Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-ietf-opsawg-sbom-access-18> for your review
"Rose, Scott W. (Fed)" <scott.rose@nist.gov> Mon, 11 September 2023 18:07 UTC
Return-Path: <scott.rose@nist.gov>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5F8C151719; Mon, 11 Sep 2023 11:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.107
X-Spam-Level:
X-Spam-Status: No, score=-3.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.999, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aih1-2JLcgid; Mon, 11 Sep 2023 11:07:02 -0700 (PDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on20720.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d05::720]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C798C140675; Mon, 11 Sep 2023 11:07:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e6/a1T4hYuPuAuQrPzoSiLNzrv4tGYxPSCP3GHCMkUqfDGzxzGAPn+Mo34rfD+cioOK4I6m3myZt5mOlUtqWsil1023xAJtL7z49rAmGoYC3KCfGtRux+zsyo92NDFi4kjdKuy/028hcyyCiXwDlFQ0LfHGJVwLrWXsKFAId7TaidSypKKt9taTqVTolQZD7QFov5MW5oxlcGk7u8Q9hIdq+opb6yPsnh6LAS3DIMlLlxnX7DceGHmTuAauT3mlEgga5JtEpSbZ2i5Ud8S273zGGfItSrztMJEkF8CvBNgiZnJyI3X9IaUqeN/8pc3vfbXdc3oJddBREFtxBGYW/8Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GvEYMKNsDfhXMwmZvDTpXJx1aWeNsmqO1d0k/k5FxOI=; b=cLf77ZhYYdH7vCrakbC/j0KaSMxTM9ywo6pwFRNyyseU9SRv4n2kqHPnOXApl/LV0xZJN4e9PY2cyrgyDO4sJ85GrftlsR0UbATR2HI12Sm3l0/ZdbMfu6ZyP4RfsITc4XzRHWgk0gXy6IyLBGhlFQA0++sry2uQ0ylefq1yakA+A7D57dUEvdJOSY7l3CACvFPzC1Upwr9NY2OnC1UhYhBfszo8TGHmc5oYpJkMlVjQr5irLMsRehMzG0iHLc+h7qJPFZn+5XFlY920zXIvzq9Uz90CiCz8Rh8+FS8PPxXREcWpxbFcRLADgd3tSQJDefzD6TZDqSHlc3K5rFfWrg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 129.6.18.29) smtp.rcpttodomain=rfc-editor.org smtp.mailfrom=nist.gov; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nist.gov; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GvEYMKNsDfhXMwmZvDTpXJx1aWeNsmqO1d0k/k5FxOI=; b=XnwB8p1ZPAV08qcZiz2EuBktZ9VgQt/witU/de1yc04eyfmYRbSzfWL7lZNdKqszBoupT4FHnQQ6pp4MOWGbhf4fCboJZMgrXs8Q6NgaqY8HGp2VjOB3cGxT9zSBbvRQeZ0xikLoHll7tgP7hk73aq5mywJrldRXkoPzteY/mj27uAkY/xM9V3sF6TqCRUo3KBhMbAu2LvG1/FyeF4tO7bUYWIxeP0LdxU48MDlDVKdqmJKwnsZQ5ORjY968I9/KPk3bKRyy92q0rPxYmX9QY+c/uHtTdbmzGXCyzIl4OoSISVMmIs1wSBwu6mXBo+od2Z0IJu2LWtWqPdvVaWi0Dg==
Received: from DM6PR09CA0002.namprd09.prod.outlook.com (2603:10b6:5:160::15) by BLAPR09MB6355.namprd09.prod.outlook.com (2603:10b6:208:2a5::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6768.35; Mon, 11 Sep 2023 18:06:57 +0000
Received: from BL0GCC02FT025.eop-gcc02.prod.protection.outlook.com (2a01:111:f400:7d05::200) by DM6PR09CA0002.outlook.office365.com (2603:10b6:5:160::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6768.35 via Frontend Transport; Mon, 11 Sep 2023 18:06:56 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 129.6.18.29) smtp.mailfrom=nist.gov; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nist.gov;
Received-SPF: Pass (protection.outlook.com: domain of nist.gov designates 129.6.18.29 as permitted sender) receiver=protection.outlook.com; client-ip=129.6.18.29; helo=smtp1.nist.gov; pr=C
Received: from smtp1.nist.gov (129.6.18.29) by BL0GCC02FT025.mail.protection.outlook.com (10.97.10.190) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6792.16 via Frontend Transport; Mon, 11 Sep 2023 18:06:56 +0000
Received: from [129.6.108.197] ([129.6.108.197]) by smtp1.nist.gov with Microsoft SMTPSVC(10.0.14393.4169); Mon, 11 Sep 2023 14:06:55 -0400
From: "Rose, Scott W. (Fed)" <scott.rose@nist.gov>
To: rfc-editor@rfc-editor.org
Cc: opsawg-ads@ietf.org, opsawg-chairs@ietf.org, bill.wu@huawei.com, rwilton@cisco.com, auth48archive@rfc-editor.org, Eliot Lear <lear@cisco.com>
Date: Mon, 11 Sep 2023 14:06:55 -0400
X-Mailer: MailMate (1.14r5937)
Message-ID: <585A7E3F-7707-4D8E-BFE8-2D99229CAA82@nist.gov>
In-Reply-To: <8B56C7CE-0268-45FE-A343-493D04D3ADD5@cisco.com>
References: <20230908232621.2FE7CE5EA7@rfcpa.amsl.com> <8B56C7CE-0268-45FE-A343-493D04D3ADD5@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_8ADD7014-A71E-4833-B7BA-6211C75130B4_="
Embedded-HTML: [{"plain":[276, 21191], "uuid":"0D8F728E-E435-4890-BC61-71FE731BD078"}]
