Re: [Gen-art] [OPSAWG] Genart early review of draft-ietf-opsawg-sbom-access-03
Eliot Lear <lear@lear.ch> Tue, 04 January 2022 16:16 UTC
Return-Path: <lear@lear.ch>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 921413A1DED; Tue, 4 Jan 2022 08:16:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.804
X-Spam-Level:
X-Spam-Status: No, score=-2.804 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=lear.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mZ0rEf-O5YGz; Tue, 4 Jan 2022 08:16:43 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E0633A1DEC; Tue, 4 Jan 2022 08:16:42 -0800 (PST)
Received: from [IPV6:2001:420:c0c0:1011::4] ([IPv6:2001:420:c0c0:1011:0:0:0:4]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 204GGcuL2482294 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Tue, 4 Jan 2022 17:16:39 +0100
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1641312999; bh=kvd8Io0fHOaJudBVDW0BR3u9uIfWBP80CkPMj17sBTw=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=aatgTGi5bZZa7cOTHKWjUWwqnABgwomMLSx9dLC0f+8moOBJi5S+Tuu4r9Tgam40c xCLWj9iqISEDdmiQmUkD6L3t2eZJfDs6W+WIdKm7WFOSmKf/WiZrtmiBY2j+1rR22x fWKb6DnLXzL1WYrGwuM0ZhT01JumYgqYArKAJcj4=
Message-ID: <32f47ca5-d233-69cc-8268-61de514eca6e@lear.ch>
Date: Tue, 04 Jan 2022 17:16:37 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Content-Language: en-US
To: Russ Housley <housley@vigilsec.com>, gen-art@ietf.org
Cc: draft-ietf-opsawg-sbom-access.all@ietf.org, opsawg@ietf.org
References: <163943295026.14606.17568188352214673806@ietfa.amsl.com>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <163943295026.14606.17568188352214673806@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------eMXIiMIAPCrozdtXEDL0q0Wg"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/aUY-7vwoBU9Dih-iGNnAWwVT3qo>
Subject: Re: [Gen-art] [OPSAWG] Genart early review of draft-ietf-opsawg-sbom-access-03
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 16:16:48 -0000
Hi Russ,
And thanks for your review. Please see below.
On 13.12.21 23:02, Russ Housley via Datatracker wrote:
> Reviewer: Russ Housley
> Review result: Almost Ready
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair. Please wait for direction from your
> document shepherd or AD before posting a new version of the draft.
>
> For more information, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Document: draft-ietf-opsawg-sbom-access-03
> Reviewer: Russ Housley
> Review Date: 2021-12-13
> IETF LC End Date: unknown
> IESG Telechat date: unknown
>
> Summary: Almost Ready
>
>
> Note: I am not a good persone to review the YANG specification. I
> assume one of the YANG Doctors will have a look at this document too.
>
>
> Major Concerns:
>
> Section 1 says:
>
> To satisfy these two key use cases, objects may be found in one of
> three ways:
>
> This lead to some confusion for me. Earlier in the document, it says:
>
> This specification does not allow for vulnerability information to be
> retrieved directly from the endpoint. That's because vulnerability
> information changes occur at different rates to software updates.
>
> After thinking about it, I realized that the objects do not include
> vulnerability information, but pointers to obtain vulnerability
> information. Please reword to others do not need to give it the
> same amount of thought.
What I propose is first the following early on in the introduction:
> This memo doesn't specify the format of this information, but rather
> only how to locate and retrieve these objects.
>
>
> Minor Concerns:
>
> Section 1, first sentence: The reference to "A number of activities"
> is very vague. It is not wrong. Please be more specific, provide
> some references, or drop the vague reference altogether.
It'd be fun to reference an executive order. Never done that before.
>
> Section 1 says:
>
> In the second case, when a device does not have an appropriate
> retrieval interface, but one is directly available from the
> manufacturer, a URI to that information must be discovered.
>
> s/must/MUST/ ?
>
Sure.
> Nits:
>
> The terms "software" and "firmware" are used with essentially the same
> meaning in this document. If there is a difference, it needs to be
> explained. If they are the same in the context of this document, please
> say so.
I've removed the term "firmware".
> Abstract, last sentence: please add "(MUD)" and also a pointer to
> RFC 8520.
I think this got rewritten. Let me know when you see the update.
Thanks again for the review.
Eliot
- [Gen-art] Genart early review of draft-ietf-opsaw… Russ Housley via Datatracker
- [Gen-art] some YANG thoughts on draft-ietf-opsawg… tom petch
- Re: [Gen-art] [OPSAWG] Genart early review of dra… Eliot Lear
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… Eliot Lear
- Re: [Gen-art] [OPSAWG] Genart early review of dra… Dick Brooks
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… tom petch
- Re: [Gen-art] [OPSAWG] some YANG thoughts on draf… Eliot Lear
- Re: [Gen-art] Genart early review of draft-ietf-o… Lars Eggert