Re: [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm-coswid-24> for your review
Lynne Bartholomew <lbartholomew@amsl.com> Fri, 23 June 2023 18:05 UTC
Return-Path: <lbartholomew@amsl.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61559C15257C; Fri, 23 Jun 2023 11:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1e_uXEPc9rD0; Fri, 23 Jun 2023 11:05:00 -0700 (PDT)
Received: from c8a.amsl.com (c8a.amsl.com [4.31.198.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23747C1524BC; Fri, 23 Jun 2023 11:05:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by c8a.amsl.com (Postfix) with ESMTP id 0F36D424CD02; Fri, 23 Jun 2023 11:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from c8a.amsl.com ([127.0.0.1]) by localhost (c8a.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 96p-EAW7Nvsg; Fri, 23 Jun 2023 11:04:59 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:2601:646:8b00:70f0:11ac:36b:b16:623b]) by c8a.amsl.com (Postfix) with ESMTPSA id A2B03424CD01; Fri, 23 Jun 2023 11:04:59 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
From: Lynne Bartholomew <lbartholomew@amsl.com>
In-Reply-To: <rt-5.0.3-77855-1687542764-114.1275282-37-0@icann.org>
Date: Fri, 23 Jun 2023 11:04:48 -0700
Cc: sacm-chairs@ietf.org, sacm-ads@ietf.org, "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, rdd@cert.org, jmfitz2@cyber.nsa.gov, inacio@cert.org, iana@iana.org, henk.birkholz@sit.fraunhofer.de, david.waltermire@nist.gov, cmschmidt@mitre.org, auth48archive@rfc-editor.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <AD69E704-5E15-418B-91AF-67E5CCF9A319@amsl.com>
References: <RT-Ticket-1275282@icann.org> <17695_1681508760_6439C997_17695_256_1_20230414214558.B61C755E8F@rfcpa.amsl.com> <SA9PR09MB58216C20EF01CC2E836A14F0AB6D9@SA9PR09MB5821.namprd09.prod.outlook.com> <A77F3234-6279-4566-92C7-1F0481821FB3@amsl.com> <BN2P110MB11072A68AE61CF2227AB824EDC5DA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <CD0BDCB2-9155-4F23-B843-24CA53A47219@amsl.com> <9AD0D213-F9EB-4E96-9672-6CEDCBC20D28@amsl.com> <rt-5.0.3-167080-1687475272-847.1275282-37-0@icann.org> <466D93C4-5480-4243-9347-ED25B86E9003@amsl.com> <rt-5.0.3-70314-1687535523-1275.1275282-37-0@icann.org> <rt-5.0.3-77855-1687542764-114.1275282-37-0@icann.org>
To: iana-matrix@iana.org
X-Mailer: Apple Mail (2.3731.200.110.1.12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/HDcTPWn0cdfTJwvwt0GZ9xbshiU>
Subject: Re: [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm-coswid-24> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2023 18:05:05 -0000
Hi, Amanda. No worries, and many thanks for fixing! RFC Editor/lb > On Jun 23, 2023, at 10:52 AM, Amanda Baber via RT <iana-matrix@iana.org> wrote: > > Hi, > >> Apologies for the "RFC 9393"s; understood that those should wait until >> after this document is published. We also see that "this document" is >> not sufficiently clear and that "RFC-ietf-sacm-coswid-24, or" instead >> of "or" is needed. >> >> * A request: Can we please change "Software-IDs" to "Software IDs" on >> <https://www.iana.org/assignments/uri-schemes/prov/swid> and >> <https://www.iana.org/assignments/uri-schemes/prov/swidpath> now, so >> that these particular updates don't fall through the cracks later? > > Sorry, these changes are complete now! > > https://www.iana.org/assignments/uri-schemes/prov/swid > > https://www.iana.org/assignments/uri-schemes/prov/swidpath > > thanks, > Amanda > >> The other updates look good, and thank you for those! >> >> RFC Editor/lb >> >> >>> On Jun 22, 2023, at 4:07 PM, Amanda Baber via RT <iana- >>> matrix@iana.org> wrote: >>> >>> Hi, >>> >>> We've made most of these changes, but had to temporarily skip or >>> adjust others. Please see below. >>> >>>> OLD: >>>> Interoperability considerations: Applications MAY ignore any key >>>> value pairs that they do not understand. This allows backwards >>>> compatible extensions to this specification. >>>> >>>> Applications that use this media type: The type is used by software >>>> asset management systems, vulnerability assessment systems, and in >>>> applications that use remote integrity verification. >>>> >>>> Magic number(s): if tagged, first five bytes in hex: da 53 57 49 44 >>>> (see Section 8 in RFC-ietf-sacm-coswid-24) >>>> >>>> Macintosh Universal Type Identifier code: org.ietf.coswid conforms >>>> to >>>> public.data >>>> >>>> Restrictions on usage: None >>>> >>>> NEW: >>>> Interoperability considerations: Applications MAY ignore any key >>>> value pairs that they do not understand. This allows backwards- >>>> compatible extensions to this specification. >>>> >>>> Applications that use this media type: The type is used by software >>>> asset management systems and vulnerability assessment systems and >>>> is used in applications that use remote integrity verification. >>>> >>>> Magic number(s): If tagged, the first five bytes in hex: da 53 57 >>>> 49 44 (see Section 8 of RFC-ietf-sacm-coswid-24). >>>> >>>> Macintosh Universal Type Identifier code: org.ietf.coswid >>>> conforms to public.data. >>>> >>>> Restrictions on usage: none >>> >>> These changes are complete: >>> >>> https://www.iana.org/assignments/media-types/application/swid+cbor >>> >>>> = = = = = = = = >>>> >>>> Per updates to Section 6.6.1, please update the following on >>>> <https://www.iana.org/assignments/uri-schemes/prov/swid>: >>>> >>>> OLD: >>>> Applications/protocols that use this scheme name: Applications that >>>> require Software-IDs (SWIDs) or Concise Software-IDs (CoSWIDs); see >>>> Section 5.1 of RFC-ietf-sacm-coswid-24. >>>> >>>> Reference: Section 5.1 in RFC-ietf-sacm-coswid-24 >>>> >>>> NEW: >>>> Applications/protocols that use this scheme name: Applications that >>>> require Software IDs (SWIDs) or Concise Software IDs (CoSWIDs); >>>> see Section 5.1 of RFC 9393. >>>> >>>> Reference: Section 5.1 of RFC 9393 >>> >>> We were unable to make these reference changes. Our policy is to wait >>> to replace draft strings with RFC numbers until the RFC has been >>> published. >>> >>>> Also, please update the following on >>>> <https://www.iana.org/assignments/uri-schemes/expert-notes/swid- >>>> expert-notes>: >>>> >>>> OLD: >>>> This scheme has been documented by an IETF working group, and is >>>> mentioned in an IETF standard specification. But as it describes a >>>> locally scoped, limited purpose, form of identification, it does not >>>> fully meet the requirements for permanent registration. >>>> >>>> As long as the specification (RFC-ietf-sacm-coswid-24, or >>>> successors) >>>> that describes this scheme is a current IETF specification, this >>>> scheme should be considered to be "in use" and not considered for >>>> removal from the registry. >>>> >>>> NEW: >>>> Note: This scheme has been documented by an IETF working group >>>> and is mentioned in an IETF Standard specification. However, >>>> as it describes a locally scoped, limited-purpose form of >>>> identification, it does not fully meet the requirements for >>>> permanent registration. >>>> >>>> As long as this specification (or any successors that describe >>>> this scheme) is a current IETF specification, this scheme >>>> should be considered to be "in use" and not considered for >>>> removal from the registry. >>> >>> We updated this note, but because there is no other indication as to >>> the identity of "this document" at >>> https://www.iana.org/assignments/uri-schemes/expert-notes/swid- >>> expert-notes, replaced "(or any successors that describe this >>> scheme)" with "(RFC-ietf-sacm-coswid-24, or any successors that >>> describe this scheme)." >>> >>>> = = = = = = = = >>>> >>>> Per updates to Section 6.6.2, please update the following on >>>> <https://www.iana.org/assignments/uri-schemes/prov/swidpath>: >>>> >>>> OLD: >>>> Applications/protocols that use this scheme name: Applications that >>>> require Software-IDs (SWIDs) or Concise Software-IDs (CoSWIDs); see >>>> Section 5.2 of RFC-ietf-sacm-coswid-24. >>>> >>>> Reference: Section 5.2 in RFC-ietf-sacm-coswid-24 >>>> >>>> NEW: >>>> Applications/protocols that use this scheme name: Applications that >>>> require Software IDs (SWIDs) or Concise Software IDs (CoSWIDs); >>>> see Section 5.2 of RFC 9393. >>>> >>>> Reference: Section 5.2 of RFC 9393 >>> >>> We can't make these reference changes until the RFC has been >>> published. >>> >>>> Also, please update the following on >>>> <https://www.iana.org/assignments/uri-schemes/expert-notes/swidpath- >>>> expert-notes>: >>>> >>>> OLD: >>>> This scheme has been documented by an IETF working group, and is >>>> mentioned in an IETF standard specification. But as it describes a >>>> locally scoped, limited purpose, form of identification, it does not >>>> fully meet the requirements for permanent registration. >>>> >>>> As long as the specification (RFC-ietf-sacm-coswid-24, or >>>> successors) >>>> that describes this scheme is a current IETF specification, this >>>> scheme should be considered to be "in use" and not considered for >>>> removal from the registry. >>>> >>>> NEW: >>>> Note: This scheme has been documented by an IETF working group >>>> and is mentioned in an IETF Standard specification. However, >>>> as it describes a locally scoped, limited-purpose form of >>>> identification, it does not fully meet the requirements for >>>> permanent registration. >>>> >>>> As long as this specification (or any successors that describe >>>> this scheme) is a current IETF specification, this scheme >>>> should be considered to be "in use" and not considered for >>>> removal from the registry. >>> >>> We updated this note, but as above, replaced "(or any successors that >>> describe this scheme)" with "(RFC-ietf-sacm-coswid-24, or any >>> successors that describe this scheme)." See >>> >>> https://www.iana.org/assignments/uri-schemes/expert-notes/swidpath- >>> expert-notes >>> >>> thanks, >>> >>> Amanda Baber >>> IANA Operations Manager >>> >>>> Thank you! >>>> >>>> RFC Editor/lb >>>> >>>>> On Jun 21, 2023, at 1:31 PM, Lynne Bartholomew >>>>> <lbartholomew@amsl.com> wrote: >>>>> >>>>> Hi, Roman. We have noted your approval: >>>>> >>>>> https://www.rfc-editor.org/auth48/rfc9393 >>>>> >>>>> We will email IANA shortly and ask them to make some updates so >>>>> that >>>>> relevant information on their site matches the corresponding >>>>> entries >>>>> in this document. After those updates are completed, we will >>>>> prepare >>>>> this document for publication. >>>>> >>>>> Thank you! >>>>> >>>>> RFC Editor/lb >>>>> >>>>>> On Jun 21, 2023, at 8:39 AM, Roman Danyliw <rdd@cert.org> wrote: >>>>>> >>>>>> Hi! >>>>>> >>>>>> Approved. Thanks for all of the work here. >>>>>> >>>>>> Thanks, >>>>>> Roman >>>>>> >>>>>>> -----Original Message----- >>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> >>>>>>> Sent: Friday, June 16, 2023 2:57 PM >>>>>>> To: Roman Danyliw <rdd@cert.org>; sacm-ads@ietf.org >>>>>>> Cc: Waltermire, David A. (Fed) <david.waltermire@nist.gov>; >>>>>>> jmfitz2@cyber.nsa.gov; henk.birkholz@sit.fraunhofer.de; Schmidt, >>>>>>> Charles M. >>>>>>> <cmschmidt@mitre.org>; rfc-editor@rfc-editor.org; sacm- >>>>>>> chairs@ietf.org; Chris >>>>>>> Inacio <inacio@cert.org>; auth48archive@rfc-editor.org >>>>>>> Subject: *[AD] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm- >>>>>>> coswid- >>>>>>> 24> for >>>>>>> your review >>>>>>> >>>>>>> Hi, Roman. >>>>>>> >>>>>>> A reminder that the question listed below is still pending. >>>>>>> Please >>>>>>> advise. >>>>>>> >>>>>>> The AUTH48 status page is here: >>>>>>> >>>>>>> https://www.rfc-editor.org/auth48/rfc9393 >>>>>>> >>>>>>> Thank you! >>>>>>> >>>>>>> RFC Editor/lb >>>>>>> >>>>>>>> On Jun 8, 2023, at 8:38 AM, Lynne Bartholomew >>>>>>>> <lbartholomew@amsl.com> >>>>>>> wrote: >>>>>>>> >>>>>>>> Hi, Roman. >>>>>>>> >>>>>>>> Please note that this question for you is still pending: >>>>>>>> >>>>>>>> <!-- [rfced] *AD - This document underwent two version changes >>>>>>>> since >>>>>>>> version -22, which we edited last year; we later received >>>>>>>> notifications for versions -23 and -24. >>>>>>>> >>>>>>>> We manually incorporated the updates by looking at the diff >>>>>>>> between >>>>>>>> version -22 and version -24 on the Datatracker. >>>>>>>> >>>>>>>> Please review the changes to Sections 5 and 6 carefully, and let >>>>>>>> us >>>>>>>> know if you approve. --> >>>>>>>> >>>>>>>> The latest files are posted here (with month updated to June): >>>>>>>> >>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt >>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf >>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html >>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml >>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html >>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html >>>>>>>> https://www.rfc-editor.org/authors/rfc9393-auth48diff.html >>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html >>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastrfcdiff.html >>>>>>>> >>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html >>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html >>>>>>>> >>>>>>>> The AUTH48 status page is here: >>>>>>>> >>>>>>>> https://www.rfc-editor.org/auth48/rfc9393 >>>>>>>> >>>>>>>> Thank you! >>>>>>>> >>>>>>>> RFC Editor/lb >>>>>>>> >>>>>>>>> On Jun 8, 2023, at 8:29 AM, Lynne Bartholomew >>>>>>> <lbartholomew@amsl.com> wrote: >>>>>>>>> >>>>>>>>> Hi, Dave. No worries; thank you for the email. >>>>>>>>> >>>>>>>>> We have noted your approval on the AUTH48 status page: >>>>>>>>> >>>>>>>>> https://www.rfc-editor.org/auth48/rfc9393 >>>>>>>>> >>>>>>>>> Thanks again! >>>>>>>>> >>>>>>>>> RFC Editor/lb >>>>>>>>> >>>>>>>>>> On Jun 6, 2023, at 7:23 PM, Waltermire, David A. (Fed) >>>>>>> <david.waltermire@nist.gov> wrote: >>>>>>>>>> >>>>>>>>>> Lynne, >>>>>>>>>> >>>>>>>>>> Sorry for the delay. I approve. Thanks. >>>>>>>>>> >>>>>>>>>> Dave >>>>>>>>>> >>>>>>>>>> -----Original Message----- >>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> >>>>>>>>>> Sent: Friday, June 2, 2023 11:27 AM >>>>>>>>>> To: jmfitz2@cyber.nsa.gov; henk.birkholz@sit.fraunhofer.de >>>>>>>>>> Cc: Schmidt, Charles M. <cmschmidt@mitre.org>; rfc-editor@rfc- >>>>>>> editor.org; Waltermire, David A. (Fed) >>>>>>> <david.waltermire@nist.gov>; >>>>>>> sacm- >>>>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher >>>>>>> <inacio@cert.org>; >>>>>>> rdd@cert.org; auth48archive@rfc-editor.org >>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- >>>>>>>>>> ietf- >>>>>>>>>> sacm- >>>>>>> coswid-24> for your review >>>>>>>>>> >>>>>>>>>> Hi, Jess and Henk. >>>>>>>>>> >>>>>>>>>> We have noted your approvals on the AUTH48 status page: >>>>>>>>>> >>>>>>>>>> https://www.rfc-editor.org/auth48/rfc9393 >>>>>>>>>> >>>>>>>>>> Thank you! >>>>>>>>>> >>>>>>>>>> RFC Editor/lb >>>>>>>>>> >>>>>>>>>>> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de> >>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- >>>>>>>>>>> ietf- >>>>>>>>>>> sacm- >>>>>>> coswid-24> for your review >>>>>>>>>>> Date: June 1, 2023 at 7:52:42 AM PDT >>>>>>>>>>> To: Lynne Bartholomew <lbartholomew@amsl.com>, Charles M >>>>>>>>>>> Schmidt >>>>>>> <cmschmidt@mitre.org> >>>>>>>>>>> Cc: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, >>>>>>> "jmfitz2@cyber.nsa.gov" <jmfitz2@cyber.nsa.gov>, "Waltermire, >>>>>>> David" >>>>>>> <david.waltermire@nist.gov>, "sacm-ads@ietf.org" <sacm- >>>>>>> ads@ietf.org>, >>>>>>> "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, "Inacio, >>>>>>> Christopher" >>>>>>> <inacio@cert.org>, "rdd@cert.org" <rdd@cert.org>, >>>>>>> "auth48archive@rfc- >>>>>>> editor.org" <auth48archive@rfc-editor.org> >>>>>>>>>>> >>>>>>>>>>> Hi Lynne, >>>>>>>>>>> >>>>>>>>>>> thanks for all the help. Ship it! >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Viele Grüße, >>>>>>>>>>> >>>>>>>>>>> Henk >>>>>>>>>> >>>>>>>>>>> On Jun 1, 2023, at 6:14 AM, jmfitz2@cyber.nsa.gov wrote: >>>>>>>>>>> >>>>>>>>>>> This looks good to me, Lynne. Thanks for helping us get it >>>>>>>>>>> all >>>>>>>>>>> done. >>>>>>>>>>> >>>>>>>>>>> Jess >>>>>>>>>>> >>>>>>>>>>> -----Original Message----- >>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> >>>>>>>>>>> Sent: Tuesday, May 30, 2023 5:09 PM >>>>>>>>>>> To: Charles Schmidt (MITRE) <cmschmidt@mitre.org> >>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; >>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; >>>>>>>>>>> Jessica >>>>>>> Fitzgerald-McKay (GOV) <jmfitz2@cyber.nsa.gov>; Waltermire, David >>>>>>> <david.waltermire@nist.gov>; sacm-ads@ietf.org; sacm- >>>>>>> chairs@ietf.org; Inacio, >>>>>>> Christopher <inacio@cert.org>; rdd@cert.org; auth48archive@rfc- >>>>>>> editor.org >>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- >>>>>>>>>>> ietf- >>>>>>>>>>> sacm- >>>>>>> coswid-24> for your review >>>>>>>>>>> >>>>>>>>>>> Hi, Charles. >>>>>>>>>>> >>>>>>>>>>> We have made further updates per your notes below. >>>>>>>>>>> >>>>>>>>>>> The latest files are posted here: >>>>>>>>>>> >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-auth48diff.html >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastrfcdiff.html >>>>>>>>>>> >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html >>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html >>>>>>>>>>> >>>>>>>>>>> Thank you! >>>>>>>>>>> >>>>>>>>>>> RFC Editor/lb >>>>>>>>>>> >>>>>>>>>>>> On May 25, 2023, at 12:48 PM, Charles M Schmidt >>>>>>> <cmschmidt@mitre.org> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hello Lynne, >>>>>>>>>>>> >>>>>>>>>>>> Thank you for providing the updated drafts. The reordering >>>>>>>>>>>> looks great. >>>>>>>>>>>> >>>>>>>>>>>> Regarding some of your other comments from earlier, we >>>>>>>>>>>> identified a >>>>>>> few editorial tweaks we would like to make to improve clarity. >>>>>>>>>>>> >>>>>>>>>>>> Section 2.9.1 - clarify the relationship between hash and >>>>>>>>>>>> thumbprint >>>>>>>>>>>> OLD: >>>>>>>>>>>> CoSWID adds explicit support for the representation of hash >>>>>>>>>>>> entries >>>>>>> using algorithms that are >>>>>>>>>>>> registered in the IANA "Named Information Hash Algorithm >>>>>>>>>>>> Registry" >>>>>>> [IANA.named-information] >>>>>>>>>>>> using the hash member (index 7) and the corresponding hash- >>>>>>>>>>>> entry type >>>>>>>>>>>> >>>>>>>>>>>> NEW: >>>>>>>>>>>> CoSWID adds explicit support for the representation of hash >>>>>>>>>>>> entries >>>>>>> using algorithms that are >>>>>>>>>>>> registered in the IANA "Named Information Hash Algorithm >>>>>>>>>>>> Registry" >>>>>>> [IANA.named-information]. >>>>>>>>>>>> This array is used by both the hash (index 7) and thumbprint >>>>>>>>>>>> (index 34) >>>>>>> values. >>>>>>>>>>>> >>>>>>>>>>>> Section 2.9.2 - revise description of the location element >>>>>>>>>>>> OLD: >>>>>>>>>>>> location (index 23): The filesystem path where a file is >>>>>>>>>>>> expected to be >>>>>>> located when installed or >>>>>>>>>>>> copied. The location MUST be either relative to the location >>>>>>>>>>>> of the >>>>>>> parent directory item >>>>>>>>>>>> (preferred) or relative to the location of the CoSWID tag >>>>>>>>>>>> (as >>>>>>>>>>>> indicated in >>>>>>> the location value in >>>>>>>>>>>> the evidence entry map) if no parent is defined. The >>>>>>>>>>>> location >>>>>>>>>>>> MUST NOT >>>>>>> include a file's name, >>>>>>>>>>>> which is provided by the fs-name item. >>>>>>>>>>>> >>>>>>>>>>>> NEW: >>>>>>>>>>>> location (index 23): The filesystem path where a file is >>>>>>>>>>>> expected to be >>>>>>> located when installed or >>>>>>>>>>>> copied. The location MUST either be an absolute path, or a >>>>>>>>>>>> path relative to the path value included in the parent >>>>>>>>>>>> directory item >>>>>>>>>>>> (preferred), or a path relative to the location of the >>>>>>>>>>>> CoSWID >>>>>>>>>>>> tag if no >>>>>>>>>>>> parent is defined. The location MUST NOT include a file's >>>>>>>>>>>> name, >>>>>>>>>>>> which is provided by the fs-name item. >>>>>>>>>>>> >>>>>>>>>>>> Section 2.9.2 - Add hash = 7 to the code: >>>>>>>>>>>> OLD: >>>>>>>>>>>> resource-entry = { >>>>>>>>>>>> type => text, >>>>>>>>>>>> * $$resource-extension, >>>>>>>>>>>> global-attributes, >>>>>>>>>>>> } >>>>>>>>>>>> directory = 16 >>>>>>>>>>>> file = 17 >>>>>>>>>>>> process = 18 >>>>>>>>>>>> resource = 19 >>>>>>>>>>>> >>>>>>>>>>>> NEW: >>>>>>>>>>>> resource-entry = { >>>>>>>>>>>> type => text, >>>>>>>>>>>> * $$resource-extension, >>>>>>>>>>>> global-attributes, >>>>>>>>>>>> } >>>>>>>>>>>> hash = 7 >>>>>>>>>>>> directory = 16 >>>>>>>>>>>> file = 17 >>>>>>>>>>>> process = 18 >>>>>>>>>>>> resource = 19 >>>>>>>>>>>> >>>>>>>>>>>> Section 2.9.2 - Update the description of the hash item >>>>>>>>>>>> OLD: >>>>>>>>>>>> hash (index 7): A hash of the file as described in Section >>>>>>>>>>>> 2.9.1. >>>>>>>>>>>> >>>>>>>>>>>> NEW: >>>>>>>>>>>> hash (index 7): Value that provides a hash of a file. This >>>>>>>>>>>> item provides an >>>>>>>>>>>> integrity measurement with respect to a specific file. See >>>>>>>>>>>> Section 2.9.1 >>>>>>>>>>>> for more details on the use of the hash-entry data >>>>>>>>>>>> structure. >>>>>>>>>>>> >>>>>>>>>>>> Section 2.9.4 - clarify location description by >>>>>>>>>>>> acknowledging >>>>>>>>>>>> previous >>>>>>> description and the different use in this location >>>>>>>>>>>> OLD: >>>>>>>>>>>> location (index 23): The absolute file path of the location >>>>>>>>>>>> of >>>>>>>>>>>> the CoSWID >>>>>>> tag generated as >>>>>>>>>>>> evidence. (Location values in filesystem-item instances in >>>>>>>>>>>> the >>>>>>>>>>>> payload >>>>>>> can be expressed >>>>>>>>>>>> relative to this location.) >>>>>>>>>>>> >>>>>>>>>>>> NEW: >>>>>>>>>>>> location (index 23): The filesystem path of the location of >>>>>>>>>>>> the CoSWID >>>>>>> tag generated as >>>>>>>>>>>> evidence. This path is always an absolute file path (unlike >>>>>>>>>>>> the value of a location item found within a filesystem-item >>>>>>>>>>>> described >>>>>>>>>>>> in Section 2.9.2, which can be either a relative path or an >>>>>>>>>>>> absolute path). >>>>>>>>>>>> >>>>>>>>>>>> Please let us know if you have any questions or concerns >>>>>>>>>>>> about >>>>>>>>>>>> these >>>>>>> changes. I believe the remaining questions you had are addressed >>>>>>> by >>>>>>> the >>>>>>> clarification that descriptions are not being moved across >>>>>>> sections, but just >>>>>>> being re-ordered within them. >>>>>>>>>>>> >>>>>>>>>>>> Thanks a bunch, >>>>>>>>>>>> Charles >>>>>>>>>>>> >>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> >>>>>>>>>>>> Sent: Wednesday, May 24, 2023 5:46 PM >>>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> >>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; >>>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; >>>>>>> jmfitz2@cyber.nsa.gov; Waltermire, David >>>>>>> <david.waltermire@nist.gov>; sacm- >>>>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher >>>>>>> <inacio@cert.org>; >>>>>>> rdd@cert.org; auth48archive@rfc-editor.org >>>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- >>>>>>>>>>>> ietf-sacm- >>>>>>> coswid-24> for your review >>>>>>>>>>>> >>>>>>>>>>>> Hi, Charles. >>>>>>>>>>>> >>>>>>>>>>>> We have ordered the index-number listings within each >>>>>>>>>>>> section, >>>>>>>>>>>> per your >>>>>>> note below. Please review our updates carefully, and let us know >>>>>>> if anything is >>>>>>> incorrect. >>>>>>>>>>>> >>>>>>>>>>>> The latest files are posted here. Please refresh your >>>>>>>>>>>> browser: >>>>>>>>>>>> >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-auth48diff.html >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastrfcdiff.html >>>>>>>>>>>> >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html >>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html >>>>>>>>>>>> >>>>>>>>>>>> We will look forward to receiving the additional updates >>>>>>>>>>>> later >>>>>>>>>>>> on. >>>>>>>>>>>> >>>>>>>>>>>> Thank you! >>>>>>>>>>>> >>>>>>>>>>>> RFC Editor/lb >>>>>>>>>>>> >>>>>>>>>>>>> On May 24, 2023, at 11:57 AM, Charles M Schmidt >>>>>>> <cmschmidt@mitre.org> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Hi Lynne, >>>>>>>>>>>>> >>>>>>>>>>>>> Thank you for confirming. We are just about set with our >>>>>>>>>>>>> response to >>>>>>> the other questions (one more outstanding detail to go). I hope >>>>>>> to >>>>>>> have the >>>>>>> other items to you tomorrow. >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks, >>>>>>>>>>>>> Charles >>>>>>>>>>>>> >>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> >>>>>>>>>>>>> Sent: Wednesday, May 24, 2023 1:54 PM >>>>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> >>>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; >>>>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; >>>>>>> jmfitz2@cyber.nsa.gov; Waltermire, David >>>>>>> <david.waltermire@nist.gov>; sacm- >>>>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher >>>>>>> <inacio@cert.org>; >>>>>>> rdd@cert.org; auth48archive@rfc-editor.org >>>>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- >>>>>>>>>>>>> ietf-sacm- >>>>>>> coswid-24> for your review >>>>>>>>>>>>> >>>>>>>>>>>>> Hi, Charles. >>>>>>>>>>>>> >>>>>>>>>>>>> Regarding >>>>>>>>>>>>> >>>>>>>>>>>>>> Overall, our intent was that, *within a given section*, >>>>>>>>>>>>>> the >>>>>>>>>>>>>> descriptions >>>>>>> would appear in index order, but only within their own section >>>>>>> since >>>>>>> descriptions only appear in sections for which the code snippets >>>>>>> specify the >>>>>>> term and index. We never intended for any descriptions to be >>>>>>> moved >>>>>>> to >>>>>>> different sections. >>>>>>>>>>>>> >>>>>>>>>>>>> We did indeed misunderstand your request. We will make the >>>>>>> necessary corrections and email you again when we've finished. >>>>>>>>>>>>> >>>>>>>>>>>>> Thank you for clarifying! >>>>>>>>>>>>> >>>>>>>>>>>>> RFC Editor/lb >>>>>>>>>>>>> >>>>>>>>>>>>>> On May 23, 2023, at 1:12 PM, Charles M Schmidt >>>>>>> <cmschmidt@mitre.org> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Hello Lynne, >>>>>>>>>>>>>> >>>>>>>>>>>>>> We are working on the edits to address the issues you >>>>>>>>>>>>>> identified. >>>>>>> However, we have one question for you regarding your comment >>>>>>> number >>>>>>> 3: >>>>>>>>>>>>>> >>>>>>>>>>>>>> ===== >>>>>>>>>>>>>> 3. In Section 2.9.4, we see the following: >>>>>>>>>>>>>> >>>>>>>>>>>>>> date = 35 >>>>>>>>>>>>>> device-id = 36 >>>>>>>>>>>>>> >>>>>>>>>>>>>> ... >>>>>>>>>>>>>> >>>>>>>>>>>>>> date (index 35): The date and time the information was >>>>>>>>>>>>>> collected >>>>>>>>>>>>>> pertaining to the evidence item in epoch-based date/time >>>>>>>>>>>>>> format as >>>>>>>>>>>>>> specified in Section 3.4.2 of [RFC8949]. >>>>>>>>>>>>>> >>>>>>>>>>>>>> device-id (index 36): The endpoint's string identifier >>>>>>>>>>>>>> from >>>>>>>>>>>>>> which >>>>>>>>>>>>>> the evidence was collected. >>>>>>>>>>>>>> >>>>>>>>>>>>>> If indices 35 and 36 are moved to a previous section, will >>>>>>>>>>>>>> this create >>>>>>> confusion? Should we add, somewhere in the text, one or more >>>>>>> citations for >>>>>>> Section 2.9.4, to point readers to more information regarding >>>>>>> these >>>>>>> two >>>>>>> indices? >>>>>>>>>>>>>> >>>>>>>>>>>>>> ====== >>>>>>>>>>>>>> >>>>>>>>>>>>>> Our question was why indices 35 and 36 were getting moved >>>>>>>>>>>>>> at >>>>>>>>>>>>>> all. >>>>>>> Section 2.9.4 is where these two elements are listed in the code >>>>>>> reference so it >>>>>>> makes sense that they would be described in that section. >>>>>>> Overall, >>>>>>> our intent >>>>>>> was that, *within a given section*, the descriptions would appear >>>>>>> in index >>>>>>> order, but only within their own section since descriptions only >>>>>>> appear in >>>>>>> sections for which the code snippets specify the term and index. >>>>>>> We >>>>>>> never >>>>>>> intended for any descriptions to be moved to different sections. >>>>>>> So >>>>>>> the bottom >>>>>>> line is we do not understand why indices 35 and 36 were being >>>>>>> moved >>>>>>> to a >>>>>>> previous section in the first place. Could you explain? (And I >>>>>>> apologize if my >>>>>>> original request was unclear on this point.) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks, >>>>>>>>>>>>>> Charles >>>>>>>>>>>>>> >>>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> >>>>>>>>>>>>>> Sent: Thursday, May 11, 2023 3:30 PM >>>>>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> >>>>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; >>>>>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; >>>>>>> jmfitz2@cyber.nsa.gov; Waltermire, David >>>>>>> <david.waltermire@nist.gov>; sacm- >>>>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher >>>>>>> <inacio@cert.org>; >>>>>>> rdd@cert.org; auth48archive@rfc-editor.org >>>>>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- >>>>>>>>>>>>>> ietf-sacm- >>>>>>> coswid-24> for your review >>>>>>>>>>>>>> >>>>>>>>>>>>>> Hi, Charles. >>>>>>>>>>>>>> >>>>>>>>>>>>>> We started reordering the "(index ..)" listings in >>>>>>>>>>>>>> Sections >>>>>>>>>>>>>> 2.3, 2.7, >>>>>>> 2.9.2, and 2.9.4, but we stopped after almost finishing the >>>>>>> ordering in Section >>>>>>> 2.3, because we have some follow-up questions that we would like >>>>>>> to >>>>>>> resolve >>>>>>> before we continue: >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1. We see that this list in Section 2.3 does not include >>>>>>>>>>>>>> index 7. >>>>>>> Assuming that we should move the "hash (index 7)" entry from >>>>>>> Section 2.9.2 to >>>>>>> Section 2.3, should we also add "hash = 7" to the list, between >>>>>>> the >>>>>>> payload and >>>>>>> corpus entries? >>>>>>>>>>>>>> >>>>>>>>>>>>>> tag-id = 0 >>>>>>>>>>>>>> software-name = 1 >>>>>>>>>>>>>> entity = 2 >>>>>>>>>>>>>> evidence = 3 >>>>>>>>>>>>>> link = 4 >>>>>>>>>>>>>> software-meta = 5 >>>>>>>>>>>>>> payload = 6 >>>>>>>>>>>>>> corpus = 8 >>>>>>>>>>>>>> patch = 9 >>>>>>>>>>>>>> media = 10 >>>>>>>>>>>>>> supplemental = 11 >>>>>>>>>>>>>> tag-version = 12 >>>>>>>>>>>>>> software-version = 13 >>>>>>>>>>>>>> version-scheme = 14 >>>>>>>>>>>>>> >>>>>>>>>>>>>> = = = = = >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2. We also see two entries each for "media (index 10)" and >>>>>>>>>>>>>> "location >>>>>>> (index 23)" in this document. Should there only be one of each, >>>>>>> or >>>>>>> is it correct >>>>>>> to have the two entries each for these two items? >>>>>>>>>>>>>> >>>>>>>>>>>>>> = = = = = >>>>>>>>>>>>>> >>>>>>>>>>>>>> 3. In Section 2.9.4, we see the following: >>>>>>>>>>>>>> >>>>>>>>>>>>>> date = 35 >>>>>>>>>>>>>> device-id = 36 >>>>>>>>>>>>>> >>>>>>>>>>>>>> ... >>>>>>>>>>>>>> >>>>>>>>>>>>>> date (index 35): The date and time the information was >>>>>>>>>>>>>> collected >>>>>>>>>>>>>> pertaining to the evidence item in epoch-based date/time >>>>>>>>>>>>>> format as >>>>>>>>>>>>>> specified in Section 3.4.2 of [RFC8949]. >>>>>>>>>>>>>> >>>>>>>>>>>>>> device-id (index 36): The endpoint's string identifier >>>>>>>>>>>>>> from >>>>>>>>>>>>>> which >>>>>>>>>>>>>> the evidence was collected. >>>>>>>>>>>>>> >>>>>>>>>>>>>> If indices 35 and 36 are moved to a previous section, will >>>>>>>>>>>>>> this create >>>>>>> confusion? Should we add, somewhere in the text, one or more >>>>>>> citations for >>>>>>> Section 2.9.4, to point readers to more information regarding >>>>>>> these >>>>>>> two >>>>>>> indices? >>>>>>>>>>>>>> >>>>>>>>>>>>>> = = = = = >>>>>>>>>>>>>> >>>>>>>>>>>>>> We will wait to hear from you before proceeding. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thank you! >>>>>>>>>>>>>> >>>>>>>>>>>>>> RFC Editor/lb >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> On May 10, 2023, at 1:41 PM, Charles M Schmidt >>>>>>> <cmschmidt@mitre.org> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hello Lynne, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thank you very much for the updated copy of the document. >>>>>>>>>>>>>>> In our >>>>>>> final review, we noted two minor tweaks: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> #1 >>>>>>>>>>>>>>> Section 1.1: The paragraph above and the paragraph below >>>>>>>>>>>>>>> figure 1 >>>>>>> are indented. These paragraphs should not be indented but should >>>>>>> be >>>>>>> the same >>>>>>> indentation as the surrounding paragraphs. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> #2 >>>>>>>>>>>>>>> In sections 2.3, 2.7, 2.9.2, and 2.9.4, the description >>>>>>>>>>>>>>> of >>>>>>>>>>>>>>> the items are >>>>>>> almost but not quite in index order. (E.g., in 2.9.2 the >>>>>>> description of index 7 is >>>>>>> between indices 21 and 22; in 2.7 the description of index 10 is >>>>>>> between >>>>>>> indices 38 and 39.) It would probably be more intuitive for >>>>>>> readers >>>>>>> for the >>>>>>> descriptions to be presented in index order, from lowest to >>>>>>> greatest. Would it >>>>>>> be possible to make this change? