[auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm-coswid-24> for your review
Amanda Baber via RT <iana-matrix@iana.org> Fri, 23 June 2023 17:52 UTC
Return-Path: <iana-shared@icann.org>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19D52C1524B2; Fri, 23 Jun 2023 10:52:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.647
X-Spam-Level:
X-Spam-Status: No, score=-6.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4tSQzVO_JMHV; Fri, 23 Jun 2023 10:52:46 -0700 (PDT)
Received: from smtp.lax.icann.org (smtp.lax.icann.org [IPv6:2620:0:2d0:201::1:81]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A25DC1524AA; Fri, 23 Jun 2023 10:52:46 -0700 (PDT)
Received: from request6.lax.icann.org (request1.lax.icann.org [10.32.11.221]) by smtp.lax.icann.org (Postfix) with ESMTP id 2A946E14AD; Fri, 23 Jun 2023 17:52:45 +0000 (UTC)
Received: by request6.lax.icann.org (Postfix, from userid 48) id 0476A4B0F8; Fri, 23 Jun 2023 17:52:45 +0000 (UTC)
RT-Owner: amanda.baber
From: Amanda Baber via RT <iana-matrix@iana.org>
Reply-To: iana-matrix@iana.org
In-Reply-To: <rt-5.0.3-70314-1687535523-1275.1275282-37-0@icann.org>
References: <RT-Ticket-1275282@icann.org> <17695_1681508760_6439C997_17695_256_1_20230414214558.B61C755E8F@rfcpa.amsl.com> <SA9PR09MB58216C20EF01CC2E836A14F0AB6D9@SA9PR09MB5821.namprd09.prod.outlook.com> <A77F3234-6279-4566-92C7-1F0481821FB3@amsl.com> <BN2P110MB11072A68AE61CF2227AB824EDC5DA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <CD0BDCB2-9155-4F23-B843-24CA53A47219@amsl.com> <9AD0D213-F9EB-4E96-9672-6CEDCBC20D28@amsl.com> <rt-5.0.3-167080-1687475272-847.1275282-37-0@icann.org> <466D93C4-5480-4243-9347-ED25B86E9003@amsl.com> <rt-5.0.3-70314-1687535523-1275.1275282-37-0@icann.org>
Message-ID: <rt-5.0.3-77855-1687542764-114.1275282-37-0@icann.org>
X-RT-Loop-Prevention: IANA
X-RT-Ticket: IANA #1275282
X-Managed-BY: RT 5.0.3 (http://www.bestpractical.com/rt/)
X-RT-Originator: amanda.baber@icann.org
To: lbartholomew@amsl.com
CC: sacm-chairs@ietf.org, sacm-ads@ietf.org, rfc-editor@rfc-editor.org, rdd@cert.org, jmfitz2@cyber.nsa.gov, inacio@cert.org, iana@iana.org, henk.birkholz@sit.fraunhofer.de, david.waltermire@nist.gov, cmschmidt@mitre.org, auth48archive@rfc-editor.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-RT-Original-Encoding: utf-8
Precedence: bulk
Date: Fri, 23 Jun 2023 17:52:44 +0000
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/OtloQr-xB2LX01iBwC7X-Sdy1Z4>
Subject: [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm-coswid-24> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2023 17:52:51 -0000
Hi, > Apologies for the "RFC 9393"s; understood that those should wait until > after this document is published. We also see that "this document" is > not sufficiently clear and that "RFC-ietf-sacm-coswid-24, or" instead > of "or" is needed. > > * A request: Can we please change "Software-IDs" to "Software IDs" on > <https://www.iana.org/assignments/uri-schemes/prov/swid> and > <https://www.iana.org/assignments/uri-schemes/prov/swidpath> now, so > that these particular updates don't fall through the cracks later? Sorry, these changes are complete now! https://www.iana.org/assignments/uri-schemes/prov/swid https://www.iana.org/assignments/uri-schemes/prov/swidpath thanks, Amanda > The other updates look good, and thank you for those! > > RFC Editor/lb > > > > On Jun 22, 2023, at 4:07 PM, Amanda Baber via RT <iana- > > matrix@iana.org> wrote: > > > > Hi, > > > > We've made most of these changes, but had to temporarily skip or > > adjust others. Please see below. > > > >> OLD: > >> Interoperability considerations: Applications MAY ignore any key > >> value pairs that they do not understand. This allows backwards > >> compatible extensions to this specification. > >> > >> Applications that use this media type: The type is used by software > >> asset management systems, vulnerability assessment systems, and in > >> applications that use remote integrity verification. > >> > >> Magic number(s): if tagged, first five bytes in hex: da 53 57 49 44 > >> (see Section 8 in RFC-ietf-sacm-coswid-24) > >> > >> Macintosh Universal Type Identifier code: org.ietf.coswid conforms > >> to > >> public.data > >> > >> Restrictions on usage: None > >> > >> NEW: > >> Interoperability considerations: Applications MAY ignore any key > >> value pairs that they do not understand. This allows backwards- > >> compatible extensions to this specification. > >> > >> Applications that use this media type: The type is used by software > >> asset management systems and vulnerability assessment systems and > >> is used in applications that use remote integrity verification. > >> > >> Magic number(s): If tagged, the first five bytes in hex: da 53 57 > >> 49 44 (see Section 8 of RFC-ietf-sacm-coswid-24). > >> > >> Macintosh Universal Type Identifier code: org.ietf.coswid > >> conforms to public.data. > >> > >> Restrictions on usage: none > > > > These changes are complete: > > > > https://www.iana.org/assignments/media-types/application/swid+cbor > > > >> = = = = = = = = > >> > >> Per updates to Section 6.6.1, please update the following on > >> <https://www.iana.org/assignments/uri-schemes/prov/swid>: > >> > >> OLD: > >> Applications/protocols that use this scheme name: Applications that > >> require Software-IDs (SWIDs) or Concise Software-IDs (CoSWIDs); see > >> Section 5.1 of RFC-ietf-sacm-coswid-24. > >> > >> Reference: Section 5.1 in RFC-ietf-sacm-coswid-24 > >> > >> NEW: > >> Applications/protocols that use this scheme name: Applications that > >> require Software IDs (SWIDs) or Concise Software IDs (CoSWIDs); > >> see Section 5.1 of RFC 9393. > >> > >> Reference: Section 5.1 of RFC 9393 > > > > We were unable to make these reference changes. Our policy is to wait > > to replace draft strings with RFC numbers until the RFC has been > > published. > > > >> Also, please update the following on > >> <https://www.iana.org/assignments/uri-schemes/expert-notes/swid- > >> expert-notes>: > >> > >> OLD: > >> This scheme has been documented by an IETF working group, and is > >> mentioned in an IETF standard specification. But as it describes a > >> locally scoped, limited purpose, form of identification, it does not > >> fully meet the requirements for permanent registration. > >> > >> As long as the specification (RFC-ietf-sacm-coswid-24, or > >> successors) > >> that describes this scheme is a current IETF specification, this > >> scheme should be considered to be "in use" and not considered for > >> removal from the registry. > >> > >> NEW: > >> Note: This scheme has been documented by an IETF working group > >> and is mentioned in an IETF Standard specification. However, > >> as it describes a locally scoped, limited-purpose form of > >> identification, it does not fully meet the requirements for > >> permanent registration. > >> > >> As long as this specification (or any successors that describe > >> this scheme) is a current IETF specification, this scheme > >> should be considered to be "in use" and not considered for > >> removal from the registry. > > > > We updated this note, but because there is no other indication as to > > the identity of "this document" at > > https://www.iana.org/assignments/uri-schemes/expert-notes/swid- > > expert-notes, replaced "(or any successors that describe this > > scheme)" with "(RFC-ietf-sacm-coswid-24, or any successors that > > describe this scheme)." > > > >> = = = = = = = = > >> > >> Per updates to Section 6.6.2, please update the following on > >> <https://www.iana.org/assignments/uri-schemes/prov/swidpath>: > >> > >> OLD: > >> Applications/protocols that use this scheme name: Applications that > >> require Software-IDs (SWIDs) or Concise Software-IDs (CoSWIDs); see > >> Section 5.2 of RFC-ietf-sacm-coswid-24. > >> > >> Reference: Section 5.2 in RFC-ietf-sacm-coswid-24 > >> > >> NEW: > >> Applications/protocols that use this scheme name: Applications that > >> require Software IDs (SWIDs) or Concise Software IDs (CoSWIDs); > >> see Section 5.2 of RFC 9393. > >> > >> Reference: Section 5.2 of RFC 9393 > > > > We can't make these reference changes until the RFC has been > > published. > > > >> Also, please update the following on > >> <https://www.iana.org/assignments/uri-schemes/expert-notes/swidpath- > >> expert-notes>: > >> > >> OLD: > >> This scheme has been documented by an IETF working group, and is > >> mentioned in an IETF standard specification. But as it describes a > >> locally scoped, limited purpose, form of identification, it does not > >> fully meet the requirements for permanent registration. > >> > >> As long as the specification (RFC-ietf-sacm-coswid-24, or > >> successors) > >> that describes this scheme is a current IETF specification, this > >> scheme should be considered to be "in use" and not considered for > >> removal from the registry. > >> > >> NEW: > >> Note: This scheme has been documented by an IETF working group > >> and is mentioned in an IETF Standard specification. However, > >> as it describes a locally scoped, limited-purpose form of > >> identification, it does not fully meet the requirements for > >> permanent registration. > >> > >> As long as this specification (or any successors that describe > >> this scheme) is a current IETF specification, this scheme > >> should be considered to be "in use" and not considered for > >> removal from the registry. > > > > We updated this note, but as above, replaced "(or any successors that > > describe this scheme)" with "(RFC-ietf-sacm-coswid-24, or any > > successors that describe this scheme)." See > > > > https://www.iana.org/assignments/uri-schemes/expert-notes/swidpath- > > expert-notes > > > > thanks, > > > > Amanda Baber > > IANA Operations Manager > > > >> Thank you! > >> > >> RFC Editor/lb > >> > >>> On Jun 21, 2023, at 1:31 PM, Lynne Bartholomew > >>> <lbartholomew@amsl.com> wrote: > >>> > >>> Hi, Roman. We have noted your approval: > >>> > >>> https://www.rfc-editor.org/auth48/rfc9393 > >>> > >>> We will email IANA shortly and ask them to make some updates so > >>> that > >>> relevant information on their site matches the corresponding > >>> entries > >>> in this document. After those updates are completed, we will > >>> prepare > >>> this document for publication. > >>> > >>> Thank you! > >>> > >>> RFC Editor/lb > >>> > >>>> On Jun 21, 2023, at 8:39 AM, Roman Danyliw <rdd@cert.org> wrote: > >>>> > >>>> Hi! > >>>> > >>>> Approved. Thanks for all of the work here. > >>>> > >>>> Thanks, > >>>> Roman > >>>> > >>>>> -----Original Message----- > >>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> > >>>>> Sent: Friday, June 16, 2023 2:57 PM > >>>>> To: Roman Danyliw <rdd@cert.org>; sacm-ads@ietf.org > >>>>> Cc: Waltermire, David A. (Fed) <david.waltermire@nist.gov>; > >>>>> jmfitz2@cyber.nsa.gov; henk.birkholz@sit.fraunhofer.de; Schmidt, > >>>>> Charles M. > >>>>> <cmschmidt@mitre.org>; rfc-editor@rfc-editor.org; sacm- > >>>>> chairs@ietf.org; Chris > >>>>> Inacio <inacio@cert.org>; auth48archive@rfc-editor.org > >>>>> Subject: *[AD] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm- > >>>>> coswid- > >>>>> 24> for > >>>>> your review > >>>>> > >>>>> Hi, Roman. > >>>>> > >>>>> A reminder that the question listed below is still pending. > >>>>> Please > >>>>> advise. > >>>>> > >>>>> The AUTH48 status page is here: > >>>>> > >>>>> https://www.rfc-editor.org/auth48/rfc9393 > >>>>> > >>>>> Thank you! > >>>>> > >>>>> RFC Editor/lb > >>>>> > >>>>>> On Jun 8, 2023, at 8:38 AM, Lynne Bartholomew > >>>>>> <lbartholomew@amsl.com> > >>>>> wrote: > >>>>>> > >>>>>> Hi, Roman. > >>>>>> > >>>>>> Please note that this question for you is still pending: > >>>>>> > >>>>>> <!-- [rfced] *AD - This document underwent two version changes > >>>>>> since > >>>>>> version -22, which we edited last year; we later received > >>>>>> notifications for versions -23 and -24. > >>>>>> > >>>>>> We manually incorporated the updates by looking at the diff > >>>>>> between > >>>>>> version -22 and version -24 on the Datatracker. > >>>>>> > >>>>>> Please review the changes to Sections 5 and 6 carefully, and let > >>>>>> us > >>>>>> know if you approve. --> > >>>>>> > >>>>>> The latest files are posted here (with month updated to June): > >>>>>> > >>>>>> https://www.rfc-editor.org/authors/rfc9393.txt > >>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf > >>>>>> https://www.rfc-editor.org/authors/rfc9393.html > >>>>>> https://www.rfc-editor.org/authors/rfc9393.xml > >>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html > >>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html > >>>>>> https://www.rfc-editor.org/authors/rfc9393-auth48diff.html > >>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html > >>>>>> https://www.rfc-editor.org/authors/rfc9393-lastrfcdiff.html > >>>>>> > >>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html > >>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html > >>>>>> > >>>>>> The AUTH48 status page is here: > >>>>>> > >>>>>> https://www.rfc-editor.org/auth48/rfc9393 > >>>>>> > >>>>>> Thank you! > >>>>>> > >>>>>> RFC Editor/lb > >>>>>> > >>>>>>> On Jun 8, 2023, at 8:29 AM, Lynne Bartholomew > >>>>> <lbartholomew@amsl.com> wrote: > >>>>>>> > >>>>>>> Hi, Dave. No worries; thank you for the email. > >>>>>>> > >>>>>>> We have noted your approval on the AUTH48 status page: > >>>>>>> > >>>>>>> https://www.rfc-editor.org/auth48/rfc9393 > >>>>>>> > >>>>>>> Thanks again! > >>>>>>> > >>>>>>> RFC Editor/lb > >>>>>>> > >>>>>>>> On Jun 6, 2023, at 7:23 PM, Waltermire, David A. (Fed) > >>>>> <david.waltermire@nist.gov> wrote: > >>>>>>>> > >>>>>>>> Lynne, > >>>>>>>> > >>>>>>>> Sorry for the delay. I approve. Thanks. > >>>>>>>> > >>>>>>>> Dave > >>>>>>>> > >>>>>>>> -----Original Message----- > >>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> > >>>>>>>> Sent: Friday, June 2, 2023 11:27 AM > >>>>>>>> To: jmfitz2@cyber.nsa.gov; henk.birkholz@sit.fraunhofer.de > >>>>>>>> Cc: Schmidt, Charles M. <cmschmidt@mitre.org>; rfc-editor@rfc- > >>>>> editor.org; Waltermire, David A. (Fed) > >>>>> <david.waltermire@nist.gov>; > >>>>> sacm- > >>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher > >>>>> <inacio@cert.org>; > >>>>> rdd@cert.org; auth48archive@rfc-editor.org > >>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- > >>>>>>>> ietf- > >>>>>>>> sacm- > >>>>> coswid-24> for your review > >>>>>>>> > >>>>>>>> Hi, Jess and Henk. > >>>>>>>> > >>>>>>>> We have noted your approvals on the AUTH48 status page: > >>>>>>>> > >>>>>>>> https://www.rfc-editor.org/auth48/rfc9393 > >>>>>>>> > >>>>>>>> Thank you! > >>>>>>>> > >>>>>>>> RFC Editor/lb > >>>>>>>> > >>>>>>>>> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de> > >>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- > >>>>>>>>> ietf- > >>>>>>>>> sacm- > >>>>> coswid-24> for your review > >>>>>>>>> Date: June 1, 2023 at 7:52:42 AM PDT > >>>>>>>>> To: Lynne Bartholomew <lbartholomew@amsl.com>, Charles M > >>>>>>>>> Schmidt > >>>>> <cmschmidt@mitre.org> > >>>>>>>>> Cc: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, > >>>>> "jmfitz2@cyber.nsa.gov" <jmfitz2@cyber.nsa.gov>, "Waltermire, > >>>>> David" > >>>>> <david.waltermire@nist.gov>, "sacm-ads@ietf.org" <sacm- > >>>>> ads@ietf.org>, > >>>>> "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, "Inacio, > >>>>> Christopher" > >>>>> <inacio@cert.org>, "rdd@cert.org" <rdd@cert.org>, > >>>>> "auth48archive@rfc- > >>>>> editor.org" <auth48archive@rfc-editor.org> > >>>>>>>>> > >>>>>>>>> Hi Lynne, > >>>>>>>>> > >>>>>>>>> thanks for all the help. Ship it! > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> Viele Grüße, > >>>>>>>>> > >>>>>>>>> Henk > >>>>>>>> > >>>>>>>>> On Jun 1, 2023, at 6:14 AM, jmfitz2@cyber.nsa.gov wrote: > >>>>>>>>> > >>>>>>>>> This looks good to me, Lynne. Thanks for helping us get it > >>>>>>>>> all > >>>>>>>>> done. > >>>>>>>>> > >>>>>>>>> Jess > >>>>>>>>> > >>>>>>>>> -----Original Message----- > >>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> > >>>>>>>>> Sent: Tuesday, May 30, 2023 5:09 PM > >>>>>>>>> To: Charles Schmidt (MITRE) <cmschmidt@mitre.org> > >>>>>>>>> Cc: rfc-editor@rfc-editor.org; > >>>>>>>>> henk.birkholz@sit.fraunhofer.de; > >>>>>>>>> Jessica > >>>>> Fitzgerald-McKay (GOV) <jmfitz2@cyber.nsa.gov>; Waltermire, David > >>>>> <david.waltermire@nist.gov>; sacm-ads@ietf.org; sacm- > >>>>> chairs@ietf.org; Inacio, > >>>>> Christopher <inacio@cert.org>; rdd@cert.org; auth48archive@rfc- > >>>>> editor.org > >>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- > >>>>>>>>> ietf- > >>>>>>>>> sacm- > >>>>> coswid-24> for your review > >>>>>>>>> > >>>>>>>>> Hi, Charles. > >>>>>>>>> > >>>>>>>>> We have made further updates per your notes below. > >>>>>>>>> > >>>>>>>>> The latest files are posted here: > >>>>>>>>> > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-auth48diff.html > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastrfcdiff.html > >>>>>>>>> > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html > >>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html > >>>>>>>>> > >>>>>>>>> Thank you! > >>>>>>>>> > >>>>>>>>> RFC Editor/lb > >>>>>>>>> > >>>>>>>>>> On May 25, 2023, at 12:48 PM, Charles M Schmidt > >>>>> <cmschmidt@mitre.org> wrote: > >>>>>>>>>> > >>>>>>>>>> Hello Lynne, > >>>>>>>>>> > >>>>>>>>>> Thank you for providing the updated drafts. The reordering > >>>>>>>>>> looks great. > >>>>>>>>>> > >>>>>>>>>> Regarding some of your other comments from earlier, we > >>>>>>>>>> identified a > >>>>> few editorial tweaks we would like to make to improve clarity. > >>>>>>>>>> > >>>>>>>>>> Section 2.9.1 - clarify the relationship between hash and > >>>>>>>>>> thumbprint > >>>>>>>>>> OLD: > >>>>>>>>>> CoSWID adds explicit support for the representation of hash > >>>>>>>>>> entries > >>>>> using algorithms that are > >>>>>>>>>> registered in the IANA "Named Information Hash Algorithm > >>>>>>>>>> Registry" > >>>>> [IANA.named-information] > >>>>>>>>>> using the hash member (index 7) and the corresponding hash- > >>>>>>>>>> entry type > >>>>>>>>>> > >>>>>>>>>> NEW: > >>>>>>>>>> CoSWID adds explicit support for the representation of hash > >>>>>>>>>> entries > >>>>> using algorithms that are > >>>>>>>>>> registered in the IANA "Named Information Hash Algorithm > >>>>>>>>>> Registry" > >>>>> [IANA.named-information]. > >>>>>>>>>> This array is used by both the hash (index 7) and thumbprint > >>>>>>>>>> (index 34) > >>>>> values. > >>>>>>>>>> > >>>>>>>>>> Section 2.9.2 - revise description of the location element > >>>>>>>>>> OLD: > >>>>>>>>>> location (index 23): The filesystem path where a file is > >>>>>>>>>> expected to be > >>>>> located when installed or > >>>>>>>>>> copied. The location MUST be either relative to the location > >>>>>>>>>> of the > >>>>> parent directory item > >>>>>>>>>> (preferred) or relative to the location of the CoSWID tag > >>>>>>>>>> (as > >>>>>>>>>> indicated in > >>>>> the location value in > >>>>>>>>>> the evidence entry map) if no parent is defined. The > >>>>>>>>>> location > >>>>>>>>>> MUST NOT > >>>>> include a file's name, > >>>>>>>>>> which is provided by the fs-name item. > >>>>>>>>>> > >>>>>>>>>> NEW: > >>>>>>>>>> location (index 23): The filesystem path where a file is > >>>>>>>>>> expected to be > >>>>> located when installed or > >>>>>>>>>> copied. The location MUST either be an absolute path, or a > >>>>>>>>>> path relative to the path value included in the parent > >>>>>>>>>> directory item > >>>>>>>>>> (preferred), or a path relative to the location of the > >>>>>>>>>> CoSWID > >>>>>>>>>> tag if no > >>>>>>>>>> parent is defined. The location MUST NOT include a file's > >>>>>>>>>> name, > >>>>>>>>>> which is provided by the fs-name item. > >>>>>>>>>> > >>>>>>>>>> Section 2.9.2 - Add hash = 7 to the code: > >>>>>>>>>> OLD: > >>>>>>>>>> resource-entry = { > >>>>>>>>>> type => text, > >>>>>>>>>> * $$resource-extension, > >>>>>>>>>> global-attributes, > >>>>>>>>>> } > >>>>>>>>>> directory = 16 > >>>>>>>>>> file = 17 > >>>>>>>>>> process = 18 > >>>>>>>>>> resource = 19 > >>>>>>>>>> > >>>>>>>>>> NEW: > >>>>>>>>>> resource-entry = { > >>>>>>>>>> type => text, > >>>>>>>>>> * $$resource-extension, > >>>>>>>>>> global-attributes, > >>>>>>>>>> } > >>>>>>>>>> hash = 7 > >>>>>>>>>> directory = 16 > >>>>>>>>>> file = 17 > >>>>>>>>>> process = 18 > >>>>>>>>>> resource = 19 > >>>>>>>>>> > >>>>>>>>>> Section 2.9.2 - Update the description of the hash item > >>>>>>>>>> OLD: > >>>>>>>>>> hash (index 7): A hash of the file as described in Section > >>>>>>>>>> 2.9.1. > >>>>>>>>>> > >>>>>>>>>> NEW: > >>>>>>>>>> hash (index 7): Value that provides a hash of a file. This > >>>>>>>>>> item provides an > >>>>>>>>>> integrity measurement with respect to a specific file. See > >>>>>>>>>> Section 2.9.1 > >>>>>>>>>> for more details on the use of the hash-entry data > >>>>>>>>>> structure. > >>>>>>>>>> > >>>>>>>>>> Section 2.9.4 - clarify location description by > >>>>>>>>>> acknowledging > >>>>>>>>>> previous > >>>>> description and the different use in this location > >>>>>>>>>> OLD: > >>>>>>>>>> location (index 23): The absolute file path of the location > >>>>>>>>>> of > >>>>>>>>>> the CoSWID > >>>>> tag generated as > >>>>>>>>>> evidence. (Location values in filesystem-item instances in > >>>>>>>>>> the > >>>>>>>>>> payload > >>>>> can be expressed > >>>>>>>>>> relative to this location.) > >>>>>>>>>> > >>>>>>>>>> NEW: > >>>>>>>>>> location (index 23): The filesystem path of the location of > >>>>>>>>>> the CoSWID > >>>>> tag generated as > >>>>>>>>>> evidence. This path is always an absolute file path (unlike > >>>>>>>>>> the value of a location item found within a filesystem-item > >>>>>>>>>> described > >>>>>>>>>> in Section 2.9.2, which can be either a relative path or an > >>>>>>>>>> absolute path). > >>>>>>>>>> > >>>>>>>>>> Please let us know if you have any questions or concerns > >>>>>>>>>> about > >>>>>>>>>> these > >>>>> changes. I believe the remaining questions you had are addressed > >>>>> by > >>>>> the > >>>>> clarification that descriptions are not being moved across > >>>>> sections, but just > >>>>> being re-ordered within them. > >>>>>>>>>> > >>>>>>>>>> Thanks a bunch, > >>>>>>>>>> Charles > >>>>>>>>>> > >>>>>>>>>> -----Original Message----- > >>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> > >>>>>>>>>> Sent: Wednesday, May 24, 2023 5:46 PM > >>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> > >>>>>>>>>> Cc: rfc-editor@rfc-editor.org; > >>>>>>>>>> henk.birkholz@sit.fraunhofer.de; > >>>>> jmfitz2@cyber.nsa.gov; Waltermire, David > >>>>> <david.waltermire@nist.gov>; sacm- > >>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher > >>>>> <inacio@cert.org>; > >>>>> rdd@cert.org; auth48archive@rfc-editor.org > >>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- > >>>>>>>>>> ietf-sacm- > >>>>> coswid-24> for your review > >>>>>>>>>> > >>>>>>>>>> Hi, Charles. > >>>>>>>>>> > >>>>>>>>>> We have ordered the index-number listings within each > >>>>>>>>>> section, > >>>>>>>>>> per your > >>>>> note below. Please review our updates carefully, and let us know > >>>>> if anything is > >>>>> incorrect. > >>>>>>>>>> > >>>>>>>>>> The latest files are posted here. Please refresh your > >>>>>>>>>> browser: > >>>>>>>>>> > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-auth48diff.html > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastrfcdiff.html > >>>>>>>>>> > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html > >>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html > >>>>>>>>>> > >>>>>>>>>> We will look forward to receiving the additional updates > >>>>>>>>>> later > >>>>>>>>>> on. > >>>>>>>>>> > >>>>>>>>>> Thank you! > >>>>>>>>>> > >>>>>>>>>> RFC Editor/lb > >>>>>>>>>> > >>>>>>>>>>> On May 24, 2023, at 11:57 AM, Charles M Schmidt > >>>>> <cmschmidt@mitre.org> wrote: > >>>>>>>>>>> > >>>>>>>>>>> Hi Lynne, > >>>>>>>>>>> > >>>>>>>>>>> Thank you for confirming. We are just about set with our > >>>>>>>>>>> response to > >>>>> the other questions (one more outstanding detail to go). I hope > >>>>> to > >>>>> have the > >>>>> other items to you tomorrow. > >>>>>>>>>>> > >>>>>>>>>>> Thanks, > >>>>>>>>>>> Charles > >>>>>>>>>>> > >>>>>>>>>>> -----Original Message----- > >>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> > >>>>>>>>>>> Sent: Wednesday, May 24, 2023 1:54 PM > >>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> > >>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; > >>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; > >>>>> jmfitz2@cyber.nsa.gov; Waltermire, David > >>>>> <david.waltermire@nist.gov>; sacm- > >>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher > >>>>> <inacio@cert.org>; > >>>>> rdd@cert.org; auth48archive@rfc-editor.org > >>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- > >>>>>>>>>>> ietf-sacm- > >>>>> coswid-24> for your review > >>>>>>>>>>> > >>>>>>>>>>> Hi, Charles. > >>>>>>>>>>> > >>>>>>>>>>> Regarding > >>>>>>>>>>> > >>>>>>>>>>>> Overall, our intent was that, *within a given section*, > >>>>>>>>>>>> the > >>>>>>>>>>>> descriptions > >>>>> would appear in index order, but only within their own section > >>>>> since > >>>>> descriptions only appear in sections for which the code snippets > >>>>> specify the > >>>>> term and index. We never intended for any descriptions to be > >>>>> moved > >>>>> to > >>>>> different sections. > >>>>>>>>>>> > >>>>>>>>>>> We did indeed misunderstand your request. We will make the > >>>>> necessary corrections and email you again when we've finished. > >>>>>>>>>>> > >>>>>>>>>>> Thank you for clarifying! > >>>>>>>>>>> > >>>>>>>>>>> RFC Editor/lb > >>>>>>>>>>> > >>>>>>>>>>>> On May 23, 2023, at 1:12 PM, Charles M Schmidt > >>>>> <cmschmidt@mitre.org> wrote: > >>>>>>>>>>>> > >>>>>>>>>>>> Hello Lynne, > >>>>>>>>>>>> > >>>>>>>>>>>> We are working on the edits to address the issues you > >>>>>>>>>>>> identified. > >>>>> However, we have one question for you regarding your comment > >>>>> number > >>>>> 3: > >>>>>>>>>>>> > >>>>>>>>>>>> ===== > >>>>>>>>>>>> 3. In Section 2.9.4, we see the following: > >>>>>>>>>>>> > >>>>>>>>>>>> date = 35 > >>>>>>>>>>>> device-id = 36 > >>>>>>>>>>>> > >>>>>>>>>>>> ... > >>>>>>>>>>>> > >>>>>>>>>>>> date (index 35): The date and time the information was > >>>>>>>>>>>> collected > >>>>>>>>>>>> pertaining to the evidence item in epoch-based date/time > >>>>>>>>>>>> format as > >>>>>>>>>>>> specified in Section 3.4.2 of [RFC8949]. > >>>>>>>>>>>> > >>>>>>>>>>>> device-id (index 36): The endpoint's string identifier > >>>>>>>>>>>> from > >>>>>>>>>>>> which > >>>>>>>>>>>> the evidence was collected. > >>>>>>>>>>>> > >>>>>>>>>>>> If indices 35 and 36 are moved to a previous section, will > >>>>>>>>>>>> this create > >>>>> confusion? Should we add, somewhere in the text, one or more > >>>>> citations for > >>>>> Section 2.9.4, to point readers to more information regarding > >>>>> these > >>>>> two > >>>>> indices? > >>>>>>>>>>>> > >>>>>>>>>>>> ====== > >>>>>>>>>>>> > >>>>>>>>>>>> Our question was why indices 35 and 36 were getting moved > >>>>>>>>>>>> at > >>>>>>>>>>>> all. > >>>>> Section 2.9.4 is where these two elements are listed in the code > >>>>> reference so it > >>>>> makes sense that they would be described in that section. > >>>>> Overall, > >>>>> our intent > >>>>> was that, *within a given section*, the descriptions would appear > >>>>> in index > >>>>> order, but only within their own section since descriptions only > >>>>> appear in > >>>>> sections for which the code snippets specify the term and index. > >>>>> We > >>>>> never > >>>>> intended for any descriptions to be moved to different sections. > >>>>> So > >>>>> the bottom > >>>>> line is we do not understand why indices 35 and 36 were being > >>>>> moved > >>>>> to a > >>>>> previous section in the first place. Could you explain? (And I > >>>>> apologize if my > >>>>> original request was unclear on this point.) > >>>>>>>>>>>> > >>>>>>>>>>>> Thanks, > >>>>>>>>>>>> Charles > >>>>>>>>>>>> > >>>>>>>>>>>> -----Original Message----- > >>>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> > >>>>>>>>>>>> Sent: Thursday, May 11, 2023 3:30 PM > >>>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> > >>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; > >>>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; > >>>>> jmfitz2@cyber.nsa.gov; Waltermire, David > >>>>> <david.waltermire@nist.gov>; sacm- > >>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher > >>>>> <inacio@cert.org>; > >>>>> rdd@cert.org; auth48archive@rfc-editor.org > >>>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- > >>>>>>>>>>>> ietf-sacm- > >>>>> coswid-24> for your review > >>>>>>>>>>>> > >>>>>>>>>>>> Hi, Charles. > >>>>>>>>>>>> > >>>>>>>>>>>> We started reordering the "(index ..)" listings in > >>>>>>>>>>>> Sections > >>>>>>>>>>>> 2.3, 2.7, > >>>>> 2.9.2, and 2.9.4, but we stopped after almost finishing the > >>>>> ordering in Section > >>>>> 2.3, because we have some follow-up questions that we would like > >>>>> to > >>>>> resolve > >>>>> before we continue: > >>>>>>>>>>>> > >>>>>>>>>>>> 1. We see that this list in Section 2.3 does not include > >>>>>>>>>>>> index 7. > >>>>> Assuming that we should move the "hash (index 7)" entry from > >>>>> Section 2.9.2 to > >>>>> Section 2.3, should we also add "hash = 7" to the list, between > >>>>> the > >>>>> payload and > >>>>> corpus entries? > >>>>>>>>>>>> > >>>>>>>>>>>> tag-id = 0 > >>>>>>>>>>>> software-name = 1 > >>>>>>>>>>>> entity = 2 > >>>>>>>>>>>> evidence = 3 > >>>>>>>>>>>> link = 4 > >>>>>>>>>>>> software-meta = 5 > >>>>>>>>>>>> payload = 6 > >>>>>>>>>>>> corpus = 8 > >>>>>>>>>>>> patch = 9 > >>>>>>>>>>>> media = 10 > >>>>>>>>>>>> supplemental = 11 > >>>>>>>>>>>> tag-version = 12 > >>>>>>>>>>>> software-version = 13 > >>>>>>>>>>>> version-scheme = 14 > >>>>>>>>>>>> > >>>>>>>>>>>> = = = = = > >>>>>>>>>>>> > >>>>>>>>>>>> 2. We also see two entries each for "media (index 10)" and > >>>>>>>>>>>> "location > >>>>> (index 23)" in this document. Should there only be one of each, > >>>>> or > >>>>> is it correct > >>>>> to have the two entries each for these two items? > >>>>>>>>>>>> > >>>>>>>>>>>> = = = = = > >>>>>>>>>>>> > >>>>>>>>>>>> 3. In Section 2.9.4, we see the following: > >>>>>>>>>>>> > >>>>>>>>>>>> date = 35 > >>>>>>>>>>>> device-id = 36 > >>>>>>>>>>>> > >>>>>>>>>>>> ... > >>>>>>>>>>>> > >>>>>>>>>>>> date (index 35): The date and time the information was > >>>>>>>>>>>> collected > >>>>>>>>>>>> pertaining to the evidence item in epoch-based date/time > >>>>>>>>>>>> format as > >>>>>>>>>>>> specified in Section 3.4.2 of [RFC8949]. > >>>>>>>>>>>> > >>>>>>>>>>>> device-id (index 36): The endpoint's string identifier > >>>>>>>>>>>> from > >>>>>>>>>>>> which > >>>>>>>>>>>> the evidence was collected. > >>>>>>>>>>>> > >>>>>>>>>>>> If indices 35 and 36 are moved to a previous section, will > >>>>>>>>>>>> this create > >>>>> confusion? Should we add, somewhere in the text, one or more > >>>>> citations for > >>>>> Section 2.9.4, to point readers to more information regarding > >>>>> these > >>>>> two > >>>>> indices? > >>>>>>>>>>>> > >>>>>>>>>>>> = = = = = > >>>>>>>>>>>> > >>>>>>>>>>>> We will wait to hear from you before proceeding. > >>>>>>>>>>>> > >>>>>>>>>>>> Thank you! > >>>>>>>>>>>> > >>>>>>>>>>>> RFC Editor/lb > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>>> On May 10, 2023, at 1:41 PM, Charles M Schmidt > >>>>> <cmschmidt@mitre.org> wrote: > >>>>>>>>>>>>> > >>>>>>>>>>>>> Hello Lynne, > >>>>>>>>>>>>> > >>>>>>>>>>>>> Thank you very much for the updated copy of the document. > >>>>>>>>>>>>> In our > >>>>> final review, we noted two minor tweaks: > >>>>>>>>>>>>> > >>>>>>>>>>>>> #1 > >>>>>>>>>>>>> Section 1.1: The paragraph above and the paragraph below > >>>>>>>>>>>>> figure 1 > >>>>> are indented. These paragraphs should not be indented but should > >>>>> be > >>>>> the same > >>>>> indentation as the surrounding paragraphs. > >>>>>>>>>>>>> > >>>>>>>>>>>>> #2 > >>>>>>>>>>>>> In sections 2.3, 2.7, 2.9.2, and 2.9.4, the description > >>>>>>>>>>>>> of > >>>>>>>>>>>>> the items are > >>>>> almost but not quite in index order. (E.g., in 2.9.2 the > >>>>> description of index 7 is > >>>>> between indices 21 and 22; in 2.7 the description of index 10 is > >>>>> between > >>>>> indices 38 and 39.) It would probably be more intuitive for > >>>>> readers > >>>>> for the > >>>>> descriptions to be presented in index order, from lowest to > >>>>> greatest. Would it > >>>>> be possible to make this change? > >>>>>>>>>>>>> > >>>>>>>>>>>>> Both of these are largely cosmetic at the end of the day, > >>>>>>>>>>>>> so if > >>>>> implementing them will be a problem then please disregard. > >>>>> However, > >>>>> if > >>>>> possible to implement these last-second changes, it would be > >>>>> nice. > >>>>> Please let > >>>>> me know if this is possible. > >>>>>>>>>>>>> > >>>>>>>>>>>>> Thanks a bunch, > >>>>>>>>>>>>> Charles > >>>>>>>>>>>>> > >>>>>>>>>>>>> -----Original Message----- > >>>>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> > >>>>>>>>>>>>> Sent: Tuesday, May 9, 2023 6:09 PM > >>>>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> > >>>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; > >>>>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; > >>>>> jmfitz2@cyber.nsa.gov; Waltermire, David > >>>>> <david.waltermire@nist.gov>; sacm- > >>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher > >>>>> <inacio@cert.org>; > >>>>> rdd@cert.org; auth48archive@rfc-editor.org > >>>>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 > >>>>>>>>>>>>> <draft- > >>>>>>>>>>>>> ietf- > >>>>> sacm-coswid-24> for your review > >>>>>>>>>>>>> > >>>>>>>>>>>>> Hi, Charles. Thank you for your latest reply! We have > >>>>>>>>>>>>> further > >>>>> updated this document per your notes below. > >>>>>>>>>>>>> > >>>>>>>>>>>>> The latest files are posted here (please refresh your > >>>>>>>>>>>>> browser): > >>>>>>>>>>>>> > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- > >>>>>>>>>>>>> auth48diff.html > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- > >>>>>>>>>>>>> lastrfcdiff.html > >>>>>>>>>>>>> > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html > >>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html > >>>>>>>>>>>>> > >>>>>>>>>>>>> Thanks again! > >>>>>>>>>>>>> > >>>>>>>>>>>>> RFC Editor/lb > >>>>>>>>>>>>> > >>>>>>>>>>>>>> On May 9, 2023, at 5:18 AM, Charles M Schmidt > >>>>> <cmschmidt@mitre.org> wrote: > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Hello all, > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Thanks for the follow up. Responses below: > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> 8) The indenting scheme shown in the PDF (it looks like > >>>>>>>>>>>>>> it > >>>>>>>>>>>>>> is a 2-level > >>>>> indent) looks good. Please go with what you proposed. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> 24) We are not a fan of having to split the comment over > >>>>>>>>>>>>>> two lines. > >>>>> We propose the following change, shortening the comment: > >>>>>>>>>>>>>> Section 2.10 > >>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>> ; supplemental=11 ; already defined in the > >>>>>>>>>>>>>> ; "global map member" integer indices > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>> ; supplemental=11 ; already defined > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> 41) Missed and updated text normalization > >>>>>>>>>>>>>> Global: > >>>>>>>>>>>>>> OLD: (missed normalization from before) > >>>>>>>>>>>>>> version scheme name > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>> Version Scheme Name > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Global: (XML Schema capitalization - we'll defer to > >>>>>>>>>>>>>> W3C's > >>>>> conventions) > >>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>> XML schema > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>> XML Schema > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Section 7: (suggest just re-using previously defined > >>>>>>>>>>>>>> acronym in > >>>>> section 7) > >>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>> Cryptographic signatures can make any modification of > >>>>>>>>>>>>>> the > >>>>>>>>>>>>>> tag > >>>>> detectable, which is especially important if the integrity of the > >>>>> tag is important, > >>>>> such as when the tag is providing reference integrity > >>>>> measurements > >>>>> for files. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>> Cryptographic signatures can make any modification of > >>>>>>>>>>>>>> the > >>>>>>>>>>>>>> tag > >>>>> detectable, which is especially important if the integrity of the > >>>>> tag is important, > >>>>> such as when the tag is providing RIMs for files. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> I believe that covers everything. Thank you for the > >>>>>>>>>>>>>> thorough review. > >>>>> Please let us know if you have any further questions or > >>>>> suggestions. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Take care, > >>>>>>>>>>>>>> Charles > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> -----Original Message----- > >>>>>>>>>>>>>> From: Lynne Bartholomew <lbartholomew@amsl.com> > >>>>>>>>>>>>>> Sent: Friday, May 5, 2023 4:41 PM > >>>>>>>>>>>>>> To: Charles M Schmidt <cmschmidt@mitre.org> > >>>>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; > >>>>>>>>>>>>>> henk.birkholz@sit.fraunhofer.de; > >>>>> jmfitz2@cyber.nsa.gov; Waltermire, David > >>>>> <david.waltermire@nist.gov>; sacm- > >>>>> ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher > >>>>> <inacio@cert.org>; > >>>>> rdd@cert.org; auth48archive@rfc-editor.org > >>>>>>>>>>>>>> Subject: Re: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 > >>>>>>>>>>>>>> <draft- > >>>>>>>>>>>>>> ietf- > >>>>> sacm-coswid-24> for your review > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Hi, Charles. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Thank you very much for the email and answers to our > >>>>>>>>>>>>>> many > >>>>> questions! > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> We have updated this document per your notes below. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> We have a few follow-up items for you: > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Regarding this request to indent the first "Note:" > >>>>>>>>>>>>>> paragraph: > >>>>> xml2rfcv3 does not permit us to indent the <aside> text one level > >>>>> in this > >>>>> particular case; we could only either have no indentation or two > >>>>> levels of > >>>>> indentation. Please review the current layout, and let us know > >>>>> if > >>>>> you prefer > >>>>> that the <aside> text be outdented two levels. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 8) All "Note:" entries should be <aside>s. > >>>>>>>>>>>>>>> Section 1.1: The paragraph that starts with "Note" > >>>>>>>>>>>>>>> should > >>>>>>>>>>>>>>> be an > >>>>> <aside>. Also, it should be indented but without a lead bullet. > >>>>> The > >>>>> Note > >>>>> paragraph is a second paragraph that is part of the preceding > >>>>> bullet on > >>>>> Software Upgrading. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> = = = = = > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Regarding this item from our question 24): > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> ; supplemental=11 ; this is already defined earlier > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> ; supplemental=11 ; already defined in the "global map > >>>>>>>>>>>>>>> member" > >>>>> integer indices > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> The new comment text made the line length too long. We > >>>>>>>>>>>>>> made it > >>>>> a multi-line comment. Please review, and let us know if the line > >>>>> breaks should > >>>>> be placed differently. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> = = = = = > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Question 41): We did not see a reply regarding the use > >>>>>>>>>>>>>> of > >>>>>>>>>>>>>> the > >>>>> lowercase form "version scheme name" in running text. Please let > >>>>> us know any > >>>>> concerns. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> = = = = = > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Regarding this item from our question 41): > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> XML Schema > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> XML schema > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Apologies for not noticing earlier that, with one > >>>>>>>>>>>>>> exception, > >>>>> [W3C.REC-xmlschema-2-20041028] uses "XML Schema". Would you like > >>>>> this > >>>>> document to follow the capitalization style in [W3C.REC- > >>>>> xmlschema- > >>>>> 2- > >>>>> 20041028] or stay with "XML schema"? > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> = = = = = > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Regarding this item from question 41): > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Remote Attestation, which requires a link between > >>>>>>>>>>>>>>> reference > >>>>> integrity measurements (RIM) and Attester-produced event logs > >>>>> that > >>>>> complement attestation evidence [I-D.ietf-rats-architecture]. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Remote Attestation, which requires a link between > >>>>>>>>>>>>>>> Reference > >>>>> Integrity Manifests (RIM) and Attester-produced event logs that > >>>>> complement > >>>>> attestation evidence [I-D.ietf-rats-architecture]. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> We have updated this document to use "Reference > >>>>>>>>>>>>>> Integrity > >>>>> Manifests (RIMs)". Please let us know if "reference integrity > >>>>> measurements" in > >>>>> Section 7 should be updated. > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> = = = = = > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> The latest files are posted here. Please refresh your > >>>>>>>>>>>>>> browser: > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- > >>>>>>>>>>>>>> auth48diff.html > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-lastdiff.html > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- > >>>>>>>>>>>>>> lastrfcdiff.html > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html > >>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-xmldiff2.html > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> Thanks again for your help! > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> RFC Editor/lb > >>>>>>>>>>>>>> > >>>>>>>>>>>>>>> On May 4, 2023, at 9:08 AM, Charles M Schmidt > >>>>> <cmschmidt@mitre.org> wrote: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Hello, > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Thank you for the feedback. I've included responses to > >>>>>>>>>>>>>>> all questions > >>>>> in this email. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 1) This question is directed at Roman > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 2) Please add the zip code for Jessica: > >>>>>>>>>>>>>>> Author' Addresses: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Jessica Fitzgerald-McKay > >>>>>>>>>>>>>>> National Security Agency > >>>>>>>>>>>>>>> 9800 Savage Road > >>>>>>>>>>>>>>> Ft. Meade, Maryland > >>>>>>>>>>>>>>> United States of America > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Jessica Fitzgerald-McKay > >>>>>>>>>>>>>>> National Security Agency > >>>>>>>>>>>>>>> 9800 Savage Road > >>>>>>>>>>>>>>> Ft. Meade, Maryland 20755 > >>>>>>>>>>>>>>> United States of America > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 3) Email of 5/2 noted that this question is removed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 4) Agree with proposed change: > >>>>>>>>>>>>>>> Abstract: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> CoSWID supports a similar set of semantics and features > >>>>>>>>>>>>>>> as SWID > >>>>> tags, as well as new semantics that allow CoSWIDs to describe > >>>>> additional types > >>>>> of information, all in a more memory efficient format. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> CoSWID supports a set of semantics and features that > >>>>>>>>>>>>>>> are > >>>>>>>>>>>>>>> similar > >>>>> to those for SWID tags, as well as new semantics that allow > >>>>> CoSWIDs > >>>>> to > >>>>> describe additional types of information, all in a more memory- > >>>>> efficient format. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 5) Agree with proposed change: > >>>>>>>>>>>>>>> Section 1.1 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> The SWID specification and supporting guidance provided > >>>>>>>>>>>>>>> in NIST > >>>>> Internal Report (NISTIR) 8060: Guidelines for the Creation of > >>>>> Interoperable > >>>>> SWID Tags [SWID-GUIDANCE] defines four types of SWID tags: > >>>>> primary, > >>>>> patch, > >>>>> corpus, and supplemental. The following text is paraphrased > >>>>> from > >>>>> these > >>>>> sources. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> The SWID specification and supporting guidance provided > >>>>>>>>>>>>>>> in NIST > >>>>> Internal Report (NISTIR) 8060 ("Guidelines for the Creation of > >>>>> Interoperable > >>>>> Software Identification (SWID) Tags") [SWID-GUIDANCE] define four > >>>>> types of > >>>>> SWID tags: primary, patch, corpus, and supplemental. The > >>>>> following > >>>>> text is > >>>>> paraphrased from these sources. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 6) Text is correct as is. A primary tag is indicated by > >>>>>>>>>>>>>>> not setting any > >>>>> of the other indices for other tags. As such, it does not need > >>>>> its > >>>>> own index. > >>>>> Primary tags are described in section 1.1. NO CHANGE. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 7) Agree with proposed text (with a slight change in > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> comma > >>>>> position at the end): > >>>>>>>>>>>>>>> Section 1.1: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Tags are deployed and previously deployed tags that are > >>>>>>>>>>>>>>> typically > >>>>> removed (indicated by an "x" prefix) at each lifecycle stage, as > >>>>> follows: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Tags are deployed, and previously deployed tags are > >>>>>>>>>>>>>>> typically > >>>>> removed (indicated by an "x" prefix), at each lifecycle stage as > >>>>> follows: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 8) All "Note:" entries should be <aside>s. > >>>>>>>>>>>>>>> Section 1.1: The paragraph that starts with "Note" > >>>>>>>>>>>>>>> should > >>>>>>>>>>>>>>> be an > >>>>> <aside>. Also, it should be indented but without a lead bullet. > >>>>> The > >>>>> Note > >>>>> paragraph is a second paragraph that is part of the preceding > >>>>> bullet on > >>>>> Software Upgrading. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> - Software Upgrading. As a software component is > >>>>>>>>>>>>>>> upgraded > >>>>>>>>>>>>>>> to a > >>>>>>>>>>>>>>> new version, new primary and supplemental tags replace > >>>>>>>>>>>>>>> existing tags, enabling timely and accurate tracking of > >>>>>>>>>>>>>>> updates to software inventory. While not illustrated in > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> figure, a corpus tag can also provide information about > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> upgrade installer and dependencies that need to be > >>>>>>>>>>>>>>> installed > >>>>>>>>>>>>>>> before the upgrade. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Note: In the context of software tagging software > >>>>>>>>>>>>>>> patching and > >>>>>>>>>>>>>>> updating differ in an important way. When installing a > >>>>>>>>>>>>>>> patch, a set > >>>>>>>>>>>>>>> of file modifications are made to pre-installed > >>>>>>>>>>>>>>> software > >>>>>>>>>>>>>>> which do > >>>>>>>>>>>>>>> not alter the version number or the descriptive > >>>>>>>>>>>>>>> metadata > >>>>>>>>>>>>>>> of an > >>>>>>>>>>>>>>> installed software component. An update can also make a > >>>>>>>>>>>>>>> set of > >>>>> file > >>>>>>>>>>>>>>> modifications, but the version number or the > >>>>>>>>>>>>>>> descriptive > >>>>>>>>>>>>>>> metadata > >>>>> of > >>>>>>>>>>>>>>> an installed software component are changed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> - Software Upgrading. As a software component is > >>>>>>>>>>>>>>> upgraded > >>>>>>>>>>>>>>> to a > >>>>>>>>>>>>>>> new version, new primary and supplemental tags replace > >>>>>>>>>>>>>>> existing tags, enabling timely and accurate tracking of > >>>>>>>>>>>>>>> updates to software inventory. While not illustrated in > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> figure, a corpus tag can also provide information about > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> upgrade installer and dependencies that need to be > >>>>>>>>>>>>>>> installed > >>>>>>>>>>>>>>> before the upgrade. