Re: [Gen-art] [OPSAWG] Genart early review of draft-ietf-opsawg-sbom-access-03
Dick Brooks <dick@reliableenergyanalytics.com> Tue, 04 January 2022 16:37 UTC
Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D02D33A059F; Tue, 4 Jan 2022 08:37:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HDkNo1_YEWXc; Tue, 4 Jan 2022 08:37:27 -0800 (PST)
Received: from forward3-smtp.messagingengine.com (forward3-smtp.messagingengine.com [66.111.4.237]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D77B93A1EE1; Tue, 4 Jan 2022 08:37:11 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailforward.nyi.internal (Postfix) with ESMTP id BC046194046B; Tue, 4 Jan 2022 11:37:10 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Tue, 04 Jan 2022 11:37:10 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :reply-to:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=TA2JhJFvfcWCoB2ecHVh3bF0/4zs4 UABEFg03qXGAzg=; b=HQLtQ5WlWyClgedaGWdeeXiNWizVD1GXx3adZMRchO8c/ jk4PwNpxNYrexIpTnbyv6x7c1Qipqr2Zb5Yf8PWgpdMyk9S1xzUpGSipDWu5a9Kh WvCzgkjjL7DcM9r4NeSCf3VQi+LOyKvXjVJ0ngZOBTLQUP8Hm4EDVpfTph57xCPK eszTbTIOi1EvI64zaE/yt3Bv5U0DTbOFNWC1b+5cVpFSNc1AN4X7J+creYZWdaSl g6yHiEYt5F31QiQYbB2kk1zHU+uPR+8/zyBnXQYQ6wKnB4S7EnMrFMk6wK5L7xFn +kc0kaaoBPk4JqsNTcyE3WETbXNisk3ZMFu2jKxtg==
X-ME-Sender: <xms:tnfUYRESKk2sR6wXZjP751J1i5D6iQVxAxYEmfQgCQbT9nNgkukKrw> <xme:tnfUYWUTx1SzV_OnrdaHYid--cromaU01HgJ4edLTVTEUHgWx-ZivhHjPV7eUlFkj D2u-i1dcD6QfBMQMg>
X-ME-Received: <xmr:tnfUYTJYrGLUUi7DEHSegYl9cFrPGMN6clrhAcX8SQhqN33Cer2K_LI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrudeffedgledtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheprhfhvfhfjgfuffhokfggtgfgofhtsehtqhhgtddvtdejnecuhfhrohhmpedf ffhitghkuceurhhoohhkshdfuceoughitghksehrvghlihgrsghlvggvnhgvrhhghigrnh grlhihthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpedtudfhudethefgvdeukeff kedvteehgeeuffduleelhefhffeugfehlefggfeukeenucffohhmrghinhepghhithhhuh gsrdgtohhmpdhgihhthhhusghushgvrhgtohhnthgvnhhtrdgtohhmpdhrvghlihgrsghl vggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhmpdhivghtfhdrohhrghenucevlhhush htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpeguihgtkhesrhgvlhhi rggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomh
X-ME-Proxy: <xmx:tnfUYXHlmclsEpEdSd2Vbrz4AFcuWCGDcwVqp_XjI53iW_zkyH3MOQ> <xmx:tnfUYXX7GdnxZagNNdMuYWLyIFfIN5HxO36CB7hG12tuL-CvFutC0Q> <xmx:tnfUYSPLvY4S5sKFtudCn_n_LaZjzufL8vFwDJS1N9YHU5Fsf_SY8g> <xmx:tnfUYUgiO994Uzpx_BJ7rvvH2pu-5WSVkLod9HC7r5roAtRnYVPzZA>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 4 Jan 2022 11:37:10 -0500 (EST)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Eliot Lear' <lear@lear.ch>, 'Russ Housley' <housley@vigilsec.com>, gen-art@ietf.org
Cc: draft-ietf-opsawg-sbom-access.all@ietf.org, opsawg@ietf.org
References: <163943295026.14606.17568188352214673806@ietfa.amsl.com> <32f47ca5-d233-69cc-8268-61de514eca6e@lear.ch>
In-Reply-To: <32f47ca5-d233-69cc-8268-61de514eca6e@lear.ch>
Date: Tue, 04 Jan 2022 11:37:07 -0500
Organization: Reliable Energy Analytics LLC
Message-ID: <0afd01d80189$52127bc0$f6377340$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGCj3/L1R9tg8q3bA7hfFo6sMoGBwGziUAKrPBShbA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/YQa_EDOY-RQ5D-7uplM9mrYwYFw>
Subject: Re: [Gen-art] [OPSAWG] Genart early review of draft-ietf-opsawg-sbom-access-03
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 16:37:32 -0000
Also, regarding: > This specification does not allow for vulnerability information to be > retrieved directly from the endpoint. That's because vulnerability > information changes occur at different rates to software updates. In practice today, consumers are indeed retrieving vulnerability information directly from the vendor endpoint where SBOM's are being distributed. SBOM Vulnerability Disclosure Reports (VDR) can update independently from an SBOM, but remain at a given URL for download. An example of this method is available online using the AWS client software for demonstration only: https://github.com/rjb4standards/REA-Products/tree/master/C-SCRM-Use-Case