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Both of these are largely cosmetic at the end of the day, >>>>>>>>>>>>>>> so if >>>>>>> implementing them will be a problem then please disregard. >>>>>>> However, >>>>>>> if >>>>>>> possible to implement these last-second changes, it would be >>>>>>> nice. >>>>>>> Please let >>>>>>> me know if this is possible. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks a bunch, >>>>>>>>>>>>>>> Charles >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> >>>>>>>>>>>>>>> Sent: Tuesday, May 9, 2023 6:09 PM >>>>>>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> >>>>>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; >>>>>>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; >>>>>>> jmfitz2@cyber.nsa.gov; Waltermire, David >>>>>>> <david.waltermire@nist.gov>; sacm- >>>>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher >>>>>>> <inacio@cert.org>; >>>>>>> rdd@cert.org; auth48archive@rfc-editor.org >>>>>>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 >>>>>>>>>>>>>>> <draft- >>>>>>>>>>>>>>> ietf- >>>>>>> sacm-coswid-24> for your review >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hi, Charles. Thank you for your latest reply! We have >>>>>>>>>>>>>>> further >>>>>>> updated this document per your notes below. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The latest files are posted here (please refresh your >>>>>>>>>>>>>>> browser): >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- >>>>>>>>>>>>>>> auth48diff.html >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- >>>>>>>>>>>>>>> lastrfcdiff.html >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks again! >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> RFC Editor/lb >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On May 9, 2023, at 5:18 AM, Charles M Schmidt >>>>>>> <cmschmidt@mitre.org> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Hello all, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks for the follow up. Responses below: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 8) The indenting scheme shown in the PDF (it looks like >>>>>>>>>>>>>>>> it >>>>>>>>>>>>>>>> is a 2-level >>>>>>> indent) looks good. Please go with what you proposed. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 24) We are not a fan of having to split the comment over >>>>>>>>>>>>>>>> two lines. >>>>>>> We propose the following change, shortening the comment: >>>>>>>>>>>>>>>> Section 2.10 >>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>> ; supplemental=11 ; already defined in the >>>>>>>>>>>>>>>> ; "global map member" integer indices >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>> ; supplemental=11 ; already defined >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 41) Missed and updated text normalization >>>>>>>>>>>>>>>> Global: >>>>>>>>>>>>>>>> OLD: (missed normalization from before) >>>>>>>>>>>>>>>> version scheme name >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>> Version Scheme Name >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Global: (XML Schema capitalization - we'll defer to >>>>>>>>>>>>>>>> W3C's >>>>>>> conventions) >>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>> XML schema >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>> XML Schema >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Section 7: (suggest just re-using previously defined >>>>>>>>>>>>>>>> acronym in >>>>>>> section 7) >>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>> Cryptographic signatures can make any modification of >>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> tag >>>>>>> detectable, which is especially important if the integrity of the >>>>>>> tag is important, >>>>>>> such as when the tag is providing reference integrity >>>>>>> measurements >>>>>>> for files. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>> Cryptographic signatures can make any modification of >>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> tag >>>>>>> detectable, which is especially important if the integrity of the >>>>>>> tag is important, >>>>>>> such as when the tag is providing RIMs for files. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I believe that covers everything. Thank you for the >>>>>>>>>>>>>>>> thorough review. >>>>>>> Please let us know if you have any further questions or >>>>>>> suggestions. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Take care, >>>>>>>>>>>>>>>> Charles >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> >>>>>>>>>>>>>>>> Sent: Friday, May 5, 2023 4:41 PM >>>>>>>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> >>>>>>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; >>>>>>>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; >>>>>>> jmfitz2@cyber.nsa.gov; Waltermire, David >>>>>>> <david.waltermire@nist.gov>; sacm- >>>>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher >>>>>>> <inacio@cert.org>; >>>>>>> rdd@cert.org; auth48archive@rfc-editor.org >>>>>>>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 >>>>>>>>>>>>>>>> <draft- >>>>>>>>>>>>>>>> ietf- >>>>>>> sacm-coswid-24> for your review >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Hi, Charles. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thank you very much for the email and answers to our >>>>>>>>>>>>>>>> many >>>>>>> questions! >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> We have updated this document per your notes below. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> We have a few follow-up items for you: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Regarding this request to indent the first "Note:" >>>>>>>>>>>>>>>> paragraph: >>>>>>> xml2rfcv3 does not permit us to indent the <aside> text one level >>>>>>> in this >>>>>>> particular case; we could only either have no indentation or two >>>>>>> levels of >>>>>>> indentation. Please review the current layout, and let us know >>>>>>> if >>>>>>> you prefer >>>>>>> that the <aside> text be outdented two levels. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 8) All "Note:" entries should be <aside>s. >>>>>>>>>>>>>>>>> Section 1.1: The paragraph that starts with "Note" >>>>>>>>>>>>>>>>> should >>>>>>>>>>>>>>>>> be an >>>>>>> <aside>. Also, it should be indented but without a lead bullet. >>>>>>> The >>>>>>> Note >>>>>>> paragraph is a second paragraph that is part of the preceding >>>>>>> bullet on >>>>>>> Software Upgrading. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> = = = = = >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Regarding this item from our question 24): >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> ; supplemental=11 ; this is already defined earlier >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> ; supplemental=11 ; already defined in the "global map >>>>>>>>>>>>>>>>> member" >>>>>>> integer indices >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The new comment text made the line length too long. We >>>>>>>>>>>>>>>> made it >>>>>>> a multi-line comment. Please review, and let us know if the line >>>>>>> breaks should >>>>>>> be placed differently. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> = = = = = >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Question 41): We did not see a reply regarding the use >>>>>>>>>>>>>>>> of >>>>>>>>>>>>>>>> the >>>>>>> lowercase form "version scheme name" in running text. Please let >>>>>>> us know any >>>>>>> concerns. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> = = = = = >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Regarding this item from our question 41): >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> XML Schema >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> XML schema >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Apologies for not noticing earlier that, with one >>>>>>>>>>>>>>>> exception, >>>>>>> [W3C.REC-xmlschema-2-20041028] uses "XML Schema". Would you like >>>>>>> this >>>>>>> document to follow the capitalization style in [W3C.REC- >>>>>>> xmlschema- >>>>>>> 2- >>>>>>> 20041028] or stay with "XML schema"? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> = = = = = >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Regarding this item from question 41): >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Remote Attestation, which requires a link between >>>>>>>>>>>>>>>>> reference >>>>>>> integrity measurements (RIM) and Attester-produced event logs >>>>>>> that >>>>>>> complement attestation evidence [I-D.ietf-rats-architecture]. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Remote Attestation, which requires a link between >>>>>>>>>>>>>>>>> Reference >>>>>>> Integrity Manifests (RIM) and Attester-produced event logs that >>>>>>> complement >>>>>>> attestation evidence [I-D.ietf-rats-architecture]. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> We have updated this document to use "Reference >>>>>>>>>>>>>>>> Integrity >>>>>>> Manifests (RIMs)". Please let us know if "reference integrity >>>>>>> measurements" in >>>>>>> Section 7 should be updated. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> = = = = = >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The latest files are posted here. Please refresh your >>>>>>>>>>>>>>>> browser: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- >>>>>>>>>>>>>>>> auth48diff.html >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- >>>>>>>>>>>>>>>> lastrfcdiff.html >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html >>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks again for your help! >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> RFC Editor/lb >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On May 4, 2023, at 9:08 AM, Charles M Schmidt >>>>>>> <cmschmidt@mitre.org> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thank you for the feedback. I've included responses to >>>>>>>>>>>>>>>>> all questions >>>>>>> in this email. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 1) This question is directed at Roman >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 2) Please add the zip code for Jessica: >>>>>>>>>>>>>>>>> Author' Addresses: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Jessica Fitzgerald-McKay >>>>>>>>>>>>>>>>> National Security Agency >>>>>>>>>>>>>>>>> 9800 Savage Road >>>>>>>>>>>>>>>>> Ft. Meade, Maryland >>>>>>>>>>>>>>>>> United States of America >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Jessica Fitzgerald-McKay >>>>>>>>>>>>>>>>> National Security Agency >>>>>>>>>>>>>>>>> 9800 Savage Road >>>>>>>>>>>>>>>>> Ft. Meade, Maryland 20755 >>>>>>>>>>>>>>>>> United States of America >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 3) Email of 5/2 noted that this question is removed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 4) Agree with proposed change: >>>>>>>>>>>>>>>>> Abstract: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> CoSWID supports a similar set of semantics and features >>>>>>>>>>>>>>>>> as SWID >>>>>>> tags, as well as new semantics that allow CoSWIDs to describe >>>>>>> additional types >>>>>>> of information, all in a more memory efficient format. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> CoSWID supports a set of semantics and features that >>>>>>>>>>>>>>>>> are >>>>>>>>>>>>>>>>> similar >>>>>>> to those for SWID tags, as well as new semantics that allow >>>>>>> CoSWIDs >>>>>>> to >>>>>>> describe additional types of information, all in a more memory- >>>>>>> efficient format. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 5) Agree with proposed change: >>>>>>>>>>>>>>>>> Section 1.1 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> The SWID specification and supporting guidance provided >>>>>>>>>>>>>>>>> in NIST >>>>>>> Internal Report (NISTIR) 8060: Guidelines for the Creation of >>>>>>> Interoperable >>>>>>> SWID Tags [SWID-GUIDANCE] defines four types of SWID tags: >>>>>>> primary, >>>>>>> patch, >>>>>>> corpus, and supplemental. The following text is paraphrased >>>>>>> from >>>>>>> these >>>>>>> sources. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> The SWID specification and supporting guidance provided >>>>>>>>>>>>>>>>> in NIST >>>>>>> Internal Report (NISTIR) 8060 ("Guidelines for the Creation of >>>>>>> Interoperable >>>>>>> Software Identification (SWID) Tags") [SWID-GUIDANCE] define four >>>>>>> types of >>>>>>> SWID tags: primary, patch, corpus, and supplemental. The >>>>>>> following >>>>>>> text is >>>>>>> paraphrased from these sources. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 6) Text is correct as is. A primary tag is indicated by >>>>>>>>>>>>>>>>> not setting any >>>>>>> of the other indices for other tags. As such, it does not need >>>>>>> its >>>>>>> own index. >>>>>>> Primary tags are described in section 1.1. NO CHANGE. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 7) Agree with proposed text (with a slight change in >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> comma >>>>>>> position at the end): >>>>>>>>>>>>>>>>> Section 1.1: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Tags are deployed and previously deployed tags that are >>>>>>>>>>>>>>>>> typically >>>>>>> removed (indicated by an "x" prefix) at each lifecycle stage, as >>>>>>> follows: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Tags are deployed, and previously deployed tags are >>>>>>>>>>>>>>>>> typically >>>>>>> removed (indicated by an "x" prefix), at each lifecycle stage as >>>>>>> follows: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 8) All "Note:" entries should be <aside>s. >>>>>>>>>>>>>>>>> Section 1.1: The paragraph that starts with "Note" >>>>>>>>>>>>>>>>> should >>>>>>>>>>>>>>>>> be an >>>>>>> <aside>. Also, it should be indented but without a lead bullet. >>>>>>> The >>>>>>> Note >>>>>>> paragraph is a second paragraph that is part of the preceding >>>>>>> bullet on >>>>>>> Software Upgrading. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> - Software Upgrading. As a software component is >>>>>>>>>>>>>>>>> upgraded >>>>>>>>>>>>>>>>> to a >>>>>>>>>>>>>>>>> new version, new primary and supplemental tags replace >>>>>>>>>>>>>>>>> existing tags, enabling timely and accurate tracking of >>>>>>>>>>>>>>>>> updates to software inventory. While not illustrated in >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> figure, a corpus tag can also provide information about >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> upgrade installer and dependencies that need to be >>>>>>>>>>>>>>>>> installed >>>>>>>>>>>>>>>>> before the upgrade. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Note: In the context of software tagging software >>>>>>>>>>>>>>>>> patching and >>>>>>>>>>>>>>>>> updating differ in an important way. When installing a >>>>>>>>>>>>>>>>> patch, a set >>>>>>>>>>>>>>>>> of file modifications are made to pre-installed >>>>>>>>>>>>>>>>> software >>>>>>>>>>>>>>>>> which do >>>>>>>>>>>>>>>>> not alter the version number or the descriptive >>>>>>>>>>>>>>>>> metadata >>>>>>>>>>>>>>>>> of an >>>>>>>>>>>>>>>>> installed software component. An update can also make a >>>>>>>>>>>>>>>>> set of >>>>>>> file >>>>>>>>>>>>>>>>> modifications, but the version number or the >>>>>>>>>>>>>>>>> descriptive >>>>>>>>>>>>>>>>> metadata >>>>>>> of >>>>>>>>>>>>>>>>> an installed software component are changed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> - Software Upgrading. As a software component is >>>>>>>>>>>>>>>>> upgraded >>>>>>>>>>>>>>>>> to a >>>>>>>>>>>>>>>>> new version, new primary and supplemental tags replace >>>>>>>>>>>>>>>>> existing tags, enabling timely and accurate tracking of >>>>>>>>>>>>>>>>> updates to software inventory. While not illustrated in >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> figure, a corpus tag can also provide information about >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> upgrade installer and dependencies that need to be >>>>>>>>>>>>>>>>> installed >>>>>>>>>>>>>>>>> before the upgrade. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Note: In the context of software tagging software >>>>>>>>>>>>>>>>> patching and >>>>>>>>>>>>>>>>> updating differ in an important way. When installing a >>>>>>>>>>>>>>>>> patch, a set >>>>>>>>>>>>>>>>> of file modifications are made to pre-installed >>>>>>>>>>>>>>>>> software >>>>>>>>>>>>>>>>> which do >>>>>>>>>>>>>>>>> not alter the version number or the descriptive >>>>>>>>>>>>>>>>> metadata >>>>>>>>>>>>>>>>> of an >>>>>>>>>>>>>>>>> installed software component. An update can also make a >>>>>>>>>>>>>>>>> set of >>>>>>> file >>>>>>>>>>>>>>>>> modifications, but the version number or the >>>>>>>>>>>>>>>>> descriptive >>>>>>>>>>>>>>>>> metadata >>>>>>> of >>>>>>>>>>>>>>>>> an installed software component are changed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Section 3: Make the whole paragraph that starts with >>>>>>>>>>>>>>>>> "Note" an >>>>>>> <aside>. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Section 6.2.4: Make the sentence that starts with >>>>>>>>>>>>>>>>> "Note:" >>>>>>>>>>>>>>>>> an >>>>>>> <aside>. Only this sentence should be an aside. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 9) Agree with proposed text: >>>>>>>>>>>>>>>>> Section 2: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> The integer values are defined in a registry specific >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> the kind of >>>>>>> value; the text values are not intended for interchange and >>>>>>> exclusively meant >>>>>>> for private use as defined in Section 6.2.2. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> The integer values are defined in a registry specific >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> the kind of >>>>>>> value; the text values are not intended for interchange and are >>>>>>> exclusively >>>>>>> meant for private use as defined in Section 6.2.2. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 10) Types need to be updated: >>>>>>>>>>>>>>>>> Global (in the xml lines 362, 366, 371, 382, 567, 735, >>>>>>>>>>>>>>>>> 759, 830, >>>>>>> 995, 1089, 1105, 1197, 1214)): >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> <sourcecode type="cddl"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" name="coswid-exposition.cddl"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> XML line 1243: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" markers="true"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" name="concise-swid-tag.cddl" >>>>>>> markers="true"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> XML line 2900: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" markers="true"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" name="sign1.cddl" >>>>>>>>>>>>>>>>> markers="true"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> XML line 2938: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" markers="true"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" name="sign.cddl" >>>>>>>>>>>>>>>>> markers="true"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> XML line 2999: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" markers="true"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> <sourcecode type="cddl" name="tags.cddl" >>>>>>>>>>>>>>>>> markers="true"> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 11) The author comment has been resolved and can be >>>>>>>>>>>>>>>>> removed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 12) This is not a verbatim quote. The quotation marks >>>>>>>>>>>>>>>>> should be >>>>>>> removed. >>>>>>>>>>>>>>>>> Section 2.1: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> The CDDL "text" type is represented in CBOR as a major >>>>>>>>>>>>>>>>> type 3, >>>>>>> which represents "a string of Unicode characters that [are] >>>>>>> encoded as UTF-8 >>>>>>> [RFC3629]" (see Section 3.1 of [RFC8949]). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> The CDDL "text" type is represented in CBOR as a major >>>>>>>>>>>>>>>>> type 3, >>>>>>> which represents a string of Unicode characters that [are] >>>>>>> encoded >>>>>>> as UTF-8 >>>>>>> [RFC3629] (see Section 3.1 of [RFC8949]). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 13) We request no change. Unlike the entity-entry and >>>>>>>>>>>>>>>>> link-entry >>>>>>> values, the version-scheme is relatively straightforward and >>>>>>> doesn't have or >>>>>>> need a section dedicated to it. We feel a reference from section >>>>>>> 4.1 is >>>>>>> unnecessary and (since only a small portion of that section deals >>>>>>> with version- >>>>>>> scheme) potentially confusing. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 14) The MUST NOT only applies to the "right part" of >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> value in >>>>>>> 6.7. Proposing the following change to avoid ambiguity. >>>>>>>>>>>>>>>>> Section 2.3: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> A textual tag-id MUST NOT contain a sequence of two >>>>>>>>>>>>>>>>> underscores >>>>>>> ("__", see Section 6.7). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> A textual tag-id value MUST NOT contain a sequence of >>>>>>>>>>>>>>>>> two >>>>>>> underscores ("__"). This is because a sequence of two underscores >>>>>>> is used to >>>>>>> separate the TAG_CREATOR_REGID value and UNIQUE_ID value in a >>>>>>> Software >>>>>>> Identifier and a sequence of two underscores in a tag-id value >>>>>>> could create >>>>>>> ambiguity when parsing this identifier. See Section 6.7. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 15) Replace confusing parenthetical >>>>>>>>>>>>>>>>> Section 2.3: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> - version-scheme (index 14): An integer or textual >>>>>>>>>>>>>>>>> value >>>>>>> representing the versioning scheme used for the software-version >>>>>>> item, as an >>>>>>> integer label with text escape (Section 2, for the "Version >>>>>>> Scheme" >>>>>>> registry >>>>>>> Section 4.1). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> - version-scheme (index 14): An integer or textual >>>>>>>>>>>>>>>>> value >>>>>>> representing the versioning scheme used for the software-version >>>>>>> item, as an >>>>>>> integer label with text escape. For the "Version Scheme" values, >>>>>>> see Section >>>>>>> 4.1. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 16) Agree with proposed change. >>>>>>>>>>>>>>>>> Section 2.3 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> link (index 4): Provides a means to establish >>>>>>>>>>>>>>>>> relationship arcs >>>>>>> between the tag and another items. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> link (index 4): Provides a means to establish >>>>>>>>>>>>>>>>> relationship arcs >>>>>>> between the tag and another item. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 17) Delete the confusing sentence. >>>>>>>>>>>>>>>>> Section 2.4 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> If all of the corpus, patch, and supplemental items are >>>>>>>>>>>>>>>>> "false", or if >>>>>>> the corpus item is set to "true", then a software-version item >>>>>>> MUST >>>>>>> be included >>>>>>> with a value set to the version of the software component. This >>>>>>> ensures that >>>>>>> primary and corpus tags have an identifiable software version. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> If all of the corpus, patch, and supplemental items are >>>>>>>>>>>>>>>>> "false", or if >>>>>>> the corpus item is set to "true", then a software-version item >>>>>>> MUST >>>>>>> be included >>>>>>> with a value set to the version of the software component. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 18) Agree with proposed change. >>>>>>>>>>>>>>>>> Section 2.6: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> role (index 33): An integer or textual value (integer >>>>>>>>>>>>>>>>> label with text >>>>>>> escape, see Section 2) representing the relationship(s) between >>>>>>> the >>>>>>> entity, and >>>>>>> this tag or the referenced software component. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> role (index 33): An integer or textual value (integer >>>>>>>>>>>>>>>>> label with text >>>>>>> escape; see Section 2) representing the relationship(s) between >>>>>>> the >>>>>>> entity and >>>>>>> this tag or the referenced software component. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 19) Should be 256..65536. >>>>>>>>>>>>>>>>> Section 2.7: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> $rel /= -356..65536 / text >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> $rel /= -256..65536 / text >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 20) Rephrase two bullets: >>>>>>>>>>>>>>>>> Section 2.7: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> - a URI-like expression with "swid:" as the scheme >>>>>>>>>>>>>>>>> refers >>>>>>>>>>>>>>>>> to >>>>>>> another SWID or CoSWID by the referenced tag's tag-id. This >>>>>>> expression needs >>>>>>> to be resolved in the context of the endpoint by software that >>>>>>> can >>>>>>> lookup other >>>>>>> SWID or CoSWID tags. For example, "swid:2df9de35-0aff-4a86-ace6- >>>>>>> f7dddd1ade4c" references the tag with the tag-id value "2df9de35- >>>>>>> 0aff-4a86- >>>>>>> ace6-f7dddd1ade4c". >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> - a URI-like expression with "swidpath:" as the scheme, >>>>>>>>>>>>>>>>> which >>>>>>> refers to another software tag via an XPATH query [W3C.REC- >>>>>>> xpath20- >>>>>>> 20101214] that matches items in that tag (Section 5.2). This >>>>>>> scheme >>>>>>> is >>>>>>> provided for compatibility with [SWID]. This specification does >>>>>>> not >>>>>>> define how >>>>>>> to resolve an XPATH query in the context of CBOR, see Section >>>>>>> 5.2. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> - a URI-like expression with "swid:" as the scheme >>>>>>>>>>>>>>>>> refers >>>>>>>>>>>>>>>>> to >>>>>>> another SWID or CoSWID by the referenced tag's tag-id. This >>>>>>> expression needs >>>>>>> to be resolved in the context of the endpoint by software that >>>>>>> can >>>>>>> lookup other >>>>>>> SWID or CoSWID tags. For example, "swid:2df9de35-0aff-4a86-ace6- >>>>>>> f7dddd1ade4c" references the tag with the tag-id value "2df9de35- >>>>>>> 0aff-4a86- >>>>>>> ace6-f7dddd1ade4c". See Section 5.1 for guidance on the "swid" >>>>>>> expression. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> - a URI-like expression with "swidpath:" as the scheme, >>>>>>>>>>>>>>>>> which >>>>>>> refers to another software tag via an XPATH query [W3C.REC- >>>>>>> xpath20- >>>>>>> 20101214] that matches items in that tag (Section 5.2). This >>>>>>> scheme >>>>>>> is >>>>>>> provided for compatibility with [SWID]. This specification does >>>>>>> not >>>>>>> define how >>>>>>> to resolve an XPATH query in the context of CBOR. See Section 5.2 >>>>>>> for guidance >>>>>>> on the "swidpath" expression. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 21) Agree with proposed changes. >>>>>>>>>>>>>>>>> Section 2.7: >>>>>>>>>>>>>>>>> * ownership (index 39): An integer or textual value >>>>>>>>>>>>>>>>> (integer label >>>>>>>>>>>>>>>>> with text escape, see Section 2, for the "Software ID >>>>>>>>>>>>>>>>> Link >>>>>>>>>>>>>>>>> Ownership Values" registry Section 4.3) used when the >>>>>>>>>>>>>>>>> "href" item >>>>>>>>>>>>>>>>> references another software component to indicate the >>>>>>>>>>>>>>>>> degree of >>>>>>>>>>>>>>>>> ownership between the software component referenced by >>>>>>>>>>>>>>>>> the >>>>>>> CoSWID >>>>>>>>>>>>>>>>> tag and the software component referenced by the link. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * rel (index 40): An integer or textual value that >>>>>>>>>>>>>>>>> (integer label >>>>>>>>>>>>>>>>> with text escape, see Section 2, for the "Software ID >>>>>>>>>>>>>>>>> Link Link >>>>>>>>>>>>>>>>> Relationship Values" registry Section 4.3) identifies >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> relationship between this CoSWID and the target >>>>>>>>>>>>>>>>> resource >>>>>>>>>>>>>>>>> identified by the "href" item. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * use (index 42): An integer or textual value (integer >>>>>>>>>>>>>>>>> label with >>>>>>>>>>>>>>>>> text escape, see Section 2, for the "Software ID Link >>>>>>>>>>>>>>>>> Link >>>>>>>>>>>>>>>>> Relationship Values" registry Section 4.3) used to >>>>>>>>>>>>>>>>> determine if >>>>>>>>>>>>>>>>> the referenced software component has to be installed >>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>> installing the software component identified by the >>>>>>>>>>>>>>>>> COSWID tag. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> * ownership (index 39): An integer or textual value >>>>>>>>>>>>>>>>> (integer label >>>>>>>>>>>>>>>>> with text escape; see Section 2). See Section 4.3 for >>>>>>>>>>>>>>>>> the list >>>>>>>>>>>>>>>>> of values available for this item. This item is used >>>>>>>>>>>>>>>>> when the >>>>>>>>>>>>>>>>> href item references another software component to >>>>>>>>>>>>>>>>> indicate the >>>>>>>>>>>>>>>>> degree of ownership between the software component >>>>>>>>>>>>>>>>> referenced >>>>>>> by >>>>>>>>>>>>>>>>> the CoSWID tag and the software component referenced by >>>>>>>>>>>>>>>>> the >>>>>>> link. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * rel (index 40): An integer or textual value >>>>>>>>>>>>>>>>> (integer >>>>>>>>>>>>>>>>> label with >>>>>>>>>>>>>>>>> text escape; see Section 2). See Section 4.4 for the >>>>>>>>>>>>>>>>> list of >>>>>>>>>>>>>>>>> values available for this item. This item identifies >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> relationship between this CoSWID and the target >>>>>>>>>>>>>>>>> resource >>>>>>>>>>>>>>>>> identified by the href item. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * use (index 42): An integer or textual value >>>>>>>>>>>>>>>>> (integer >>>>>>>>>>>>>>>>> label with >>>>>>>>>>>>>>>>> text escape; see Section 2). See Section 4.5 for the >>>>>>>>>>>>>>>>> list of >>>>>>>>>>>>>>>>> values available for this item. This item is used to >>>>>>>>>>>>>>>>> determine >>>>>>>>>>>>>>>>> if the referenced software component has to be >>>>>>>>>>>>>>>>> installed >>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>> installing the software component identified by the >>>>>>>>>>>>>>>>> CoSWID tag. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 22) Change i.e. to e.g. >>>>>>>>>>>>>>>>> Section 2.8: >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Examples of an entitlement-key might include a serial >>>>>>>>>>>>>>>>> number, >>>>>>> product key, or license key. For values that relate to a given >>>>>>> software >>>>>>> component install (i.e., license key), a supplemental tag will >>>>>>> typically contain >>>>>>> this information. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Examples of an entitlement-key might include a serial >>>>>>>>>>>>>>>>> number, >>>>>>> product key, or license key. For values that relate to a given >>>>>>> software >>>>>>> component install (e.g., license key), a supplemental tag will >>>>>>> typically contain >>>>>>> this information. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 23) "$$software-meta-extension" is correct >>>>>>>>>>>>>>>>> Section 2.8: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> $$meta-extension: This CDDL socket can be used to >>>>>>>>>>>>>>>>> extend >>>>>>>>>>>>>>>>> the >>>>>>> software-meta-entry group model. See Section 2.2. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> $$software-meta-extension: This CDDL socket can be used >>>>>>>>>>>>>>>>> to >>>>>>> extend the software-meta-entry group model. See Section 2.2. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 24) 65536 is correct >>>>>>>>>>>>>>>>> Section 2.10: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> $rel /= -256..64436 / text >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> $rel /= -256..65536 / text >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> ; supplemental=11 ; this is already defined earlier >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> ; supplemental=11 ; already defined in the "global map >>>>>>>>>>>>>>>>> member" >>>>>>> integer indices >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 25) Revised text >>>>>>>>>>>>>>>>> Section 3: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Note: Multiple of the corpus, patch, and supplemental >>>>>>>>>>>>>>>>> items can >>>>>>> have values set as "true". The rules above provide a means to >>>>>>> determine the >>>>>>> tag's type in such a case. For example, a SWID or CoSWID tag for >>>>>>> a patch >>>>>>> installer might have both corpus and patch items set to "true". >>>>>>> In such a case, >>>>>>> the tag is a "Corpus Tag". The tag installed by this installer >>>>>>> would have only >>>>>>> the patch item set to "true", making the installed tag type a >>>>>>> "Patch Tag". >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Note: It is possible for some or all of the corpus, >>>>>>>>>>>>>>>>> patch, and >>>>>>> supplemental items to simultaneously have values set as "true". >>>>>>> The >>>>>>> rules >>>>>>> above provide a means to determine the tag's type in such a case. >>>>>>> For >>>>>>> example, a SWID or CoSWID tag for a patch installer might have >>>>>>> both >>>>>>> corpus >>>>>>> and patch items set to "true". In such a case, the tag is a >>>>>>> "Corpus Tag". The tag >>>>>>> installed by this installer would have only the patch item set to >>>>>>> "true", making >>>>>>> the installed tag type a "Patch Tag". >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 26) Agree with proposed text >>>>>>>>>>>>>>>>> Section 4: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> This section defines a number of kinds of indexed label >>>>>>>>>>>>>>>>> values that >>>>>>> are maintained in a registry each (Section 6). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> This section defines multiple kinds of indexed label >>>>>>>>>>>>>>>>> values that are >>>>>>> maintained in several IANA registries. See Section 6 for >>>>>>> details. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 27) Agree with proposed text >>>>>>>>>>>>>>>>> Table 6: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> | 10 | supersedes | The link references >>>>>>>>>>>>>>>>> another >>>>>>>>>>>>>>>>> | >>>>>>>>>>>>>>>>> | | | software that this >>>>>>>>>>>>>>>>> software >>>>>>>>>>>>>>>>> | >>>>>>>>>>>>>>>>> | | | replaces. A patch tag >>>>>>>>>>>>>>>>> (see >>>>>>>>>>>>>>>>> | >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> | 10 | supersedes | The link references other >>>>>>>>>>>>>>>>> software | >>>>>>>>>>>>>>>>> | | | (e.g., an older software >>>>>>>>>>>>>>>>> version) | >>>>>>>>>>>>>>>>> | | | that this software >>>>>>>>>>>>>>>>> replaces. A path tag (see | >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 28) Agree with proposed text: >>>>>>>>>>>>>>>>> Section 6.2.1: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> This allows values -1 to -24 to be expressed as a >>>>>>>>>>>>>>>>> single >>>>>>>>>>>>>>>>> uint_8t in >>>>>>> CBOR, and values -25 to -256 to be expressed using an additional >>>>>>> uint_8t in >>>>>>> CBOR. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> This allows values -1 to -24 to be expressed as a >>>>>>>>>>>>>>>>> single >>>>>>>>>>>>>>>>> uint8_t in >>>>>>> CBOR, and values -25 to -256 to be expressed using an additional >>>>>>> uint8_t in >>>>>>> CBOR. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 29) Agree with proposed text: >>>>>>>>>>>>>>>>> Sections 6.2.4 through 6.2.8 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Version >>>>>>>>>>>>>>>>> Scheme >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below, which are derived from the >>>>>>>>>>>>>>>>> textual >>>>>>> version scheme names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Entity Role >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below, which are derived from the >>>>>>>>>>>>>>>>> textual >>>>>>> entity role names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link >>>>>>>>>>>>>>>>> Ownership >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below, which are derived from the >>>>>>>>>>>>>>>>> textual >>>>>>> entity role names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link >>>>>>>>>>>>>>>>> Relationship Values" >>>>>>>>>>>>>>>>> registry are provided below, which are derived from the >>>>>>>>>>>>>>>>> link >>>>>>> relationship values defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link Use >>>>>>>>>>>>>>>>> Values" registry >>>>>>> are provided below, which are derived from the link relationship >>>>>>> values >>>>>>> defined in [SWID]. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Version >>>>>>>>>>>>>>>>> Scheme >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below and are derived from the >>>>>>>>>>>>>>>>> textual >>>>>>> version scheme names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Entity Role >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below and are derived from the >>>>>>>>>>>>>>>>> textual entity >>>>>>> role names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link >>>>>>>>>>>>>>>>> Ownership >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below and are derived from the >>>>>>>>>>>>>>>>> textual entity >>>>>>> role names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link >>>>>>>>>>>>>>>>> Relationship Values" >>>>>>>>>>>>>>>>> registry are provided below and are derived from the >>>>>>>>>>>>>>>>> link >>>>>>> relationship values defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link Use >>>>>>>>>>>>>>>>> Values" registry >>>>>>> are provided below and are derived from the link relationship >>>>>>> values defined in >>>>>>> [SWID]. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 30) Use "software-version item" >>>>>>>>>>>>>>>>> Section 6.2.4 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> define a value space for the corresponding version item >>>>>>>>>>>>>>>>> that is >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> define a value space for the corresponding software- >>>>>>>>>>>>>>>>> version item >>>>>>> that is >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 31) Change to underscore >>>>>>>>>>>>>>>>> Sections 7 and 8 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> COSE-Sign1-coswid<payload> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> COSE_Sign1-coswid<payload> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> COSE-Sign-coswid<payload> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> COSE_Sign-coswid<payload> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 32) Agree with proposed removal of extraneous space. >>>>>>>>>>>>>>>>> Section 7: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> signature : bstr --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> signature: bstr --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 33) Agree with proposed text: >>>>>>>>>>>>>>>>> Section 8: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Consecutively, the CBOR tag for CoSWID tags defined in >>>>>>>>>>>>>>>>> Table 21 >>>>>>> SHOULD be used in conjunction with CBOR data items that are a >>>>>>> CoSWID tags. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Consequently, the CBOR tag defined by this document >>>>>>>>>>>>>>>>> (Table 21) >>>>>>> for CoSWID tags SHOULD be used in conjunction with CBOR data >>>>>>> items >>>>>>> that are >>>>>>> CoSWID tags. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 34) Rephrase >>>>>>>>>>>>>>>>> Section 8 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> a tagged CoSWID tag >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> a CBOR-tagged CoSWID tag >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 35) Agree with proposed text >>>>>>>>>>>>>>>>> Section 9: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> A signed CoSWID tag (see Section 7) whose signature has >>>>>>>>>>>>>>>>> been >>>>>>> validated can be relied upon to be unchanged since it was signed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> A signed CoSWID tag (see Section 7) whose signature has >>>>>>>>>>>>>>>>> been >>>>>>> validated can be relied upon to be unchanged since the time at >>>>>>> which it was >>>>>>> signed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 36) Agree with the first proposed text. >>>>>>>>>>>>>>>>> Section 9: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> A certification path between a trust anchor and a >>>>>>>>>>>>>>>>> certificate >>>>>>> including a public key enabling the validation of a tag signature >>>>>>> can realize the >>>>>>> assessment of trustworthiness of an authoritative tag. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> A certification path between a trust anchor and a >>>>>>>>>>>>>>>>> certificate, >>>>>>> including a public key enabling the validation of a tag >>>>>>> signature, >>>>>>> can realize the >>>>>>> assessment of trustworthiness of an authoritative tag. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 37) Reword >>>>>>>>>>>>>>>>> Section 9: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> This requires an association between the signature and >>>>>>>>>>>>>>>>> the tag's >>>>>>> entity item associated corresponding to the software provider. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> This requires verifying that party that signed the tag >>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>> the same >>>>>>> party given in the software-creator role of the tag's entity >>>>>>> item. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 38) Replace with "limited to" >>>>>>>>>>>>>>>>> Section 9: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Access to the collection of an endpoint's CoSWID tags >>>>>>>>>>>>>>>>> needs to be >>>>>>> appropriately controlled to authorized applications and users >>>>>>> using >>>>>>> an >>>>>>> appropriate access control mechanism. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Access to the collection of an endpoint's CoSWID tags >>>>>>>>>>>>>>>>> needs to be >>>>>>> limited to authorized applications and users using an appropriate >>>>>>> access control >>>>>>> mechanism. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 39) Agree with proposed text >>>>>>>>>>>>>>>>> References: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> [W3C.REC-css3-mediaqueries-20120619] >>>>>>>>>>>>>>>>> Rivoal, F., Ed., "Media Queries", W3C REC REC-css3- >>>>>>>>>>>>>>>>> mediaqueries- >>>>>>> 20120619, W3C REC-css3-mediaqueries-20120619, 19 June 2012, >>>>>>> <https://www.w3.org/TR/2012/REC-css3-mediaqueries-20120619/>. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> [W3C.REC-css3-mediaqueries-20120619] >>>>>>>>>>>>>>>>> Rivoal, F., Ed., "Media Queries", W3C REC REC-css3- >>>>>>>>>>>>>>>>> mediaqueries- >>>>>>> 20120619, W3C REC-css3-mediaqueries-20120619, 19 June 2012, >>>>>>> <https://www.w3.org/TR/mediaqueries-3/>. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 40) Document was reviewed for inclusive language. >>>>>>>>>>>>>>>>> Authors >>>>>>>>>>>>>>>>> did >>>>>>> not identify any other issues. In looking for a replacement for >>>>>>> "whitespace", >>>>>>> none of the proposed replacements were seen as adequate because >>>>>>> they were >>>>>>> not sufficiently comprehensive to include all the types of >>>>>>> characters that fall >>>>>>> under the general term of "whitespace". If you have a suggestion >>>>>>> we >>>>>>> would be >>>>>>> open to using it, but currently do not have an adequate >>>>>>> replacement. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 41) Normalizations: >>>>>>>>>>>>>>>>> Global: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> URI-scheme >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> URI scheme >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * Note: one instance of "URI-scheme" is in a URL, and >>>>>>>>>>>>>>>>> thus should >>>>>>> not be changed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> XPATH >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> XPath >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Private Use >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> private use >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * NOTE: one instance of "Private Use" is in a section >>>>>>>>>>>>>>>>> title and >>>>>>> should not be changed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> XML Schema >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> XML schema >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * NOTE: one instance of "XML Schema" is in the title of >>>>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>>> reference >>>>>>> and it should not be changed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> indexes >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> indices >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> "href" item >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> href item >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> "role" item >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW >>>>>>>>>>>>>>>>> role item >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Section 1: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> Remote Attestation, which requires a link between >>>>>>>>>>>>>>>>> reference >>>>>>> integrity measurements (RIM) and Attester-produced event logs >>>>>>> that >>>>>>> complement attestation evidence [I-D.ietf-rats-architecture]. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> Remote Attestation, which requires a link between >>>>>>>>>>>>>>>>> Reference >>>>>>> Integrity Manifests (RIM) and Attester-produced event logs that >>>>>>> complement >>>>>>> attestation evidence [I-D.ietf-rats-architecture]. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I believe this addresses all of your questions and >>>>>>>>>>>>>>>>> feedback. Please >>>>>>> let me know if I missed anything or if any part of this response >>>>>>> is >>>>>>> unclear. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thanks a bunch, >>>>>>>>>>>>>>>>> Charles >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>>>>>> From: rfc-editor@rfc-editor.org <rfc-editor@rfc- >>>>>>>>>>>>>>>>> editor.org> >>>>>>>>>>>>>>>>> Sent: Friday, April 14, 2023 4:46 PM >>>>>>>>>>>>>>>>> To: henk.birkholz@sit.fraunhofer.de; >>>>>>>>>>>>>>>>> jmfitz2@cyber.nsa.gov; >>>>>>> Charles M Schmidt <cmschmidt@mitre.org>; Waltermire, David >>>>>>> <david.waltermire@nist.gov> >>>>>>>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; sacm-ads@ietf.org; sacm- >>>>>>> chairs@ietf.org; Inacio, Christopher <inacio@cert.org>; >>>>>>> rdd@cert.org; >>>>>>> auth48archive@rfc-editor.org >>>>>>>>>>>>>>>>> Subject: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- >>>>>>>>>>>>>>>>> ietf-sacm- >>>>>>> coswid-24> for your review >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Authors and *Roman (AD), >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> While reviewing this document during AUTH48, please >>>>>>>>>>>>>>>>> resolve (as >>>>>>> necessary) the following questions, which are also in the XML >>>>>>> file. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> *AD, please see question #1. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 1) <!-- [rfced] *AD - This document underwent two >>>>>>>>>>>>>>>>> version >>>>>>>>>>>>>>>>> changes >>>>>>> since version -22, which we edited last year; we later received >>>>>>> notifications for >>>>>>> versions -23 and -24. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> We manually incorporated the updates by looking at the >>>>>>>>>>>>>>>>> diff >>>>>>> between version -22 and version -24 on the Datatracker. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please review the changes to Sections 5 and 6 >>>>>>>>>>>>>>>>> carefully, >>>>>>>>>>>>>>>>> and let us >>>>>>> know if you approve. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 2) <!-- [rfced] Authors' Addresses: Jessica >>>>>>>>>>>>>>>>> Fitzgerald- >>>>>>>>>>>>>>>>> McKay's >>>>>>> contact information is the only listing that does not include a >>>>>>> postal code. >>>>>>>>>>>>>>>>> If you would like us to include a postal code, please >>>>>>>>>>>>>>>>> provide it. >>>>>>>>>>>>>>>>> (We see "20755" used in >>>>>>>>>>>>>>>>> draft-ietf-rats-tpm-based-network-device-attest.) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Jessica Fitzgerald-McKay >>>>>>>>>>>>>>>>> National Security Agency >>>>>>>>>>>>>>>>> 9800 Savage Road >>>>>>>>>>>>>>>>> Ft. Meade, Maryland >>>>>>>>>>>>>>>>> United States of America >>>>>>>>>>>>>>>>> Email: jmfitz2@cyber.nsa.gov --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 3) <!