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Note: In the context of software tagging software > >>>>>>>>>>>>>>> patching and > >>>>>>>>>>>>>>> updating differ in an important way. When installing a > >>>>>>>>>>>>>>> patch, a set > >>>>>>>>>>>>>>> of file modifications are made to pre-installed > >>>>>>>>>>>>>>> software > >>>>>>>>>>>>>>> which do > >>>>>>>>>>>>>>> not alter the version number or the descriptive > >>>>>>>>>>>>>>> metadata > >>>>>>>>>>>>>>> of an > >>>>>>>>>>>>>>> installed software component. An update can also make a > >>>>>>>>>>>>>>> set of > >>>>> file > >>>>>>>>>>>>>>> modifications, but the version number or the > >>>>>>>>>>>>>>> descriptive > >>>>>>>>>>>>>>> metadata > >>>>> of > >>>>>>>>>>>>>>> an installed software component are changed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Section 3: Make the whole paragraph that starts with > >>>>>>>>>>>>>>> "Note" an > >>>>> <aside>. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Section 6.2.4: Make the sentence that starts with > >>>>>>>>>>>>>>> "Note:" > >>>>>>>>>>>>>>> an > >>>>> <aside>. Only this sentence should be an aside. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 9) Agree with proposed text: > >>>>>>>>>>>>>>> Section 2: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> The integer values are defined in a registry specific > >>>>>>>>>>>>>>> to > >>>>>>>>>>>>>>> the kind of > >>>>> value; the text values are not intended for interchange and > >>>>> exclusively meant > >>>>> for private use as defined in Section 6.2.2. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> The integer values are defined in a registry specific > >>>>>>>>>>>>>>> to > >>>>>>>>>>>>>>> the kind of > >>>>> value; the text values are not intended for interchange and are > >>>>> exclusively > >>>>> meant for private use as defined in Section 6.2.2. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 10) Types need to be updated: > >>>>>>>>>>>>>>> Global (in the xml lines 362, 366, 371, 382, 567, 735, > >>>>>>>>>>>>>>> 759, 830, > >>>>> 995, 1089, 1105, 1197, 1214)): > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> <sourcecode type="cddl"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> <sourcecode type="cddl" name="coswid-exposition.cddl"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> XML line 1243: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> <sourcecode type="cddl" markers="true"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> <sourcecode type="cddl" name="concise-swid-tag.cddl" > >>>>> markers="true"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> XML line 2900: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> <sourcecode type="cddl" markers="true"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> <sourcecode type="cddl" name="sign1.cddl" > >>>>>>>>>>>>>>> markers="true"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> XML line 2938: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> <sourcecode type="cddl" markers="true"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> <sourcecode type="cddl" name="sign.cddl" > >>>>>>>>>>>>>>> markers="true"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> XML line 2999: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> <sourcecode type="cddl" markers="true"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> <sourcecode type="cddl" name="tags.cddl" > >>>>>>>>>>>>>>> markers="true"> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 11) The author comment has been resolved and can be > >>>>>>>>>>>>>>> removed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 12) This is not a verbatim quote. The quotation marks > >>>>>>>>>>>>>>> should be > >>>>> removed. > >>>>>>>>>>>>>>> Section 2.1: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> The CDDL "text" type is represented in CBOR as a major > >>>>>>>>>>>>>>> type 3, > >>>>> which represents "a string of Unicode characters that [are] > >>>>> encoded as UTF-8 > >>>>> [RFC3629]" (see Section 3.1 of [RFC8949]). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> The CDDL "text" type is represented in CBOR as a major > >>>>>>>>>>>>>>> type 3, > >>>>> which represents a string of Unicode characters that [are] > >>>>> encoded > >>>>> as UTF-8 > >>>>> [RFC3629] (see Section 3.1 of [RFC8949]). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 13) We request no change. Unlike the entity-entry and > >>>>>>>>>>>>>>> link-entry > >>>>> values, the version-scheme is relatively straightforward and > >>>>> doesn't have or > >>>>> need a section dedicated to it. We feel a reference from section > >>>>> 4.1 is > >>>>> unnecessary and (since only a small portion of that section deals > >>>>> with version- > >>>>> scheme) potentially confusing. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 14) The MUST NOT only applies to the "right part" of > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> value in > >>>>> 6.7. Proposing the following change to avoid ambiguity. > >>>>>>>>>>>>>>> Section 2.3: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> A textual tag-id MUST NOT contain a sequence of two > >>>>>>>>>>>>>>> underscores > >>>>> ("__", see Section 6.7). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> A textual tag-id value MUST NOT contain a sequence of > >>>>>>>>>>>>>>> two > >>>>> underscores ("__"). This is because a sequence of two underscores > >>>>> is used to > >>>>> separate the TAG_CREATOR_REGID value and UNIQUE_ID value in a > >>>>> Software > >>>>> Identifier and a sequence of two underscores in a tag-id value > >>>>> could create > >>>>> ambiguity when parsing this identifier. See Section 6.7. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 15) Replace confusing parenthetical > >>>>>>>>>>>>>>> Section 2.3: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> - version-scheme (index 14): An integer or textual > >>>>>>>>>>>>>>> value > >>>>> representing the versioning scheme used for the software-version > >>>>> item, as an > >>>>> integer label with text escape (Section 2, for the "Version > >>>>> Scheme" > >>>>> registry > >>>>> Section 4.1). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> - version-scheme (index 14): An integer or textual > >>>>>>>>>>>>>>> value > >>>>> representing the versioning scheme used for the software-version > >>>>> item, as an > >>>>> integer label with text escape. For the "Version Scheme" values, > >>>>> see Section > >>>>> 4.1. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 16) Agree with proposed change. > >>>>>>>>>>>>>>> Section 2.3 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> link (index 4): Provides a means to establish > >>>>>>>>>>>>>>> relationship arcs > >>>>> between the tag and another items. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> link (index 4): Provides a means to establish > >>>>>>>>>>>>>>> relationship arcs > >>>>> between the tag and another item. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 17) Delete the confusing sentence. > >>>>>>>>>>>>>>> Section 2.4 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> If all of the corpus, patch, and supplemental items are > >>>>>>>>>>>>>>> "false", or if > >>>>> the corpus item is set to "true", then a software-version item > >>>>> MUST > >>>>> be included > >>>>> with a value set to the version of the software component. This > >>>>> ensures that > >>>>> primary and corpus tags have an identifiable software version. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> If all of the corpus, patch, and supplemental items are > >>>>>>>>>>>>>>> "false", or if > >>>>> the corpus item is set to "true", then a software-version item > >>>>> MUST > >>>>> be included > >>>>> with a value set to the version of the software component. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 18) Agree with proposed change. > >>>>>>>>>>>>>>> Section 2.6: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> role (index 33): An integer or textual value (integer > >>>>>>>>>>>>>>> label with text > >>>>> escape, see Section 2) representing the relationship(s) between > >>>>> the > >>>>> entity, and > >>>>> this tag or the referenced software component. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> role (index 33): An integer or textual value (integer > >>>>>>>>>>>>>>> label with text > >>>>> escape; see Section 2) representing the relationship(s) between > >>>>> the > >>>>> entity and > >>>>> this tag or the referenced software component. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 19) Should be 256..65536. > >>>>>>>>>>>>>>> Section 2.7: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> $rel /= -356..65536 / text > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> $rel /= -256..65536 / text > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 20) Rephrase two bullets: > >>>>>>>>>>>>>>> Section 2.7: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> - a URI-like expression with "swid:" as the scheme > >>>>>>>>>>>>>>> refers > >>>>>>>>>>>>>>> to > >>>>> another SWID or CoSWID by the referenced tag's tag-id. This > >>>>> expression needs > >>>>> to be resolved in the context of the endpoint by software that > >>>>> can > >>>>> lookup other > >>>>> SWID or CoSWID tags. For example, "swid:2df9de35-0aff-4a86-ace6- > >>>>> f7dddd1ade4c" references the tag with the tag-id value "2df9de35- > >>>>> 0aff-4a86- > >>>>> ace6-f7dddd1ade4c". > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> - a URI-like expression with "swidpath:" as the scheme, > >>>>>>>>>>>>>>> which > >>>>> refers to another software tag via an XPATH query [W3C.REC- > >>>>> xpath20- > >>>>> 20101214] that matches items in that tag (Section 5.2). This > >>>>> scheme > >>>>> is > >>>>> provided for compatibility with [SWID]. This specification does > >>>>> not > >>>>> define how > >>>>> to resolve an XPATH query in the context of CBOR, see Section > >>>>> 5.2. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> - a URI-like expression with "swid:" as the scheme > >>>>>>>>>>>>>>> refers > >>>>>>>>>>>>>>> to > >>>>> another SWID or CoSWID by the referenced tag's tag-id. This > >>>>> expression needs > >>>>> to be resolved in the context of the endpoint by software that > >>>>> can > >>>>> lookup other > >>>>> SWID or CoSWID tags. For example, "swid:2df9de35-0aff-4a86-ace6- > >>>>> f7dddd1ade4c" references the tag with the tag-id value "2df9de35- > >>>>> 0aff-4a86- > >>>>> ace6-f7dddd1ade4c". See Section 5.1 for guidance on the "swid" > >>>>> expression. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> - a URI-like expression with "swidpath:" as the scheme, > >>>>>>>>>>>>>>> which > >>>>> refers to another software tag via an XPATH query [W3C.REC- > >>>>> xpath20- > >>>>> 20101214] that matches items in that tag (Section 5.2). This > >>>>> scheme > >>>>> is > >>>>> provided for compatibility with [SWID]. This specification does > >>>>> not > >>>>> define how > >>>>> to resolve an XPATH query in the context of CBOR. See Section 5.2 > >>>>> for guidance > >>>>> on the "swidpath" expression. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 21) Agree with proposed changes. > >>>>>>>>>>>>>>> Section 2.7: > >>>>>>>>>>>>>>> * ownership (index 39): An integer or textual value > >>>>>>>>>>>>>>> (integer label > >>>>>>>>>>>>>>> with text escape, see Section 2, for the "Software ID > >>>>>>>>>>>>>>> Link > >>>>>>>>>>>>>>> Ownership Values" registry Section 4.3) used when the > >>>>>>>>>>>>>>> "href" item > >>>>>>>>>>>>>>> references another software component to indicate the > >>>>>>>>>>>>>>> degree of > >>>>>>>>>>>>>>> ownership between the software component referenced by > >>>>>>>>>>>>>>> the > >>>>> CoSWID > >>>>>>>>>>>>>>> tag and the software component referenced by the link. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * rel (index 40): An integer or textual value that > >>>>>>>>>>>>>>> (integer label > >>>>>>>>>>>>>>> with text escape, see Section 2, for the "Software ID > >>>>>>>>>>>>>>> Link Link > >>>>>>>>>>>>>>> Relationship Values" registry Section 4.3) identifies > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> relationship between this CoSWID and the target > >>>>>>>>>>>>>>> resource > >>>>>>>>>>>>>>> identified by the "href" item. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * use (index 42): An integer or textual value (integer > >>>>>>>>>>>>>>> label with > >>>>>>>>>>>>>>> text escape, see Section 2, for the "Software ID Link > >>>>>>>>>>>>>>> Link > >>>>>>>>>>>>>>> Relationship Values" registry Section 4.3) used to > >>>>>>>>>>>>>>> determine if > >>>>>>>>>>>>>>> the referenced software component has to be installed > >>>>>>>>>>>>>>> before > >>>>>>>>>>>>>>> installing the software component identified by the > >>>>>>>>>>>>>>> COSWID tag. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> * ownership (index 39): An integer or textual value > >>>>>>>>>>>>>>> (integer label > >>>>>>>>>>>>>>> with text escape; see Section 2). See Section 4.3 for > >>>>>>>>>>>>>>> the list > >>>>>>>>>>>>>>> of values available for this item. This item is used > >>>>>>>>>>>>>>> when the > >>>>>>>>>>>>>>> href item references another software component to > >>>>>>>>>>>>>>> indicate the > >>>>>>>>>>>>>>> degree of ownership between the software component > >>>>>>>>>>>>>>> referenced > >>>>> by > >>>>>>>>>>>>>>> the CoSWID tag and the software component referenced by > >>>>>>>>>>>>>>> the > >>>>> link. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * rel (index 40): An integer or textual value > >>>>>>>>>>>>>>> (integer > >>>>>>>>>>>>>>> label with > >>>>>>>>>>>>>>> text escape; see Section 2). See Section 4.4 for the > >>>>>>>>>>>>>>> list of > >>>>>>>>>>>>>>> values available for this item. This item identifies > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> relationship between this CoSWID and the target > >>>>>>>>>>>>>>> resource > >>>>>>>>>>>>>>> identified by the href item. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * use (index 42): An integer or textual value > >>>>>>>>>>>>>>> (integer > >>>>>>>>>>>>>>> label with > >>>>>>>>>>>>>>> text escape; see Section 2). See Section 4.5 for the > >>>>>>>>>>>>>>> list of > >>>>>>>>>>>>>>> values available for this item. This item is used to > >>>>>>>>>>>>>>> determine > >>>>>>>>>>>>>>> if the referenced software component has to be > >>>>>>>>>>>>>>> installed > >>>>>>>>>>>>>>> before > >>>>>>>>>>>>>>> installing the software component identified by the > >>>>>>>>>>>>>>> CoSWID tag. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 22) Change i.e. to e.g. > >>>>>>>>>>>>>>> Section 2.8: > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Examples of an entitlement-key might include a serial > >>>>>>>>>>>>>>> number, > >>>>> product key, or license key. For values that relate to a given > >>>>> software > >>>>> component install (i.e., license key), a supplemental tag will > >>>>> typically contain > >>>>> this information. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Examples of an entitlement-key might include a serial > >>>>>>>>>>>>>>> number, > >>>>> product key, or license key. For values that relate to a given > >>>>> software > >>>>> component install (e.g., license key), a supplemental tag will > >>>>> typically contain > >>>>> this information. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 23) "$$software-meta-extension" is correct > >>>>>>>>>>>>>>> Section 2.8: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> $$meta-extension: This CDDL socket can be used to > >>>>>>>>>>>>>>> extend > >>>>>>>>>>>>>>> the > >>>>> software-meta-entry group model. See Section 2.2. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> $$software-meta-extension: This CDDL socket can be used > >>>>>>>>>>>>>>> to > >>>>> extend the software-meta-entry group model. See Section 2.2. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 24) 65536 is correct > >>>>>>>>>>>>>>> Section 2.10: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> $rel /= -256..64436 / text > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> $rel /= -256..65536 / text > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> ; supplemental=11 ; this is already defined earlier > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> ; supplemental=11 ; already defined in the "global map > >>>>>>>>>>>>>>> member" > >>>>> integer indices > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 25) Revised text > >>>>>>>>>>>>>>> Section 3: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Note: Multiple of the corpus, patch, and supplemental > >>>>>>>>>>>>>>> items can > >>>>> have values set as "true". The rules above provide a means to > >>>>> determine the > >>>>> tag's type in such a case. For example, a SWID or CoSWID tag for > >>>>> a patch > >>>>> installer might have both corpus and patch items set to "true". > >>>>> In such a case, > >>>>> the tag is a "Corpus Tag". The tag installed by this installer > >>>>> would have only > >>>>> the patch item set to "true", making the installed tag type a > >>>>> "Patch Tag". > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Note: It is possible for some or all of the corpus, > >>>>>>>>>>>>>>> patch, and > >>>>> supplemental items to simultaneously have values set as "true". > >>>>> The > >>>>> rules > >>>>> above provide a means to determine the tag's type in such a case. > >>>>> For > >>>>> example, a SWID or CoSWID tag for a patch installer might have > >>>>> both > >>>>> corpus > >>>>> and patch items set to "true". In such a case, the tag is a > >>>>> "Corpus Tag". The tag > >>>>> installed by this installer would have only the patch item set to > >>>>> "true", making > >>>>> the installed tag type a "Patch Tag". > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 26) Agree with proposed text > >>>>>>>>>>>>>>> Section 4: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> This section defines a number of kinds of indexed label > >>>>>>>>>>>>>>> values that > >>>>> are maintained in a registry each (Section 6). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> This section defines multiple kinds of indexed label > >>>>>>>>>>>>>>> values that are > >>>>> maintained in several IANA registries. See Section 6 for > >>>>> details. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 27) Agree with proposed text > >>>>>>>>>>>>>>> Table 6: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> | 10 | supersedes | The link references > >>>>>>>>>>>>>>> another > >>>>>>>>>>>>>>> | > >>>>>>>>>>>>>>> | | | software that this > >>>>>>>>>>>>>>> software > >>>>>>>>>>>>>>> | > >>>>>>>>>>>>>>> | | | replaces. A patch tag > >>>>>>>>>>>>>>> (see > >>>>>>>>>>>>>>> | > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> | 10 | supersedes | The link references other > >>>>>>>>>>>>>>> software | > >>>>>>>>>>>>>>> | | | (e.g., an older software > >>>>>>>>>>>>>>> version) | > >>>>>>>>>>>>>>> | | | that this software > >>>>>>>>>>>>>>> replaces. A path tag (see | > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 28) Agree with proposed text: > >>>>>>>>>>>>>>> Section 6.2.1: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> This allows values -1 to -24 to be expressed as a > >>>>>>>>>>>>>>> single > >>>>>>>>>>>>>>> uint_8t in > >>>>> CBOR, and values -25 to -256 to be expressed using an additional > >>>>> uint_8t in > >>>>> CBOR. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> This allows values -1 to -24 to be expressed as a > >>>>>>>>>>>>>>> single > >>>>>>>>>>>>>>> uint8_t in > >>>>> CBOR, and values -25 to -256 to be expressed using an additional > >>>>> uint8_t in > >>>>> CBOR. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 29) Agree with proposed text: > >>>>>>>>>>>>>>> Sections 6.2.4 through 6.2.8 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Version > >>>>>>>>>>>>>>> Scheme > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below, which are derived from the > >>>>>>>>>>>>>>> textual > >>>>> version scheme names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Entity Role > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below, which are derived from the > >>>>>>>>>>>>>>> textual > >>>>> entity role names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link > >>>>>>>>>>>>>>> Ownership > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below, which are derived from the > >>>>>>>>>>>>>>> textual > >>>>> entity role names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link > >>>>>>>>>>>>>>> Relationship Values" > >>>>>>>>>>>>>>> registry are provided below, which are derived from the > >>>>>>>>>>>>>>> link > >>>>> relationship values defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link Use > >>>>>>>>>>>>>>> Values" registry > >>>>> are provided below, which are derived from the link relationship > >>>>> values > >>>>> defined in [SWID]. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Version > >>>>>>>>>>>>>>> Scheme > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below and are derived from the > >>>>>>>>>>>>>>> textual > >>>>> version scheme names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Entity Role > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below and are derived from the > >>>>>>>>>>>>>>> textual entity > >>>>> role names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link > >>>>>>>>>>>>>>> Ownership > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below and are derived from the > >>>>>>>>>>>>>>> textual entity > >>>>> role names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link > >>>>>>>>>>>>>>> Relationship Values" > >>>>>>>>>>>>>>> registry are provided below and are derived from the > >>>>>>>>>>>>>>> link > >>>>> relationship values defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link Use > >>>>>>>>>>>>>>> Values" registry > >>>>> are provided below and are derived from the link relationship > >>>>> values defined in > >>>>> [SWID]. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 30) Use "software-version item" > >>>>>>>>>>>>>>> Section 6.2.4 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> define a value space for the corresponding version item > >>>>>>>>>>>>>>> that is > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> define a value space for the corresponding software- > >>>>>>>>>>>>>>> version item > >>>>> that is > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 31) Change to underscore > >>>>>>>>>>>>>>> Sections 7 and 8 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> COSE-Sign1-coswid<payload> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> COSE_Sign1-coswid<payload> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> COSE-Sign-coswid<payload> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> COSE_Sign-coswid<payload> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 32) Agree with proposed removal of extraneous space. > >>>>>>>>>>>>>>> Section 7: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> signature : bstr --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> signature: bstr --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 33) Agree with proposed text: > >>>>>>>>>>>>>>> Section 8: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Consecutively, the CBOR tag for CoSWID tags defined in > >>>>>>>>>>>>>>> Table 21 > >>>>> SHOULD be used in conjunction with CBOR data items that are a > >>>>> CoSWID tags. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Consequently, the CBOR tag defined by this document > >>>>>>>>>>>>>>> (Table 21) > >>>>> for CoSWID tags SHOULD be used in conjunction with CBOR data > >>>>> items > >>>>> that are > >>>>> CoSWID tags. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 34) Rephrase > >>>>>>>>>>>>>>> Section 8 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> a tagged CoSWID tag > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> a CBOR-tagged CoSWID tag > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 35) Agree with proposed text > >>>>>>>>>>>>>>> Section 9: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> A signed CoSWID tag (see Section 7) whose signature has > >>>>>>>>>>>>>>> been > >>>>> validated can be relied upon to be unchanged since it was signed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> A signed CoSWID tag (see Section 7) whose signature has > >>>>>>>>>>>>>>> been > >>>>> validated can be relied upon to be unchanged since the time at > >>>>> which it was > >>>>> signed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 36) Agree with the first proposed text. > >>>>>>>>>>>>>>> Section 9: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> A certification path between a trust anchor and a > >>>>>>>>>>>>>>> certificate > >>>>> including a public key enabling the validation of a tag signature > >>>>> can realize the > >>>>> assessment of trustworthiness of an authoritative tag. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> A certification path between a trust anchor and a > >>>>>>>>>>>>>>> certificate, > >>>>> including a public key enabling the validation of a tag > >>>>> signature, > >>>>> can realize the > >>>>> assessment of trustworthiness of an authoritative tag. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 37) Reword > >>>>>>>>>>>>>>> Section 9: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> This requires an association between the signature and > >>>>>>>>>>>>>>> the tag's > >>>>> entity item associated corresponding to the software provider. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> This requires verifying that party that signed the tag > >>>>>>>>>>>>>>> is > >>>>>>>>>>>>>>> the same > >>>>> party given in the software-creator role of the tag's entity > >>>>> item. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 38) Replace with "limited to" > >>>>>>>>>>>>>>> Section 9: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Access to the collection of an endpoint's CoSWID tags > >>>>>>>>>>>>>>> needs to be > >>>>> appropriately controlled to authorized applications and users > >>>>> using > >>>>> an > >>>>> appropriate access control mechanism. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Access to the collection of an endpoint's CoSWID tags > >>>>>>>>>>>>>>> needs to be > >>>>> limited to authorized applications and users using an appropriate > >>>>> access control > >>>>> mechanism. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 39) Agree with proposed text > >>>>>>>>>>>>>>> References: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> [W3C.REC-css3-mediaqueries-20120619] > >>>>>>>>>>>>>>> Rivoal, F., Ed., "Media Queries", W3C REC REC-css3- > >>>>>>>>>>>>>>> mediaqueries- > >>>>> 20120619, W3C REC-css3-mediaqueries-20120619, 19 June 2012, > >>>>> <https://www.w3.org/TR/2012/REC-css3-mediaqueries-20120619/>. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> [W3C.REC-css3-mediaqueries-20120619] > >>>>>>>>>>>>>>> Rivoal, F., Ed., "Media Queries", W3C REC REC-css3- > >>>>>>>>>>>>>>> mediaqueries- > >>>>> 20120619, W3C REC-css3-mediaqueries-20120619, 19 June 2012, > >>>>> <https://www.w3.org/TR/mediaqueries-3/>. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 40) Document was reviewed for inclusive language. > >>>>>>>>>>>>>>> Authors > >>>>>>>>>>>>>>> did > >>>>> not identify any other issues. In looking for a replacement for > >>>>> "whitespace", > >>>>> none of the proposed replacements were seen as adequate because > >>>>> they were > >>>>> not sufficiently comprehensive to include all the types of > >>>>> characters that fall > >>>>> under the general term of "whitespace". If you have a suggestion > >>>>> we > >>>>> would be > >>>>> open to using it, but currently do not have an adequate > >>>>> replacement. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 41) Normalizations: > >>>>>>>>>>>>>>> Global: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> URI-scheme > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> URI scheme > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * Note: one instance of "URI-scheme" is in a URL, and > >>>>>>>>>>>>>>> thus should > >>>>> not be changed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> XPATH > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> XPath > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Private Use > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> private use > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * NOTE: one instance of "Private Use" is in a section > >>>>>>>>>>>>>>> title and > >>>>> should not be changed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> XML Schema > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> XML schema > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * NOTE: one instance of "XML Schema" is in the title of > >>>>>>>>>>>>>>> a > >>>>>>>>>>>>>>> reference > >>>>> and it should not be changed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> indexes > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> indices > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> "href" item > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> href item > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> "role" item > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW > >>>>>>>>>>>>>>> role item > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Section 1: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> Remote Attestation, which requires a link between > >>>>>>>>>>>>>>> reference > >>>>> integrity measurements (RIM) and Attester-produced event logs > >>>>> that > >>>>> complement attestation evidence [I-D.ietf-rats-architecture]. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> Remote Attestation, which requires a link between > >>>>>>>>>>>>>>> Reference > >>>>> Integrity Manifests (RIM) and Attester-produced event logs that > >>>>> complement > >>>>> attestation evidence [I-D.ietf-rats-architecture]. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> I believe this addresses all of your questions and > >>>>>>>>>>>>>>> feedback. Please > >>>>> let me know if I missed anything or if any part of this response > >>>>> is > >>>>> unclear. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Thanks a bunch, > >>>>>>>>>>>>>>> Charles > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> -----Original Message----- > >>>>>>>>>>>>>>> From: rfc-editor@rfc-editor.org <rfc-editor@rfc- > >>>>>>>>>>>>>>> editor.org> > >>>>>>>>>>>>>>> Sent: Friday, April 14, 2023 4:46 PM > >>>>>>>>>>>>>>> To: henk.birkholz@sit.fraunhofer.de; > >>>>>>>>>>>>>>> jmfitz2@cyber.nsa.gov; > >>>>> Charles M Schmidt <cmschmidt@mitre.org>; Waltermire, David > >>>>> <david.waltermire@nist.gov> > >>>>>>>>>>>>>>> Cc: rfc-editor@rfc-editor.org; sacm-ads@ietf.org; sacm- > >>>>> chairs@ietf.org; Inacio, Christopher <inacio@cert.org>; > >>>>> rdd@cert.org; > >>>>> auth48archive@rfc-editor.org > >>>>>>>>>>>>>>> Subject: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft- > >>>>>>>>>>>>>>> ietf-sacm- > >>>>> coswid-24> for your review > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Authors and *Roman (AD), > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> While reviewing this document during AUTH48, please > >>>>>>>>>>>>>>> resolve (as > >>>>> necessary) the following questions, which are also in the XML > >>>>> file. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> *AD, please see question #1. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 1) <!-- [rfced] *AD - This document underwent two > >>>>>>>>>>>>>>> version > >>>>>>>>>>>>>>> changes > >>>>> since version -22, which we edited last year; we later received > >>>>> notifications for > >>>>> versions -23 and -24. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> We manually incorporated the updates by looking at the > >>>>>>>>>>>>>>> diff > >>>>> between version -22 and version -24 on the Datatracker. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please review the changes to Sections 5 and 6 > >>>>>>>>>>>>>>> carefully, > >>>>>>>>>>>>>>> and let us > >>>>> know if you approve. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 2) <!-- [rfced] Authors' Addresses: Jessica > >>>>>>>>>>>>>>> Fitzgerald- > >>>>>>>>>>>>>>> McKay's > >>>>> contact information is the only listing that does not include a > >>>>> postal code. > >>>>>>>>>>>>>>> If you would like us to include a postal code, please > >>>>>>>>>>>>>>> provide it. > >>>>>>>>>>>>>>> (We see "20755" used in > >>>>>>>>>>>>>>> draft-ietf-rats-tpm-based-network-device-attest.) > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Jessica Fitzgerald-McKay > >>>>>>>>>>>>>>> National Security Agency > >>>>>>>>>>>>>>> 9800 Savage Road > >>>>>>>>>>>>>>> Ft. Meade, Maryland > >>>>>>>>>>>>>>> United States of America > >>>>>>>>>>>>>>> Email: jmfitz2@cyber.nsa.gov --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 3) <!-- [rfced] As it appears that "LocalWords" as > >>>>>>>>>>>>>>> listed after the > >>>>> Acknowledgments section in the original XML file refers to "key > >>>>> words" as > >>>>> defined in RFC 2119, we list them here as key words and have > >>>>> added > >>>>> them to > >>>>> our database record for this document. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> If this is incorrect, please insert any keywords > >>>>>>>>>>>>>>> (beyond > >>>>>>>>>>>>>>> those that > >>>>> appear in the title) for use on <https://www.rfc- > >>>>> editor.org/search>, > >>>>>>>>>>>>>>> and we will update the <keyword> settings here and in > >>>>>>>>>>>>>>> our > >>>>> database record accordingly. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> LocalWords: SWID verifier TPM filesystem discoverable > >>>>>>>>>>>>>>> CoSWID -- > >>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 4) <!-- [rfced] Abstract: To what does "similar" refer > >>>>>>>>>>>>>>> in this > >>>>> sentence? If the suggested text is not correct, please provide > >>>>> clarifying text. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> CoSWID supports a similar set of > >>>>>>>>>>>>>>> semantics and features as SWID tags, as well as new > >>>>>>>>>>>>>>> semantics > >>>>> that allow CoSWIDs to describe additional types of information, > >>>>> all in a more > >>>>> memory efficient format. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Suggested: > >>>>>>>>>>>>>>> CoSWID supports a set of > >>>>>>>>>>>>>>> semantics and features that are similar to those for > >>>>>>>>>>>>>>> SWID > >>>>>>>>>>>>>>> tags, as > >>>>> well as new semantics that allow CoSWIDs to describe additional > >>>>> types of > >>>>> information, all in a more memory-efficient format. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 5) <!-- [rfced] Section 1.1: Because we see > >>>>>>>>>>>>>>> "paraphrased > >>>>>>>>>>>>>>> from > >>>>> these sources", we changed "defines" to "define" in the sentence > >>>>> that precedes > >>>>> it. If this is incorrect, please provide clarifying text. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> The SWID specification and supporting guidance provided > >>>>>>>>>>>>>>> in NIST > >>>>> Internal Report (NISTIR) 8060: Guidelines for the Creation of > >>>>> Interoperable > >>>>> SWID Tags [SWID-GUIDANCE] defines four types of SWID > >>>>>>>>>>>>>>> tags: primary, patch, corpus, and supplemental. The > >>>>>>>>>>>>>>> following text > >>>>> is paraphrased from these sources. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Currently: > >>>>>>>>>>>>>>> The SWID specification and supporting guidance provided > >>>>>>>>>>>>>>> in NIST > >>>>> Internal Report (NISTIR) 8060 ("Guidelines for the Creation of > >>>>> Interoperable > >>>>> Software Identification (SWID) Tags") [SWID-GUIDANCE] define > >>>>> four > >>>>> types of > >>>>> SWID tags: primary, patch, corpus, and supplemental. The > >>>>> following text is > >>>>> paraphrased from these sources. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 6) <!-- [rfced] Section 1.1: Section 2.3 does not > >>>>>>>>>>>>>>> contain a > >>>>> description of the primary tag type. We also see that the > >>>>> primary > >>>>> tag type does > >>>>> not have an index number, as do the other three types. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please confirm that (1) the lack of a description for > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> primary tag > >>>>> type in Section 2.3 will not be an issue for readers and (2) the > >>>>> primary tag type > >>>>> should not have an index number. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original ("four tags types" has been changed to "four > >>>>>>>>>>>>>>> tag > >>>>>>>>>>>>>>> types"): > >>>>>>>>>>>>>>> A detailed description of the four > >>>>>>>>>>>>>>> tags types is provided in Section 2.3. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 7) <!-- [rfced] Section 1.1: This sentence did not > >>>>>>>>>>>>>>> parse. We > >>>>> changed "that are typically removed" to "are typically removed". > >>>>> If this is > >>>>> incorrect, please provide clarifying text. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Tags are deployed and > >>>>>>>>>>>>>>> previously deployed tags that are typically removed > >>>>>>>>>>>>>>> (indicated by > >>>>> an "x" prefix) at each lifecycle stage, as follows: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Currently: > >>>>>>>>>>>>>>> Tags are deployed, and > >>>>>>>>>>>>>>> previously deployed tags are typically removed > >>>>>>>>>>>>>>> (indicated > >>>>>>>>>>>>>>> by an "x" > >>>>>>>>>>>>>>> prefix) at each lifecycle stage, as follows: --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 8) <!-- [rfced] Please review whether any of the > >>>>>>>>>>>>>>> separate > >>>>>>>>>>>>>>> "Note:" > >>>>>>>>>>>>>>> paragraphs in this document should be in the <aside> > >>>>>>>>>>>>>>> element. > >>>>>>>>>>>>>>> <aside> is defined as "a container for content that is > >>>>>>>>>>>>>>> semantically > >>>>> less important or tangential to the content that surrounds it" > >>>>>>>>>>>>>>> (https://authors.ietf.org/en/rfcxml-vocabulary#aside) > >>>>>>>>>>>>>>> --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 9) <!-- [rfced] Section 2: It appears that one or more > >>>>>>>>>>>>>>> words are > >>>>> missing from this sentence. Should "and exclusively meant" be > >>>>> "and > >>>>> are > >>>>> exclusively meant"? If not, please provide clarifying text. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> The integer values are defined in a registry specific > >>>>>>>>>>>>>>> to > >>>>>>>>>>>>>>> the kind of > >>>>> value; the text values are not intended for interchange and > >>>>> exclusively meant > >>>>> for private use as defined in Section 6.2.2. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 10) <!-- [rfced] Please review the "type" attribute of > >>>>>>>>>>>>>>> each > >>>>> sourcecode element in the XML file to ensure correctness. If the > >>>>> current list of > >>>>> preferred values for "type" > >>>>>>>>>>>>>>> (https://www.rfc-editor.org/materials/sourcecode- > >>>>>>>>>>>>>>> types.txt) > >>>>>>>>>>>>>>> does not contain an applicable type, please let us > >>>>>>>>>>>>>>> know. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Also, please review the remaining two instances of the > >>>>>>>>>>>>>>> artwork > >>>>> element. Should any of the artwork elements be tagged as > >>>>> sourcecode or > >>>>> another type of element? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please note that (1) for the ABNF in Section 6.7, we > >>>>>>>>>>>>>>> changed > >>>>> artwork to sourcecode with type="abnf" and (2) we changed the > >>>>> instances of > >>>>> sourcecode types "cddl;example" to "cddl", as "cddl;example" is > >>>>> not > >>>>> included > >>>>> on <https://www.rfc-editor.org/materials/sourcecode-types.txt>. > >>>>>>>>>>>>>>> Please let us know any concerns. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 11) <!-- [rfced] Please let us know if any updates are > >>>>>>>>>>>>>>> needed > >>>>> regarding this author comment as seen in the original approved > >>>>> document. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Hmm, duplicate detection doesn't work in CDDL tool > >>>>>>>>>>>>>>> here. > >>>>>>>>>>>>>>> --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 12) <!-- [rfced] Section 2.1: Because this text is > >>>>>>>>>>>>>>> quoted, we > >>>>> searched RFCs 3629 and 8949 but could not find this text in > >>>>> either > >>>>> RFC. To > >>>>> avoid possible reader confusion, may we either rephrase as > >>>>> suggested or > >>>>> remove the quotes? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> The CDDL "text" type is represented in CBOR as a major > >>>>>>>>>>>>>>> type 3, > >>>>> which represents "a string of Unicode characters that [are] > >>>>> encoded as > >>>>>>>>>>>>>>> UTF-8 [RFC3629]" (see Section 3.1 of [RFC8949]). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Suggested (per RFC 8949): > >>>>>>>>>>>>>>> The CDDL "text" type is represented in CBOR as a major > >>>>>>>>>>>>>>> type 3, > >>>>> which represents a string of Unicode characters that are > >>>>> "encoded > >>>>> as > >>>>>>>>>>>>>>> UTF-8 [RFC3629]" (see Section 3.1 of [RFC8949]). --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 13) <!-- [rfced] Table 2: All "$" entries in this > >>>>>>>>>>>>>>> table, > >>>>>>>>>>>>>>> except for > >>>>> $version-scheme, are indirectly cited in their respective > >>>>> subsections of Section > >>>>> 4. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Per the pattern of indirect citations used for the > >>>>>>>>>>>>>>> other > >>>>>>>>>>>>>>> entries > >>>>> (where the other entries point to Sections 2.6 ("The entity-entry > >>>>>>>>>>>>>>> Map") and 2.7 ("The link-entry Map")), may we update > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> first > >>>>> sentence of Section 4.1 so that the sentence cites Section 2.3 > >>>>> ("The concise- > >>>>> swid-tag Map")? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original (Table 2 and Section 4.1): > >>>>>>>>>>>>>>> | version-scheme | $version-scheme | Section 4.1 | > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> The following table contains a set of values for use in > >>>>>>>>>>>>>>> the concise- > >>>>> swid-tag group's version-scheme item. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Suggested (Section 4.1): > >>>>>>>>>>>>>>> The following table contains a set of values for use in > >>>>>>>>>>>>>>> the concise- > >>>>> swid-tag group's version-scheme item (see Section 2.3). --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 14) <!-- [rfced] Section 2.3: This sentence seems to > >>>>>>>>>>>>>>> contradict the > >>>>> cited information in Section 6.7. If the text below is correct > >>>>> as > >>>>> is, please > >>>>> confirm that "... MUST NOT contain a sequence of two underscores" > >>>>> and "... are > >>>>> connected with a double underscore (_)" > >>>>>>>>>>>>>>> will be clear to readers. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> A textual > >>>>>>>>>>>>>>> tag-id MUST NOT contain a sequence of two underscores > >>>>>>>>>>>>>>> ("__", see > >>>>>>>>>>>>>>> Section 6.7). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> From Section 6.7: > >>>>>>>>>>>>>>> If the tag-id item's > >>>>>>>>>>>>>>> value is expressed as a 16-byte binary string, the > >>>>>>>>>>>>>>> UNIQUE_ID MUST > >>>>> be represented using the UUID string representation defined in > >>>>> [RFC4122] > >>>>> including the "urn:uuid:" prefix. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> The TAG_CREATOR_REGID and the UNIQUE_ID are connected > >>>>>>>>>>>>>>> with > >>>>> a double underscore (_), without any other connecting character > >>>>> or > >>>>> whitespace. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 15) <!-- [rfced] Section 2.3: We had trouble following > >>>>>>>>>>>>>>> the meaning > >>>>> of the parenthetical phrase in this sentence. Also, we could not > >>>>> find a '"Version > >>>>> Scheme" registry'; this appears to refer to the "Software ID > >>>>> Version Scheme > >>>>> Values" registry, as mentioned a few lines after this sentence. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> If the suggested text is not correct, please provide > >>>>>>>>>>>>>>> text > >>>>>>>>>>>>>>> that > >>>>> clarifies the meaning of "(Section 2, for the "Version Scheme" > >>>>>>>>>>>>>>> registry Section 4.1)". > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> * version-scheme (index 14): An integer or textual > >>>>>>>>>>>>>>> value > >>>>>>>>>>>>>>> representing the versioning scheme used for the > >>>>>>>>>>>>>>> software- > >>>>>>>>>>>>>>> version > >>>>>>>>>>>>>>> item, as an integer label with text escape (Section 2, > >>>>>>>>>>>>>>> for the > >>>>>>>>>>>>>>> "Version Scheme" registry Section 4.1). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Suggested: > >>>>>>>>>>>>>>> * version-scheme (index 14): An integer or textual > >>>>>>>>>>>>>>> value > >>>>>>>>>>>>>>> representing the versioning scheme used for the > >>>>>>>>>>>>>>> software- > >>>>>>>>>>>>>>> version > >>>>>>>>>>>>>>> item, as an integer label with text escape (Section 2). > >>>>>>>>>>>>>>> See > >>>>>>>>>>>>>>> Section 4.1 for the list of values available for this > >>>>>>>>>>>>>>> item. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 16) <!-- [rfced] Section 2.3: As it appears that > >>>>>>>>>>>>>>> "another items" > >>>>> should be "another item", we updated this sentence accordingly. > >>>>> If > >>>>> this is > >>>>> incorrect, please clarify this text. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> * link (index 4): Provides a means to establish > >>>>>>>>>>>>>>> relationship arcs > >>>>>>>>>>>>>>> between the tag and another items. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Currently: > >>>>>>>>>>>>>>> link (index 4): Provides a means to establish > >>>>>>>>>>>>>>> relationship arcs > >>>>>>>>>>>>>>> between the tag and another item. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 17) <!-- [rfced] Section 2.4: Does "software version" > >>>>>>>>>>>>>>> here refer to > >>>>> the software-version item or to a software version in general? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> This ensures that primary and corpus tags have an > >>>>>>>>>>>>>>> identifiable > >>>>> software version. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 18) <!-- [rfced] Section 2.6: As it appears that this > >>>>>>>>>>>>>>> sentence means > >>>>> "... between (1) the entity and (2) this tag or the referenced > >>>>> software > >>>>> component", we removed the comma after "entity" to avoid reader > >>>>> confusion. > >>>>> If this is incorrect (e.g., the intent is to say "between > >>>>> entities"), please provide > >>>>> clarifying text. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> * role (index 33): An integer or textual value > >>>>>>>>>>>>>>> (integer > >>>>>>>>>>>>>>> label with > >>>>>>>>>>>>>>> text escape, see Section 2) representing the > >>>>>>>>>>>>>>> relationship(s) > >>>>>>>>>>>>>>> between the entity, and this tag or the referenced > >>>>>>>>>>>>>>> software > >>>>>>>>>>>>>>> component. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Currently: > >>>>>>>>>>>>>>> role (index 33): An integer or textual value (integer > >>>>>>>>>>>>>>> label with > >>>>>>>>>>>>>>> text escape; see Section 2) representing the > >>>>>>>>>>>>>>> relationship(s) > >>>>>>>>>>>>>>> between the entity and this tag or the referenced > >>>>>>>>>>>>>>> software > >>>>>>>>>>>>>>> component. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 19) <!-- [rfced] Section 2.7: Please confirm that "- > >>>>>>>>>>>>>>> 356..65536" and > >>>>> not "-256..65535" is correct here. We ask because we do not see > >>>>> this range > >>>>> used anywhere else. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> $rel /= -356..65536 / text --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 20) <!-- [rfced] Section 2.7: We do not see CBOR > >>>>>>>>>>>>>>> mentioned in > >>>>> Section 5.2. Please confirm that this citation is correct and > >>>>> will > >>>>> be clear to > >>>>> readers. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> This specification > >>>>>>>>>>>>>>> does not define how to resolve an XPATH query in the > >>>>>>>>>>>>>>> context of > >>>>> CBOR, see Section 5.2. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Possibly (perhaps the intent was to point to the XPath > >>>>>>>>>>>>>>> query or > >>>>>>>>>>>>>>> expression?): > >>>>>>>>>>>>>>> This specification does not define how to resolve an > >>>>>>>>>>>>>>> XPath > >>>>> expression (Section 5.2) in the context of CBOR. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 21) <!-- [rfced] Section 2.7: We had trouble following > >>>>>>>>>>>>>>> the three > >>>>> instances of "... registry Section 4.3" in this section. If the > >>>>> suggested text is not > >>>>> correct, please provide text that clarifies the meanings of these > >>>>> citations. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please note that in the second and third suggestions we > >>>>>>>>>>>>>>> (1) suggest different section numbers, as there appear > >>>>>>>>>>>>>>> to > >>>>>>>>>>>>>>> be some > >>>>> section-number mismatches and (2) changed "COSWID" to "CoSWID". > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> * ownership (index 39): An integer or textual value > >>>>>>>>>>>>>>> (integer label > >>>>>>>>>>>>>>> with text escape, see Section 2, for the "Software ID > >>>>>>>>>>>>>>> Link > >>>>>>>>>>>>>>> Ownership Values" registry Section 4.3) used when the > >>>>>>>>>>>>>>> "href" item > >>>>>>>>>>>>>>> references another software component to indicate the > >>>>>>>>>>>>>>> degree of > >>>>>>>>>>>>>>> ownership between the software component referenced by > >>>>>>>>>>>>>>> the > >>>>> CoSWID > >>>>>>>>>>>>>>> tag and the software component referenced by the link. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * rel (index 40): An integer or textual value that > >>>>>>>>>>>>>>> (integer label > >>>>>>>>>>>>>>> with text escape, see Section 2, for the "Software ID > >>>>>>>>>>>>>>> Link Link > >>>>>>>>>>>>>>> Relationship Values" registry Section 4.3) identifies > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> relationship between this CoSWID and the target > >>>>>>>>>>>>>>> resource > >>>>>>>>>>>>>>> identified by the "href" item. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * use (index 42): An integer or textual value (integer > >>>>>>>>>>>>>>> label with > >>>>>>>>>>>>>>> text escape, see Section 2, for the "Software ID Link > >>>>>>>>>>>>>>> Link > >>>>>>>>>>>>>>> Relationship Values" registry Section 4.3) used to > >>>>>>>>>>>>>>> determine if > >>>>>>>>>>>>>>> the referenced software component has to be installed > >>>>>>>>>>>>>>> before > >>>>>>>>>>>>>>> installing the software component identified by the > >>>>>>>>>>>>>>> COSWID tag. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Suggested: > >>>>>>>>>>>>>>> ownership (index 39): An integer or textual value > >>>>>>>>>>>>>>> (integer label > >>>>>>>>>>>>>>> with text escape; see Section 2). See Section 4.3 for > >>>>>>>>>>>>>>> the list > >>>>>>>>>>>>>>> of values available for this item. This item is used > >>>>>>>>>>>>>>> when the > >>>>>>>>>>>>>>> href item references another software component to > >>>>>>>>>>>>>>> indicate the > >>>>>>>>>>>>>>> degree of ownership between the software component > >>>>>>>>>>>>>>> referenced > >>>>> by > >>>>>>>>>>>>>>> the CoSWID tag and the software component referenced by > >>>>>>>>>>>>>>> the > >>>>> link. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> rel (index 40): An integer or textual value (integer > >>>>>>>>>>>>>>> label with > >>>>>>>>>>>>>>> text escape; see Section 2). See Section 4.4 for the > >>>>>>>>>>>>>>> list of > >>>>>>>>>>>>>>> values available for this item. This item identifies > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> relationship between this CoSWID and the target > >>>>>>>>>>>>>>> resource > >>>>>>>>>>>>>>> identified by the href item. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> use (index 42): An integer or textual value (integer > >>>>>>>>>>>>>>> label with > >>>>>>>>>>>>>>> text escape; see Section 2). See Section 4.5 for the > >>>>>>>>>>>>>>> list of > >>>>>>>>>>>>>>> values available for this item. This item is used to > >>>>>>>>>>>>>>> determine > >>>>>>>>>>>>>>> if the referenced software component has to be > >>>>>>>>>>>>>>> installed > >>>>>>>>>>>>>>> before > >>>>>>>>>>>>>>> installing the software component identified by the > >>>>>>>>>>>>>>> CoSWID tag. -- > >>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 22) <!-- [rfced] Section 2.8: Should "i.e.," (that is) > >>>>>>>>>>>>>>> be "e.g.," (for > >>>>>>>>>>>>>>> example) here? In other words are license keys the > >>>>>>>>>>>>>>> only > >>>>>>>>>>>>>>> applicable > >>>>> category as related to a given software component install, or > >>>>> would > >>>>> serial > >>>>> numbers or product keys also be applicable? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Examples of an entitlement-key might include a serial > >>>>>>>>>>>>>>> number, > >>>>> product key, or license key. For values that relate to a given > >>>>> software > >>>>> component install (i.e., license key), a supplemental tag will > >>>>> typically contain > >>>>> this information. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 23) <!-- [rfced] Section 2.8: There appears to be a > >>>>>>>>>>>>>>> string mismatch > >>>>> for "$$meta-extension" versus "$$software-meta-extension". Table > >>>>> 1, the > >>>>> CDDL earlier in this section, and Section 2.10 use "$$software- > >>>>> meta-extension". > >>>>> Which string is correct? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> | software-meta-entry | $$software-meta-extension > >>>>>>>>>>>>>>> | > >>>>>>>>>>>>>>> Section > >>>>> | > >>>>>>>>>>>>>>> | | > >>>>>>>>>>>>>>> | > >>>>>>>>>>>>>>> 2.8 | > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * $$software-meta-extension, > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * $$meta-extension: This CDDL socket can be used to > >>>>>>>>>>>>>>> extend the > >>>>>>>>>>>>>>> software-meta-entry group model. See Section 2.2. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> * $$software-meta-extension, --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 24) <!-- [rfced] Section 2.10: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> a) Please confirm that "64436" is correct here. We ask > >>>>>>>>>>>>>>> because we > >>>>> do not see this value used anywhere else. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> $rel /= -256..64436 / text > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> b) "already defined earlier" reads oddly. Should a > >>>>>>>>>>>>>>> specific section > >>>>> number be cited here? If not, would "already defined" or > >>>>> "defined > >>>>> earlier" be > >>>>> sufficient? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> ; supplemental=11 ; this is already defined earlier --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 25) <!-- [rfced] Section 3: We had trouble following > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> meaning > >>>>> of "Multiple of" here. Does "Multiple of" mean "Multiples of", > >>>>> "Multiple", or > >>>>> something else? Please clarify. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Note: Multiple of the corpus, patch, and supplemental > >>>>>>>>>>>>>>> items can > >>>>> have values set as "true". The rules above provide a means to > >>>>> determine the > >>>>> tag's type in such a case. For example, a SWID or CoSWID tag for > >>>>> a patch > >>>>> installer might have both corpus and patch items set to "true". > >>>>> In such a case, > >>>>> the tag is a "Corpus Tag". The tag installed by this installer > >>>>> would have only > >>>>> the patch item set to "true", making the installed tag type a > >>>>> "Patch Tag". --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 26) <!-- [rfced] Section 4: We could not follow the > >>>>>>>>>>>>>>> meaning of > >>>>> "that are maintained in a registry each". Does this mean "that > >>>>> are > >>>>> each > >>>>> maintained in separate IANA registries (Section 6)", "that are > >>>>> maintained in > >>>>> several IANA registries (Section 6)", or something else? If the > >>>>> suggested text is > >>>>> not correct, please clarify. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> This section defines a number of kinds of indexed label > >>>>>>>>>>>>>>> values that > >>>>> are maintained in a registry each (Section 6). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Suggested: > >>>>>>>>>>>>>>> This section defines a number of kinds of indexed label > >>>>>>>>>>>>>>> values that > >>>>> are maintained in several IANA registries. See Section 6 for > >>>>> details. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 27) <!-- [rfced] Table 6: We had trouble following > >>>>>>>>>>>>>>> "another > >>>>> software that" here. We updated the text. If this update is > >>>>> incorrect, please > >>>>> clarify this sentence. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> | 10 | supersedes | The link references > >>>>>>>>>>>>>>> another > >>>>>>>>>>>>>>> | > >>>>>>>>>>>>>>> | | | software that this > >>>>>>>>>>>>>>> software > >>>>>>>>>>>>>>> | > >>>>>>>>>>>>>>> | | | replaces. A patch tag > >>>>>>>>>>>>>>> (see > >>>>>>>>>>>>>>> | > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Currently: > >>>>>>>>>>>>>>> | 10 | supersedes | The link references other > >>>>>>>>>>>>>>> software | > >>>>>>>>>>>>>>> | | | (e.g., an older software > >>>>>>>>>>>>>>> version) | > >>>>>>>>>>>>>>> | | | that this software > >>>>>>>>>>>>>>> replaces. A | --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 28) <!-- [rfced] Section 6.2.1: Should "uint_8t" be > >>>>>>>>>>>>>>> "uint8_t" here? > >>>>>>>>>>>>>>> We ask because we do not see any instances of "uint_8t" > >>>>>>>>>>>>>>> in any > >>>>> RFC. > >>>>>>>>>>>>>>> However, we see "uint8_t" in RFC 8949. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> This allows values -1 to -24 to be expressed as a > >>>>>>>>>>>>>>> single > >>>>>>>>>>>>>>> uint_8t in > >>>>> CBOR, and values -25 to -256 to be expressed using an additional > >>>>> uint_8t in > >>>>> CBOR. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 29) <!-- [rfced] Sections 6.2.4 through 6.2.8: As it > >>>>>>>>>>>>>>> appears that > >>>>> "which" in these sentences refers to the initial registrations > >>>>> derived from > >>>>> names or values defined in [SWID], and not to the registries > >>>>> themselves, we > >>>>> updated the sentences accordingly. If these updates are > >>>>> incorrect, > >>>>> please > >>>>> provide clarifying text. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Version > >>>>>>>>>>>>>>> Scheme > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below, which are derived from the > >>>>>>>>>>>>>>> textual > >>>>> version scheme names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Entity Role > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below, which are derived from the > >>>>>>>>>>>>>>> textual > >>>>> entity role names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link > >>>>>>>>>>>>>>> Ownership > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below, which are derived from the > >>>>>>>>>>>>>>> textual > >>>>> entity role names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link > >>>>>>>>>>>>>>> Relationship Values" > >>>>>>>>>>>>>>> registry are provided below, which are derived from the > >>>>>>>>>>>>>>> link > >>>>> relationship values defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link Use > >>>>>>>>>>>>>>> Values" registry > >>>>> are provided below, which are derived from the link relationship > >>>>> values > >>>>> defined in [SWID]. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Currently: > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Version > >>>>>>>>>>>>>>> Scheme > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below and are derived from the > >>>>>>>>>>>>>>> textual > >>>>> version scheme names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Entity Role > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below and are derived from the > >>>>>>>>>>>>>>> textual entity > >>>>> role names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link > >>>>>>>>>>>>>>> Ownership > >>>>>>>>>>>>>>> Values" > >>>>>>>>>>>>>>> registry are provided below and are derived from the > >>>>>>>>>>>>>>> textual entity > >>>>> role names defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link > >>>>>>>>>>>>>>> Relationship Values" > >>>>>>>>>>>>>>> registry are provided below and are derived from the > >>>>>>>>>>>>>>> link > >>>>> relationship values defined in [SWID]. > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> Initial registrations for the "Software ID Link Use > >>>>>>>>>>>>>>> Values" registry > >>>>> are provided below and are derived from the link relationship > >>>>> values defined in > >>>>> [SWID]. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 30) <!-- [rfced] Section 6.2.4: Should "version item" > >>>>>>>>>>>>>>> here be > >>>>> "software-version item"? We do not see "version item" used > >>>>> anywhere else in > >>>>> this document. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Designated experts MUST also ensure that newly > >>>>>>>>>>>>>>> requested > >>>>>>>>>>>>>>> entries > >>>>> define a value space for the corresponding version item that is > >>>>> unique from > >>>>> other previously registered entries. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 31) <!-- [rfced] Sections 7 and 8: > >>>>>>>>>>>>>>> Should "COSE-Sign1-coswid<payload>" and "COSE-Sign- > >>>>> coswid<payload>" > >>>>>>>>>>>>>>> be "COSE_Sign1-coswid<payload>" and "COSE_Sign- > >>>>> coswid<payload>" > >>>>>>>>>>>>>>> (i.e., underscores after "COSE" instead of hyphens)? > >>>>>>>>>>>>>>> We > >>>>>>>>>>>>>>> ask > >>>>> because we see "COSE_Sign1" and "COSE_Sign" used in the second > >>>>> paragraph > >>>>> of Section 7. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> COSE-Sign1-coswid<payload> = [ > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> COSE-Sign-coswid<payload> = [ > >>>>>>>>>>>>>>> ... > >>>>>>>>>>>>>>> signed-coswid-for<payload> = #6.18(COSE-Sign1- > >>>>>>>>>>>>>>> coswid<payload>) > >>>>>>>>>>>>>>> / #6.98(COSE-Sign-coswid<payload>) --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 32) <!-- [rfced] Section 7: Should "signature :" be > >>>>>>>>>>>>>>> "signature:" > >>>>> here? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> signature : bstr --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 33) <!-- [rfced] Section 8: We had trouble following > >>>>>>>>>>>>>>> this sentence. > >>>>>>>>>>>>>>> If the suggested update is not correct, please provide > >>>>>>>>>>>>>>> text that > >>>>> clarifies the meaning of "Consecutively" and "a CoSWID tags". > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Consecutively, the CBOR tag for CoSWID tags defined in > >>>>>>>>>>>>>>> Table 21 > >>>>> SHOULD be used in conjunction with CBOR data items that are a > >>>>> CoSWID tags. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Suggested: > >>>>>>>>>>>>>>> Consequently, the CBOR tag defined by this document > >>>>>>>>>>>>>>> (Table 21) > >>>>> for CoSWID tags SHOULD be used in conjunction with CBOR data > >>>>> items > >>>>> that > >>>>> are CoSWID tags. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 34) <!-- [rfced] Section 8: "a tagged CoSWID tag" > >>>>>>>>>>>>>>> reads > >>>>>>>>>>>>>>> oddly. > >>>>> Please confirm that the text is correct and will be clear to > >>>>> readers (e.g., are any > >>>>> words missing?). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> This specification allows for a tagged CoSWID tag to > >>>>>>>>>>>>>>> reside in a > >>>>> COSE envelope that is also tagged with a CoSWID CBOR tag. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 35) <!-- [rfced] Section 9: To prevent some readers > >>>>>>>>>>>>>>> from > >>>>>>>>>>>>>>> possibly > >>>>> interpreting "since" as "because", we changed "since it was > >>>>> signed" > >>>>>>>>>>>>>>> in this sentence to "since the time at which it was > >>>>>>>>>>>>>>> signed". Please > >>>>> let us know any concerns. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> A signed CoSWID tag (see Section 7) whose signature has > >>>>>>>>>>>>>>> been > >>>>> validated can be relied upon to be unchanged since it was signed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Currently: > >>>>>>>>>>>>>>> A signed CoSWID tag (see Section 7) whose signature has > >>>>>>>>>>>>>>> been > >>>>> validated can be relied upon to be unchanged since the time at > >>>>> which it was > >>>>> signed. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 36) <!-- [rfced] Section 9: Does "including a public > >>>>>>>>>>>>>>> key" refer to the > >>>>> certification path or the certificate? > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> A certification path between a trust anchor and a > >>>>>>>>>>>>>>> certificate > >>>>> including a public key enabling the validation of a tag signature > >>>>> can realize the > >>>>> assessment of trustworthiness of an authoritative tag. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Perhaps (certification path that includes): > >>>>>>>>>>>>>>> A certification path between a trust anchor and a > >>>>>>>>>>>>>>> certificate, > >>>>> including a public key enabling the validation of a tag > >>>>> signature, > >>>>> can realize the > >>>>> assessment of trustworthiness of an authoritative tag. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Or possibly (certificate that includes): > >>>>>>>>>>>>>>> A certification path between (1) a trust anchor and (2) > >>>>>>>>>>>>>>> a > >>>>>>>>>>>>>>> certificate > >>>>> that includes a public key enabling the validation of a tag > >>>>> signature can realize > >>>>> the assessment of trustworthiness of an authoritative tag. