IETF Logo Mail Archive

[Gen-art] some YANG thoughts on draft-ietf-opsawg-sbom-access-03

tom petch <ietfc@btconnect.com> Tue, 14 December 2021 10:15 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2822E3A0A2F; Tue, 14 Dec 2021 02:15:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 65-SLTUkMpxK; Tue, 14 Dec 2021 02:15:44 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04lp2054.outbound.protection.outlook.com [104.47.12.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 305483A0A2E; Tue, 14 Dec 2021 02:15:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=g/j6XEKqgDvFCbReTrncCcUeDmextC4Irvnwc/UsEoMu1el1UWuKGFqTF3qtH69Gx5RE5t2a68aWcBYK4XLvtrYOhl0z3nAjhNRJCgZlZtczvCnurmDDaXSHCK0zg1EX0nNTYsHF5i+DOr8XmJ0R1qXaJl7s/05opijfiTe8NBzGv86RMF0iGInTv67jNZedcW5gmr4qJK1Cqc2PI3CMfiOPKpIelL0EZnGPR47Y55DNhCfmLjFPB23jk6lnPYiwygXpSATLYrcPGn2t8gGfLiobFeBJOpqTkIxV2clPxzB4UZn/pxnaenP9J0v9V0t0ICK2dWFVZhd9w3qlbKINKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oCPNBQlaN3dg1i1VzrVXS7bYow8ZBzv1SWUwY25lzGo=; b=Kf9+8EeVA2d1vfDbX0m/VKcdPLnzEJpEfUGcgHuDSXyIRVaZFCqD/rKFN6Kh3M2UCD9cLXy0x73g5QjZiKfp/pQbgBnh/+aO9fuE43bnyJVxLXkoyk3q9/M4DMsLET76utHrQ9jHZ2hXIBpcSkC+Ju/jL9N/RZksLR/d3YUD287/um/65By5x8CyUE1J4TaCDDjwz8YaPKUZZmJwlbYWVfkDMCeYLFaJMnWGQzCCcQlMQrCt6YuiGuSEX/wXWh+TPHaABw0RMaVu4DdC8JrqibDwkudOXNbXqhCGRO1TLksMQoh4HWb3Yir/iUQ/mD8gxgQ+gTjyK+983RZcUX7LVQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oCPNBQlaN3dg1i1VzrVXS7bYow8ZBzv1SWUwY25lzGo=; b=Dm4k0C0Hnr1Dh1kRBHzFe3JLO7kTt6xFNB1AKzwIh2fIpoPHEAvrcJLVrqfF7pkn9fUuJuJG/kRRz6ekL2+jZGa5NhTxBJm7q5JlK0uRqtAPkUZNnBsRArbSnNQBvJB54yohUQTJoi7oAIclZGoh7VvAxCYy47MRtxCBCynOKjQ=
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com (2603:10a6:20b:134::11) by AM6PR0702MB3591.eurprd07.prod.outlook.com (2603:10a6:209:12::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4801.14; Tue, 14 Dec 2021 10:15:39 +0000
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::89f3:ef4c:9336:3848]) by AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::89f3:ef4c:9336:3848%3]) with mapi id 15.20.4801.014; Tue, 14 Dec 2021 10:15:39 +0000
From: tom petch <ietfc@btconnect.com>
To: "gen-art@ietf.org" <gen-art@ietf.org>, Russ Housley <housley@vigilsec.com>
CC: "draft-ietf-opsawg-sbom-access.all@ietf.org" <draft-ietf-opsawg-sbom-access.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: some YANG thoughts on draft-ietf-opsawg-sbom-access-03
Thread-Index: AQHX8NOLus2uUp5f9Eit5gdr2r61UA==
Date: Tue, 14 Dec 2021 10:15:39 +0000
Message-ID: <AM7PR07MB62488F5123CDBDBBA79100CBA0759@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <163943295026.14606.17568188352214673806@ietfa.amsl.com>
In-Reply-To: <163943295026.14606.17568188352214673806@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
suggested_attachment_session_id: a751b005-63c6-6488-0338-1c18c977aed0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=btconnect.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fc43333b-33da-4054-b0b7-08d9beeaadb4
x-ms-traffictypediagnostic: AM6PR0702MB3591:EE_
