Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm-coswid-24> for your review
Charles M Schmidt <cmschmidt@mitre.org> Thu, 04 May 2023 16:12 UTC
Return-Path: <cmschmidt@mitre.org>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52CA8C14CE36; Thu, 4 May 2023 09:12:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IjVZG_Qn7pge; Thu, 4 May 2023 09:12:26 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C330C1522D3; Thu, 4 May 2023 09:12:25 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id B05241720307; Thu, 4 May 2023 12:12:24 -0400 (EDT)
Received: from smtpxrhmv1.mitre.org (unknown [192.52.194.155]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtpvmsrv1.mitre.org (Postfix) with ESMTPS id 169291720451; Thu, 4 May 2023 12:08:49 -0400 (EDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02lp2100.outbound.protection.outlook.com [104.47.64.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpxrhmv1.mitre.org (Postfix) with ESMTPS id E0296413DC7; Thu, 4 May 2023 12:08:48 -0400 (EDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AYPbp5wG84H7ZHTbByUzl8CyI8x/Defb37s2SEy4WMjCnqRRdukFkNnDBAkd9cOFkVTFjiay3eN+ATPUQf00jWMNiDmVzgn+7cHE6zTcvBxFgYD6PFCf6d5EkKPPiUQQMRvQFcBn0ZxdgH7OarxKYx43OZ9/MxgG17dhaAo3QrwVaHVbY8qZBA2uQDdBLB2vnB69A5er9IvS0FrcvSMc31OEI/Bj2Dt7Jfw1wbkK8l3t6BFJRfnHL8wOL+GOd26hC4kt0ejD8mmRS5dUgp6oBGieUey/ItaXPAFcZ7r3gHaU3uRGuzHmldfY3mflxH9Urc62J9rkS+ZfAyBmOxe5lQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xIN46wkPP5z59gOq+vudEyttnj+m//y5QLyKOTVFlog=; b=l/9iTy06Dp4SwO4ZjUCaWANvEaHJl0zD4W4GNKRyMeOrUNorWg76VcZWLHUYljVlMhYNquX1iHm4Ci2tNUHLA+OiaPKTcFZ3CxXyi/Ho21xb3AfFiaeWvBTv6FcEv8MTq+ooaUw5rXzN26kHSzgJZsY2sp0ZoSCv3gil4NUTI5n708PV2wiikwMq107H+BU8nVtrYIFfgPiJA9d1BxyzWHuROd5cCfzVY7HhgriYFUFslwFxZozbJ3p530+4S4gauTyCcBE5CLtmeVfY5Oj3mkTkVKEBYOrBhlJbuJUOJdbdUnlufWGQoHv4LLT1ryhSA3Izti37SXDaF7+JHfWV5A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mitre.org; dmarc=pass action=none header.from=mitre.org; dkim=pass header.d=mitre.org; arc=none
Received: from SA9PR09MB5821.namprd09.prod.outlook.com (2603:10b6:806:1f::12) by SA1PR09MB11305.namprd09.prod.outlook.com (2603:10b6:806:36f::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6363.26; Thu, 4 May 2023 16:08:46 +0000
Received: from SA9PR09MB5821.namprd09.prod.outlook.com ([fe80::83e3:5294:9e3b:ca03]) by SA9PR09MB5821.namprd09.prod.outlook.com ([fe80::83e3:5294:9e3b:ca03%5]) with mapi id 15.20.6363.026; Thu, 4 May 2023 16:08:46 +0000
From: Charles M Schmidt <cmschmidt@mitre.org>
To: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, "henk.birkholz@sit.fraunhofer.de" <henk.birkholz@sit.fraunhofer.de>, "jmfitz2@cyber.nsa.gov" <jmfitz2@cyber.nsa.gov>, "Waltermire, David" <david.waltermire@nist.gov>
CC: "sacm-ads@ietf.org" <sacm-ads@ietf.org>, "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, "Inacio, Christopher" <inacio@cert.org>, "rdd@cert.org" <rdd@cert.org>, "auth48archive@rfc-editor.org" <auth48archive@rfc-editor.org>
Thread-Topic: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm-coswid-24> for your review
Thread-Index: AQHZbxqFwOBvC0XiCU6ZbALV3S+C8q9I661w
Date: Thu, 04 May 2023 16:08:46 +0000
Message-ID: <SA9PR09MB58216C20EF01CC2E836A14F0AB6D9@SA9PR09MB5821.namprd09.prod.outlook.com>
References: <17695_1681508760_6439C997_17695_256_1_20230414214558.B61C755E8F@rfcpa.amsl.com>
In-Reply-To: <17695_1681508760_6439C997_17695_256_1_20230414214558.B61C755E8F@rfcpa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mitre.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA9PR09MB5821:EE_|SA1PR09MB11305:EE_
x-ms-office365-filtering-correlation-id: 6deb5e72-ac52-452e-2326-08db4cb9d73a
x-ld-processed: c620dc48-1d50-4952-8b39-df4d54d74d82,ExtAddr
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GuSzjaZW7lBq7/zotYL4NRxZVWyPzx93wMJGhDiven+56CIdsz+UhRkhQ84HAMitBYWGCJWa385yMiH+KuTbkVkUUhZQFE4zi4gTmiL6mMkPs/iVFNxkioSpj0IMRYUGc+wTNa3RFZ2DQ6VJR1EoMbBM4GjLOv6nnsPFzjQ6j3RBbz2RFp5V/FkQB8n7tABu1MZspKUH2PwO9qjsSFqz+Zv3XANC+ny9GQGcSxNON7ywyIyALETIeV1QRnFKJ0bX1THwzEVVcDIboQu7DZK+gT9GKFfKc86tBGrUOaezivQc19eTBIvzfLnkzj8Gzu6GB2FCFX3uqD9ZScm7X6I6c3+Y/JOjgXQh3BoyFHdLOi/bbGY0UP48y4Hn4oKqxcCn5XrXsPJlxlKnCJTtl0686l2mZ2zXC4+HvVYClRic3wr2TV1V3UvujgyUqCyQbGNJ6JEOwGpbrh4udkz3lxLQSpmCI3ixyWZMJr6K2bJ4pLo+KZ+FktsCm3EsBUjRVCDZ0co5TeP00sWKlaKNiXalA9Mo3bsz8XHcZTR7rNbS8CUQa+RpA+nMZhwSsorF3RIo8Qi97t50kPZdJALc8ThaF328yn1NcAS+/AAgN/MCN2GSdJh//1MxDdesXP0lydGmzYUi8dquHf5zjimNT9k9CQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA9PR09MB5821.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(366004)(451199021)(40140700001)(30864003)(71200400001)(2906002)(33656002)(53546011)(186003)(26005)(110136005)(7696005)(4326008)(83380400001)(6506007)(9686003)(76116006)(64756008)(66476007)(86362001)(66446008)(66946007)(66556008)(66899021)(38070700005)(54906003)(52536014)(8676002)(5660300002)(8936002)(122000001)(966005)(498600001)(55016003)(38100700002)(579004)(559001)(19607625013); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: NKMe+KblRuaBed7Ut8SQ4FgtQsPobWRKzIcITtkrR7AXcP0vStmGBC7B/tlT2DywWG1eKL3mV15epK91Nzn5iK/2E9AQ8ElT0SzezSMQvTHTXldWhzCavXGeuLNDJJeqAapY+323vMihk5Eg2t11yEaOQoysKUbDglTLwxVaCGLd18x/S7kjLg0CvUXOcDAtuNL67pkYjDpp/4tq3A6XGBOXx/41G7X5z/GmBU+3zxEmcJO5IK1gRI+YQ+BRH7uerfuWvyYkL5qN9M9HJ+v+N+c4TGDlFjBUQMUT56a8CBUPDYAXmGmumWteGYn7kuhZzC7UqqklbrlzWTUBRHEL4SzxryK8B5lVJibEbn2avsA6D2WMwqILOeb9TrFD6XM9li7NDrFg5DgCUEvV9xrYbBZ1+7BKDeD2r0p3KgvLokqG4fLlp3Wh1EeE0hRiBEBq5UUqgd7KAtNNiMdGA+xzemFvv4CkZY3fw7ImXGCESZDOtgCCC63XVjZdxQ0ffvnp+vqmc8LA0AFq1B4fuaUNpYpOo0L0TK2q5+jFDHKcNBc0Pvs6bpxmIXTWMR+bfygeAZEf/QI05KzoyeCic7mWvD9vaEIaKoy+KiD4Zf9etmKlfa2FG8qXEw79aJEgWx9Ec7RT5Onthm4QYMrA11DpTZas73nflkfurJYGAAtKOsX59LwEz9DbErz3lyI7jcG7TrrGeEdnIX5jSiWDiLwEkzX4bNtkYQAGuLN/6mZMpMFAz9uv104MfB8xKs06OBMhzFqRcw0BtdR4qx+ZHm8wLoP9wYwoMjn2Xa75nexO/xuzNW89MgHDCvU1ki9AXQKpR9+H3sV+BkP6MG2G32SWqI0maJa5nrIN8NNeIM8QZJIJnZgvKAEEDpgnzTrPT9ng4tWsphJbTF4xl2R0qyBePZPbmNQB9RLHMSnyqPIBPa7rFDNubZ5DHjK5wJIixAZI250v5GqH/Hh+T1HbJmv6jIoe4PG/dPL2F+gf0pdRmljd3RUDIzTwjGHefr9Jml8c4JqN6QphPVVj+LYL5PClwQE+VO0Ay7BEpuTlbA+OTJjnA6pwKG3JC55kW+rDPpsrXYA77ve/rfHR74q8Gnd9JTAvZnEekC7KJyKDdZUJ3fRVrZYXQ0iXlbGr6Udu4jlIsCdbAZGO2e/sKhfoXIb9r24rD2CQCsX2xJUMS0h1bV/9mucIFqC7c4J9uHj98iIFuy7bETfeQ7IOUwXBJGiNgVKS7kMTaad90oAq7mutwZtx5SfNWte4peccvojtczd6azWXsaugFGvkVcQhNBhK4/kYqZkiy2yaJKy9cN8qRFZNtn2Jntcp5/Yz+Y0iFvZBvF23obsXPFzy/6ACxS5DyWS2xsAfsklwxY5nKNkJEoHVj/bGo1hOb4rCgdKPPqhwANboO+AMufIRjDkD4uhkq6keRvJImYf4+WqCI529EwN0wOGutSM6bpfVrLFQolM42wZI0to6e9uWFzI/XI5p5pTMCsbsyVTknBD1G6uQtscBLDGzyI7igwyc7VszP8PDR3qpDfkLxGtxQQg76UsFAFybWgPLy0wQC+ljWEhyEPe4YQkdC7BbHw6BnrNlg8FP
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 9kYoiEnBhMTbykgNOP/bKyPaxkyHHe54TWnkpdWtSTBg0WbSyQ8ikITOS+tMeKiLqfHRdiWxW17gGe1eo4OMrMN/rb831XGgfaE5H11xnpOgLKqowK4INUF2bhnSuQbspjfddaOfwyldqjGclDutHLKrJtbTj4lkyG18bFz3A9uBuX3nHgY9lDkFv3ibAtVZIgP1tPV4km589GNrxD5p4maTjfkBR/GgkPXRwkfKdc+Lwt06NpGSFtLIU8KKq0mam+aUvR1pgWqx1QC1kOjBBilwM7dgZLfdw6smYjC7025SlSEYyqBLMMVml9XrepLVHCYHvH7Kfwlu8ieuCaFFN/YzNYgNsez2FUsXFcRKZ4E1XoBhPhNkm4CMRed+2SyL9FerrRwo8op2Hg1pqZMZgiEvYLdPyKdznTCTIP+4jT4UFfGrHmBYp4cGD4CRAFp/o6QuSCjmVkJB4gc9SV9VeDsvJ6RY/Q/MiNL//j4l+pD+PZnhNJaBhWT9C7hwJ6f22zELPyzz6rHTouKPS4DxLhYKgcm5+bS3g6D1OLQjgYiis4U1iSZ7XlQXcuLSaTToG7dQHKIHKPHIvUK3wdmKxSwb0i/TQO1ymiM+iMcZljd7ZLZ1jC1wDHYMZbdre9DvPOuP+eBC8bZIt5/I3zrfc34v7I/AvXlWPTSJjaihwARo4oceHp5fkBmIKS+jkZSOAVUOkoZffWZtKC9vwfGmJUeMYDe0AJvRdkPsFohStTMZzs6cNPTFChGs600GLT9Nb2XVTr5Q51xsw9krYOeRHIZeoIlEk2XgYs7mVvgxOiHBrbNfS9CdFieAieoU0GCfJ4mSys4fYSF30Upp0lm4zl8h30Oss5pQhaiqeTP2EldYf7rk3gUXeBMo74MUOZI7rityFgbYzFnyrrFkzMklwZ057e1s/ctjWSgIcnBMFxxr95vz/6y2pu2zb1MvEh8R