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 37) <!-- [rfced] Section 9: We had trouble following > >>>>>>>>>>>>>>> this > >>>>>>>>>>>>>>> sentence. > >>>>>>>>>>>>>>> Please provide text that clarifies the meaning of > >>>>>>>>>>>>>>> "associated > >>>>> corresponding to". > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> This requires an association between the signature and > >>>>>>>>>>>>>>> the tag's > >>>>> entity item associated corresponding to the software provider. > >>>>> --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 38) <!-- [rfced] Section 9: "controlled to authorized > >>>>>>>>>>>>>>> applications > >>>>> and users" reads oddly. Should "controlled to" be "controlled > >>>>> for" > >>>>> or perhaps > >>>>> "limited to"? If not, please provide clarifying text. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> Access to the collection of an > >>>>>>>>>>>>>>> endpoint's CoSWID tags needs to be appropriately > >>>>>>>>>>>>>>> controlled to > >>>>> authorized applications and users using an appropriate access > >>>>> control > >>>>> mechanism. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 39) <!-- [rfced] When accessing the page corresponding > >>>>>>>>>>>>>>> to > >>>>> [W3C.REC-css3-mediaqueries-20120619], we got a red popup saying > >>>>> "This > >>>>> version is outdated!" Because the citations in this document are > >>>>> general in > >>>>> nature, we updated the citation string and reference listing as > >>>>> follows. Please > >>>>> let us know any concerns. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Original: > >>>>>>>>>>>>>>> [W3C.REC-css3-mediaqueries-20120619] > >>>>>>>>>>>>>>> Rivoal, F., Ed., "Media Queries", W3C REC REC-css3- > >>>>>>>>>>>>>>> mediaqueries-20120619, W3C REC-css3-mediaqueries- > >>>>>>>>>>>>>>> 20120619, > >>>>>>>>>>>>>>> 19 June 2012, <https://www.w3.org/TR/2012/REC-css3- > >>>>>>>>>>>>>>> mediaqueries-20120619/>. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Currently: > >>>>>>>>>>>>>>> [W3C.REC-mediaqueries-3-20220405] > >>>>>>>>>>>>>>> Rivoal, F., Ed., "Media Queries Level 3", W3C > >>>>>>>>>>>>>>> Recommendation REC-mediaqueries-3-20220405, 5 April > >>>>>>>>>>>>>>> 2022, > >>>>>>>>>>>>>>> <https://www.w3.org/TR/mediaqueries-3/>. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 40) <!-- [rfced] Please review the "Inclusive Language" > >>>>>>>>>>>>>>> portion of > >>>>> the online Style Guide at <https://www.rfc- > >>>>> editor.org/styleguide/part2/#inclusive_language>, > >>>>>>>>>>>>>>> and let us know if any changes are needed. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> For example, please consider whether the following > >>>>>>>>>>>>>>> should > >>>>>>>>>>>>>>> be > >>>>> updated: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> whitespace --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> 41) <!-- [rfced] Please let us know if any changes are > >>>>>>>>>>>>>>> needed for > >>>>> the > >>>>>>>>>>>>>>> following: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> a) The following terms were used inconsistently in this > >>>>>>>>>>>>>>> document. > >>>>>>>>>>>>>>> We chose to use the latter forms. Please let us know > >>>>>>>>>>>>>>> any > >>>>> objections. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> URI-scheme (titles of Sections 6.6.1 and 6.6.2) / URI > >>>>>>>>>>>>>>> Scheme > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Version Scheme Name / version scheme name (in running > >>>>>>>>>>>>>>> text) > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> XPATH / XPath (per usage elsewhere in this document and > >>>>>>>>>>>>>>> per > >>>>> W3C) > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> b) The following terms appear to be used inconsistently > >>>>>>>>>>>>>>> in this > >>>>> document. Please let us know which form is preferred. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> private use / Private Use (e.g., "for private use", > >>>>>>>>>>>>>>> "for > >>>>>>>>>>>>>>> Private Use") > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> XML schema / XML Schema > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> c) The following terms appear to be used inconsistently > >>>>>>>>>>>>>>> in this > >>>>> document and the companion documents. Please let us know which > >>>>> form > >>>>> is > >>>>> preferred. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> indices / indexes > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> reference integrity measurements (RIM) / reference > >>>>>>>>>>>>>>> measurements > >>>>> (RIMs) / > >>>>>>>>>>>>>>> Reference Integrity Manifests (RIMs) > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> d) Quoting of item names was inconsistent. For > >>>>>>>>>>>>>>> example: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> href item vs. "href" item > >>>>>>>>>>>>>>> role item vs. "role" item > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> We removed the quotes, as item names were mostly > >>>>>>>>>>>>>>> unquoted. > >>>>>>>>>>>>>>> Please let us know any objections. --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Thank you. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> RFC Editor/lb/kc > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> On Apr 14, 2023, at 2:41 PM, rfc-editor@rfc-editor.org > >>>>>>>>>>>>>>> wrote: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> *****IMPORTANT***** > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Updated 2023/04/14 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> RFC Author(s): > >>>>>>>>>>>>>>> -------------- > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Instructions for Completing AUTH48 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Your document has now entered AUTH48. Once it has been > >>>>> reviewed and approved by you and all coauthors, it will be > >>>>> published as an RFC. > >>>>>>>>>>>>>>> If an author is no longer available, there are several > >>>>>>>>>>>>>>> remedies > >>>>> available as listed in the FAQ (https://www.rfc-editor.org/faq/). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> You and you coauthors are responsible for engaging > >>>>>>>>>>>>>>> other > >>>>>>>>>>>>>>> parties > >>>>> (e.g., Contributors or Working Group) as necessary before > >>>>> providing > >>>>> your > >>>>> approval. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Planning your review > >>>>>>>>>>>>>>> --------------------- > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please review the following aspects of your document: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * RFC Editor questions > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please review and resolve any questions raised by the > >>>>>>>>>>>>>>> RFC > >>>>>>>>>>>>>>> Editor > >>>>>>>>>>>>>>> that have been included in the XML file as comments > >>>>>>>>>>>>>>> marked as > >>>>>>>>>>>>>>> follows: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> <!-- [rfced] ... --> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> These questions will also be sent in a subsequent > >>>>>>>>>>>>>>> email. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * Changes submitted by coauthors > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please ensure that you review any changes submitted by > >>>>>>>>>>>>>>> your > >>>>>>>>>>>>>>> coauthors. We assume that if you do not speak up that > >>>>>>>>>>>>>>> you > >>>>>>>>>>>>>>> agree to changes submitted by your coauthors. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * Content > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please review the full content of the document, as this > >>>>>>>>>>>>>>> cannot > >>>>>>>>>>>>>>> change once the RFC is published. Please pay > >>>>>>>>>>>>>>> particular > >>>>>>>>>>>>>>> attention > >>>>> to: > >>>>>>>>>>>>>>> - IANA considerations updates (if applicable) > >>>>>>>>>>>>>>> - contact information > >>>>>>>>>>>>>>> - references > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * Copyright notices and legends > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please review the copyright notice and legends as > >>>>>>>>>>>>>>> defined > >>>>>>>>>>>>>>> in > >>>>>>>>>>>>>>> RFC 5378 and the Trust Legal Provisions > >>>>>>>>>>>>>>> (TLP - https://trustee.ietf.org/license-info/). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * Semantic markup > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please review the markup in the XML file to ensure that > >>>>>>>>>>>>>>> elements > >>>>> of > >>>>>>>>>>>>>>> content are correctly tagged. For example, ensure that > >>>>> <sourcecode> > >>>>>>>>>>>>>>> and <artwork> are set correctly. See details at > >>>>>>>>>>>>>>> <https://authors.ietf.org/rfcxml-vocabulary>. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * Formatted output > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please review the PDF, HTML, and TXT files to ensure > >>>>>>>>>>>>>>> that > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> formatted output, as generated from the markup in the > >>>>>>>>>>>>>>> XML > >>>>>>>>>>>>>>> file, is > >>>>>>>>>>>>>>> reasonable. Please note that the TXT will have > >>>>>>>>>>>>>>> formatting > >>>>>>>>>>>>>>> limitations compared to the PDF and HTML. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Submitting changes > >>>>>>>>>>>>>>> ------------------ > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> To submit changes, please reply to this email using > >>>>>>>>>>>>>>> 'REPLY ALL' as > >>>>> all the parties CCed on this message need to see your changes. > >>>>> The > >>>>> parties > >>>>>>>>>>>>>>> include: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * your coauthors > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * rfc-editor@rfc-editor.org (the RPC team) > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * other document participants, depending on the stream > >>>>>>>>>>>>>>> (e.g., > >>>>>>>>>>>>>>> IETF Stream participants are your working group chairs, > >>>>>>>>>>>>>>> the > >>>>>>>>>>>>>>> responsible ADs, and the document shepherd). > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * auth48archive@rfc-editor.org, which is a new > >>>>>>>>>>>>>>> archival > >>>>>>>>>>>>>>> mailing > >>>>> list > >>>>>>>>>>>>>>> to preserve AUTH48 conversations; it is not an active > >>>>>>>>>>>>>>> discussion > >>>>>>>>>>>>>>> list: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * More info: > >>>>>>>>>>>>>>> https://mailarchive.ietf.org/arch/msg/ietf- > >>>>>>>>>>>>>>> announce/yb6lpIGh- > >>>>> 4Q9l2USxIAe6P8O4Zc > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * The archive itself: > >>>>>>>>>>>>>>> https://mailarchive.ietf.org/arch/browse/auth48archive/ > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> * Note: If only absolutely necessary, you may > >>>>>>>>>>>>>>> temporarily opt out > >>>>>>>>>>>>>>> of the archiving of messages (e.g., to discuss a > >>>>>>>>>>>>>>> sensitive matter). > >>>>>>>>>>>>>>> If needed, please add a note at the top of the message > >>>>>>>>>>>>>>> that you > >>>>>>>>>>>>>>> have dropped the address. When the discussion is > >>>>>>>>>>>>>>> concluded, > >>>>>>>>>>>>>>> auth48archive@rfc-editor.org will be re-added to the CC > >>>>>>>>>>>>>>> list and > >>>>>>>>>>>>>>> its addition will be noted at the top of the message. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> You may submit your changes in one of two ways: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> An update to the provided XML file > >>>>>>>>>>>>>>> - OR - > >>>>>>>>>>>>>>> An explicit list of changes in this format > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Section # (or indicate Global) > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> OLD: > >>>>>>>>>>>>>>> old text > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> NEW: > >>>>>>>>>>>>>>> new text > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> You do not need to reply with both an updated XML file > >>>>>>>>>>>>>>> and an > >>>>> explicit list of changes, as either form is sufficient. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> We will ask a stream manager to review and approve any > >>>>>>>>>>>>>>> changes > >>>>> that seem beyond editorial in nature, e.g., addition of new text, > >>>>> deletion of > >>>>> text, and technical changes. Information about stream managers > >>>>> can > >>>>> be found > >>>>> in the FAQ. Editorial changes do not require approval from a > >>>>> stream manager. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Approving for publication > >>>>>>>>>>>>>>> -------------------------- > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> To approve your RFC for publication, please reply to > >>>>>>>>>>>>>>> this > >>>>>>>>>>>>>>> email > >>>>> stating that you approve this RFC for publication. Please use > >>>>> 'REPLY ALL', as all > >>>>> the parties CCed on this message need to see your approval. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Files > >>>>>>>>>>>>>>> ----- > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> The files are available here: > >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.xml > >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.html > >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.pdf > >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.txt > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Diff file of the text: > >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-diff.html > >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html > >>>>>>>>>>>>>>> (side by > >>>>> side) > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Diff of the XML: > >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393- > >>>>>>>>>>>>>>> xmldiff1.html > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> XMLv3 file that is a best effort to capture v3-related > >>>>>>>>>>>>>>> format > >>>>> updates > >>>>>>>>>>>>>>> only: > >>>>>>>>>>>>>>> https://www.rfc-editor.org/authors/rfc9393.form.xml > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Tracking progress > >>>>>>>>>>>>>>> ----------------- > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> The details of the AUTH48 status of your document are > >>>>>>>>>>>>>>> here: > >>>>>>>>>>>>>>> https://www.rfc-editor.org/auth48/rfc9393 > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Please let us know if you have any questions. > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Thank you for your cooperation, > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> RFC Editor > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> -------------------------------------- > >>>>>>>>>>>>>>> RFC9393 (draft-ietf-sacm-coswid-24) > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Title : Concise Software Identification Tags > >>>>>>>>>>>>>>> Author(s) : H. Birkholz, J. Fitzgerald-McKay, C. > >>>>>>>>>>>>>>> Schmidt, D. > >>>>> Waltermire > >>>>>>>>>>>>>>> WG Chair(s) : Karen O'Donoghue, Christopher Inacio > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> Area Director(s) : Roman Danyliw, Paul Wouters > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> > >>>>>>>>> > >>>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>> > >>>> > >>> > >
- [auth48] AUTH48: RFC-to-be 9393 <draft-ietf-sacm-… rfc-editor
- [auth48] [AD] Re: AUTH48: RFC-to-be 9393 <draft-i… rfc-editor
- Re: [auth48] [AD] AUTH48: RFC-to-be 9393 <draft-i… Lynne Bartholomew
- Re: [auth48] [EXT] Re: [AD] AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] AUTH48: RFC-to-be 9393 <d… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… jmfitz2@cyber.nsa.gov
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Henk Birkholz
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Waltermire, David A. (Fed)
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <draft-… Lynne Bartholomew
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <dr… Roman Danyliw
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <dr… Lynne Bartholomew
- [auth48] [IANA] Re: AUTH48: RFC-to-be 9393 <draft… Lynne Bartholomew
- [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] [IANA #1275282] [IANA] Re: AUTH48: R… Lynne Bartholomew
- [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] [IANA #1275282] [IANA] Re: AUTH48: R… Lynne Bartholomew