X-OriginalArrivalTime: 11 Sep 2023 18:06:55.0672 (UTC) FILETIME=[BFD79380:01D9E4DA]
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BL0GCC02FT025:EE_|BLAPR09MB6355:EE_
X-MS-Office365-Filtering-Correlation-Id: 0f669175-0be4-4288-a956-08dbb2f1e2ca
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: mUMpjsv5n3yW/Ull3V+WyK/7P125mmz8cR2TVMxhZH70OZb8dnHlt3vK7iBpQoDYMrjrmVOztTWLXyG1JbKvF+zNLum4nwfsMGO+xnnltIUgPuGY+HBf+hMbMiiHJk4pbg53iCOYOCTobiCEtWIDgXek9qHoj7gconfWMNfgoHK+TEZQQemMUa4myJxFvJglEjIWwrgDFQtjB5ZdTYQHbBSrVCrhlgDmtyv9mVrQDDdMaOV0+LF0d2SqGjr/yLIbu7tOonzmi5Oczz6+k43zVcVMQZqKhgUqCrhBWYEPedlVC9cV+D7zPgVJH6jS7RhJDJw7dYrnxwrlJWC5CTYr/UEKhQNPNWS3yvAQIJvYBgZO4/nqp5NJQpVCwj/prxVkjHEW9Gb9Tn2u/Nr1UC7MSo2KrDPPs8NprVuG0Am6zQWYdDS4MXxAXhaT4iwG8Ci7ofTACCs10P/C4ulkdQ1drKYw6Jsvs1hZCQAyfmxj8MuEXHYzG73owz77aBw6mUC9DNDGjLinWZL3sSQT7DS6XiNkUD2i5xP+Vvr0cEVnI9dCzJRbSbl4t8TaBSevthMQp7lhtpaxBCwbEKqlcUjTsjEqzq1nEbseYH4DyFExp1C+kW3akdzTb5iZ9rBAY5dlHU2vHL/Y68aHyCxt2Dpj5N472mbZa0KWkAs0D5vChYynS9CKFarDvkqw0Bfumx6EgsLSnZCSDTUp91o+3qcsUoxjPPyziTdYoVkv3sYWDUs=
X-Forefront-Antispam-Report: CIP:129.6.18.29; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:smtp1.nist.gov; PTR:smtp1.nist.gov; CAT:NONE; SFS:(13230031)(4636009)(451199024)(82310400011)(186009)(1800799009)(36840700001)(46966006)(40470700004)(7596003)(7636003)(53546011)(33964004)(356005)(36756003)(40460700003)(82960400001)(40140700001)(86362001)(33656002)(166002)(36860700001)(47076005)(2616005)(956004)(336012)(30864003)(2906002)(66574015)(426003)(83380400001)(966005)(508600001)(26005)(316002)(70206006)(8936002)(450100002)(8676002)(4326008)(107886003)(5660300002)(6916009)(6706004)(579004)(559001)(19607625013); DIR:OUT; SFP:1102;
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Sep 2023 18:06:56.4695 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f669175-0be4-4288-a956-08dbb2f1e2ca
X-MS-Exchange-CrossTenant-Id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=2ab5d82f-d8fa-4797-a93e-054655c61dec; Ip=[129.6.18.29]; Helo=[smtp1.nist.gov]
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: TreatMessagesAsInternal-BL0GCC02FT025.eop-gcc02.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR09MB6355
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/LeUZWFm3DoDIB6lrWpBVo2_lX10>
Subject: Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-ietf-opsawg-sbom-access-18> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Sep 2023 18:07:07 -0000
I do not have anything else to add to the edits/changes suggested (and Eliot’s responses). I am ok with publishing after the edits. As previously mentioned, I don’t see any edits needed for inclusive language. Thanks, Scott On 11 Sep 2023, at 7:56, Eliot Lear wrote: > [One for Rob Wilton below] > > Hi RFC Editor! > >> On 9 Sep 2023, at 01:26, rfc-editor@rfc-editor.org wrote: >> >> Authors and *AD, >> >> While reviewing this document during AUTH48, please resolve (as >> necessary) the following questions, which are also in the XML file. >> >> *AD, please review question #10 (re: Section 6). >> >> 1) <!-- [rfced] This document's title and short title (that spans the >> header of the pdf) do not follow the style of other YANG RFCs >> (although we see that RFCs 8783 and 9132 are exceptions). For >> example: >> >> RFC 9094 - A YANG Data Model for Wavelength Switched Optical >> Networks >> (WSONs) >> RFC 9093 - A YANG Data Model for Layer 0 Types >> RFC 9067 - A YANG Data Model for Routing Policy >> >> Please consider the suggested updates below and let us know if one of >> these options is agreeable or if you prefer otherwise. >> >> Document title >> Original: >> Discovering and Retrieving Software Transparency and Vulnerability >> Information >> >> Perhaps: >> a) A YANG Data Model for Reporting Software Bills of Materials >> (SBOMs) and Vulnerability Information >> or >> >> b) A YANG Data Model Augmentation for Reporting Software Bills >> of Materials (SBOMs) and Vulnerability Information > > I like (a). > >> >> ... >> Short title >> Original: >> Discovering SBOMs and Vuln. Info >> >> Perhaps: >> A YANG Data Model for SBOMs and Vuln. Info >> --> > > That’s fine. > >> >> >> 2) <!