X-OriginatorOrg: mitre.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA9PR09MB5821.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6deb5e72-ac52-452e-2326-08db4cb9d73a
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 May 2023 16:08:46.6408 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR09MB11305
X-MITRE: 8GQsMWxq66rxk57w
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.org; h=from:to:cc:subject:date:message-id:references:in-reply-to:content-type:content-transfer-encoding:mime-version; s=mZkevYdL; bh=xIN46wkPP5z59gOq+vudEyttnj+m//y5QLyKOTVFlog=; b=heu/EVFk7zcouzG8mUnBnwqpBk+qVef+wA2AaU3+ePAdk1hy9/axMwiyy15DKCkq/2SUJAk+H6zmROqeJMPaMUdvDPQ3Mn0a/6rFip/wQE5pjEhh/APe1FTIW2wtKiq2Aa1U77HcK5cCokNSk/HpzyXqH8jZfhGHfOjhXpc25ok=
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/iDEZPAU1G39e-iozwhnGgD7sRXg>
Subject: Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm-coswid-24> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2023 16:12:30 -0000
Hello, Thank you for the feedback. I've included responses to all questions in this email. 1) This question is directed at Roman 2) Please add the zip code for Jessica: Author' Addresses: OLD: Jessica Fitzgerald-McKay National Security Agency 9800 Savage Road Ft. Meade, Maryland United States of America NEW: Jessica Fitzgerald-McKay National Security Agency 9800 Savage Road Ft. Meade, Maryland 20755 United States of America 3) Email of 5/2 noted that this question is removed. 4) Agree with proposed change: Abstract: OLD: CoSWID supports a similar set of semantics and features as SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory efficient format. NEW: CoSWID supports a set of semantics and features that are similar to those for SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory-efficient format. 5) Agree with proposed change: Section 1.1 OLD: The SWID specification and supporting guidance provided in NIST Internal Report (NISTIR) 8060: Guidelines for the Creation of Interoperable SWID Tags [SWID-GUIDANCE] defines four types of SWID tags: primary, patch, corpus, and supplemental. The following text is paraphrased from these sources. NEW: The SWID specification and supporting guidance provided in NIST Internal Report (NISTIR) 8060 ("Guidelines for the Creation of Interoperable Software Identification (SWID) Tags") [SWID-GUIDANCE] define four types of SWID tags: primary, patch, corpus, and supplemental. The following text is paraphrased from these sources. 6) Text is correct as is. A primary tag is indicated by not setting any of the other indices for other tags. As such, it does not need its own index. Primary tags are described in section 1.1. NO CHANGE. 7) Agree with proposed text (with a slight change in the comma position at the end): Section 1.1: OLD: Tags are deployed and previously deployed tags that are typically removed (indicated by an "x" prefix) at each lifecycle stage, as follows: NEW: Tags are deployed, and previously deployed tags are typically removed (indicated by an "x" prefix), at each lifecycle stage as follows: 8) All "Note:" entries should be <aside>s. Section 1.1: The paragraph that starts with "Note" should be an <aside>. Also, it should be indented but without a lead bullet. The Note paragraph is a second paragraph that is part of the preceding bullet on Software Upgrading. OLD: - Software Upgrading. As a software component is upgraded to a new version, new primary and supplemental tags replace existing tags, enabling timely and accurate tracking of updates to software inventory. While not illustrated in the figure, a corpus tag can also provide information about the upgrade installer and dependencies that need to be installed before the upgrade. Note: In the context of software tagging software patching and updating differ in an important way. When installing a patch, a set of file modifications are made to pre-installed software which do not alter the version number or the descriptive metadata of an installed software component. An update can also make a set of file modifications, but the version number or the descriptive metadata of an installed software component are changed. NEW: - Software Upgrading. As a software component is upgraded to a new version, new primary and supplemental tags replace existing tags, enabling timely and accurate tracking of updates to software inventory. While not illustrated in the figure, a corpus tag can also provide information about the upgrade installer and dependencies that need to be installed before the upgrade. Note: In the context of software tagging software patching and updating differ in an important way. When installing a patch, a set of file modifications are made to pre-installed software which do not alter the version number or the descriptive metadata of an installed software component. An update can also make a set of file modifications, but the version number or the descriptive metadata of an installed software component are changed. Section 3: Make the whole paragraph that starts with "Note" an <aside>. Section 6.2.4: Make the sentence that starts with "Note:" an <aside>. Only this sentence should be an aside. 9) Agree with proposed text: Section 2: OLD: The integer values are defined in a registry specific to the kind of value; the text values are not intended for interchange and exclusively meant for private use as defined in Section 6.2.2. NEW: The integer values are defined in a registry specific to the kind of value; the text values are not intended for interchange and are exclusively meant for private use as defined in Section 6.2.2. 10) Types need to be updated: Global (in the xml lines 362, 366, 371, 382, 567, 735, 759, 830, 995, 1089, 1105, 1197, 1214)): OLD: <sourcecode type="cddl"> NEW: <sourcecode type="cddl" name="coswid-exposition.cddl"> XML line 1243: OLD: <sourcecode type="cddl" markers="true"> NEW: <sourcecode type="cddl" name="concise-swid-tag.cddl" markers="true"> XML line 2900: OLD: <sourcecode type="cddl" markers="true"> NEW: <sourcecode type="cddl" name="sign1.cddl" markers="true"> XML line 2938: OLD: <sourcecode type="cddl" markers="true"> NEW: <sourcecode type="cddl" name="sign.cddl" markers="true"> XML line 2999: OLD: <sourcecode type="cddl" markers="true"> NEW: <sourcecode type="cddl" name="tags.cddl" markers="true"> 11) The author comment has been resolved and can be removed. 12) This is not a verbatim quote. The quotation marks should be removed. Section 2.1: OLD: The CDDL "text" type is represented in CBOR as a major type 3, which represents "a string of Unicode characters that [are] encoded as UTF-8 [RFC3629]" (see Section 3.1 of [RFC8949]). NEW: The CDDL "text" type is represented in CBOR as a major type 3, which represents a string of Unicode characters that [are] encoded as UTF-8 [RFC3629] (see Section 3.1 of [RFC8949]). 