AWS-CLI SBOM: https://raw.githubusercontent.com/rjb4standards/REA-Products/master/C-SCRM-Use-Case/AWS_SBOM.spdx AWS-CLI VDR: https://raw.githubusercontent.com/rjb4standards/REA-Products/master/C-SCRM-Use-Case/AWSCLIVDR.xml FYI: VEX is a different form of vulnerability disclosure, reporting CVE info on a product level, i.e. Log4j, whereas the SBOM VDR reports CVE's at the SBOM component level. These are not competitive offerings, they are complementary offerings. Thanks, Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@reliableenergyanalytics.com Tel: +1 978-696-1788 -----Original Message----- From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Eliot Lear Sent: Tuesday, January 4, 2022 11:17 AM To: Russ Housley <housley@vigilsec.com>; gen-art@ietf.org Cc: draft-ietf-opsawg-sbom-access.all@ietf.org; opsawg@ietf.org Subject: Re: [OPSAWG] Genart early review of draft-ietf-opsawg-sbom-access-03 Hi Russ, And thanks for your review. Please see below. On 13.12.21 23:02, Russ Housley via Datatracker wrote: > Reviewer: Russ Housley > Review result: Almost Ready > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed by > the IESG for the IETF Chair. Please wait for direction from your > document shepherd or AD before posting a new version of the draft. > > For more information, please see the FAQ at > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Document: draft-ietf-opsawg-sbom-access-03 > Reviewer: Russ Housley > Review Date: 2021-12-13 > IETF LC End Date: unknown > IESG Telechat date: unknown > > Summary: Almost Ready > > > Note: I am not a good persone to review the YANG specification. I > assume one of the YANG Doctors will have a look at this document too. > > > Major Concerns: > > Section 1 says: > > To satisfy these two key use cases, objects may be found in one of > three ways: > > This lead to some confusion for me. Earlier in the document, it says: > > This specification does not allow for vulnerability information to be > retrieved directly from the endpoint. That's because vulnerability > information changes occur at different rates to software updates. > > After thinking about it, I realized that the objects do not include > vulnerability information, but pointers to obtain vulnerability > information. Please reword to others do not need to give it the same > amount of thought. What I propose is first the following early on in the introduction: > This memo doesn't specify the format of this information, but rather > only how to locate and retrieve these objects. > > > Minor Concerns: > > Section 1, first sentence: The reference to "A number of activities" > is very vague. It is not wrong. Please be more specific, provide > some references, or drop the vague reference altogether. It'd be fun to reference an executive order. Never done that before. > > Section 1 says: > > In the second case, when a device does not have an appropriate > retrieval interface, but one is directly available from the > manufacturer, a URI to that information must be discovered. > > s/must/MUST/ ? > Sure. > Nits: > > The terms "software" and "firmware" are used with essentially the same > meaning in this document. If there is a difference, it needs to be > explained. If they are the same in the context of this document, > please say so. I've removed the term "firmware". > Abstract, last sentence: please add "(MUD)" and also a pointer to RFC > 8520. I think this got rewritten. Let me know when you see the update. Thanks again for the review. Eliot
- [Gen-art] Genart early review of draft-ietf-opsaw… Russ Housley via Datatracker
- [Gen-art] some YANG thoughts on draft-ietf-opsawg… tom petch
- Re: [Gen-art] [OPSAWG] Genart early review of dra… Eliot Lear
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… Eliot Lear
- Re: [Gen-art] [OPSAWG] Genart early review of dra… Dick Brooks
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… tom petch
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… Eliot Lear
- Re: [Gen-art] Genart early review of draft-ietf-o… Lars Eggert