-- [rfced] Please insert any keywords (beyond those that appear >> in the >> title) for use on https://www.rfc-editor.org/search. >> --> >> > I propose: > > sbom, discovery, mud, vex, chaff > >> >> 3) <!--[rfced] Please clarify "A number of activities have been >> working >> to". Have the activities improved visibility (option A) or is >> this a work in progress (option B)? >> >> Original: >> A number of activities have been working to improve visibility to >> what software is running on a system, and what vulnerabilities that >> software may have [EO2021]. >> >> Perhaps: >> A) A number of activities have been effective in improving the >> visibility >> of what software is running on a system and what vulnerabilities >> that >> software may have [EO2021]. >> >> or >> >> B) A number of activities are being implemented to improve the >> visibility >> of what software is running on a system and what vulnerabilities >> that >> software may have [EO2021]. >> --> > > How about (C) >> >> C)) A number of activities taken place to improve the visibility >> of what software is running on a system and what vulnerabilities >> that >> software may have [EO2021]. >> --> > >> >> > >> 4) <!--[rfced] May we replace "vulnerable" with "open" as follows to >> avoid redundancy? >> >> Original: >> * Is this system vulnerable to a particular vulnerability? >> >> Perhaps: >> * Is this system open to a particular vulnerability? >> —> > > I think a better word is “susceptible". > >> >> >> 5) <!--[rfced] Would you like to create a new section for the >> requirements language instead of including it at the end of >> Section 1? It would become Section 1.1 as follows: >> >> Original: >> Further queries may be necessary based on the content and structure >> of the >> response. >> >> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", >> "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", >> and >> "OPTIONAL" in this document are to be interpreted as described in >> BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all >> capitals, as shown here. >> >> Perhaps: >> Further queries may be necessary based on the content and structure >> of the >> response. >> >> Section 1.1 Requirements Language >> >> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", >> "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", >> and >> "OPTIONAL" in this document are to be interpreted as described in >> BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all >> capitals, as shown here. >> --> >> >> > > That would be fine. > > >> 6) <!--[rfced] May we change "rather than retrieving it twice" to >> "rather >> than the resource being retrieved twice" for clarity? Please let >> us know if this retains the intended meaning. > > >> >> Original: >> Network management systems retrieving this information MUST >> take note that the identical resource is being retrieved >> rather than retrieving it twice. >> >> Perhaps: >> Network management systems retrieving this information MUST >> take note that the identical resource is being retrieved >> rather than the resource being retrieved twice. >> --> > > Hmm. I suggest the following: > >> Network management systems MUST take note of when the SBOM >> and vulnerability information are accessible via the same resource, >> and not retrieve the resource a second time. > > >> >> >> 7) <!--[rfced] Could the title of Section 3 be updated slightly to >> reduce >> redundancy? Please let us know if option A or B may be preferable. >> >> Original: >> The mud-transparency Extension Model Extension >> >> Perhaps: >> A) The mud-transparency Extension >> >> or >> >> B) The mud-transparency Model Extension >> --> >> > > Let’s go for A. > >> >> 8) <!-- [rfced] For the benefit of international readership, may we >> update "N.B." >> to "Note that" as follows? >> >> Original: >> N.B., this schema extension is intended to be used wherever it >> might >> be appropriate (e.g., not just MUD). >> >> Perhaps: >> Note that this schema extension is intended to be used wherever it >> might be appropriate (e.g., not just with MUD). >> --> > > That’s fine. > >> >> >> 9) <!