[auth48] [AD] Re: AUTH48: RFC-to-be 9472 <draft-ietf-opsawg-sbom-access-18> for your review
rfc-editor@rfc-editor.org Fri, 08 September 2023 23:26 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F197C15154A; Fri, 8 Sep 2023 16:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.534
X-Spam-Level:
X-Spam-Status: No, score=0.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FJROXzPMyc41; Fri, 8 Sep 2023 16:26:21 -0700 (PDT)
Received: from rfcpa.amsl.com (unknown [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59AE4C151548; Fri, 8 Sep 2023 16:26:21 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 2FE7CE5EA7; Fri, 8 Sep 2023 16:26:21 -0700 (PDT)
To: lear@cisco.com, scott.rose@nist.gov
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, opsawg-ads@ietf.org, opsawg-chairs@ietf.org, bill.wu@huawei.com, rwilton@cisco.com, auth48archive@rfc-editor.org
Content-type: text/plain; charset="UTF-8"
Message-Id: <20230908232621.2FE7CE5EA7@rfcpa.amsl.com>
Date: Fri, 08 Sep 2023 16:26:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/QQsN2nn736muLyYgWodG_IhnXMM>
Subject: [auth48] [AD] Re: AUTH48: RFC-to-be 9472 <draft-ietf-opsawg-sbom-access-18> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2023 23:26:25 -0000
Authors and *AD, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. *AD, please review question #10 (re: Section 6). 1) <!-- [rfced] This document's title and short title (that spans the header of the pdf) do not follow the style of other YANG RFCs (although we see that RFCs 8783 and 9132 are exceptions). For example: RFC 9094 - A YANG Data Model for Wavelength Switched Optical Networks (WSONs) RFC 9093 - A YANG Data Model for Layer 0 Types RFC 9067 - A YANG Data Model for Routing Policy Please consider the suggested updates below and let us know if one of these options is agreeable or if you prefer otherwise. Document title Original: Discovering and Retrieving Software Transparency and Vulnerability Information Perhaps: a) A YANG Data Model for Reporting Software Bills of Materials (SBOMs) and Vulnerability Information or b) A YANG Data Model Augmentation for Reporting Software Bills of Materials (SBOMs) and Vulnerability Information ... Short title Original: Discovering SBOMs and Vuln. Info Perhaps: A YANG Data Model for SBOMs and Vuln. Info --> 2) <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. --> 3) <!--[rfced] Please clarify "A number of activities have been working to". Have the activities improved visibility (option A) or is this a work in progress (option B)? Original: A number of activities have been working to improve visibility to what software is running on a system, and what vulnerabilities that software may have [EO2021]. Perhaps: A) A number of activities have been effective in improving the visibility of what software is running on a system and what vulnerabilities that software may have [EO2021]. or B) A number of activities are being implemented to improve the visibility of what software is running on a system and what vulnerabilities that software may have [EO2021]. --> 4) <!--[rfced] May we replace "vulnerable" with "open" as follows to avoid redundancy? Original: * Is this system vulnerable to a particular vulnerability? Perhaps: * Is this system open to a particular vulnerability? --> 5) <!--[rfced] Would you like to create a new section for the requirements language instead of including it at the end of Section 1? It would become Section 1.1 as follows: Original: Further queries may be necessary based on the content and structure of the response. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Perhaps: Further queries may be necessary based on the content and structure of the response. Section 1.1 Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. --> 6) <!--[rfced] May we change "rather than retrieving it twice" to "rather than the resource being retrieved twice" for clarity? Please let us know if this retains the intended meaning. Original: Network management systems retrieving this information MUST take note that the identical resource is being retrieved rather than retrieving it twice. Perhaps: Network management systems retrieving this information MUST take note that the identical resource is being retrieved rather than the resource being retrieved twice. --> 7) <!--[rfced] Could the title of Section 3 be updated slightly to reduce redundancy? Please let us know if option A or B may be preferable. Original: The mud-transparency Extension Model Extension Perhaps: A) The mud-transparency Extension or B) The mud-transparency Model Extension --> 8) <!-- [rfced] For the benefit of international readership, may we update "N.B." to "Note that" as follows? Original: N.B., this schema extension is intended to be used wherever it might be appropriate (e.g., not just MUD). Perhaps: Note that this schema extension is intended to be used wherever it might be appropriate (e.g., not just with MUD). --> 9) <!