-- [rfced] As it appears that "LocalWords" as >>>>>>>>>>>>>>>>> listed after the >>>>>>> Acknowledgments section in the original XML file refers to "key >>>>>>> words" as >>>>>>> defined in RFC 2119, we list them here as key words and have >>>>>>> added >>>>>>> them to >>>>>>> our database record for this document. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If this is incorrect, please insert any keywords >>>>>>>>>>>>>>>>> (beyond >>>>>>>>>>>>>>>>> those that >>>>>>> appear in the title) for use on <https://www.rfc- >>>>>>> editor.org/search>, >>>>>>>>>>>>>>>>> and we will update the <keyword> settings here and in >>>>>>>>>>>>>>>>> our >>>>>>> database record accordingly. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> LocalWords: SWID verifier TPM filesystem discoverable >>>>>>>>>>>>>>>>> CoSWID -- >>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 4) <!-- [rfced] Abstract: To what does "similar" refer >>>>>>>>>>>>>>>>> in this >>>>>>> sentence? If the suggested text is not correct, please provide >>>>>>> clarifying text. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> CoSWID supports a similar set of >>>>>>>>>>>>>>>>> semantics and features as SWID tags, as well as new >>>>>>>>>>>>>>>>> semantics >>>>>>> that allow CoSWIDs to describe additional types of information, >>>>>>> all in a more >>>>>>> memory efficient format. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Suggested: >>>>>>>>>>>>>>>>> CoSWID supports a set of >>>>>>>>>>>>>>>>> semantics and features that are similar to those for >>>>>>>>>>>>>>>>> SWID >>>>>>>>>>>>>>>>> tags, as >>>>>>> well as new semantics that allow CoSWIDs to describe additional >>>>>>> types of >>>>>>> information, all in a more memory-efficient format. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 5) <!-- [rfced] Section 1.1: Because we see >>>>>>>>>>>>>>>>> "paraphrased >>>>>>>>>>>>>>>>> from >>>>>>> these sources", we changed "defines" to "define" in the sentence >>>>>>> that precedes >>>>>>> it. If this is incorrect, please provide clarifying text. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> The SWID specification and supporting guidance provided >>>>>>>>>>>>>>>>> in NIST >>>>>>> Internal Report (NISTIR) 8060: Guidelines for the Creation of >>>>>>> Interoperable >>>>>>> SWID Tags [SWID-GUIDANCE] defines four types of SWID >>>>>>>>>>>>>>>>> tags: primary, patch, corpus, and supplemental. The >>>>>>>>>>>>>>>>> following text >>>>>>> is paraphrased from these sources. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Currently: >>>>>>>>>>>>>>>>> The SWID specification and supporting guidance provided >>>>>>>>>>>>>>>>> in NIST >>>>>>> Internal Report (NISTIR) 8060 ("Guidelines for the Creation of >>>>>>> Interoperable >>>>>>> Software Identification (SWID) Tags") [SWID-GUIDANCE] define >>>>>>> four >>>>>>> types of >>>>>>> SWID tags: primary, patch, corpus, and supplemental. The >>>>>>> following text is >>>>>>> paraphrased from these sources. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 6) <!-- [rfced] Section 1.1: Section 2.3 does not >>>>>>>>>>>>>>>>> contain a >>>>>>> description of the primary tag type. We also see that the >>>>>>> primary >>>>>>> tag type does >>>>>>> not have an index number, as do the other three types. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please confirm that (1) the lack of a description for >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> primary tag >>>>>>> type in Section 2.3 will not be an issue for readers and (2) the >>>>>>> primary tag type >>>>>>> should not have an index number. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original ("four tags types" has been changed to "four >>>>>>>>>>>>>>>>> tag >>>>>>>>>>>>>>>>> types"): >>>>>>>>>>>>>>>>> A detailed description of the four >>>>>>>>>>>>>>>>> tags types is provided in Section 2.3. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 7) <!-- [rfced] Section 1.1: This sentence did not >>>>>>>>>>>>>>>>> parse. We >>>>>>> changed "that are typically removed" to "are typically removed". >>>>>>> If this is >>>>>>> incorrect, please provide clarifying text. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Tags are deployed and >>>>>>>>>>>>>>>>> previously deployed tags that are typically removed >>>>>>>>>>>>>>>>> (indicated by >>>>>>> an "x" prefix) at each lifecycle stage, as follows: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Currently: >>>>>>>>>>>>>>>>> Tags are deployed, and >>>>>>>>>>>>>>>>> previously deployed tags are typically removed >>>>>>>>>>>>>>>>> (indicated >>>>>>>>>>>>>>>>> by an "x" >>>>>>>>>>>>>>>>> prefix) at each lifecycle stage, as follows: --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 8) <!-- [rfced] Please review whether any of the >>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>> "Note:" >>>>>>>>>>>>>>>>> paragraphs in this document should be in the <aside> >>>>>>>>>>>>>>>>> element. >>>>>>>>>>>>>>>>> <aside> is defined as "a container for content that is >>>>>>>>>>>>>>>>> semantically >>>>>>> less important or tangential to the content that surrounds it" >>>>>>>>>>>>>>>>> (https://authors.ietf.org/en/rfcxml-vocabulary#aside) >>>>>>>>>>>>>>>>> --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 9) <!-- [rfced] Section 2: It appears that one or more >>>>>>>>>>>>>>>>> words are >>>>>>> missing from this sentence. Should "and exclusively meant" be >>>>>>> "and >>>>>>> are >>>>>>> exclusively meant"? If not, please provide clarifying text. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> The integer values are defined in a registry specific >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> the kind of >>>>>>> value; the text values are not intended for interchange and >>>>>>> exclusively meant >>>>>>> for private use as defined in Section 6.2.2. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 10) <!-- [rfced] Please review the "type" attribute of >>>>>>>>>>>>>>>>> each >>>>>>> sourcecode element in the XML file to ensure correctness. If the >>>>>>> current list of >>>>>>> preferred values for "type" >>>>>>>>>>>>>>>>> (https://www.rfc-editor.org/materials/sourcecode- >>>>>>>>>>>>>>>>> types.txt) >>>>>>>>>>>>>>>>> does not contain an applicable type, please let us >>>>>>>>>>>>>>>>> know. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Also, please review the remaining two instances of the >>>>>>>>>>>>>>>>> artwork >>>>>>> element. Should any of the artwork elements be tagged as >>>>>>> sourcecode or >>>>>>> another type of element? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please note that (1) for the ABNF in Section 6.7, we >>>>>>>>>>>>>>>>> changed >>>>>>> artwork to sourcecode with type="abnf" and (2) we changed the >>>>>>> instances of >>>>>>> sourcecode types "cddl;example" to "cddl", as "cddl;example" is >>>>>>> not >>>>>>> included >>>>>>> on <https://www.rfc-editor.org/materials/sourcecode-types.txt>. >>>>>>>>>>>>>>>>> Please let us know any concerns. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 11) <!-- [rfced] Please let us know if any updates are >>>>>>>>>>>>>>>>> needed >>>>>>> regarding this author comment as seen in the original approved >>>>>>> document. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Hmm, duplicate detection doesn't work in CDDL tool >>>>>>>>>>>>>>>>> here. >>>>>>>>>>>>>>>>> --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 12) <!-- [rfced] Section 2.1: Because this text is >>>>>>>>>>>>>>>>> quoted, we >>>>>>> searched RFCs 3629 and 8949 but could not find this text in >>>>>>> either >>>>>>> RFC. To >>>>>>> avoid possible reader confusion, may we either rephrase as >>>>>>> suggested or >>>>>>> remove the quotes? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> The CDDL "text" type is represented in CBOR as a major >>>>>>>>>>>>>>>>> type 3, >>>>>>> which represents "a string of Unicode characters that [are] >>>>>>> encoded as >>>>>>>>>>>>>>>>> UTF-8 [RFC3629]" (see Section 3.1 of [RFC8949]). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Suggested (per RFC 8949): >>>>>>>>>>>>>>>>> The CDDL "text" type is represented in CBOR as a major >>>>>>>>>>>>>>>>> type 3, >>>>>>> which represents a string of Unicode characters that are >>>>>>> "encoded >>>>>>> as >>>>>>>>>>>>>>>>> UTF-8 [RFC3629]" (see Section 3.1 of [RFC8949]). --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 13) <!-- [rfced] Table 2: All "$" entries in this >>>>>>>>>>>>>>>>> table, >>>>>>>>>>>>>>>>> except for >>>>>>> $version-scheme, are indirectly cited in their respective >>>>>>> subsections of Section >>>>>>> 4. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Per the pattern of indirect citations used for the >>>>>>>>>>>>>>>>> other >>>>>>>>>>>>>>>>> entries >>>>>>> (where the other entries point to Sections 2.6 ("The entity-entry >>>>>>>>>>>>>>>>> Map") and 2.7 ("The link-entry Map")), may we update >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> first >>>>>>> sentence of Section 4.1 so that the sentence cites Section 2.3 >>>>>>> ("The concise- >>>>>>> swid-tag Map")? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original (Table 2 and Section 4.1): >>>>>>>>>>>>>>>>> | version-scheme | $version-scheme | Section 4.1 | >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> The following table contains a set of values for use in >>>>>>>>>>>>>>>>> the concise- >>>>>>> swid-tag group's version-scheme item. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Suggested (Section 4.1): >>>>>>>>>>>>>>>>> The following table contains a set of values for use in >>>>>>>>>>>>>>>>> the concise- >>>>>>> swid-tag group's version-scheme item (see Section 2.3). --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 14) <!-- [rfced] Section 2.3: This sentence seems to >>>>>>>>>>>>>>>>> contradict the >>>>>>> cited information in Section 6.7. If the text below is correct >>>>>>> as >>>>>>> is, please >>>>>>> confirm that "... MUST NOT contain a sequence of two underscores" >>>>>>> and "... are >>>>>>> connected with a double underscore (_)" >>>>>>>>>>>>>>>>> will be clear to readers. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> A textual >>>>>>>>>>>>>>>>> tag-id MUST NOT contain a sequence of two underscores >>>>>>>>>>>>>>>>> ("__", see >>>>>>>>>>>>>>>>> Section 6.7). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> From Section 6.7: >>>>>>>>>>>>>>>>> If the tag-id item's >>>>>>>>>>>>>>>>> value is expressed as a 16-byte binary string, the >>>>>>>>>>>>>>>>> UNIQUE_ID MUST >>>>>>> be represented using the UUID string representation defined in >>>>>>> [RFC4122] >>>>>>> including the "urn:uuid:" prefix. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The TAG_CREATOR_REGID and the UNIQUE_ID are connected >>>>>>>>>>>>>>>>> with >>>>>>> a double underscore (_), without any other connecting character >>>>>>> or >>>>>>> whitespace. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 15) <!-- [rfced] Section 2.3: We had trouble following >>>>>>>>>>>>>>>>> the meaning >>>>>>> of the parenthetical phrase in this sentence. Also, we could not >>>>>>> find a '"Version >>>>>>> Scheme" registry'; this appears to refer to the "Software ID >>>>>>> Version Scheme >>>>>>> Values" registry, as mentioned a few lines after this sentence. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If the suggested text is not correct, please provide >>>>>>>>>>>>>>>>> text >>>>>>>>>>>>>>>>> that >>>>>>> clarifies the meaning of "(Section 2, for the "Version Scheme" >>>>>>>>>>>>>>>>> registry Section 4.1)". >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> * version-scheme (index 14): An integer or textual >>>>>>>>>>>>>>>>> value >>>>>>>>>>>>>>>>> representing the versioning scheme used for the >>>>>>>>>>>>>>>>> software- >>>>>>>>>>>>>>>>> version >>>>>>>>>>>>>>>>> item, as an integer label with text escape (Section 2, >>>>>>>>>>>>>>>>> for the >>>>>>>>>>>>>>>>> "Version Scheme" registry Section 4.1). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Suggested: >>>>>>>>>>>>>>>>> * version-scheme (index 14): An integer or textual >>>>>>>>>>>>>>>>> value >>>>>>>>>>>>>>>>> representing the versioning scheme used for the >>>>>>>>>>>>>>>>> software- >>>>>>>>>>>>>>>>> version >>>>>>>>>>>>>>>>> item, as an integer label with text escape (Section 2). >>>>>>>>>>>>>>>>> See >>>>>>>>>>>>>>>>> Section 4.1 for the list of values available for this >>>>>>>>>>>>>>>>> item. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 16) <!-- [rfced] Section 2.3: As it appears that >>>>>>>>>>>>>>>>> "another items" >>>>>>> should be "another item", we updated this sentence accordingly. >>>>>>> If >>>>>>> this is >>>>>>> incorrect, please clarify this text. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> * link (index 4): Provides a means to establish >>>>>>>>>>>>>>>>> relationship arcs >>>>>>>>>>>>>>>>> between the tag and another items. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Currently: >>>>>>>>>>>>>>>>> link (index 4): Provides a means to establish >>>>>>>>>>>>>>>>> relationship arcs >>>>>>>>>>>>>>>>> between the tag and another item. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 17) <!-- [rfced] Section 2.4: Does "software version" >>>>>>>>>>>>>>>>> here refer to >>>>>>> the software-version item or to a software version in general? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> This ensures that primary and corpus tags have an >>>>>>>>>>>>>>>>> identifiable >>>>>>> software version. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 18) <!-- [rfced] Section 2.6: As it appears that this >>>>>>>>>>>>>>>>> sentence means >>>>>>> "... between (1) the entity and (2) this tag or the referenced >>>>>>> software >>>>>>> component", we removed the comma after "entity" to avoid reader >>>>>>> confusion. >>>>>>> If this is incorrect (e.g., the intent is to say "between >>>>>>> entities"), please provide >>>>>>> clarifying text. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> * role (index 33): An integer or textual value >>>>>>>>>>>>>>>>> (integer >>>>>>>>>>>>>>>>> label with >>>>>>>>>>>>>>>>> text escape, see Section 2) representing the >>>>>>>>>>>>>>>>> relationship(s) >>>>>>>>>>>>>>>>> between the entity, and this tag or the referenced >>>>>>>>>>>>>>>>> software >>>>>>>>>>>>>>>>> component. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Currently: >>>>>>>>>>>>>>>>> role (index 33): An integer or textual value (integer >>>>>>>>>>>>>>>>> label with >>>>>>>>>>>>>>>>> text escape; see Section 2) representing the >>>>>>>>>>>>>>>>> relationship(s) >>>>>>>>>>>>>>>>> between the entity and this tag or the referenced >>>>>>>>>>>>>>>>> software >>>>>>>>>>>>>>>>> component. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 19) <!-- [rfced] Section 2.7: Please confirm that "- >>>>>>>>>>>>>>>>> 356..65536" and >>>>>>> not "-256..65535" is correct here. We ask because we do not see >>>>>>> this range >>>>>>> used anywhere else. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> $rel /= -356..65536 / text --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 20) <!-- [rfced] Section 2.7: We do not see CBOR >>>>>>>>>>>>>>>>> mentioned in >>>>>>> Section 5.2. Please confirm that this citation is correct and >>>>>>> will >>>>>>> be clear to >>>>>>> readers. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> This specification >>>>>>>>>>>>>>>>> does not define how to resolve an XPATH query in the >>>>>>>>>>>>>>>>> context of >>>>>>> CBOR, see Section 5.2. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Possibly (perhaps the intent was to point to the XPath >>>>>>>>>>>>>>>>> query or >>>>>>>>>>>>>>>>> expression?): >>>>>>>>>>>>>>>>> This specification does not define how to resolve an >>>>>>>>>>>>>>>>> XPath >>>>>>> expression (Section 5.2) in the context of CBOR. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 21) <!-- [rfced] Section 2.7: We had trouble following >>>>>>>>>>>>>>>>> the three >>>>>>> instances of "... registry Section 4.3" in this section. If the >>>>>>> suggested text is not >>>>>>> correct, please provide text that clarifies the meanings of these >>>>>>> citations. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please note that in the second and third suggestions we >>>>>>>>>>>>>>>>> (1) suggest different section numbers, as there appear >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> be some >>>>>>> section-number mismatches and (2) changed "COSWID" to "CoSWID". >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> * ownership (index 39): An integer or textual value >>>>>>>>>>>>>>>>> (integer label >>>>>>>>>>>>>>>>> with text escape, see Section 2, for the "Software ID >>>>>>>>>>>>>>>>> Link >>>>>>>>>>>>>>>>> Ownership Values" registry Section 4.3) used when the >>>>>>>>>>>>>>>>> "href" item >>>>>>>>>>>>>>>>> references another software component to indicate the >>>>>>>>>>>>>>>>> degree of >>>>>>>>>>>>>>>>> ownership between the software component referenced by >>>>>>>>>>>>>>>>> the >>>>>>> CoSWID >>>>>>>>>>>>>>>>> tag and the software component referenced by the link. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * rel (index 40): An integer or textual value that >>>>>>>>>>>>>>>>> (integer label >>>>>>>>>>>>>>>>> with text escape, see Section 2, for the "Software ID >>>>>>>>>>>>>>>>> Link Link >>>>>>>>>>>>>>>>> Relationship Values" registry Section 4.3) identifies >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> relationship between this CoSWID and the target >>>>>>>>>>>>>>>>> resource >>>>>>>>>>>>>>>>> identified by the "href" item. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * use (index 42): An integer or textual value (integer >>>>>>>>>>>>>>>>> label with >>>>>>>>>>>>>>>>> text escape, see Section 2, for the "Software ID Link >>>>>>>>>>>>>>>>> Link >>>>>>>>>>>>>>>>> Relationship Values" registry Section 4.3) used to >>>>>>>>>>>>>>>>> determine if >>>>>>>>>>>>>>>>> the referenced software component has to be installed >>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>> installing the software component identified by the >>>>>>>>>>>>>>>>> COSWID tag. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Suggested: >>>>>>>>>>>>>>>>> ownership (index 39): An integer or textual value >>>>>>>>>>>>>>>>> (integer label >>>>>>>>>>>>>>>>> with text escape; see Section 2). See Section 4.3 for >>>>>>>>>>>>>>>>> the list >>>>>>>>>>>>>>>>> of values available for this item. This item is used >>>>>>>>>>>>>>>>> when the >>>>>>>>>>>>>>>>> href item references another software component to >>>>>>>>>>>>>>>>> indicate the >>>>>>>>>>>>>>>>> degree of ownership between the software component >>>>>>>>>>>>>>>>> referenced >>>>>>> by >>>>>>>>>>>>>>>>> the CoSWID tag and the software component referenced by >>>>>>>>>>>>>>>>> the >>>>>>> link. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> rel (index 40): An integer or textual value (integer >>>>>>>>>>>>>>>>> label with >>>>>>>>>>>>>>>>> text escape; see Section 2). See Section 4.4 for the >>>>>>>>>>>>>>>>> list of >>>>>>>>>>>>>>>>> values available for this item. This item identifies >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> relationship between this CoSWID and the target >>>>>>>>>>>>>>>>> resource >>>>>>>>>>>>>>>>> identified by the href item. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> use (index 42): An integer or textual value (integer >>>>>>>>>>>>>>>>> label with >>>>>>>>>>>>>>>>> text escape; see Section 2). See Section 4.5 for the >>>>>>>>>>>>>>>>> list of >>>>>>>>>>>>>>>>> values available for this item. This item is used to >>>>>>>>>>>>>>>>> determine >>>>>>>>>>>>>>>>> if the referenced software component has to be >>>>>>>>>>>>>>>>> installed >>>>>>>>>>>>>>>>> before >>>>>>>>>>>>>>>>> installing the software component identified by the >>>>>>>>>>>>>>>>> CoSWID tag. -- >>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 22) <!-- [rfced] Section 2.8: Should "i.e.," (that is) >>>>>>>>>>>>>>>>> be "e.g.," (for >>>>>>>>>>>>>>>>> example) here? In other words are license keys the >>>>>>>>>>>>>>>>> only >>>>>>>>>>>>>>>>> applicable >>>>>>> category as related to a given software component install, or >>>>>>> would >>>>>>> serial >>>>>>> numbers or product keys also be applicable? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Examples of an entitlement-key might include a serial >>>>>>>>>>>>>>>>> number, >>>>>>> product key, or license key. For values that relate to a given >>>>>>> software >>>>>>> component install (i.e., license key), a supplemental tag will >>>>>>> typically contain >>>>>>> this information. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 23) <!-- [rfced] Section 2.8: There appears to be a >>>>>>>>>>>>>>>>> string mismatch >>>>>>> for "$$meta-extension" versus "$$software-meta-extension". Table >>>>>>> 1, the >>>>>>> CDDL earlier in this section, and Section 2.10 use "$$software- >>>>>>> meta-extension". >>>>>>> Which string is correct? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> | software-meta-entry | $$software-meta-extension >>>>>>>>>>>>>>>>> | >>>>>>>>>>>>>>>>> Section >>>>>>> | >>>>>>>>>>>>>>>>> | | >>>>>>>>>>>>>>>>> | >>>>>>>>>>>>>>>>> 2.8 | >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * $$software-meta-extension, >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * $$meta-extension: This CDDL socket can be used to >>>>>>>>>>>>>>>>> extend the >>>>>>>>>>>>>>>>> software-meta-entry group model. See Section 2.2. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> * $$software-meta-extension, --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 24) <!-- [rfced] Section 2.10: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> a) Please confirm that "64436" is correct here. We ask >>>>>>>>>>>>>>>>> because we >>>>>>> do not see this value used anywhere else. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> $rel /= -256..64436 / text >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> b) "already defined earlier" reads oddly. Should a >>>>>>>>>>>>>>>>> specific section >>>>>>> number be cited here? If not, would "already defined" or >>>>>>> "defined >>>>>>> earlier" be >>>>>>> sufficient? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> ; supplemental=11 ; this is already defined earlier --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 25) <!-- [rfced] Section 3: We had trouble following >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> meaning >>>>>>> of "Multiple of" here. Does "Multiple of" mean "Multiples of", >>>>>>> "Multiple", or >>>>>>> something else? Please clarify. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Note: Multiple of the corpus, patch, and supplemental >>>>>>>>>>>>>>>>> items can >>>>>>> have values set as "true". The rules above provide a means to >>>>>>> determine the >>>>>>> tag's type in such a case. For example, a SWID or CoSWID tag for >>>>>>> a patch >>>>>>> installer might have both corpus and patch items set to "true". >>>>>>> In such a case, >>>>>>> the tag is a "Corpus Tag". The tag installed by this installer >>>>>>> would have only >>>>>>> the patch item set to "true", making the installed tag type a >>>>>>> "Patch Tag". --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 26) <!-- [rfced] Section 4: We could not follow the >>>>>>>>>>>>>>>>> meaning of >>>>>>> "that are maintained in a registry each". Does this mean "that >>>>>>> are >>>>>>> each >>>>>>> maintained in separate IANA registries (Section 6)", "that are >>>>>>> maintained in >>>>>>> several IANA registries (Section 6)", or something else? If the >>>>>>> suggested text is >>>>>>> not correct, please clarify. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> This section defines a number of kinds of indexed label >>>>>>>>>>>>>>>>> values that >>>>>>> are maintained in a registry each (Section 6). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Suggested: >>>>>>>>>>>>>>>>> This section defines a number of kinds of indexed label >>>>>>>>>>>>>>>>> values that >>>>>>> are maintained in several IANA registries. See Section 6 for >>>>>>> details. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 27) <!-- [rfced] Table 6: We had trouble following >>>>>>>>>>>>>>>>> "another >>>>>>> software that" here. We updated the text. If this update is >>>>>>> incorrect, please >>>>>>> clarify this sentence. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> | 10 | supersedes | The link references >>>>>>>>>>>>>>>>> another >>>>>>>>>>>>>>>>> | >>>>>>>>>>>>>>>>> | | | software that this >>>>>>>>>>>>>>>>> software >>>>>>>>>>>>>>>>> | >>>>>>>>>>>>>>>>> | | | replaces. A patch tag >>>>>>>>>>>>>>>>> (see >>>>>>>>>>>>>>>>> | >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Currently: >>>>>>>>>>>>>>>>> | 10 | supersedes | The link references other >>>>>>>>>>>>>>>>> software | >>>>>>>>>>>>>>>>> | | | (e.g., an older software >>>>>>>>>>>>>>>>> version) | >>>>>>>>>>>>>>>>> | | | that this software >>>>>>>>>>>>>>>>> replaces. A | --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 28) <!-- [rfced] Section 6.2.1: Should "uint_8t" be >>>>>>>>>>>>>>>>> "uint8_t" here? >>>>>>>>>>>>>>>>> We ask because we do not see any instances of "uint_8t" >>>>>>>>>>>>>>>>> in any >>>>>>> RFC. >>>>>>>>>>>>>>>>> However, we see "uint8_t" in RFC 8949. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> This allows values -1 to -24 to be expressed as a >>>>>>>>>>>>>>>>> single >>>>>>>>>>>>>>>>> uint_8t in >>>>>>> CBOR, and values -25 to -256 to be expressed using an additional >>>>>>> uint_8t in >>>>>>> CBOR. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 29) <!-- [rfced] Sections 6.2.4 through 6.2.8: As it >>>>>>>>>>>>>>>>> appears that >>>>>>> "which" in these sentences refers to the initial registrations >>>>>>> derived from >>>>>>> names or values defined in [SWID], and not to the registries >>>>>>> themselves, we >>>>>>> updated the sentences accordingly. If these updates are >>>>>>> incorrect, >>>>>>> please >>>>>>> provide clarifying text. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Version >>>>>>>>>>>>>>>>> Scheme >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below, which are derived from the >>>>>>>>>>>>>>>>> textual >>>>>>> version scheme names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Entity Role >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below, which are derived from the >>>>>>>>>>>>>>>>> textual >>>>>>> entity role names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link >>>>>>>>>>>>>>>>> Ownership >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below, which are derived from the >>>>>>>>>>>>>>>>> textual >>>>>>> entity role names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link >>>>>>>>>>>>>>>>> Relationship Values" >>>>>>>>>>>>>>>>> registry are provided below, which are derived from the >>>>>>>>>>>>>>>>> link >>>>>>> relationship values defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link Use >>>>>>>>>>>>>>>>> Values" registry >>>>>>> are provided below, which are derived from the link relationship >>>>>>> values >>>>>>> defined in [SWID]. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Currently: >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Version >>>>>>>>>>>>>>>>> Scheme >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below and are derived from the >>>>>>>>>>>>>>>>> textual >>>>>>> version scheme names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Entity Role >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below and are derived from the >>>>>>>>>>>>>>>>> textual entity >>>>>>> role names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link >>>>>>>>>>>>>>>>> Ownership >>>>>>>>>>>>>>>>> Values" >>>>>>>>>>>>>>>>> registry are provided below and are derived from the >>>>>>>>>>>>>>>>> textual entity >>>>>>> role names defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link >>>>>>>>>>>>>>>>> Relationship Values" >>>>>>>>>>>>>>>>> registry are provided below and are derived from the >>>>>>>>>>>>>>>>> link >>>>>>> relationship values defined in [SWID]. >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Initial registrations for the "Software ID Link Use >>>>>>>>>>>>>>>>> Values" registry >>>>>>> are provided below and are derived from the link relationship >>>>>>> values defined in >>>>>>> [SWID]. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 30) <!-- [rfced] Section 6.2.4: Should "version item" >>>>>>>>>>>>>>>>> here be >>>>>>> "software-version item"? We do not see "version item" used >>>>>>> anywhere else in >>>>>>> this document. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Designated experts MUST also ensure that newly >>>>>>>>>>>>>>>>> requested >>>>>>>>>>>>>>>>> entries >>>>>>> define a value space for the corresponding version item that is >>>>>>> unique from >>>>>>> other previously registered entries. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 31) <!-- [rfced] Sections 7 and 8: >>>>>>>>>>>>>>>>> Should "COSE-Sign1-coswid<payload>" and "COSE-Sign- >>>>>>> coswid<payload>" >>>>>>>>>>>>>>>>> be "COSE_Sign1-coswid<payload>" and "COSE_Sign- >>>>>>> coswid<payload>" >>>>>>>>>>>>>>>>> (i.e., underscores after "COSE" instead of hyphens)? >>>>>>>>>>>>>>>>> We >>>>>>>>>>>>>>>>> ask >>>>>>> because we see "COSE_Sign1" and "COSE_Sign" used in the second >>>>>>> paragraph >>>>>>> of Section 7. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> COSE-Sign1-coswid<payload> = [ >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> COSE-Sign-coswid<payload> = [ >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> signed-coswid-for<payload> = #6.18(COSE-Sign1- >>>>>>>>>>>>>>>>> coswid<payload>) >>>>>>>>>>>>>>>>> / #6.98(COSE-Sign-coswid<payload>) --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 32) <!-- [rfced] Section 7: Should "signature :" be >>>>>>>>>>>>>>>>> "signature:" >>>>>>> here? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> signature : bstr --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 33) <!-- [rfced] Section 8: We had trouble following >>>>>>>>>>>>>>>>> this sentence. >>>>>>>>>>>>>>>>> If the suggested update is not correct, please provide >>>>>>>>>>>>>>>>> text that >>>>>>> clarifies the meaning of "Consecutively" and "a CoSWID tags". >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Consecutively, the CBOR tag for CoSWID tags defined in >>>>>>>>>>>>>>>>> Table 21 >>>>>>> SHOULD be used in conjunction with CBOR data items that are a >>>>>>> CoSWID tags. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Suggested: >>>>>>>>>>>>>>>>> Consequently, the CBOR tag defined by this document >>>>>>>>>>>>>>>>> (Table 21) >>>>>>> for CoSWID tags SHOULD be used in conjunction with CBOR data >>>>>>> items >>>>>>> that >>>>>>> are CoSWID tags. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 34) <!-- [rfced] Section 8: "a tagged CoSWID tag" >>>>>>>>>>>>>>>>> reads >>>>>>>>>>>>>>>>> oddly. >>>>>>> Please confirm that the text is correct and will be clear to >>>>>>> readers (e.g., are any >>>>>>> words missing?). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> This specification allows for a tagged CoSWID tag to >>>>>>>>>>>>>>>>> reside in a >>>>>>> COSE envelope that is also tagged with a CoSWID CBOR tag. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 35) <!-- [rfced] Section 9: To prevent some readers >>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>> possibly >>>>>>> interpreting "since" as "because", we changed "since it was >>>>>>> signed" >>>>>>>>>>>>>>>>> in this sentence to "since the time at which it was >>>>>>>>>>>>>>>>> signed". Please >>>>>>> let us know any concerns. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> A signed CoSWID tag (see Section 7) whose signature has >>>>>>>>>>>>>>>>> been >>>>>>> validated can be relied upon to be unchanged since it was signed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Currently: >>>>>>>>>>>>>>>>> A signed CoSWID tag (see Section 7) whose signature has >>>>>>>>>>>>>>>>> been >>>>>>> validated can be relied upon to be unchanged since the time at >>>>>>> which it was >>>>>>> signed. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 36) <!-- [rfced] Section 9: Does "including a public >>>>>>>>>>>>>>>>> key" refer to the >>>>>>> certification path or the certificate? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> A certification path between a trust anchor and a >>>>>>>>>>>>>>>>> certificate >>>>>>> including a public key enabling the validation of a tag signature >>>>>>> can realize the >>>>>>> assessment of trustworthiness of an authoritative tag. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Perhaps (certification path that includes): >>>>>>>>>>>>>>>>> A certification path between a trust anchor and a >>>>>>>>>>>>>>>>> certificate, >>>>>>> including a public key enabling the validation of a tag >>>>>>> signature, >>>>>>> can realize the >>>>>>> assessment of trustworthiness of an authoritative tag. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Or possibly (certificate that includes): >>>>>>>>>>>>>>>>> A certification path between (1) a trust anchor and (2) >>>>>>>>>>>>>>>>> a >>>>>>>>>>>>>>>>> certificate >>>>>>> that includes a public key enabling the validation of a tag >>>>>>> signature can realize >>>>>>> the assessment of trustworthiness of an authoritative tag. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 37) <!-- [rfced] Section 9: We had trouble following >>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>> sentence. >>>>>>>>>>>>>>>>> Please provide text that clarifies the meaning of >>>>>>>>>>>>>>>>> "associated >>>>>>> corresponding to". >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> This requires an association between the signature and >>>>>>>>>>>>>>>>> the tag's >>>>>>> entity item associated corresponding to the software provider. >>>>>>> --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 38) <!-- [rfced] Section 9: "controlled to authorized >>>>>>>>>>>>>>>>> applications >>>>>>> and users" reads oddly. Should "controlled to" be "controlled >>>>>>> for" >>>>>>> or perhaps >>>>>>> "limited to"? If not, please provide clarifying text. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> Access to the collection of an >>>>>>>>>>>>>>>>> endpoint's CoSWID tags needs to be appropriately >>>>>>>>>>>>>>>>> controlled to >>>>>>> authorized applications and users using an appropriate access >>>>>>> control >>>>>>> mechanism. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 39) <!-- [rfced] When accessing the page corresponding >>>>>>>>>>>>>>>>> to >>>>>>> [W3C.REC-css3-mediaqueries-20120619], we got a red popup saying >>>>>>> "This >>>>>>> version is outdated!" Because the citations in this document are >>>>>>> general in >>>>>>> nature, we updated the citation string and reference listing as >>>>>>> follows. Please >>>>>>> let us know any concerns. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Original: >>>>>>>>>>>>>>>>> [W3C.REC-css3-mediaqueries-20120619] >>>>>>>>>>>>>>>>> Rivoal, F., Ed., "Media Queries", W3C REC REC-css3- >>>>>>>>>>>>>>>>> mediaqueries-20120619, W3C REC-css3-mediaqueries- >>>>>>>>>>>>>>>>> 20120619, >>>>>>>>>>>>>>>>> 19 June 2012, <https://www.w3.org/TR/2012/REC-css3- >>>>>>>>>>>>>>>>> mediaqueries-20120619/>. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Currently: >>>>>>>>>>>>>>>>> [W3C.REC-mediaqueries-3-20220405] >>>>>>>>>>>>>>>>> Rivoal, F., Ed., "Media Queries Level 3", W3C >>>>>>>>>>>>>>>>> Recommendation REC-mediaqueries-3-20220405, 5 April >>>>>>>>>>>>>>>>> 2022, >>>>>>>>>>>>>>>>> <https://www.w3.org/TR/mediaqueries-3/>. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 40) <!-- [rfced] Please review the "Inclusive Language" >>>>>>>>>>>>>>>>> portion of >>>>>>> the online Style Guide at <https://www.rfc- >>>>>>> editor.org/styleguide/part2/#inclusive_language>, >>>>>>>>>>>>>>>>> and let us know if any changes are needed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> For example, please consider whether the following >>>>>>>>>>>>>>>>> should >>>>>>>>>>>>>>>>> be >>>>>>> updated: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> whitespace --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 41) <!-- [rfced] Please let us know if any changes are >>>>>>>>>>>>>>>>> needed for >>>>>>> the >>>>>>>>>>>>>>>>> following: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> a) The following terms were used inconsistently in this >>>>>>>>>>>>>>>>> document. >>>>>>>>>>>>>>>>> We chose to use the latter forms. Please let us know >>>>>>>>>>>>>>>>> any >>>>>>> objections. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> URI-scheme (titles of Sections 6.6.1 and 6.6.2) / URI >>>>>>>>>>>>>>>>> Scheme >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Version Scheme Name / version scheme name (in running >>>>>>>>>>>>>>>>> text) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> XPATH / XPath (per usage elsewhere in this document and >>>>>>>>>>>>>>>>> per >>>>>>> W3C) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> b) The following terms appear to be used inconsistently >>>>>>>>>>>>>>>>> in this >>>>>>> document. Please let us know which form is preferred. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> private use / Private Use (e.g., "for private use", >>>>>>>>>>>>>>>>> "for >>>>>>>>>>>>>>>>> Private Use") >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> XML schema / XML Schema >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> c) The following terms appear to be used inconsistently >>>>>>>>>>>>>>>>> in this >>>>>>> document and the companion documents. Please let us know which >>>>>>> form >>>>>>> is >>>>>>> preferred. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> indices / indexes >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> reference integrity measurements (RIM) / reference >>>>>>>>>>>>>>>>> measurements >>>>>>> (RIMs) / >>>>>>>>>>>>>>>>> Reference Integrity Manifests (RIMs) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> d) Quoting of item names was inconsistent. For >>>>>>>>>>>>>>>>> example: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> href item vs. "href" item >>>>>>>>>>>>>>>>> role item vs. "role" item >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> We removed the quotes, as item names were mostly >>>>>>>>>>>>>>>>> unquoted. >>>>>>>>>>>>>>>>> Please let us know any objections. --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thank you. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> RFC Editor/lb/kc >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Apr 14, 2023, at 2:41 PM, rfc-editor@rfc-editor.org >>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> *****IMPORTANT***** >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Updated 2023/04/14 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> RFC Author(s): >>>>>>>>>>>>>>>>> -------------- >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Instructions for Completing AUTH48 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Your document has now entered AUTH48. Once it has been >>>>>>> reviewed and approved by you and all coauthors, it will be >>>>>>> published as an RFC. >>>>>>>>>>>>>>>>> If an author is no longer available, there are several >>>>>>>>>>>>>>>>> remedies >>>>>>> available as listed in the FAQ (https://www.rfc-editor.org/faq/). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> You and you coauthors are responsible for engaging >>>>>>>>>>>>>>>>> other >>>>>>>>>>>>>>>>> parties >>>>>>> (e.g., Contributors or Working Group) as necessary before >>>>>>> providing >>>>>>> your >>>>>>> approval. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Planning your review >>>>>>>>>>>>>>>>> --------------------- >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please review the following aspects of your document: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * RFC Editor questions >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please review and resolve any questions raised by the >>>>>>>>>>>>>>>>> RFC >>>>>>>>>>>>>>>>> Editor >>>>>>>>>>>>>>>>> that have been included in the XML file as comments >>>>>>>>>>>>>>>>> marked as >>>>>>>>>>>>>>>>> follows: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> <!-- [rfced] ... --> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> These questions will also be sent in a subsequent >>>>>>>>>>>>>>>>> email. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * Changes submitted by coauthors >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please ensure that you review any changes submitted by >>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>> coauthors. We assume that if you do not speak up that >>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>> agree to changes submitted by your coauthors. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * Content >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please review the full content of the document, as this >>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>> change once the RFC is published. Please pay >>>>>>>>>>>>>>>>> particular >>>>>>>>>>>>>>>>> attention >>>>>>> to: >>>>>>>>>>>>>>>>> - IANA considerations updates (if applicable) >>>>>>>>>>>>>>>>> - contact information >>>>>>>>>>>>>>>>> - references >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * Copyright notices and legends >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please review the copyright notice and legends as >>>>>>>>>>>>>>>>> defined >>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>> RFC 5378 and the Trust Legal Provisions >>>>>>>>>>>>>>>>> (TLP - https://trustee.ietf.org/license-info/). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * Semantic markup >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please review the markup in the XML file to ensure that >>>>>>>>>>>>>>>>> elements >>>>>>> of >>>>>>>>>>>>>>>>> content are correctly tagged. For example, ensure that >>>>>>> <sourcecode> >>>>>>>>>>>>>>>>> and <artwork> are set correctly. See details at >>>>>>>>>>>>>>>>> <https://authors.ietf.org/rfcxml-vocabulary>. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * Formatted output >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please review the PDF, HTML, and TXT files to ensure >>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> formatted output, as generated from the markup in the >>>>>>>>>>>>>>>>> XML >>>>>>>>>>>>>>>>> file, is >>>>>>>>>>>>>>>>> reasonable. Please note that the TXT will have >>>>>>>>>>>>>>>>> formatting >>>>>>>>>>>>>>>>> limitations compared to the PDF and HTML. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Submitting changes >>>>>>>>>>>>>>>>> ------------------ >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> To submit changes, please reply to this email using >>>>>>>>>>>>>>>>> 'REPLY ALL' as >>>>>>> all the parties CCed on this message need to see your changes. >>>>>>> The >>>>>>> parties >>>>>>>>>>>>>>>>> include: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * your coauthors >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * rfc-editor@rfc-editor.org (the RPC team) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * other document participants, depending on the stream >>>>>>>>>>>>>>>>> (e.g., >>>>>>>>>>>>>>>>> IETF Stream participants are your working group chairs, >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> responsible ADs, and the document shepherd). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * auth48archive@rfc-editor.org, which is a new >>>>>>>>>>>>>>>>> archival >>>>>>>>>>>>>>>>> mailing >>>>>>> list >>>>>>>>>>>>>>>>> to preserve AUTH48 conversations; it is not an active >>>>>>>>>>>>>>>>> discussion >>>>>>>>>>>>>>>>> list: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * More info: >>>>>>>>>>>>>>>>> https://mailarchive.ietf.org/arch/msg/ietf- >>>>>>>>>>>>>>>>> announce/yb6lpIGh- >>>>>>> 4Q9l2USxIAe6P8O4Zc >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * The archive itself: >>>>>>>>>>>>>>>>> https://mailarchive.ietf.org/arch/browse/auth48archive/ >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> * Note: If only absolutely necessary, you may >>>>>>>>>>>>>>>>> temporarily opt out >>>>>>>>>>>>>>>>> of the archiving of messages (e.g., to discuss a >>>>>>>>>>>>>>>>> sensitive matter). >>>>>>>>>>>>>>>>> If needed, please add a note at the top of the message >>>>>>>>>>>>>>>>> that you >>>>>>>>>>>>>>>>> have dropped the address. When the discussion is >>>>>>>>>>>>>>>>> concluded, >>>>>>>>>>>>>>>>> auth48archive@rfc-editor.org will be re-added to the CC >>>>>>>>>>>>>>>>> list and >>>>>>>>>>>>>>>>> its addition will be noted at the top of the message. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> You may submit your changes in one of two ways: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> An update to the provided XML file >>>>>>>>>>>>>>>>> - OR - >>>>>>>>>>>>>>>>> An explicit list of changes in this format >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Section # (or indicate Global) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OLD: >>>>>>>>>>>>>>>>> old text >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> NEW: >>>>>>>>>>>>>>>>> new text >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> You do not need to reply with both an updated XML file >>>>>>>>>>>>>>>>> and an >>>>>>> explicit list of changes, as either form is sufficient. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> We will ask a stream manager to review and approve any >>>>>>>>>>>>>>>>> changes >>>>>>> that seem beyond editorial in nature, e.g., addition of new text, >>>>>>> deletion of >>>>>>> text, and technical changes. Information about stream managers >>>>>>> can >>>>>>> be found >>>>>>> in the FAQ. Editorial changes do not require approval from a >>>>>>> stream manager. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Approving for publication >>>>>>>>>>>>>>>>> -------------------------- >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> To approve your RFC for publication, please reply to >>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>> email >>>>>>> stating that you approve this RFC for publication. Please use >>>>>>> 'REPLY ALL', as all >>>>>>> the parties CCed on this message need to see your approval. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Files >>>>>>>>>>>>>>>>> ----- >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The files are available here: >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Diff file of the text: >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html >>>>>>>>>>>>>>>>> (side by >>>>>>> side) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Diff of the XML: >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- >>>>>>>>>>>>>>>>> xmldiff1.html >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> XMLv3 file that is a best effort to capture v3-related >>>>>>>>>>>>>>>>> format >>>>>>> updates >>>>>>>>>>>>>>>>> only: >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.form.xml >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Tracking progress >>>>>>>>>>>>>>>>> ----------------- >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The details of the AUTH48 status of your document are >>>>>>>>>>>>>>>>> here: >>>>>>>>>>>>>>>>> https://www.rfc-editor.org/auth48/rfc9393 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Please let us know if you have any questions. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thank you for your cooperation, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> RFC Editor >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -------------------------------------- >>>>>>>>>>>>>>>>> RFC9393 (draft-ietf-sacm-coswid-24) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Title : Concise Software Identification Tags >>>>>>>>>>>>>>>>> Author(s) : H. Birkholz, J. Fitzgerald-McKay, C. >>>>>>>>>>>>>>>>> Schmidt, D. >>>>>>> Waltermire >>>>>>>>>>>>>>>>> WG Chair(s) : Karen O'Donoghue, Christopher Inacio >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Area Director(s) : Roman Danyliw, Paul Wouters >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>> >
- [auth48] AUTH48: RFC-to-be 9393 <draft-ietf-sacm-… rfc-editor
- [auth48] [AD] Re: AUTH48: RFC-to-be 9393 <draft-i… rfc-editor
- Re: [auth48] [AD] AUTH48: RFC-to-be 9393 <draft-i… Lynne Bartholomew
- Re: [auth48] [EXT] Re: [AD] AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] AUTH48: RFC-to-be 9393 <d… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… jmfitz2@cyber.nsa.gov
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Henk Birkholz
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Waltermire, David A. (Fed)
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <draft-… Lynne Bartholomew
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <dr… Roman Danyliw
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <dr… Lynne Bartholomew
- [auth48] [IANA] Re: AUTH48: RFC-to-be 9393 <draft… Lynne Bartholomew
- [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] [IANA #1275282] [IANA] Re: AUTH48: R… Lynne Bartholomew
- [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] [IANA #1275282] [IANA] Re: AUTH48: R… Lynne Bartholomew