Re: [Mud] [EXTERNAL SOURCE] Re: [OPSAWG] SBOMs and version non-specific MUD files

Tony Turner <tturner@fortressinfosec.com> Fri, 04 February 2022 20:45 UTC

From: Tony Turner <tturner@fortressinfosec.com>
To: "dick@reliableenergyanalytics.com" <dick@reliableenergyanalytics.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, "mud@ietf.org" <mud@ietf.org>
CC: "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [EXTERNAL SOURCE] Re: [OPSAWG] SBOMs and version non-specific MUD files
Date: Fri, 04 Feb 2022 20:45:11 +0000
Message-ID: <BN6PR18MB1041950CB205841DB571D982A8299@BN6PR18MB1041.namprd18.prod.outlook.com>
References: <282926.1643996393@dooku> <686901d819f9$8ffc5720$aff50560$@reliableenergyanalytics.com>
In-Reply-To: <686901d819f9$8ffc5720$aff50560$@reliableenergyanalytics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/LHVzz00A4L11vgyWLpJbHQLnYr0>

I also wouldn’t ignore the model where SBOMs will be delivered through 3rd party supply chain attestation data libraries that are already aggregating this data as part of C-SCRM assessment activities for mutual benefit.

Certainly MUD makes a lot of sense in very device-centric scenarios and I’m really excited to plug into this model (as I run one of the above-mentioned data libraries, not just SBOM, but HBOM/MBOM, SOC2, build artifacts, other 3rd party product and vendor assessments and product certifications, etc.) – but I find that discovery of MUD sources is half of the challenge. What I find really interesting is the potential for dynamic updating of SBOM as firmware is updated and communication of software risks this will make possible to device management infrastructure. It’s far more likely 3rd party tools like data aggregators for supply chain or vulnerability risk management will interoperate with the management portal for a fleet of devices than with the individual devices themselves.


--
Tony Turner
Vice President, Fortress Labs (R&D)
Fortress Information Security
Cell  321-634-4886 Main 855.FORTRESS
189 S. Orange Ave., Suite 1950, Orlando, FL 32801
fortressinfosec.com


From: OPSAWG <opsawg-bounces@ietf.org> on behalf of Dick Brooks <dick@reliableenergyanalytics.com>
Date: Friday, February 4, 2022 at 2:01 PM
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>, mud@ietf.org <mud@ietf.org>
Cc: opsawg@ietf.org <opsawg@ietf.org>
Subject: [EXTERNAL SOURCE] Re: [OPSAWG] SBOMs and version non-specific MUD files
Michael,

The predominant "SBOM delivery channel" I see is through access-controlled
customer portals where customers can download SBOMs, Vulnerability
Disclosures and other artifacts needed to perform a NIST C-SCRM risk
assessment for Executive Order 14028.
Here's a use case to consider, listing all of the evidence data needed:
https://github.com/rjb4standards/REA-Products/blob/master/UseCaseVDR117/README.md


Thanks,

Dick Brooks

Never trust software, always verify and report!™
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Friday, February 4, 2022 12:40 PM
To: mud@ietf.org
Cc: opsawg@ietf.org
Subject: [OPSAWG] SBOMs and version non-specific MUD files


ietf-opsawg-sbom-access provides for linking to an SBOM from a MUD file.

My understanding is that for sbom-retrieval-method==cloud, a list of
SBOMs is included, one per version of the device firmware.

I just wanted to reiterate that this really is a good thing, because it
allows a version-agnostic MUD file to list many things.

I would like a cloud example to be added.

I think that we need some RFC6125 text for the https: local-well-known text
to explain how validation is (not) done.

We still need some way to determine what version of firmware a device is
running, and while the correct answer is remote attestation, it would be
lovely if there was a recommendation for a lighter-weight process.
LLDP regularly reveals this, but that's unlikely to work over Wi-Fi or in
residential situations.
(I acknowledge that this is out of scope for sbom-access)


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
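As an added example (not code from the sbom-access draft or from anyone in this thread), this is how a device-management system might consume the cloud case Michael describes: a version-agnostic MUD file carrying one SBOM entry per firmware version, from which the SBOM for the firmware version the device reports is selected. The JSON node names (the transparency container, sboms list, version-info and sbom-url) are assumed from the draft's cloud case and should be checked against the current revision.

```python
"""Pick the SBOM for a device's running firmware out of a version-agnostic
MUD file. Added example, not code from the ietf-opsawg-sbom-access draft;
the node names (transparency, sboms, version-info, sbom-url) are assumed
from the draft's cloud case and should be checked against the current text."""
import json
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed MUD file: the cloud case lists one SBOM per firmware version.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.com/mud/thermostat.json",
        "last-update": "2022-02-04T20:45:11+00:00",
        "ietf-mud-transparency:transparency": {
            "sboms": [
                {"version-info": "1.0.0",
                 "sbom-url": "https://sbom.example.com/thermo/1.0.0.spdx.json"},
                {"version-info": "1.1.0",
                 "sbom-url": "https://sbom.example.com/thermo/1.1.0.spdx.json"},
                # plain-http entry: an SBOM that could be altered in transit
                {"version-info": "1.2.0",
                 "sbom-url": "http://sbom.example.com/thermo/1.2.0.spdx.json"},
            ]
        },
    }
})


def sbom_index(mud_json: str) -> Dict[str, str]:
    """Map firmware version -> SBOM URL, keeping only https entries; a
    duplicate version raises, since the list must carry one SBOM per version."""
    mud = json.loads(mud_json)["ietf-mud:mud"]
    entries = mud.get("ietf-mud-transparency:transparency", {}).get("sboms", [])
    index: Dict[str, str] = {}
    for entry in entries:
        version, url = entry["version-info"], entry["sbom-url"]
        if version in index:
            raise ValueError(f"duplicate SBOM entry for firmware {version}")
        if urlparse(url).scheme == "https":
            index[version] = url
    return index


def sbom_for_firmware(mud_json: str, running_version: str) -> Optional[str]:
    """SBOM URL for the version the device reports (ideally learned through
    remote attestation), or None if that version is not listed; never guessed."""
    return sbom_index(mud_json).get(running_version)
```

The MUD file itself cannot tell which firmware is running, which is exactly the gap the message above points at; the caller has to supply that version from a trustworthy source.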