13) We request no change. Unlike the entity-entry and link-entry values, the version-scheme is relatively straightforward and doesn't have or need a section dedicated to it. We feel a reference from section 4.1 is unnecessary and (since only a small portion of that section deals with version-scheme) potentially confusing. 14) The MUST NOT only applies to the "right part" of the value in 6.7. Proposing the following change to avoid ambiguity. Section 2.3: OLD: A textual tag-id MUST NOT contain a sequence of two underscores ("__", see Section 6.7). NEW: A textual tag-id value MUST NOT contain a sequence of two underscores ("__"). This is because a sequence of two underscores is used to separate the TAG_CREATOR_REGID value and UNIQUE_ID value in a Software Identifier and a sequence of two underscores in a tag-id value could create ambiguity when parsing this identifier. See Section 6.7. 15) Replace confusing parenthetical Section 2.3: OLD: - version-scheme (index 14): An integer or textual value representing the versioning scheme used for the software-version item, as an integer label with text escape (Section 2, for the "Version Scheme" registry Section 4.1). NEW: - version-scheme (index 14): An integer or textual value representing the versioning scheme used for the software-version item, as an integer label with text escape. For the "Version Scheme" values, see Section 4.1. 16) Agree with proposed change. Section 2.3 OLD: link (index 4): Provides a means to establish relationship arcs between the tag and another items. NEW: link (index 4): Provides a means to establish relationship arcs between the tag and another item. 17) Delete the confusing sentence. Section 2.4 OLD: If all of the corpus, patch, and supplemental items are "false", or if the corpus item is set to "true", then a software-version item MUST be included with a value set to the version of the software component. This ensures that primary and corpus tags have an identifiable software version. NEW: If all of the corpus, patch, and supplemental items are "false", or if the corpus item is set to "true", then a software-version item MUST be included with a value set to the version of the software component. 18) Agree with proposed change. Section 2.6: OLD: role (index 33): An integer or textual value (integer label with text escape, see Section 2) representing the relationship(s) between the entity, and this tag or the referenced software component. NEW: role (index 33): An integer or textual value (integer label with text escape; see Section 2) representing the relationship(s) between the entity and this tag or the referenced software component. 19) Should be 256..65536. Section 2.7: OLD: $rel /= -356..65536 / text NEW: $rel /= -256..65536 / text 20) Rephrase two bullets: Section 2.7: OLD: - a URI-like expression with "swid:" as the scheme refers to another SWID or CoSWID by the referenced tag's tag-id. This expression needs to be resolved in the context of the endpoint by software that can lookup other SWID or CoSWID tags. For example, "swid:2df9de35-0aff-4a86-ace6-f7dddd1ade4c" references the tag with the tag-id value "2df9de35-0aff-4a86-ace6-f7dddd1ade4c". - a URI-like expression with "swidpath:" as the scheme, which refers to another software tag via an XPATH query [W3C.REC-xpath20-20101214] that matches items in that tag (Section 5.2). This scheme is provided for compatibility with [SWID]. This specification does not define how to resolve an XPATH query in the context of CBOR, see Section 5.2. NEW: - a URI-like expression with "swid:" as the scheme refers to another SWID or CoSWID by the referenced tag's tag-id. This expression needs to be resolved in the context of the endpoint by software that can lookup other SWID or CoSWID tags. For example, "swid:2df9de35-0aff-4a86-ace6-f7dddd1ade4c" references the tag with the tag-id value "2df9de35-0aff-4a86-ace6-f7dddd1ade4c". See Section 5.1 for guidance on the "swid" expression. - a URI-like expression with "swidpath:" as the scheme, which refers to another software tag via an XPATH query [W3C.REC-xpath20-20101214] that matches items in that tag (Section 5.2). This scheme is provided for compatibility with [SWID]. This specification does not define how to resolve an XPATH query in the context of CBOR. See Section 5.2 for guidance on the "swidpath" expression. 21) Agree with proposed changes. Section 2.7: * ownership (index 39): An integer or textual value (integer label with text escape, see Section 2, for the "Software ID Link Ownership Values" registry Section 4.3) used when the "href" item references another software component to indicate the degree of ownership between the software component referenced by the CoSWID tag and the software component referenced by the link. ... * rel (index 40): An integer or textual value that (integer label with text escape, see Section 2, for the "Software ID Link Link Relationship Values" registry Section 4.3) identifies the relationship between this CoSWID and the target resource identified by the "href" item. ... * use (index 42): An integer or textual value (integer label with text escape, see Section 2, for the "Software ID Link Link Relationship Values" registry Section 4.3) used to determine if the referenced software component has to be installed before installing the software component identified by the COSWID tag. NEW: * ownership (index 39): An integer or textual value (integer label with text escape; see Section 2). See Section 4.3 for the list of values available for this item. This item is used when the href item references another software component to indicate the degree of ownership between the software component referenced by the CoSWID tag and the software component referenced by the link. ... * rel (index 40): An integer or textual value (integer label with text escape; see Section 2). See Section 4.4 for the list of values available for this item. This item identifies the relationship between this CoSWID and the target resource identified by the href item. ... * use (index 42): An integer or textual value (integer label with text escape; see Section 2). See Section 4.5 for the list of values available for this item. This item is used to determine if the referenced software component has to be installed before installing the software component identified by the CoSWID tag. 22) Change i.e. to e.g. Section 2.8: OLD: Examples of an entitlement-key might include a serial number, product key, or license key. For values that relate to a given software component install (i.e., license key), a supplemental tag will typically contain this information. NEW: Examples of an entitlement-key might include a serial number, product key, or license key. For values that relate to a given software component install (e.g., license key), a supplemental tag will typically contain this information. 