-- [rfced] Section 4. Please review the following questions about the YANG module and section title. a) FYI: We updated one instance of "YANG model" to "YANG Data Model" in this section's title per guidance from Benoit Claise and the YANG Doctors, as "YANG module" and "YANG data model" are preferred. Please review. Original: The mud-sbom augmentation to the MUD YANG model Current: The mud-sbom Augmentation to the MUD YANG Data Model b) Note that the YANG module has been updated per the formatting option of pyang. Please let us know any concerns. c) FYI: We added titles to the reference entries for RFCs 6991 and 8520 for consistency. d) May we include reference entries in the YANG module for RFCs 7231, 7252, and 9110 since these RFCs are mentioned in the description clauses? e) We note that RFCs 6991 and 7231 are only referenced in the YANG module and not in the running text. In order to have a 1:1 matchup between the references section and the text, may we add an introductory sentence before the YANG module that includes these citations (option i)? Alternatively, you may reference all of the RFCs that are mentioned (option ii). Please let us know your preference. Perhaps: i) This YANG module references [RFC6991] and [RFC7231]. or ii) This YANG module references [RFC6991], [RFC7231], [RFC7252], [RFC8520], and [RFC9110]. f) We note that RFC 7231 has been obsoleted by RFC 9110. May we replace RFC 7231 with RFC 9110 in the following instance? Current: "Use http (RFC 7231) (insecure) to retrieve SBOM information. This method is NOT RECOMMENDED but may be unavoidable for certain classes of deployment where TLS has not or cannot be implemented."; --> 10) <!-- [rfced] *[AD] Section 6: The Security Considerations section does not follow the requirements listed on https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines, which says "This section MUST be patterned after the latest approved template." Please confirm if the current text is acceptable per the context of the document or if any further updates are needed in order to follow the template. Also, please confirm if it is acceptable that RFCs 6242, 8341, and 8446 are not listed in the Normative References section or if they should be added. --> 11) <!--[rfced] Is this sentence intended to be an ordered list (option A) or are "any change in a URL" and "any change to the authority section" the 2 risks that are being referred to (option B)? Original: To address either risk, any change in a URL, and in particular to the authority section, two approaches may be used: Perhaps: A) To address either risk, any change in a URL, and particularly any change to the authority section, two approaches may be used: or B) To address either risk, i.e., any change in a URL and, in particular, to the authority section, two approaches may be used: --> 12) <!-- [rfced] We have included some clarifications about the IANA text below. In addition to reviewing those, please review all of the IANA-related updates carefully and let us know if any further updates are needed. a) Section 7.2. FYI: We have added the defining RFCs for each of the registries as follows and have added the corresponding reference entries to the Normative References section. Original: The IANA is requested to add "transparency" to the MUD extensions registry as follows: Current: IANA has added "transparency" to the "MUD Extensions" registry [RFC8520] as follows: ... Original: The following YANG module should be registered in the "YANG Module Names" registry: Current: IANA has registered the following YANG module in the "YANG Module Names" registry [RFC6020]: ... Original: The following XML registration is requested: Current: The following URI has been registered in the "IETF XML Registry" [RFC3688]: b) Section 7.2. FYI: In the entry under the "YANG Module Names" registry, we removed "Registration Contact" since it is not listed in the registry, and we added "Maintained by IANA: N" since it is listed in the registry; please see https://www.iana.org/assignments/yang-parameters/. Original: Name: ietf-mud URN: urn:ietf:params:xml:ns:yang:ietf-mud-transparency Prefix: mudtx Registrant contact: The IESG Reference: This memo Current: Name: ietf-mud URN: urn:ietf:params:xml:ns:yang:ietf-mud-transparency Maintained by IANA: N Prefix: mudtx Reference: RFC 9472 c) Section 7.3. FYI: We have added "Status: permanent" to the entry for the "Well-Known URIs" registry to match the IANA registry at https://www.iana.org/assignments/well-known-uris/. Original: URI suffix: "sbom" Change controller: "IETF" Specification document: This memo Related information: See ISO/IEC 5962:2021 and SPDX.org Current: URI Suffix: sbom Change Controller: IETF Reference: RFC 9472 Status: permanent Related information: See ISO/IEC 5962:2021 and SPDX.org --> 13) <!