Re: [Last-Call] [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-15.txt

Dick Brooks <dick@reliableenergyanalytics.com> Mon, 27 March 2023 16:27 UTC

Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Eliot Lear' <lear@lear.ch>, opsawg@ietf.org, 'Last Call' <last-call@ietf.org>
References: <167993355634.39121.3302783950715486153@ietfa.amsl.com> <c002d6af-ce6f-aece-a131-3ee4c9981088@lear.ch>
In-Reply-To: <c002d6af-ce6f-aece-a131-3ee4c9981088@lear.ch>
Date: Mon, 27 Mar 2023 12:27:04 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <199001d960c8$f97b3fb0$ec71bf10$@reliableenergyanalytics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/Gn4-GCoji96pifbPMZeIikKlatw>

Eliot,

Just an FYI: The "out of band" approach referred to in the draft, where software vendors provide links to SBOM and Vulnerability Disclosure Reports to meet EO 14028 requirements following NIST Guidance defined in OMB M-22-18, is described in this article:
https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements

This approach uses an open-source, free to use, "Vendor Response File" format to communicate SBOM and VDR URL information that aligns with NIST Guidance.
https://raw.githubusercontent.com/rjb4standards/REA-Products/master/jsonvrf.json

Please include a reference to the above article in the draft, as an option for the out of band approach referenced.


Thanks,

Dick Brooks
  
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Eliot Lear
Sent: Monday, March 27, 2023 12:14 PM
To: opsawg@ietf.org; Last Call <last-call@ietf.org>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-15.txt

Good morning, good afternoon, and good evening!

The below should resolve LC comments.  A number of references are corrected, and a paragraph is added to discuss multiple objects being returned.

Eliot

On 27.03.23 18:12, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories. This Internet-Draft is a work item of the Operations and 
> Management Area Working Group (OPSAWG) WG of the IETF.
>
>     Title           : Discovering and Retrieving Software Transparency and Vulnerability Information
>     Authors         : Eliot Lear
>                       Scott Rose
>     Filename        : draft-ietf-opsawg-sbom-access-15.txt
>     Pages           : 20
>     Date            : 2023-03-27
>
> Abstract:
>     To improve cybersecurity posture, automation is necessary to locate
>     what software is running on a device, whether that software has known
>     vulnerabilities, and what, if any recommendations suppliers may have.
>     This memo extends the MUD YANG model to provide the locations of
>     software bills of materials (SBOMS) and to vulnerability information.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access-15
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-sbom-access-15
>
> Internet-Drafts are also available by rsync at 
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>