23) "$$software-meta-extension" is correct Section 2.8: OLD: $$meta-extension: This CDDL socket can be used to extend the software-meta-entry group model. See Section 2.2. NEW: $$software-meta-extension: This CDDL socket can be used to extend the software-meta-entry group model. See Section 2.2. 24) 65536 is correct Section 2.10: OLD: $rel /= -256..64436 / text NEW: $rel /= -256..65536 / text OLD: ; supplemental=11 ; this is already defined earlier NEW: ; supplemental=11 ; already defined in the "global map member" integer indices 25) Revised text Section 3: OLD: Note: Multiple of the corpus, patch, and supplemental items can have values set as "true". The rules above provide a means to determine the tag's type in such a case. For example, a SWID or CoSWID tag for a patch installer might have both corpus and patch items set to "true". In such a case, the tag is a "Corpus Tag". The tag installed by this installer would have only the patch item set to "true", making the installed tag type a "Patch Tag". NEW: Note: It is possible for some or all of the corpus, patch, and supplemental items to simultaneously have values set as “true”. The rules above provide a means to determine the tag's type in such a case. For example, a SWID or CoSWID tag for a patch installer might have both corpus and patch items set to "true". In such a case, the tag is a "Corpus Tag". The tag installed by this installer would have only the patch item set to "true", making the installed tag type a "Patch Tag". 26) Agree with proposed text Section 4: OLD: This section defines a number of kinds of indexed label values that are maintained in a registry each (Section 6). NEW: This section defines multiple kinds of indexed label values that are maintained in several IANA registries. See Section 6 for details. 27) Agree with proposed text Table 6: OLD: | 10 | supersedes | The link references another | | | | software that this software | | | | replaces. A patch tag (see | ... NEW: | 10 | supersedes | The link references other software | | | | (e.g., an older software version) | | | | that this software replaces. A path tag (see | ... 28) Agree with proposed text: Section 6.2.1: OLD: This allows values -1 to -24 to be expressed as a single uint_8t in CBOR, and values -25 to -256 to be expressed using an additional uint_8t in CBOR. NEW: This allows values -1 to -24 to be expressed as a single uint8_t in CBOR, and values -25 to -256 to be expressed using an additional uint8_t in CBOR. 29) Agree with proposed text: Sections 6.2.4 through 6.2.8 OLD: Initial registrations for the "Software ID Version Scheme Values" registry are provided below, which are derived from the textual version scheme names defined in [SWID]. ... Initial registrations for the "Software ID Entity Role Values" registry are provided below, which are derived from the textual entity role names defined in [SWID]. ... Initial registrations for the "Software ID Link Ownership Values" registry are provided below, which are derived from the textual entity role names defined in [SWID]. ... Initial registrations for the "Software ID Link Relationship Values" registry are provided below, which are derived from the link relationship values defined in [SWID]. ... Initial registrations for the "Software ID Link Use Values" registry are provided below, which are derived from the link relationship values defined in [SWID]. NEW: Initial registrations for the "Software ID Version Scheme Values" registry are provided below and are derived from the textual version scheme names defined in [SWID]. ... Initial registrations for the "Software ID Entity Role Values" registry are provided below and are derived from the textual entity role names defined in [SWID]. ... Initial registrations for the "Software ID Link Ownership Values" registry are provided below and are derived from the textual entity role names defined in [SWID]. ... Initial registrations for the "Software ID Link Relationship Values" registry are provided below and are derived from the link relationship values defined in [SWID]. ... Initial registrations for the "Software ID Link Use Values" registry are provided below and are derived from the link relationship values defined in [SWID]. 30) Use "software-version item" Section 6.2.4 OLD: define a value space for the corresponding version item that is NEW: define a value space for the corresponding software-version item that is 31) Change to underscore Sections 7 and 8 OLD: COSE-Sign1-coswid<payload> NEW: COSE_Sign1-coswid<payload> OLD: COSE-Sign-coswid<payload> NEW: COSE_Sign-coswid<payload> 32) Agree with proposed removal of extraneous space. Section 7: OLD: signature : bstr --> NEW: signature: bstr --> 33) Agree with proposed text: Section 8: OLD: Consecutively, the CBOR tag for CoSWID tags defined in Table 21 SHOULD be used in conjunction with CBOR data items that are a CoSWID tags. NEW: Consequently, the CBOR tag defined by this document (Table 21) for CoSWID tags SHOULD be used in conjunction with CBOR data items that are CoSWID tags. 34) Rephrase Section 8 OLD: a tagged CoSWID tag NEW: a CBOR-tagged CoSWID tag 35) Agree with proposed text Section 9: OLD: A signed CoSWID tag (see Section 7) whose signature has been validated can be relied upon to be unchanged since it was signed. NEW: A signed CoSWID tag (see Section 7) whose signature has been validated can be relied upon to be unchanged since the time at which it was signed. 36) Agree with the first proposed text. Section 9: OLD: A certification path between a trust anchor and a certificate including a public key enabling the validation of a tag signature can realize the assessment of trustworthiness of an authoritative tag. NEW: A certification path between a trust anchor and a certificate, including a public key enabling the validation of a tag signature, can realize the assessment of trustworthiness of an authoritative tag. 37) Reword Section 9: OLD: This requires an association between the signature and the tag's entity item associated corresponding to the software provider. NEW: This requires verifying that party that signed the tag is the same party given in the software-creator role of the tag’s entity item. 38) Replace with "limited to" Section 9: OLD: Access to the collection of an endpoint's CoSWID tags needs to be appropriately controlled to authorized applications and users using an appropriate access control mechanism. NEW: Access to the collection of an endpoint's CoSWID tags needs to be limited to authorized applications and users using an appropriate access control mechanism. 39) Agree with proposed text References: OLD: [W3C.REC-css3-mediaqueries-20120619] Rivoal, F., Ed., "Media Queries", W3C REC REC-css3-mediaqueries-20120619, W3C REC-css3-mediaqueries-20120619, 19 June 2012, <https://www.w3.org/TR/2012/REC-css3-mediaqueries-20120619/>. NEW: [W3C.REC-css3-mediaqueries-20120619] Rivoal, F., Ed., "Media Queries", W3C REC REC-css3-mediaqueries-20120619, W3C REC-css3-mediaqueries-20120619, 19 June 2012, <https://www.w3.org/TR/mediaqueries-3/>. 