Re: [mile] CPE and SWID
John Richardson <john_richardson@symantec.com> Wed, 12 February 2014 15:55 UTC
From: John Richardson <john_richardson@symantec.com>
To: "mile@ietf.org" <mile@ietf.org>
Date: Wed, 12 Feb 2014 07:51:13 -0800
Hi Everyone,

I added myself to this list so that I can comment on SWID tags on this thread from a Symantec perspective. Hopefully my response will be added inline to others on this thread.

Symantec has SWID tags conformant to the ISO 19770-2:2009 standard released in four products - NetBackup 7.0 and later, Endpoint Protection 12.1 and later, Control Compliance Suite 11.0, and Enterprise Vault 9.03 and 10.0 and later.

Symantec has been active in the support and development of the ISO 19770 standards for many years with the initial interest in improving the ability of Symantec customers and partners to better manage their Symantec assets using COTS SAM tools. Symantec is a founding member of TagVault.org as we see it necessary to have a consistent implementation of tags across publishers along with normalized data to decrease issues related to the current model where SAM tools use their own proprietary techniques to discover and identify installed software on a device, and to report software asset information.

Symantec, along with TagVault.org members, is working to agree on common guidelines for how to implement tags against baseline use cases to ensure that if publishers implement tags to these guidelines, COTS tools can use standard algorithms to consistently discover and to identify installed software, as well as consistently report software asset information.

In the past year or so, the Federal Government's interest in SWID tags has increased from a security perspective as Dave Waltermire from NIST outlines below. We are actively working with several government agencies, through TagVault.org and along with other TagVault.org members, to ensure that implementation guidelines for SWID tags developed within TagVault.org align with the Federal Government use cases and requirements.

For more information on these activities, please see www.tagvault.org <http://www.tagvault.org>.

Best Regards,
John

________________________________

* From: "Waltermire, David A." <david.waltermire at nist.gov>
* To: "Moriarty, Kathleen" <kathleen.moriarty at emc.com>, "Roman D. Danyliw" <rdd at cert.org>, "mile at ietf.org" <mile at ietf.org>
* Date: Wed, 5 Feb 2014 21:43:46 +0000
* List-id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>

________________________________

Changing the subject to reflect the discussion thread.

I just saw this message. Here is what I can vouch for as the NIST lead for these efforts:

NIST is continuing to support CPE as it has for the last few years. SCAP and a few other efforts are dependent on it, so this is critical. It has not been defunded.

NIST is working with the SWID community to advance the ISO specification efforts and to ensure that the necessary implementation guidance for SWID tag producers and tool consumers is put in place.

We see SWID tags as having synergies with the CPE effort. We are looking at methods to consume SWID tags, as software publishers create them, for use in auto generating CPEs. This has significant advantages over the current CPE methodology that largely involves investigating vulnerability reports and vendor product pages and documentation to generate CPE names. By generating CPE names in this way we can increase the fidelity and accuracy of the product data, using less human effort, making product identification information available as close to the publication of the software as possible.

Our long-term plans are to maintain a mapping between SWID and CPE in the National Vulnerability Database. This information does not exist yet, but is in the planning stages. Such information will provide a transition path for the SCAP community and others that use CPE today to take greater advantage of the information that SWID offers including: a more robust product metadata model and footprint information including file names, versions, and hashes.

Please let me know if you have any questions.

Thanks,
Dave

> -----Original Message-----
> From: mile [mailto:mile-bounces at ietf.org] On Behalf Of Moriarty, Kathleen
> Sent: Monday, January 27, 2014 5:40 PM
> To: Roman D. Danyliw; mile at ietf.org
> Subject: Re: [mile] @user-agent attribute
>
> CPE isn't funded anymore and may get folded in SWID. I don't have the
> latest on this, but would not want to rely on something that may go away. Is
> anyone aware of the latest on CPE?
>
> Thanks,
> Kathleen
>
> -----Original Message-----
> From: mile [mailto:mile-bounces at ietf.org] On Behalf Of Roman D. Danyliw
> Sent: Monday, January 27, 2014 3:22 PM
> To: mile at ietf.org
> Subject: [mile] @user-agent attribute
>
> Hello!
>
> The -04 schema of 5070bis has the following comment in the definition of
> @user-agent in the Application and OperatingSystem classes.
>
> [begin comment]
> "<!-- CHANGE: Should UserAgent or HTTPUserAgent fit in SoftwareTypes?
> This is typically intended to mean servers, but the category seems more
> appropriate than others.-->"
> [end comment]
>
> SoftwareType is the complexType used to define System/Application and
> Service/OperatingSystem. Lacking documentation in the text and going only
> on the name in the schema, it would appear that this attribute is attempting
> to describe the "User-Agent" HTTP field per Section 14.43 of RFC2616. If
> there is a broader definition, could someone please talk us through it.
>
> With the addition of the Service/ApplicationHeader there appear to be two
> ways to represent a User-Agent. Consider the following XML snippet below:
>
> <System>...
>   <Service ip_protocol="80">
>     ...
>     <ApplicationHeader proto="80" field="User-Agent"
>       dtype="string">Mozilla/5.0 (Windows NT 6.2; Win64; x64)
>       AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0
>       Safari/537.36</ApplicationHeader>
>
>     ...
>     <Application swid="xxx" configid="xxx" vendor="Google"
>       name="Chrome" user-agent="Mozilla/5.0 (Windows NT 6.2; Win64; x64)
>       AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36"
>       version="32.0.11667">
>       <URL>something</URL>
>     </Application>
>   </Service>
> </System>
>
> A few questions:
> ** Does the data model need the @user-agent attribute if
> ApplicationHeader can model it?
> ** Could @swid (defined as "An identifier that can be used to reference this
> software") be used for a User-Agent?
> ** What implementation guidance should be given about how @user-agent
> should be set with Service/OperatingSystem?
>
> To share my own bias, the Application and OperatingSystem Class are
> currently very poorly specified. I don't think we should continue improving
> them. Instead, we should reference software through CPE
> (http://nvd.nist.gov/cpe.cfm) or similar effort as is possible through the
> SCI-defined class Platform. For the time being, I would drop @user-agent.
>
> Roman
> _______________________________________________
> mile mailing list
> mile at ietf.org
> https://www.ietf.org/mailman/listinfo/mile
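An added example, not part of any message in this thread: what a CPE 2.3 reference for the Chrome Application element quoted above could look like when built from its vendor, name and version attributes. The attribute-to-field mapping and the space-to-underscore rule are assumptions made for illustration, not NIST's or NVD's procedure; cpe_component and cpe_from_application are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Application> element from the quoted snippet,
# reduced to the attributes this example reads.
SAMPLE = ('<Application vendor="Google" name="Chrome" '
          'version="32.0.11667"><URL>something</URL></Application>')

UNESCAPED = set("abcdefghijklmnopqrstuvwxyz0123456789_.-")


def cpe_component(value):
    """Bind one attribute value to a CPE 2.3 formatted-string component."""
    if value is None or not value.strip():
        return "*"                       # nothing recorded: logical ANY
    value = value.strip().lower().replace(" ", "_")  # assumption: space -> "_"
    if not value.isascii() or not value.isprintable():
        raise ValueError("CPE components are limited to printable ASCII")
    if value == "-":
        return "\\-"                     # a bare "-" would otherwise read as NA
    # Every character outside letters, digits, "_", "." and "-" is
    # backslash-escaped, so ":" or "*" in a name cannot shift fields or
    # turn into a wildcard.
    return "".join(c if c in UNESCAPED else "\\" + c for c in value)


def cpe_from_application(xml_text, part="a"):
    """Build a CPE 2.3 name from an Application element's attributes."""
    # ElementTree is adequate for this constructed input; incident reports
    # from other parties should go through a hardened XML parser.
    app = ET.fromstring(xml_text)
    bound = [cpe_component(app.get(k)) for k in ("vendor", "name", "version")]
    # update, edition, language, sw_edition, target_sw, target_hw, other
    return ":".join(["cpe", "2.3", part] + bound + ["*"] * 7)


if __name__ == "__main__":
    print(cpe_from_application(SAMPLE))
```

A name produced this way matches a vulnerability feed only if the feed uses the same vendor and product tokens, which is the gap a maintained SWID-to-CPE mapping would close.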