x-microsoft-antispam-prvs: <AM6PR0702MB359172D764F786B4CDD92184A0759@AM6PR0702MB3591.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: EH1JnSqwPGEz9d9jU+FrVLZ59AClzKPuq1yj04GDuTxinHc5blG/pRAr9MjSXdA7y5IRgwaMJWnDl4qFRoPNj7BuADD2v5QXXJ0byXgv2XARGsFQoBaQpxaoLSrYLyEx/Twr1suYxRsMXLDTIkJz01WcWTl94oc2UUYxI18eWqzlCz/76WfIG+qS1EK8mrfTHfb5q2Ny3r9Er34b9dzB3pm10GAbjprhYJnUoe350ZYjiLq6fDPrvOSzWRZFq6ypDl2rPDatHlOOtibfNFZI1FwZDrCdmTHnpJI2pyPYrvdnOEPSvYspVsvBZD8TpP0BvN1WIbG7pqNKZck7u6qSBfQN8jafiKPcdUKGpkJS7p7ExauwWkEBekv4j2LrrFVL286FZuLJO66amhlvdEv/fR3yqsCj8uTHqjvt37ifcgcQU5attGf7lm89THH8wMinavZzJ4Tiw/0MHEcvaIXSFpree/9SWvvD0BOliCUiArjIhmkuaILiP5nqzSf2RzMuHAbKVW1mhn3cvlLFpaVP1uTaNHSU1bQYSKbDS9pP81wEmpx/6kaT0Lmkrw9oj5IbkJs0FEjz53Cwy5qsTr6sRVuKqDzL9ziRVF7A19EcwwoJDCv18eENRg05Je9OjSsUihvcYnZodiibfprCwmqrxDDYzGN46FmhxnLrkSoSbZPJehmwKW51h3nQwdq+XqD55j754Vc1eiqVvB0RsfOIvO2/m1FU4nRHJ4yJk3ZO2XXUGSiT6z9d2IFr5sYPtSpTcUyNEkGt8Npuh+UO5Rf8DEfjI5qR9U2hn8grJ06uDMU=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB6248.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(38100700002)(186003)(38070700005)(2906002)(66556008)(53546011)(7696005)(66476007)(66446008)(71200400001)(8936002)(316002)(64756008)(6506007)(8676002)(122000001)(4326008)(26005)(508600001)(76116006)(91956017)(55016003)(5660300002)(66946007)(33656002)(86362001)(110136005)(9686003)(966005)(54906003)(83380400001)(82960400001)(52536014)(20210929001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: e5O2SnJAFnetqjFXoIs7/T6Nd19n8xQWKF7LuZzGbUI2i/UMFtiMctToYUHQogDJKtcKSvVr721EUN7Htg3M2r+oAEYzrENTPdbr7Ki/RB0EUYyUInmq5xRnLdZAuQjIvCMHLQC8D/b/L7idIWZmo8EXw7B3xmcnMoasAS7dGonPuTNUYSHey9bhr66cTNyHAXTRyT+swteO4oqj66xrT04aKyx66Wr/uH9jFx0Y9hOS8QJH0g/BZdmTJxxLr9mc5AYn5kfrDg3CAh3/41xen7p3cBpIHtFLedO186dMIOhnLIXGch+WkaFkQ962ZqmH7ep24Bb10dLwPb1ACONQTg6U4CbhQr1xObIw1txASAZO3RLmdNJ9wJAEEyf7R8j8OEoQRTpQoG8epM4BdqwqvOjD+AQuaW1FCo3PUCHPNW8ZznxcCFlzF4qJCJr11Iv/DvCV3PFtCVxtFRhpRcroavRGtZu2IdpG9MlJCnZpVFzDQIXSPab0fvKept8mS097/SeyDVErJ/shSGRFMI2aY9WIRisl6Sdc6J37/DoMg10wXKlJP6BAYv9w/u+0anK3rSX7ZAN1R5yiHrAAriU5v1iIV44f4GiOJ86j9avpM21LoB2lHLsv6khLK+ga9wTWQ3ivLEz5tpZtRq0c+SjtIE8Utc99VblCqyY7hqWOP+iMVYYAPX/0zw57rf1mTH3M5HAxPvxmkwh4yXAInEBRSStkNytzOBlbFZDqA6bHgWrEBdTGZxIFwykxCjiYIa3JnX27cFF2qOLYRqkK4V4c9JPyFgrEXplPeGFIuu2E2YSi+VofJHFzwa4bY3U2pIUuKetOwABlKAk43jpQNQtmm8GlJQmHH9SIQfslzntASssRhwWAPQOjpMtlAcyhKVflnKGuk5Tou+RZ+EZD6H9XIypPbrhSyYfhfpJFCKupmi4nU1BBzmxnX56/DA+JG49N8oT2vk9AZQphCxM45MKe8DXKnhi6iVsFKeBfTRHhQszr83ENQjjdsuOiCCYCI9+NeLJjTf6YEvPgCDcnr1qHxr2gRTRRWecCy869HcOvZ3GPm3nsibZS7T1AnW+mjSdIgPTBVI1OI3vDb8+WITiWzANRb5WzIYZWr6rAA/b3lQ3KH2sAymCWftl/rIcWvVyKqo6Dvb/Zmr4822kabZW990Bmhgh5mw1yr8ao1UPnrUfd8stjcO9UNnTqPxfFNgpOcFzktUIIQaq4dx40yIE1oBNrm7Za2ZFARL5KeQs05LcZ8vxamajNcnCW8sgUfkJK8GGQP0kt9vojgkITnexwlf+jqbtQHnduOq5lmwePIeaE9KqNSqsNqYKnySXjm6K7hrGEBtyZns4vN3m04BwKMBI0H5TMGsZMbXQudcKF4GnrS5130G9BPCNM2vhzHnCsGy54290xJhC0pPI/n7DgRiYhfzX6uodAFCRz2RvqNotJccPqUF1BzdJeIJXiaaYU2SVsOcrjW1FOTySldTootmaBxB0HAPh2Tj6M31TuFBJlPnYYB1+dNpeTibcry7DCX99G/VIoNwMbZjzLQMe0gyeRrQceEyOJt/kPnoKQCYi8gQRRNh8FLuAotlaZ6qb/zVghJYsC+Xl6J0T8gtdXDw==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR07MB6248.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fc43333b-33da-4054-b0b7-08d9beeaadb4
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Dec 2021 10:15:39.5092 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kjuRyxkz8peMtu5Oap7xhkEDnQirlo6bPPp1YggiFMu5O/xhuEhhqQVG6oxDDdOIuLdZQQ3PPkF9YqV+AG9qhQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR0702MB3591
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/cvAwsge6y7fHfYXu9Fvgu4DG8Sk>
Subject: [Gen-art] some YANG thoughts on draft-ietf-opsawg-sbom-access-03
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2021 10:15:49 -0000