40) Document was reviewed for inclusive language. Authors did not identify any other issues. In looking for a replacement for "whitespace", none of the proposed replacements were seen as adequate because they were not sufficiently comprehensive to include all the types of characters that fall under the general term of "whitespace". If you have a suggestion we would be open to using it, but currently do not have an adequate replacement. 41) Normalizations: Global: OLD: URI-scheme NEW: URI scheme * Note: one instance of "URI-scheme" is in a URL, and thus should not be changed. OLD: XPATH NEW: XPath OLD: Private Use NEW: private use * NOTE: one instance of "Private Use" is in a section title and should not be changed. OLD: XML Schema NEW: XML schema * NOTE: one instance of "XML Schema" is in the title of a reference and it should not be changed. OLD: indexes NEW: indices OLD: "href" item NEW: href item OLD: "role" item NEW role item Section 1: OLD: Remote Attestation, which requires a link between reference integrity measurements (RIM) and Attester-produced event logs that complement attestation evidence [I-D.ietf-rats-architecture]. NEW: Remote Attestation, which requires a link between Reference Integrity Manifests (RIM) and Attester-produced event logs that complement attestation evidence [I-D.ietf-rats-architecture]. I believe this addresses all of your questions and feedback. Please let me know if I missed anything or if any part of this response is unclear. Thanks a bunch, Charles -----Original Message----- From: rfc-editor@rfc-editor.org <rfc-editor@rfc-editor.org> Sent: Friday, April 14, 2023 4:46 PM To: henk.birkholz@sit.fraunhofer.de; jmfitz2@cyber.nsa.gov; Charles M Schmidt <cmschmidt@mitre.org>; Waltermire, David <david.waltermire@nist.gov> Cc: rfc-editor@rfc-editor.org; sacm-ads@ietf.org; sacm-chairs@ietf.org; Inacio, Christopher <inacio@cert.org>; rdd@cert.org; auth48archive@rfc-editor.org Subject: [EXT] [AD] Re: AUTH48: RFC-to-be 9393 <draft-ietf-sacm-coswid-24> for your review Authors and *Roman (AD), While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. *AD, please see question #1. 1) <!-- [rfced] *AD - This document underwent two version changes since version -22, which we edited last year; we later received notifications for versions -23 and -24. We manually incorporated the updates by looking at the diff between version -22 and version -24 on the Datatracker. Please review the changes to Sections 5 and 6 carefully, and let us know if you approve. --> 2) <!-- [rfced] Authors' Addresses: Jessica Fitzgerald-McKay's contact information is the only listing that does not include a postal code. If you would like us to include a postal code, please provide it. (We see "20755" used in draft-ietf-rats-tpm-based-network-device-attest.) Original: Jessica Fitzgerald-McKay National Security Agency 9800 Savage Road Ft. Meade, Maryland United States of America Email: jmfitz2@cyber.nsa.gov --> 3) <!-- [rfced] As it appears that "LocalWords" as listed after the Acknowledgments section in the original XML file refers to "key words" as defined in RFC 2119, we list them here as key words and have added them to our database record for this document. If this is incorrect, please insert any keywords (beyond those that appear in the title) for use on <https://www.rfc-editor.org/search>, and we will update the <keyword> settings here and in our database record accordingly. Original: LocalWords: SWID verifier TPM filesystem discoverable CoSWID --> 4) <!-- [rfced] Abstract: To what does "similar" refer in this sentence? If the suggested text is not correct, please provide clarifying text. Original: CoSWID supports a similar set of semantics and features as SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory efficient format. Suggested: CoSWID supports a set of semantics and features that are similar to those for SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory-efficient format. --> 5) <!-- [rfced] Section 1.1: Because we see "paraphrased from these sources", we changed "defines" to "define" in the sentence that precedes it. If this is incorrect, please provide clarifying text. Original: The SWID specification and supporting guidance provided in NIST Internal Report (NISTIR) 8060: Guidelines for the Creation of Interoperable SWID Tags [SWID-GUIDANCE] defines four types of SWID tags: primary, patch, corpus, and supplemental. The following text is paraphrased from these sources. Currently: The SWID specification and supporting guidance provided in NIST Internal Report (NISTIR) 8060 ("Guidelines for the Creation of Interoperable Software Identification (SWID) Tags") [SWID-GUIDANCE] define four types of SWID tags: primary, patch, corpus, and supplemental. The following text is paraphrased from these sources. --> 6) <!-- [rfced] Section 1.1: Section 2.3 does not contain a description of the primary tag type. We also see that the primary tag type does not have an index number, as do the other three types. Please confirm that (1) the lack of a description for the primary tag type in Section 2.3 will not be an issue for readers and (2) the primary tag type should not have an index number. Original ("four tags types" has been changed to "four tag types"): A detailed description of the four tags types is provided in Section 2.3. --> 7) <!-- [rfced] Section 1.1: This sentence did not parse. We changed "that are typically removed" to "are typically removed". If this is incorrect, please provide clarifying text. Original: Tags are deployed and previously deployed tags that are typically removed (indicated by an "x" prefix) at each lifecycle stage, as follows: Currently: Tags are deployed, and previously deployed tags are typically removed (indicated by an "x" prefix) at each lifecycle stage, as follows: --> 8) <!-- [rfced] Please review whether any of the separate "Note:" paragraphs in this document should be in the <aside> element. <aside> is defined as "a container for content that is semantically less important or tangential to the content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside) --> 9) <!-- [rfced] Section 2: It appears that one or more words are missing from this sentence. Should "and exclusively meant" be "and are exclusively meant"? If not, please provide clarifying text. Original: The integer values are defined in a registry specific to the kind of value; the text values are not intended for interchange and exclusively meant for private use as defined in Section 6.2.2. --> 10) <!-- [rfced] Please review the "type" attribute of each sourcecode element in the XML file to ensure correctness. If the current list of preferred values for "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt) does not contain an applicable type, please let us know. Also, please review the remaining two instances of the artwork element. Should any of the artwork elements be tagged as sourcecode or another type of element? Please note that (1) for the ABNF in Section 6.7, we changed artwork to sourcecode with type="abnf" and (2) we changed the instances of sourcecode types "cddl;example" to "cddl", as "cddl;example" is not included on <https://www.rfc-editor.org/materials/sourcecode-types.txt>. Please let us know any concerns. --> 11) <!