-- [rfced] Section 4. Please review the following questions >> about >> the YANG module and section title. >> >> a) FYI: We updated one instance of "YANG model" to "YANG Data Model" >> in this section's title per guidance from Benoit Claise and the >> YANG Doctors, as "YANG module" and "YANG data model" are preferred. >> Please review. >> >> Original: >> The mud-sbom augmentation to the MUD YANG model >> >> Current: >> The mud-sbom Augmentation to the MUD YANG Data Model > > That’s fine. > >> >> >> b) Note that the YANG module has been updated per the formatting >> option of pyang. Please let us know any concerns. >> >> c) FYI: We added titles to the reference entries for RFCs 6991 >> and 8520 for consistency. >> >> d) May we include reference entries in the YANG module for >> RFCs 7231, 7252, and 9110 since these RFCs are mentioned in >> the description clauses? > > All good with b, c, and d. > >> >> e) We note that RFCs 6991 and 7231 are only referenced in the YANG >> module and not in the running text. In order to have a 1:1 matchup >> between the references section and the text, may we add an >> introductory >> sentence before the YANG module that includes these citations (option >> i)? >> Alternatively, you may reference all of the RFCs that are mentioned >> (option ii). Please let us know your preference. >> >> Perhaps: >> i) This YANG module references [RFC6991] and [RFC7231]. >> or >> ii) This YANG module references [RFC6991], [RFC7231], [RFC7252], >> [RFC8520], and [RFC9110]. > > > ii seems complete. > > >> >> f) We note that RFC 7231 has been obsoleted by RFC 9110. May we >> replace >> RFC 7231 with RFC 9110 in the following instance? >> >> Current: >> "Use http (RFC 7231) (insecure) to retrieve SBOM information. >> This method is NOT RECOMMENDED but may be unavoidable for >> certain classes of deployment where TLS has not or >> cannot be implemented."; >> --> >> >> > > I think in this case, it is best to leave it as is, because we are > indeed recommending against its use ;-) > > >> 10) <!-- [rfced] *[AD] Section 6: The Security Considerations section >> does not >> follow the requirements listed on >> https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines, which >> says >> "This section MUST be patterned after the latest approved template." >> Please confirm if the current text is acceptable per the context of >> the >> document or if any further updates are needed in order to follow the >> template. > > Rob, would you mind staring at this? > >> >> Also, please confirm if it is acceptable that RFCs 6242, 8341, and >> 8446 are not listed in the Normative References section or if they >> should be added. >> --> >> > > I don’t see them referenced in the text. > >> >> 11) <!--[rfced] Is this sentence intended to be an ordered list >> (option A) >> or are "any change in a URL" and "any change to the authority >> section" the 2 risks that are being referred to (option B)? >> >> Original: >> To address either risk, any change in a URL, and in particular to >> the >> authority section, two approaches may be used: >> >> Perhaps: >> A) To address either risk, any change in a URL, and particularly any >> change >> to the authority section, two approaches may be used: >> >> or >> >> B) To address either risk, i.e., any change in a URL and, in >> particular, to >> the authority section, two approaches may be used: >> --> > > How about: > >> (C) To address either risk, any change in a URL, and in particular >> to the >> authority section; two approaches may be used: > > ? > > >> >> >> 12) <!