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of Russ Housley via Datatracker <noreply@ietf.org>
Sent: 13 December 2021 22:02
Subject: [OPSAWG] Genart early review of draft-ietf-opsawg-sbom-access-03

Reviewer: Russ Housley
Review result: Almost Ready
<snip>


Note: I am not a good persone to review the YANG specification.  I
assume one of the YANG Doctors will have a look at this document too.

<tp>

You could say that there is no YANG Module as YANG Modules must be registered with IANA and the IANA Considerations in this I-D do not do so:-)

So
IANA Considerations must register the module as per YANG Guidelines

Security Considerations must use the template referenced by YANG Guidelines

The title in the revision reference clause bears little relationship to that of the I-D

YANG prefix must be unique and should be easy to use; I think that 'mud-transparency' is about 12 characters longer than I would class as easy to use (e.g. mudtx)

URL is insecure and to an obsolete web site (tools)

No mention of NMDA or lack of support thereof

Lots of abbreviations not expanded on first use 

In our modern pageless format, Section one would be easier to refer to with more subsections such as one for terminology with expanded abbreviations

Why have a grouping and a uses which for me makes the module harder to understand?  It is not as if this grouping is going to be imported in lots of places AFAICT.

Tom Petch

Major Concerns:

Section 1 says:

   To satisfy these two key use cases, objects may be found in one of
   three ways:

This lead to some confusion for me.  Earlier in the document, it says:

   This specification does not allow for vulnerability information to be
   retrieved directly from the endpoint.  That's because vulnerability
   information changes occur at different rates to software updates.

After thinking about it, I realized that the objects do not include
vulnerability information, but pointers to obtain vulnerability
information.  Please reword to others do not need to give it the
same amount of thought.


Minor Concerns:

Section 1, first sentence: The reference to "A number of activities"
is very vague.  It is not wrong.  Please be more specific, provide
some references, or drop the vague reference altogether.

Section 1 says:

   In the second case, when a device does not have an appropriate
   retrieval interface, but one is directly available from the
   manufacturer, a URI to that information must be discovered.

s/must/MUST/ ?


Nits:

The terms "software" and "firmware" are used with essentially the same
meaning in this document.  If there is a difference, it needs to be
explained.  If they are the same in the context of this document, please
say so.

Abstract, last sentence: please add "(MUD)" and also a pointer to
RFC 8520.

Section 1, first sentence: The reference to "A number of activities"
is very vague.  It is not wrong.  Please be more specific, provide
some references, or drop the vague reference altogether.

______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

v2.23.0 | Report a Bug | By Email