-- [rfced] Please let us know if any updates are needed regarding this author comment as seen in the original approved document. Original: Hmm, duplicate detection doesn't work in CDDL tool here. --> 12) <!-- [rfced] Section 2.1: Because this text is quoted, we searched RFCs 3629 and 8949 but could not find this text in either RFC. To avoid possible reader confusion, may we either rephrase as suggested or remove the quotes? Original: The CDDL "text" type is represented in CBOR as a major type 3, which represents "a string of Unicode characters that [are] encoded as UTF-8 [RFC3629]" (see Section 3.1 of [RFC8949]). Suggested (per RFC 8949): The CDDL "text" type is represented in CBOR as a major type 3, which represents a string of Unicode characters that are "encoded as UTF-8 [RFC3629]" (see Section 3.1 of [RFC8949]). --> 13) <!-- [rfced] Table 2: All "$" entries in this table, except for $version-scheme, are indirectly cited in their respective subsections of Section 4. Per the pattern of indirect citations used for the other entries (where the other entries point to Sections 2.6 ("The entity-entry Map") and 2.7 ("The link-entry Map")), may we update the first sentence of Section 4.1 so that the sentence cites Section 2.3 ("The concise-swid-tag Map")? Original (Table 2 and Section 4.1): | version-scheme | $version-scheme | Section 4.1 | ... The following table contains a set of values for use in the concise- swid-tag group's version-scheme item. Suggested (Section 4.1): The following table contains a set of values for use in the concise- swid-tag group's version-scheme item (see Section 2.3). --> 14) <!-- [rfced] Section 2.3: This sentence seems to contradict the cited information in Section 6.7. If the text below is correct as is, please confirm that "... MUST NOT contain a sequence of two underscores" and "... are connected with a double underscore (_)" will be clear to readers. Original: A textual tag-id MUST NOT contain a sequence of two underscores ("__", see Section 6.7). From Section 6.7: If the tag-id item's value is expressed as a 16-byte binary string, the UNIQUE_ID MUST be represented using the UUID string representation defined in [RFC4122] including the "urn:uuid:" prefix. The TAG_CREATOR_REGID and the UNIQUE_ID are connected with a double underscore (_), without any other connecting character or whitespace. --> 15) <!-- [rfced] Section 2.3: We had trouble following the meaning of the parenthetical phrase in this sentence. Also, we could not find a '"Version Scheme" registry'; this appears to refer to the "Software ID Version Scheme Values" registry, as mentioned a few lines after this sentence. If the suggested text is not correct, please provide text that clarifies the meaning of "(Section 2, for the "Version Scheme" registry Section 4.1)". Original: * version-scheme (index 14): An integer or textual value representing the versioning scheme used for the software-version item, as an integer label with text escape (Section 2, for the "Version Scheme" registry Section 4.1). Suggested: * version-scheme (index 14): An integer or textual value representing the versioning scheme used for the software-version item, as an integer label with text escape (Section 2). See Section 4.1 for the list of values available for this item. --> 16) <!-- [rfced] Section 2.3: As it appears that "another items" should be "another item", we updated this sentence accordingly. If this is incorrect, please clarify this text. Original: * link (index 4): Provides a means to establish relationship arcs between the tag and another items. Currently: link (index 4): Provides a means to establish relationship arcs between the tag and another item. --> 17) <!-- [rfced] Section 2.4: Does "software version" here refer to the software-version item or to a software version in general? Original: This ensures that primary and corpus tags have an identifiable software version. --> 18) <!-- [rfced] Section 2.6: As it appears that this sentence means "... between (1) the entity and (2) this tag or the referenced software component", we removed the comma after "entity" to avoid reader confusion. If this is incorrect (e.g., the intent is to say "between entities"), please provide clarifying text. Original: * role (index 33): An integer or textual value (integer label with text escape, see Section 2) representing the relationship(s) between the entity, and this tag or the referenced software component. Currently: role (index 33): An integer or textual value (integer label with text escape; see Section 2) representing the relationship(s) between the entity and this tag or the referenced software component. --> 19) <!-- [rfced] Section 2.7: Please confirm that "-356..65536" and not "-256..65535" is correct here. We ask because we do not see this range used anywhere else. Original: $rel /= -356..65536 / text --> 20) <!-- [rfced] Section 2.7: We do not see CBOR mentioned in Section 5.2. Please confirm that this citation is correct and will be clear to readers. Original: This specification does not define how to resolve an XPATH query in the context of CBOR, see Section 5.2. Possibly (perhaps the intent was to point to the XPath query or expression?): This specification does not define how to resolve an XPath expression (Section 5.2) in the context of CBOR. --> 21) <!-- [rfced] Section 2.7: We had trouble following the three instances of "... registry Section 4.3" in this section. If the suggested text is not correct, please provide text that clarifies the meanings of these citations. Please note that in the second and third suggestions we (1) suggest different section numbers, as there appear to be some section-number mismatches and (2) changed "COSWID" to "CoSWID". Original: * ownership (index 39): An integer or textual value (integer label with text escape, see Section 2, for the "Software ID Link Ownership Values" registry Section 4.3) used when the "href" item references another software component to indicate the degree of ownership between the software component referenced by the CoSWID tag and the software component referenced by the link. ... * rel (index 40): An integer or textual value that (integer label with text escape, see Section 2, for the "Software ID Link Link Relationship Values" registry Section 4.3) identifies the relationship between this CoSWID and the target resource identified by the "href" item. ... * use (index 42): An integer or textual value (integer label with text escape, see Section 2, for the "Software ID Link Link Relationship Values" registry Section 4.3) used to determine if the referenced software component has to be installed before installing the software component identified by the COSWID tag. Suggested: ownership (index 39): An integer or textual value (integer label with text escape; see Section 2). See Section 4.3 for the list of values available for this item. This item is used when the href item references another software component to indicate the degree of ownership between the software component referenced by the CoSWID tag and the software component referenced by the link. ... rel (index 40): An integer or textual value (integer label with text escape; see Section 2). See Section 4.4 for the list of values available for this item. This item identifies the relationship between this CoSWID and the target resource identified by the href item. ... use (index 42): An integer or textual value (integer label with text escape; see Section 2). See Section 4.5 for the list of values available for this item. This item is used to determine if the referenced software component has to be installed before installing the software component identified by the CoSWID tag. --> 22) <!