-- [rfced] We have included some clarifications about the IANA >> text below. In addition to reviewing those, please review all >> of the IANA-related updates carefully and let us know if any >> further updates are needed. >> >> a) Section 7.2. FYI: We have added the defining RFCs for each of the >> registries >> as follows and have added the corresponding reference entries to the >> Normative References section. >> >> Original: >> The IANA is requested to add "transparency" to the MUD extensions >> registry as follows: >> >> Current: >> IANA has added "transparency" to the "MUD Extensions" registry >> [RFC8520] >> as follows: >> >> ... >> Original: >> The following YANG module should be registered in the "YANG Module >> Names" registry: >> >> Current: >> IANA has registered the following YANG module in the "YANG Module >> Names" registry [RFC6020]: >> >> ... >> Original: >> The following XML registration is requested: >> >> Current: >> The following URI has been registered in the "IETF XML Registry" >> [RFC3688]: > > All good. > >> >> b) Section 7.2. FYI: In the entry under the "YANG Module Names" >> registry, we removed "Registration Contact" since it is not listed >> in the registry, and we added "Maintained by IANA: N" since it is >> listed in the registry; please see >> https://www.iana.org/assignments/yang-parameters/. >> >> Original: >> Name: ietf-mud >> URN: urn:ietf:params:xml:ns:yang:ietf-mud-transparency >> Prefix: mudtx >> Registrant contact: The IESG >> Reference: This memo >> >> Current: >> Name: ietf-mud >> URN: urn:ietf:params:xml:ns:yang:ietf-mud-transparency >> Maintained by IANA: N >> Prefix: mudtx >> Reference: RFC 9472 > > Ok > >> >> c) Section 7.3. FYI: We have added "Status: permanent" to the entry >> for the "Well-Known URIs" registry to match the IANA >> registry at https://www.iana.org/assignments/well-known-uris/. >> >> Original: >> URI suffix: "sbom" >> Change controller: "IETF" >> Specification document: This memo >> Related information: See ISO/IEC 5962:2021 and SPDX.org >> >> Current: >> URI Suffix: sbom >> Change Controller: IETF >> Reference: RFC 9472 >> Status: permanent >> Related information: See ISO/IEC 5962:2021 and SPDX.org >> --> >> >> > > Ok > >> 13) <!-- [rfced] References >> >> a) We updated the title for reference [EO2021] to match the following >> URL: >> https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/ >> executive-order-on-improving-the-nations-cybersecurity/. Please let >> us know >> if this is correct or if the intension is to point to a different >> article >> (perhaps >> https://www.nist.gov/itl/executive-order-14028-improving-nations- >> cybersecurity). >> >> Original: >> [EO2021] Biden, J., "Executive Order 14028, Improving the Nations >> Cybersecurity", May 2021. >> >> Current: >> [EO2021] Biden, J., "Executive Order on Improving the Nation's >> Cybersecurity", EO 14028, May 2021. >> >> > > Ok > >> b) FYI: We updated the title of the reference [CycloneDX12] to match >> the >> title at "https://cyclonedx.org/docs/1.2/xml" and included a direct >> URL. >> Please let us know of any objections. >> >> Original: >> [CycloneDX12] >> cyclonedx.org, "CycloneDX XML Reference v1.2", May 2020. >> >> Current: >> [CycloneDX12] >> CycloneDX, "CycloneDX v1.2 XML Reference", Version >> 1.2.1, >> <https://cyclonedx.org/docs/1.2/xml/> . >> --> > > Ok, this one needs updating. The reference should now be > > [CycloneDX15] CycloneDX, “CycloneDX v1.5 JSON Reference”, Version > 1.5, > <https://cyclonedx.org/docs/1.5/json> > > And this will need updating in the introduction. Time passes, eh? > > >> >> >> 14) <!-- [rfced] Throughout the text, the following terminology >> appears to be capitalized >> inconsistently. May we update to "Content-Type" to match past RFCs, >> including use in >> RFCs 7252, 8615, 8040, 9110? >> >> Content-Type vs. Content-type vs. content-type >> > > Yes. > > >> >> 15) <!-- [rfced] The following lines exceed the 72-character limit >> for >> sourcecode. Please let us know how these lines can be modified. >> >> Section 5.1 (1 character over): >> "systeminfo": "retrieving vuln and SBOM info via a cloud service", >> >> Section 5.2 (1 character over): >> "systeminfo": "mixed example: SBOM on device, vuln info in cloud", >> >> Section 5.3 (2 characters over): >> "contact-info": "https://iot-device.example.com/contact-info.html", >> >> Section 5.3 (1 character over): >> "systeminfo": "retrieving vuln and SBOM info via a cloud service", >> --> >> > > Would you mind out-denting these lines? > > >> 16) <!