, Sarah Tarrant <starrant@amsl.com> wrote:
> 
> Hello Eliot, Scott, and Rob*,
> 
> *Rob, as AD, please review the change in the last paragraph of Section 1.3 and let us know if you approve. The change is best viewed in this diff file: https://www.rfc-editor.org/authors/rfc9472-auth48diff.html. Also, please let us know your thoughts on this question (note that RFCs 6242, 8341, and 8446 are included in the template at https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines):
> 
>> 10) <!-- [rfced] *[AD] Section 6: The Security Considerations section does not
>> follow the requirements listed on
>> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines, which says
>> "This section MUST be patterned after the latest approved template."
>> Please confirm if the current text is acceptable per the context of the
>> document or if any further updates are needed in order to follow the
>> template.
>> 
>> Also, please confirm if it is acceptable that RFCs 6242, 8341, and
>> 8446 are not listed in the Normative References section or if they
>> should be added.
>> -->
> 
> 
> Eliot and Scott, thank you for your replies; we have updated the document accordingly. We have a few follow-up questions:
> 
> 1) We added the sentence in ii) per your reply to this question. We also added RFC 7231 as a normative reference. Please confirm that this is correct. Or should it be informative instead?

That’s correct.

> 
>>> e) We note that RFCs 6991 and 7231 are only referenced in the YANG
>>> module and not in the running text. In order to have a 1:1 matchup
>>> between the references section and the text, may we add an introductory
>>> sentence before the YANG module that includes these citations (option i)?
>>> Alternatively, you may reference all of the RFCs that are mentioned
>>> (option ii). Please let us know your preference.
>>> 
>>> Perhaps:
>>> i)  This YANG module references [RFC6991] and [RFC7231].
>>> or
>>> ii) This YANG module references [RFC6991], [RFC7231], [RFC7252],
>>>   [RFC8520], and [RFC9110].
>> 
>> 
>> ii seems complete.
> 
> 
> 2) Regarding this question:
> 
>>> 11) <!--[rfced] Is this sentence intended to be an ordered list (option A)
>>> or are "any change in a URL" and "any change to the authority
>>> section" the 2 risks that are being referred to (option B)?
>>> 
>>> Original:
>>> To address either risk, any change in a URL, and in particular to the
>>> authority section, two approaches may be used:
>>> 
>>> Perhaps:
>>> A) To address either risk, any change in a URL, and particularly any change
>>> to the authority section, two approaches may be used:
>>> 
>>> or
>>> 
>>> B) To address either risk, i.e., any change in a URL and, in particular, to
>>> the authority section, two approaches may be used:
>>> -->
>> 
>> How about:
>> 
>>> (C)  To address either risk, any change in a URL, and in particular to the
>>> authority section; two approaches may be used:
>> 
>> ?
> 
> We are still having trouble understanding this sentence. (Note that the text before the semicolon in (C) is not a complete sentence.) Would something like the following work?
> 
> Perhaps:
> Two approaches may be used to address these risks and any change in a URL (particularly in the
> authority section):
> 

Ok, having re-read the context, the authority section phrase is redundant, so we can say:

> To address either of these risks or any tampering of a URL:



> 
> 3) Regarding this question:
> 
>>> 15) <!-- [rfced] The following lines exceed the 72-character limit for
>>> sourcecode. Please let us know how these lines can be modified.
>>> 
>>> Section 5.1 (1 character over):
>>> "systeminfo": "retrieving vuln and SBOM info via a cloud service",
>>> 
>>> Section 5.2 (1 character over):
>>> "systeminfo": "mixed example: SBOM on device, vuln info in cloud",
>>> 
>>> Section 5.3 (2 characters over):
>>> "contact-info": "https://iot-device.example.com/contact-info.html",
>>> 
>>> Section 5.3 (1 character over):
>>> "systeminfo": "retrieving vuln and SBOM info via a cloud service",
>>> -->
>>> 
>> 
>> Would you mind out-denting these lines?
> 
> Please confirm that we updated these correctly. We moved the lines in each example mentioned above one or two spaces (as appropriate) to the left to meet the character limit, though we couldn’t move the “{” at the beginning and end of each example as these were already at the left margin.


That’s okay.

Aside: this 72 character limit was VERY important when printers could only print 80 columns, but that was on its way out even when *I* was a student in the 80s (I never saw an actual line printer after college).

Regards,

Eliot

> 
> ______________
> 
> Updated XML file:
> http://www.rfc-editor.org/authors/rfc9472.xml
> 
> Updated output files:
> https://www.rfc-editor.org/authors/rfc9472.html
> https://www.rfc-editor.org/authors/rfc9472.txt
> https://www.rfc-editor.org/authors/rfc9472.pdf
> 
> Diff file showing all changes made during AUTH48:
> https://www.rfc-editor.org/authors/rfc9472-auth48diff.html
> 
> Diff files showing all changes:
> https://www.rfc-editor.org/authors/rfc9472-diff.html
> https://www.rfc-editor.org/authors/rfc9472-rfcdiff.html (side-by-side diff)
> 
> Note that it may be necessary for you to refresh your browser to view the most recent version.
> 
> For the AUTH48 status of this document, please see:
> https://www.rfc-editor.org/auth48/rfc9472
> 
> Thank you,
> 
> RFC Editor/st
> 
>> On Sep 11, 2023, at 12:23 PM, Rose, Scott W. (Fed) <scott.rose=40nist.gov@dmarc.ietf.org> wrote:
>> 
>> On 8 Sep 2023, at 19:26, rfc-editor@rfc-editor.org wrote:
>> 
>>> Authors and *AD,
>>> 
>>> While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file.
>>> 
>> 
>>> 
>>> 17) <!-- [rfced] FYI: We have added expansions for the following abbreviations
>>> per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each
>>> expansion in the document carefully to ensure correctness.
>>> 
>>> Access Control Lists (ACLs)
>>> Constrained Application Protocol (CoAP)
>>> Internet of Things (IoT)
>>> -->
>>> 
>>> 
>>> 18) <!-- [rfced] Please review the "Inclusive Language" portion of the online
>>> Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
>>> and let us know if any changes are needed.
>>> 
>>> Note that our script did not flag any words in particular, but this should
>>> still be reviewed as a best practice.
>>> -->
>>> 
>> 
>> FWIW, I did a pass through to match against the NIST inclusive language guidance and did not find anything that needed to be addressed.  Future changes may change that (not likely, but maybe).
>> 
>> Thanks
>> Scott
>> 
>> 
>> 
>> 
>> ==================================
>> Scott Rose NIST/CTL
>> scott.rose@nist.gov
>> ph: +1-301-975-8439 (w)
>>  +1-571-249-3761 (GoogleVoice)
>> ==================================
>
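Added example, not part of this thread or of RFC 9472: a small checker for the 72-character sourcecode limit raised in question 15 above. It reports over-long lines and out-dents each one by exactly its excess, as the RFC Editor did, and flags lines that cannot be fixed that way because they are already at the left margin. The JSON sample is constructed here and only mimics the shape of the document's MUD examples; the function names `over_limit` and `outdent_long_lines` are this example's own.

```python
# Added example (not the RFC's or the RFC Editor's tooling): check RFC
# sourcecode lines against the 72-character limit and out-dent offenders.

MAX_SOURCECODE_WIDTH = 72  # limit quoted in rfced question 15

# Constructed sample lines, modelled on the shape of the RFC's MUD examples
# (not the RFC's own text). Indentation is padded so that SYSTEMINFO lands
# exactly 1 character over the limit and CONTACT exactly 2 over.
SYSTEMINFO = '"systeminfo": "retrieving vuln and SBOM info via a cloud service",'
CONTACT = '"contact-info": "https://iot-device.example.com/contact-info.html",'
SAMPLE = "\n".join([
    "{",
    '  "ietf-mud:mud": {',
    '    "mud-version": 1,',
    " " * (MAX_SOURCECODE_WIDTH + 1 - len(SYSTEMINFO)) + SYSTEMINFO,
    " " * (MAX_SOURCECODE_WIDTH + 2 - len(CONTACT)) + CONTACT,
    "  }",
    "}",
]) + "\n"

# A constructed line at the left margin that cannot be out-dented (78 chars).
LONG_FLAT = '"x": "' + "a" * 70 + '",'


def over_limit(text, limit=MAX_SOURCECODE_WIDTH):
    """Return (line_number, characters_over) for every line longer than limit."""
    return [
        (n, len(line) - limit)
        for n, line in enumerate(text.splitlines(), 1)
        if len(line) > limit
    ]


def outdent_long_lines(text, limit=MAX_SOURCECODE_WIDTH):
    """Shift each over-long line left by its excess, never beyond its own
    leading whitespace. Returns (fixed_text, still_over) where still_over
    lists lines that remain too long and need manual rewrapping."""
    fixed, still_over = [], []
    for n, line in enumerate(text.splitlines(), 1):
        excess = len(line) - limit
        if excess > 0:
            indent = len(line) - len(line.lstrip(" "))
            line = line[min(excess, indent):]  # out-dent, but not past column 0
            if len(line) > limit:
                still_over.append((n, len(line) - limit))
        fixed.append(line)
    return "\n".join(fixed) + "\n", still_over


if __name__ == "__main__":
    for n, excess in over_limit(SAMPLE):
        print(f"line {n}: {excess} character(s) over")
    fixed, left = outdent_long_lines(SAMPLE)
    print(fixed)
    print("still over the limit after out-denting:", left)
```

Run it on a sourcecode block extracted from the draft before submission; any line listed in the "still over" result is one the author has to rewrap or shorten rather than shift.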