-- [rfced] Section 2.8: Should "i.e.," (that is) be "e.g.," (for example) here? In other words are license keys the only applicable category as related to a given software component install, or would serial numbers or product keys also be applicable? Original: Examples of an entitlement-key might include a serial number, product key, or license key. For values that relate to a given software component install (i.e., license key), a supplemental tag will typically contain this information. --> 23) <!-- [rfced] Section 2.8: There appears to be a string mismatch for "$$meta-extension" versus "$$software-meta-extension". Table 1, the CDDL earlier in this section, and Section 2.10 use "$$software-meta-extension". Which string is correct? Original: | software-meta-entry | $$software-meta-extension | Section | | | | 2.8 | ... * $$software-meta-extension, ... * $$meta-extension: This CDDL socket can be used to extend the software-meta-entry group model. See Section 2.2. ... * $$software-meta-extension, --> 24) <!-- [rfced] Section 2.10: a) Please confirm that "64436" is correct here. We ask because we do not see this value used anywhere else. Original: $rel /= -256..64436 / text b) "already defined earlier" reads oddly. Should a specific section number be cited here? If not, would "already defined" or "defined earlier" be sufficient? Original: ; supplemental=11 ; this is already defined earlier --> 25) <!-- [rfced] Section 3: We had trouble following the meaning of "Multiple of" here. Does "Multiple of" mean "Multiples of", "Multiple", or something else? Please clarify. Original: Note: Multiple of the corpus, patch, and supplemental items can have values set as "true". The rules above provide a means to determine the tag's type in such a case. For example, a SWID or CoSWID tag for a patch installer might have both corpus and patch items set to "true". In such a case, the tag is a "Corpus Tag". The tag installed by this installer would have only the patch item set to "true", making the installed tag type a "Patch Tag". --> 26) <!-- [rfced] Section 4: We could not follow the meaning of "that are maintained in a registry each". Does this mean "that are each maintained in separate IANA registries (Section 6)", "that are maintained in several IANA registries (Section 6)", or something else? If the suggested text is not correct, please clarify. Original: This section defines a number of kinds of indexed label values that are maintained in a registry each (Section 6). Suggested: This section defines a number of kinds of indexed label values that are maintained in several IANA registries. See Section 6 for details. --> 27) <!-- [rfced] Table 6: We had trouble following "another software that" here. We updated the text. If this update is incorrect, please clarify this sentence. Original: | 10 | supersedes | The link references another | | | | software that this software | | | | replaces. A patch tag (see | Currently: | 10 | supersedes | The link references other software | | | | (e.g., an older software version) | | | | that this software replaces. A | --> 28) <!-- [rfced] Section 6.2.1: Should "uint_8t" be "uint8_t" here? We ask because we do not see any instances of "uint_8t" in any RFC. However, we see "uint8_t" in RFC 8949. Original: This allows values -1 to -24 to be expressed as a single uint_8t in CBOR, and values -25 to -256 to be expressed using an additional uint_8t in CBOR. --> 29) <!-- [rfced] Sections 6.2.4 through 6.2.8: As it appears that "which" in these sentences refers to the initial registrations derived from names or values defined in [SWID], and not to the registries themselves, we updated the sentences accordingly. If these updates are incorrect, please provide clarifying text. Original: Initial registrations for the "Software ID Version Scheme Values" registry are provided below, which are derived from the textual version scheme names defined in [SWID]. ... Initial registrations for the "Software ID Entity Role Values" registry are provided below, which are derived from the textual entity role names defined in [SWID]. ... Initial registrations for the "Software ID Link Ownership Values" registry are provided below, which are derived from the textual entity role names defined in [SWID]. ... Initial registrations for the "Software ID Link Relationship Values" registry are provided below, which are derived from the link relationship values defined in [SWID]. ... Initial registrations for the "Software ID Link Use Values" registry are provided below, which are derived from the link relationship values defined in [SWID]. Currently: Initial registrations for the "Software ID Version Scheme Values" registry are provided below and are derived from the textual version scheme names defined in [SWID]. ... Initial registrations for the "Software ID Entity Role Values" registry are provided below and are derived from the textual entity role names defined in [SWID]. ... Initial registrations for the "Software ID Link Ownership Values" registry are provided below and are derived from the textual entity role names defined in [SWID]. ... Initial registrations for the "Software ID Link Relationship Values" registry are provided below and are derived from the link relationship values defined in [SWID]. ... Initial registrations for the "Software ID Link Use Values" registry are provided below and are derived from the link relationship values defined in [SWID]. --> 30) <!-- [rfced] Section 6.2.4: Should "version item" here be "software-version item"? We do not see "version item" used anywhere else in this document. Original: Designated experts MUST also ensure that newly requested entries define a value space for the corresponding version item that is unique from other previously registered entries. --> 31) <!-- [rfced] Sections 7 and 8: Should "COSE-Sign1-coswid<payload>" and "COSE-Sign-coswid<payload>" be "COSE_Sign1-coswid<payload>" and "COSE_Sign-coswid<payload>" (i.e., underscores after "COSE" instead of hyphens)? We ask because we see "COSE_Sign1" and "COSE_Sign" used in the second paragraph of Section 7. Original: COSE-Sign1-coswid<payload> = [ ... COSE-Sign-coswid<payload> = [ ... signed-coswid-for<payload> = #6.18(COSE-Sign1-coswid<payload>) / #6.98(COSE-Sign-coswid<payload>) --> 32) <!-- [rfced] Section 7: Should "signature :" be "signature:" here? Original: signature : bstr --> 33) <!