-- [rfced] Please review the "type" attributes for the >> sourcecode elements >> in the XML file for correctness. If the current list of preferred >> values for >> "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt) >> does not >> contain an applicable type, then feel free to suggest a new one. >> Also, >> it is acceptable to leave the "type" attribute not set. >> --> >> > > You can use “json” for examples, yang tree for the yang tree, and > yang for the yang. > > >> >> 17) <!-- [rfced] FYI: We have added expansions for the following >> abbreviations >> per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each >> expansion in the document carefully to ensure correctness. >> >> Access Control Lists (ACLs) >> Constrained Application Protocol (CoAP) >> Internet of Things (IoT) >> —> >> >> > > All good. > >> 18) <!-- [rfced] Please review the "Inclusive Language" portion of >> the online >> Style Guide >> <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> >> and let us know if any changes are needed. > > Ok. I’ll do this on the next pass. > > Thanks, > > Eliot >> >> Note that our script did not flag any words in particular, but this >> should >> still be reviewed as a best practice. >> --> >> >> >> Thank you. >> >> RFC Editor/st/kc >> >> >> On Sep 8, 2023, at 4:23 PM, rfc-editor@rfc-editor.org wrote: >> >> *****IMPORTANT***** >> >> Updated 2023/09/08 >> >> RFC Author(s): >> -------------- >> >> Instructions for Completing AUTH48 >> >> Your document has now entered AUTH48. Once it has been reviewed and >> approved by you and all coauthors, it will be published as an RFC. >> If an author is no longer available, there are several remedies >> available as listed in the FAQ (https://www.rfc-editor.org/faq/). >> >> You and you coauthors are responsible for engaging other parties >> (e.g., Contributors or Working Group) as necessary before providing >> your approval. >> >> Planning your review >> --------------------- >> >> Please review the following aspects of your document: >> >> * RFC Editor questions >> >> Please review and resolve any questions raised by the RFC Editor >> that have been included in the XML file as comments marked as >> follows: >> >> <!-- [rfced] ... --> >> >> These questions will also be sent in a subsequent email. >> >> * Changes submitted by coauthors >> >> Please ensure that you review any changes submitted by your >> coauthors. We assume that if you do not speak up that you >> agree to changes submitted by your coauthors. >> >> * Content >> >> Please review the full content of the document, as this cannot >> change once the RFC is published. Please pay particular attention >> to: >> - IANA considerations updates (if applicable) >> - contact information >> - references >> >> * Copyright notices and legends >> >> Please review the copyright notice and legends as defined in >> RFC 5378 and the Trust Legal Provisions >> (TLP – https://trustee.ietf.org/license-info/). >> >> * Semantic markup >> >> Please review the markup in the XML file to ensure that elements of >> content are correctly tagged. For example, ensure that <sourcecode> >> and <artwork> are set correctly. See details at >> <https://authors.ietf.org/rfcxml-vocabulary> . >> >> * Formatted output >> >> Please review the PDF, HTML, and TXT files to ensure that the >> formatted output, as generated from the markup in the XML file, is >> reasonable. Please note that the TXT will have formatting >> limitations compared to the PDF and HTML. >> >> >> Submitting changes >> ------------------ >> >> To submit changes, please reply to this email using ‘REPLY ALL’ >> as all >> the parties CCed on this message need to see your changes. The >> parties >> include: >> >> * your coauthors >> >> * rfc-editor@rfc-editor.org (the RPC team) >> >> * other document participants, depending on the stream (e.g., >> IETF Stream participants are your working group chairs, the >> responsible ADs, and the document shepherd). >> >> * auth48archive@rfc-editor.org, which is a new archival mailing >> list >> to preserve AUTH48 conversations; it is not an active