[Iot-onboarding] SBOM : Basic question on how it will be used

"M. Ranganathan" <mranga@gmail.com> Thu, 26 March 2020 17:56 UTC

From: "M. Ranganathan" <mranga@gmail.com>
Date: Thu, 26 Mar 2020 13:55:27 -0400
Message-ID: <CAHiu4JOOMpLmZ9RmOu4KBFf7kLOkiHKDDaYw-dc24gJDtq_Dcg@mail.gmail.com>
To: iot-onboarding@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/V2UO4wK9342R5ErNYXSdjClLfy4>
Subject: [Iot-onboarding] SBOM : Basic question on how it will be used

I am starting this new thread on the subject as I am confused about
how an SBOM will actually be used on a network and I don't want to
divert the other thread.  Before I understand how it will get
distributed, I'd like to start with some basic questions.

Given that there is no automated mechanism to actually check if the
SBOM is consistent with the software that is bundled with the device,
is it regarded as being just informational (i.e. an additional piece
of information about the device that the manufacturer ships)?  If the
SBOM is informational and specific to the software that is actually on
the device and you trust the software that is on the device, then I'd
imagine the device could publish its own SBOM.



-- 
M. Ranganathan
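The consistency check the message asks about can be made concrete. The following is an added example, not code from the thread or from any SBOM tool: it takes a constructed SBOM in a simplified CycloneDX-like JSON shape and compares each component's declared SHA-256 against the hash of the file actually present on a (simulated) device. The `INSTALLED_FILES` table, the `SAMPLE_SBOM` document and the `device:path` property name are all assumptions made for the example; real CycloneDX documents do not define that property.

```python
import hashlib
import json
from typing import Dict, List

# Constructed stand-in for what is actually installed on a device: path -> file bytes.
# On a real device this would come from the filesystem or a package database.
INSTALLED_FILES: Dict[str, bytes] = {
    "/usr/lib/libfoo.so.1.2.3": b"libfoo build 1.2.3\n",
    "/usr/lib/libbar.so.2.0.0": b"libbar build 2.0.0\n",
    "/usr/bin/agent": b"agent build 0.9\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _component(name: str, version: str, path: str, sha256: str) -> dict:
    """One SBOM component in a simplified CycloneDX-like shape (constructed for this example).
    The 'device:path' property name is an assumption, not a standard CycloneDX property."""
    return {
        "type": "library",
        "name": name,
        "version": version,
        "hashes": [{"alg": "SHA-256", "content": sha256}],
        "properties": [{"name": "device:path", "value": path}],
    }


# Constructed SBOM: libfoo is declared correctly, libbar carries a stale hash from an
# earlier build, libbaz is declared but not installed, and /usr/bin/agent is not declared.
SAMPLE_SBOM: str = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        _component("libfoo", "1.2.3", "/usr/lib/libfoo.so.1.2.3",
                   sha256_hex(b"libfoo build 1.2.3\n")),
        _component("libbar", "2.0.0", "/usr/lib/libbar.so.2.0.0",
                   sha256_hex(b"libbar build 1.9.0\n")),
        _component("libbaz", "0.1.0", "/usr/lib/libbaz.so.0.1.0",
                   sha256_hex(b"libbaz build 0.1.0\n")),
    ],
})


def check_sbom(sbom_json: str, installed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare each component's declared SHA-256 with the hash of the file on the device.

    Returns sorted lists keyed by outcome:
      match        - declared hash equals the installed file's hash
      mismatch     - file present but its hash differs from the SBOM (stale or altered)
      missing      - SBOM names a component that is not installed
      undeclared   - installed file that no SBOM component accounts for
      unverifiable - component lacks a path or a SHA-256, so nothing can be compared
    """
    sbom = json.loads(sbom_json)
    result: Dict[str, List[str]] = {
        "match": [], "mismatch": [], "missing": [], "undeclared": [], "unverifiable": [],
    }
    covered = set()
    for comp in sbom.get("components", []):
        ident = f"{comp['name']}@{comp['version']}"
        path = next((p["value"] for p in comp.get("properties", [])
                     if p["name"] == "device:path"), None)
        declared = next((h["content"].lower() for h in comp.get("hashes", [])
                         if h["alg"] == "SHA-256"), None)
        if path is None or declared is None:
            result["unverifiable"].append(ident)
            continue
        if path not in installed:
            result["missing"].append(ident)
            continue
        covered.add(path)
        if sha256_hex(installed[path]) == declared:
            result["match"].append(ident)
        else:
            result["mismatch"].append(ident)
    result["undeclared"] = sorted(p for p in installed if p not in covered)
    for key in ("match", "mismatch", "missing", "unverifiable"):
        result[key].sort()
    return result


if __name__ == "__main__":
    for outcome, items in check_sbom(SAMPLE_SBOM, INSTALLED_FILES).items():
        print(f"{outcome:12s} {items}")
```

Run as a script it prints one line per outcome bucket. The check only establishes that the SBOM and the installed bits agree with each other; it says nothing about whether either is trustworthy, which is why an SBOM published by the device itself rests on the same trust as the device's software, while one signed by the manufacturer and obtained out of band gives a network operator something to compare the device against independently.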