IETF Logo Mail Archive

[Gen-art] Genart early review of draft-ietf-opsawg-sbom-access-03

Russ Housley via Datatracker <noreply@ietf.org> Mon, 13 December 2021 22:02 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: gen-art@ietf.org
Delivered-To: gen-art@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E04B3A0C1C; Mon, 13 Dec 2021 14:02:30 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Russ Housley via Datatracker <noreply@ietf.org>
To: gen-art@ietf.org
Cc: draft-ietf-opsawg-sbom-access.all@ietf.org, opsawg@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.41.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163943295026.14606.17568188352214673806@ietfa.amsl.com>
Reply-To: Russ Housley <housley@vigilsec.com>
Date: Mon, 13 Dec 2021 14:02:30 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/c_Npcow_0xA8aojaPi07NMcoeaw>
Subject: [Gen-art] Genart early review of draft-ietf-opsawg-sbom-access-03
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Dec 2021 22:02:37 -0000

Reviewer: Russ Housley
Review result: Almost Ready

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please wait for direction from your
document shepherd or AD before posting a new version of the draft.

For more information, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-opsawg-sbom-access-03
Reviewer: Russ Housley
Review Date: 2021-12-13
IETF LC End Date: unknown
IESG Telechat date: unknown

Summary: Almost Ready


Note: I am not a good persone to review the YANG specification.  I
assume one of the YANG Doctors will have a look at this document too.


Major Concerns:

Section 1 says:

   To satisfy these two key use cases, objects may be found in one of
   three ways:

This lead to some confusion for me.  Earlier in the document, it says:

   This specification does not allow for vulnerability information to be
   retrieved directly from the endpoint.  That's because vulnerability
   information changes occur at different rates to software updates.

After thinking about it, I realized that the objects do not include
vulnerability information, but pointers to obtain vulnerability
information.  Please reword to others do not need to give it the
same amount of thought.


Minor Concerns:

Section 1, first sentence: The reference to "A number of activities"
is very vague.  It is not wrong.  Please be more specific, provide
some references, or drop the vague reference altogether.

Section 1 says:

   In the second case, when a device does not have an appropriate
   retrieval interface, but one is directly available from the
   manufacturer, a URI to that information must be discovered.

s/must/MUST/ ?


Nits:

The terms "software" and "firmware" are used with essentially the same
meaning in this document.  If there is a difference, it needs to be
explained.  If they are the same in the context of this document, please
say so.

Abstract, last sentence: please add "(MUD)" and also a pointer to
RFC 8520.

Section 1, first sentence: The reference to "A number of activities"
is very vague.  It is not wrong.  Please be more specific, provide
some references, or drop the vague reference altogether.

v2.23.0 | Report a Bug | By Email