-- [rfced] References a) We updated the title for reference [EO2021] to match the following URL: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/ executive-order-on-improving-the-nations-cybersecurity/. Please let us know if this is correct or if the intension is to point to a different article (perhaps https://www.nist.gov/itl/executive-order-14028-improving-nations- cybersecurity). Original: [EO2021] Biden, J., "Executive Order 14028, Improving the Nations Cybersecurity", May 2021. Current: [EO2021] Biden, J., "Executive Order on Improving the Nation's Cybersecurity", EO 14028, May 2021. b) FYI: We updated the title of the reference [CycloneDX12] to match the title at "https://cyclonedx.org/docs/1.2/xml" and included a direct URL. Please let us know of any objections. Original: [CycloneDX12] cyclonedx.org, "CycloneDX XML Reference v1.2", May 2020. Current: [CycloneDX12] CycloneDX, "CycloneDX v1.2 XML Reference", Version 1.2.1, <https://cyclonedx.org/docs/1.2/xml/>. --> 14) <!-- [rfced] Throughout the text, the following terminology appears to be capitalized inconsistently. May we update to "Content-Type" to match past RFCs, including use in RFCs 7252, 8615, 8040, 9110? Content-Type vs. Content-type vs. content-type --> 15) <!-- [rfced] The following lines exceed the 72-character limit for sourcecode. Please let us know how these lines can be modified. Section 5.1 (1 character over): "systeminfo": "retrieving vuln and SBOM info via a cloud service", Section 5.2 (1 character over): "systeminfo": "mixed example: SBOM on device, vuln info in cloud", Section 5.3 (2 characters over): "contact-info": "https://iot-device.example.com/contact-info.html", Section 5.3 (1 character over): "systeminfo": "retrieving vuln and SBOM info via a cloud service", --> 16) <!-- [rfced] Please review the "type" attributes for the sourcecode elements in the XML file for correctness. If the current list of preferred values for "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt) does not contain an applicable type, then feel free to suggest a new one. Also, it is acceptable to leave the "type" attribute not set. --> 17) <!-- [rfced] FYI: We have added expansions for the following abbreviations per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each expansion in the document carefully to ensure correctness. Access Control Lists (ACLs) Constrained Application Protocol (CoAP) Internet of Things (IoT) --> 18) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Note that our script did not flag any words in particular, but this should still be reviewed as a best practice. --> Thank you. RFC Editor/st/kc On Sep 8, 2023, at 4:23 PM, rfc-editor@rfc-editor.org wrote: *****IMPORTANT***** Updated 2023/09/08 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info/). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * rfc-editor@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9472.xml https://www.rfc-editor.org/authors/rfc9472.html https://www.rfc-editor.org/authors/rfc9472.pdf https://www.rfc-editor.org/authors/rfc9472.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9472-diff.html https://www.rfc-editor.org/authors/rfc9472-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9472-xmldiff1.html The following files are provided to facilitate creation of your own diff files of the XML. Initial XMLv3 created using XMLv2 as input: https://www.rfc-editor.org/authors/rfc9472.original.v2v3.xml XMLv3 file that is a best effort to capture v3-related format updates only: https://www.rfc-editor.org/authors/rfc9472.form.xml Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9472 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9472 (draft-ietf-opsawg-sbom-access-18) Title : Discovering and Retrieving Software Transparency and Vulnerability Information Author(s) : E. Lear, S. Rose WG Chair(s) : Henk Birkholz, Joe Clarke, Tianran Zhou Area Director(s) : Warren Kumari, Robert Wilton
- [auth48] AUTH48: RFC-to-be 9472 <draft-ietf-opsaw… rfc-editor
- [auth48] [AD] Re: AUTH48: RFC-to-be 9472 <draft-i… rfc-editor
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rose, Scott W. (Fed)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rose, Scott W. (Fed)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rose, Scott W. (Fed)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rob Wilton (rwilton)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rose, Scott W. (Fed)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- [auth48] [IANA] Re: [AD] AUTH48: RFC-to-be 9472 <… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- [auth48] Fwd: [IANA #1282204] [IANA] Re: [AD] AUT… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rob Wilton (rwilton)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Rob Wilton (rwilton)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Eliot Lear
- Re: [auth48] [AD] AUTH48: RFC-to-be 9472 <draft-i… Sarah Tarrant