Re: [Gen-art] [OPSAWG] Genart early review of draft-ietf-opsawg-sbom-access-03
Eliot Lear <lear@lear.ch> Tue, 04 January 2022 16:16 UTC
Return-Path: <lear@lear.ch>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 921413A1DED; Tue, 4 Jan 2022 08:16:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.804
X-Spam-Level:
X-Spam-Status: No, score=-2.804 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=lear.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mZ0rEf-O5YGz; Tue, 4 Jan 2022 08:16:43 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E0633A1DEC; Tue, 4 Jan 2022 08:16:42 -0800 (PST)
Received: from [IPV6:2001:420:c0c0:1011::4] ([IPv6:2001:420:c0c0:1011:0:0:0:4]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 204GGcuL2482294 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Tue, 4 Jan 2022 17:16:39 +0100
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1641312999; bh=kvd8Io0fHOaJudBVDW0BR3u9uIfWBP80CkPMj17sBTw=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=aatgTGi5bZZa7cOTHKWjUWwqnABgwomMLSx9dLC0f+8moOBJi5S+Tuu4r9Tgam40c xCLWj9iqISEDdmiQmUkD6L3t2eZJfDs6W+WIdKm7WFOSmKf/WiZrtmiBY2j+1rR22x fWKb6DnLXzL1WYrGwuM0ZhT01JumYgqYArKAJcj4=
Message-ID: <32f47ca5-d233-69cc-8268-61de514eca6e@lear.ch>
Date: Tue, 04 Jan 2022 17:16:37 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Content-Language: en-US
To: Russ Housley <housley@vigilsec.com>, gen-art@ietf.org
Cc: draft-ietf-opsawg-sbom-access.all@ietf.org, opsawg@ietf.org
References: <163943295026.14606.17568188352214673806@ietfa.amsl.com>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <163943295026.14606.17568188352214673806@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------eMXIiMIAPCrozdtXEDL0q0Wg"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/aUY-7vwoBU9Dih-iGNnAWwVT3qo>
Subject: Re: [Gen-art] [OPSAWG] Genart early review of draft-ietf-opsawg-sbom-access-03
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 16:16:48 -0000
Hi Russ, And thanks for your review. Please see below. On 13.12.21 23:02, Russ Housley via Datatracker wrote: > Reviewer: Russ Housley > Review result: Almost Ready > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please wait for direction from your > document shepherd or AD before posting a new version of the draft. > > For more information, please see the FAQ at > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Document: draft-ietf-opsawg-sbom-access-03 > Reviewer: Russ Housley > Review Date: 2021-12-13 > IETF LC End Date: unknown > IESG Telechat date: unknown > > Summary: Almost Ready > > > Note: I am not a good persone to review the YANG specification. I > assume one of the YANG Doctors will have a look at this document too. > > > Major Concerns: > > Section 1 says: > > To satisfy these two key use cases, objects may be found in one of > three ways: > > This lead to some confusion for me. Earlier in the document, it says: > > This specification does not allow for vulnerability information to be > retrieved directly from the endpoint. That's because vulnerability > information changes occur at different rates to software updates. > > After thinking about it, I realized that the objects do not include > vulnerability information, but pointers to obtain vulnerability > information. Please reword to others do not need to give it the > same amount of thought. What I propose is first the following early on in the introduction: > This memo doesn't specify the format of this information, but rather > only how to locate and retrieve these objects. > > > Minor Concerns: > > Section 1, first sentence: The reference to "A number of activities" > is very vague. It is not wrong. Please be more specific, provide > some references, or drop the vague reference altogether. It'd be fun to reference an executive order. Never done that before. > > Section 1 says: > > In the second case, when a device does not have an appropriate > retrieval interface, but one is directly available from the > manufacturer, a URI to that information must be discovered. > > s/must/MUST/ ? > Sure. > Nits: > > The terms "software" and "firmware" are used with essentially the same > meaning in this document. If there is a difference, it needs to be > explained. If they are the same in the context of this document, please > say so. I've removed the term "firmware". > Abstract, last sentence: please add "(MUD)" and also a pointer to > RFC 8520. I think this got rewritten. Let me know when you see the update. Thanks again for the review. Eliot
- [Gen-art] Genart early review of draft-ietf-opsaw… Russ Housley via Datatracker
- [Gen-art] some YANG thoughts on draft-ietf-opsawg… tom petch
- Re: [Gen-art] [OPSAWG] Genart early review of dra… Eliot Lear
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… Eliot Lear
- Re: [Gen-art] [OPSAWG] Genart early review of dra… Dick Brooks
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… tom petch
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… Eliot Lear
- Re: [Gen-art] Genart early review of draft-ietf-o… Lars Eggert