-- [rfced] Section 8: We had trouble following this sentence. If the suggested update is not correct, please provide text that clarifies the meaning of "Consecutively" and "a CoSWID tags". Original: Consecutively, the CBOR tag for CoSWID tags defined in Table 21 SHOULD be used in conjunction with CBOR data items that are a CoSWID tags. Suggested: Consequently, the CBOR tag defined by this document (Table 21) for CoSWID tags SHOULD be used in conjunction with CBOR data items that are CoSWID tags. --> 34) <!-- [rfced] Section 8: "a tagged CoSWID tag" reads oddly. Please confirm that the text is correct and will be clear to readers (e.g., are any words missing?). Original: This specification allows for a tagged CoSWID tag to reside in a COSE envelope that is also tagged with a CoSWID CBOR tag. --> 35) <!-- [rfced] Section 9: To prevent some readers from possibly interpreting "since" as "because", we changed "since it was signed" in this sentence to "since the time at which it was signed". Please let us know any concerns. Original: A signed CoSWID tag (see Section 7) whose signature has been validated can be relied upon to be unchanged since it was signed. Currently: A signed CoSWID tag (see Section 7) whose signature has been validated can be relied upon to be unchanged since the time at which it was signed. --> 36) <!-- [rfced] Section 9: Does "including a public key" refer to the certification path or the certificate? Original: A certification path between a trust anchor and a certificate including a public key enabling the validation of a tag signature can realize the assessment of trustworthiness of an authoritative tag. Perhaps (certification path that includes): A certification path between a trust anchor and a certificate, including a public key enabling the validation of a tag signature, can realize the assessment of trustworthiness of an authoritative tag. Or possibly (certificate that includes): A certification path between (1) a trust anchor and (2) a certificate that includes a public key enabling the validation of a tag signature can realize the assessment of trustworthiness of an authoritative tag. --> 37) <!-- [rfced] Section 9: We had trouble following this sentence. Please provide text that clarifies the meaning of "associated corresponding to". Original: This requires an association between the signature and the tag's entity item associated corresponding to the software provider. --> 38) <!-- [rfced] Section 9: "controlled to authorized applications and users" reads oddly. Should "controlled to" be "controlled for" or perhaps "limited to"? If not, please provide clarifying text. Original: Access to the collection of an endpoint's CoSWID tags needs to be appropriately controlled to authorized applications and users using an appropriate access control mechanism. --> 39) <!-- [rfced] When accessing the page corresponding to [W3C.REC-css3-mediaqueries-20120619], we got a red popup saying "This version is outdated!" Because the citations in this document are general in nature, we updated the citation string and reference listing as follows. Please let us know any concerns. Original: [W3C.REC-css3-mediaqueries-20120619] Rivoal, F., Ed., "Media Queries", W3C REC REC-css3- mediaqueries-20120619, W3C REC-css3-mediaqueries-20120619, 19 June 2012, <https://www.w3.org/TR/2012/REC-css3- mediaqueries-20120619/>. Currently: [W3C.REC-mediaqueries-3-20220405] Rivoal, F., Ed., "Media Queries Level 3", W3C Recommendation REC-mediaqueries-3-20220405, 5 April 2022, <https://www.w3.org/TR/mediaqueries-3/>. --> 40) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide at <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>, and let us know if any changes are needed. For example, please consider whether the following should be updated: whitespace --> 41) <!-- [rfced] Please let us know if any changes are needed for the following: a) The following terms were used inconsistently in this document. We chose to use the latter forms. Please let us know any objections. URI-scheme (titles of Sections 6.6.1 and 6.6.2) / URI Scheme Version Scheme Name / version scheme name (in running text) XPATH / XPath (per usage elsewhere in this document and per W3C) b) The following terms appear to be used inconsistently in this document. Please let us know which form is preferred. private use / Private Use (e.g., "for private use", "for Private Use") XML schema / XML Schema c) The following terms appear to be used inconsistently in this document and the companion documents. Please let us know which form is preferred. indices / indexes reference integrity measurements (RIM) / reference measurements (RIMs) / Reference Integrity Manifests (RIMs) d) Quoting of item names was inconsistent. For example: href item vs. "href" item role item vs. "role" item We removed the quotes, as item names were mostly unquoted. Please let us know any objections. --> Thank you. RFC Editor/lb/kc On Apr 14, 2023, at 2:41 PM, rfc-editor@rfc-editor.org wrote: *****IMPORTANT***** Updated 2023/04/14 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info/). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * rfc-editor@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9393.xml https://www.rfc-editor.org/authors/rfc9393.html https://www.rfc-editor.org/authors/rfc9393.pdf https://www.rfc-editor.org/authors/rfc9393.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9393-diff.html https://www.rfc-editor.org/authors/rfc9393-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9393-xmldiff1.html XMLv3 file that is a best effort to capture v3-related format updates only: https://www.rfc-editor.org/authors/rfc9393.form.xml Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9393 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9393 (draft-ietf-sacm-coswid-24) Title : Concise Software Identification Tags Author(s) : H. Birkholz, J. Fitzgerald-McKay, C. Schmidt, D. Waltermire WG Chair(s) : Karen O'Donoghue, Christopher Inacio Area Director(s) : Roman Danyliw, Paul Wouters
- [auth48] AUTH48: RFC-to-be 9393 <draft-ietf-sacm-… rfc-editor
- [auth48] [AD] Re: AUTH48: RFC-to-be 9393 <draft-i… rfc-editor
- Re: [auth48] [AD] AUTH48: RFC-to-be 9393 <draft-i… Lynne Bartholomew
- Re: [auth48] [EXT] Re: [AD] AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] AUTH48: RFC-to-be 9393 <d… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Charles M Schmidt
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… jmfitz2@cyber.nsa.gov
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Henk Birkholz
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Waltermire, David A. (Fed)
- Re: [auth48] [EXT] [AD] Re: AUTH48: RFC-to-be 939… Lynne Bartholomew
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <draft-… Lynne Bartholomew
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <dr… Roman Danyliw
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9393 <dr… Lynne Bartholomew
- [auth48] [IANA] Re: AUTH48: RFC-to-be 9393 <draft… Lynne Bartholomew
- [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] [IANA #1275282] [IANA] Re: AUTH48: R… Lynne Bartholomew
- [auth48] [IANA #1275282] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] [IANA #1275282] [IANA] Re: AUTH48: R… Lynne Bartholomew