discussion >> list: >> >> * More info: >> https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc >> >> * The archive itself: >> https://mailarchive.ietf.org/arch/browse/auth48archive/ >> >> * Note: If only absolutely necessary, you may temporarily opt out >> of the archiving of messages (e.g., to discuss a sensitive >> matter). >> If needed, please add a note at the top of the message that you >> have dropped the address. When the discussion is concluded, >> auth48archive@rfc-editor.org will be re-added to the CC list >> and >> its addition will be noted at the top of the message. >> >> You may submit your changes in one of two ways: >> >> An update to the provided XML file >> — OR — >> An explicit list of changes in this format >> >> Section # (or indicate Global) >> >> OLD: >> old text >> >> NEW: >> new text >> >> You do not need to reply with both an updated XML file and an >> explicit >> list of changes, as either form is sufficient. >> >> We will ask a stream manager to review and approve any changes that >> seem >> beyond editorial in nature, e.g., addition of new text, deletion of >> text, >> and technical changes. Information about stream managers can be >> found in >> the FAQ. Editorial changes do not require approval from a stream >> manager. >> >> >> Approving for publication >> -------------------------- >> >> To approve your RFC for publication, please reply to this email >> stating >> that you approve this RFC for publication. Please use ‘REPLY >> ALL’, >> as all the parties CCed on this message need to see your approval. >> >> >> Files >> ----- >> >> The files are available here: >> https://www.rfc-editor.org/authors/rfc9472.xml >> https://www.rfc-editor.org/authors/rfc9472.html >> https://www.rfc-editor.org/authors/rfc9472.pdf >> https://www.rfc-editor.org/authors/rfc9472.txt >> >> Diff file of the text: >> https://www.rfc-editor.org/authors/rfc9472-diff.html >> https://www.rfc-editor.org/authors/rfc9472-rfcdiff.html (side by >> side) >> >> Diff of the XML: >> https://www.rfc-editor.org/authors/rfc9472-xmldiff1.html >> >> The following files are provided to facilitate creation of your own >> diff files of the XML. >> >> Initial XMLv3 created using XMLv2 as input: >> https://www.rfc-editor.org/authors/rfc9472.original.v2v3.xml >> >> XMLv3 file that is a best effort to capture v3-related format updates >> only: >> https://www.rfc-editor.org/authors/rfc9472.form.xml >> >> >> Tracking progress >> ----------------- >> >> The details of the AUTH48 status of your document are here: >> https://www.rfc-editor.org/auth48/rfc9472 >> >> Please let us know if you have any questions. >> >> Thank you for your cooperation, >> >> RFC Editor >> >> -------------------------------------- >> RFC9472 (draft-ietf-opsawg-sbom-access-18) >> >> Title : Discovering and Retrieving Software Transparency >> and Vulnerability Information >> Author(s) : E. Lear, S. Rose >> WG Chair(s) : Henk Birkholz, Joe Clarke, Tianran Zhou >> Area Director(s) : Warren Kumari, Robert Wilton >> >> >> ================================== Scott Rose NIST/CTL scott.rose@nist.gov ph: +1-301-975-8439 (w) +1-571-249-3761 (GoogleVoice) ==================================
- [auth48] AUTH48: RFC-to-be 9472 <draft-ietf-opsaw… rfc-editor
- [auth48] [AD] Re: AUTH48: RFC-to-be 9472 <draft-i… rfc-editor
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rose, Scott W. (Fed)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rose, Scott W. (Fed)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rose, Scott W. (Fed)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rob Wilton (rwilton)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rose, Scott W. (Fed)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- [auth48] [IANA] Re: [AD] AUTH48: RFC-to-be 9472 <… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- [auth48] Fwd: [IANA #1282204] [IANA] Re: [AD] AUT… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rob Wilton (rwilton)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rob Wilton (rwilton)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant