Re: [Mud] [OPSAWG] SBOMs and version non-specific MUD files
Dick Brooks <dick@reliableenergyanalytics.com> Fri, 04 February 2022 19:01 UTC
Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF5C83A1F6F; Fri, 4 Feb 2022 11:01:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03SshqIUM3Mb; Fri, 4 Feb 2022 11:01:06 -0800 (PST)
Received: from forward2-smtp.messagingengine.com (forward2-smtp.messagingengine.com [66.111.4.226]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 918933A1F6E; Fri, 4 Feb 2022 11:01:06 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailforward.nyi.internal (Postfix) with ESMTP id E822B19401C3; Fri, 4 Feb 2022 14:01:05 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Fri, 04 Feb 2022 14:01:05 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=v6KaSKolEzYqzmg2FfpyDAbN6WZz9 xQYBtbE+1aBwwU=; b=eHd/GpVX7ynU/JBEh9vI/+M2XvuxHsVJCE011tSn/NjIy jQvJ3l8y8eMzsTZZNi6sbc500P1LO6/byW/xyEcuMwwYLKqkjaaOTEGsOfqkZ8k4 gRoSMSKjmgMr5PhTw9G6stWRlzbAF0nqnEI5IkktzDw2A/+hEZqvf9H+bZ31MaGP HxxO4B6F7GrPixHdtQ2QNth/dPNTTzNlbhiwIDf7+36pQ4HcEOCr9tdtpLxZHT5k H3HyzjXpCBR0sHor472FgPqvAMuKqZML5sz/oVvrInUh6fj85Kgue9aFMDwAL+lR jKhrYvWrF1evRXBwD1VX7lh0AZyoFKjDa0fRQ9qGw==
X-ME-Sender: <xms:8Xf9YdLh34U2mg7jDiMomAvQoaRI-DtYq9YXBGjps_nTIOGzGpGFbw> <xme:8Xf9YZLuw7bQuytRyxuMMTkoI0Oxa-bCWDvhCJa1w5sWJeJVFE2K5BwkDHQ3UV8qv pQJqN-qdQVVDCjXDQ>
X-ME-Received: <xmr:8Xf9YVsYvFuFW6tfGrHcWvSA4za74Hvf71WsMFuyPzT0xBnKK8D0yc8>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrgeelgdduudekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpehrhffvfhgjufffohfkgggtgffoth esthejghdtvddtvdenucfhrhhomhepfdffihgtkhcuuehrohhokhhsfdcuoeguihgtkhes rhgvlhhirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomheqnecuggftrfgrth htvghrnhepkedtueehtdetledthfekjeetjeevjeetvefghfefvdfhhfdvgfetveeuuefh teefnecuffhomhgrihhnpehgihhthhhusgdrtghomhdprhgvlhhirggslhgvvghnvghrgh ihrghnrghlhihtihgtshdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgr mhepmhgrihhlfhhrohhmpeguihgtkhesrhgvlhhirggslhgvvghnvghrghihrghnrghlhi htihgtshdrtghomh
X-ME-Proxy: <xmx:8Xf9YeaMv69bD20xocXsAkJhxNDDN5op8l-fadzpbsCEyrbnKfl7Sw> <xmx:8Xf9YUZmcYGmSeQzTm_A-qK13o1OdXrTqMrZH9lUNJje6wPV061JrA> <xmx:8Xf9YSAMmnxhV_R62MxZrzq07Ezq3PTUheZmWtXRAmsKTTai5RPJwQ> <xmx:8Xf9YdDF09hP9FBNdtrPfz0ZARQ0KF2lF6L-VP9WRWvbBH5RYdvtEw>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 4 Feb 2022 14:01:05 -0500 (EST)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>, mud@ietf.org
Cc: opsawg@ietf.org
References: <282926.1643996393@dooku>
In-Reply-To: <282926.1643996393@dooku>
Date: Fri, 04 Feb 2022 14:01:03 -0500
Organization: Reliable Energy Analytics LLC
Message-ID: <686901d819f9$8ffc5720$aff50560$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKKKG9YQSV0Fk837yYvHefh3I71d6sfoTFQ
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/WbT7Nu88nx-v6o7oeipNfki2V30>
Subject: Re: [Mud] [OPSAWG] SBOMs and version non-specific MUD files
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Feb 2022 19:01:13 -0000
Michael, The predominant "SBOM delivery channel" I see is through access controlled customer portals where customers can download SBOM's Vulnerability Disclosures and other artifacts needed to perform a NIST C-SCRM risk assessment for Executive Order 14028. Here's a use case to consider, listing all of the evidence data needed: https://github.com/rjb4standards/REA-Products/blob/master/UseCaseVDR117/READ ME.md Thanks, Dick Brooks Never trust software, always verify and report! T http://www.reliableenergyanalytics.com Email: dick@reliableenergyanalytics.com Tel: +1 978-696-1788 -----Original Message----- From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Michael Richardson Sent: Friday, February 4, 2022 12:40 PM To: mud@ietf.org Cc: opsawg@ietf.org Subject: [OPSAWG] SBOMs and version non-specific MUD files ietf-opsawg-sbom-access provides for linking to an SBOM from a MUD file. My understanding is that for the sbom-retrival-method==cloud, that a list of sboms is included, one per version of the device firmware. I just wanted to re-iterate that this really is a good thing, because it allows for a version agnostic MUD file to list many things. I would like a cloud example to be added. I think that we need some RFC6125 text for the https: local-well-known text to explain how validation is (not) done. We still need some way to determine what version of firmware a device is running, and while the correct answer is remote attestation, it would be lovely if there was a recommendation for a lighter weight process. LLDP regularly reveals this, but that's unlikely to work over wifi or in residential situations. (I acknowledge that this is out of scope for sbom-access) -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Mud] SBOMs and version non-specific MUD files Michael Richardson
- Re: [Mud] [OPSAWG] SBOMs and version non-specific… Dick Brooks
- Re: [Mud] [OPSAWG] SBOMs and version non-specific… Michael Richardson
- Re: [Mud] [OPSAWG] SBOMs and version non-specific… Dick Brooks
- Re: [Mud] [OPSAWG] SBOMs and version non-specific… Dick Brooks
- Re: [Mud] [OPSAWG] SBOMs and version non-specific… Christopher Gates
- Re: [Mud] [EXTERNAL SOURCE] Re: [OPSAWG] SBOMs an… Tony Turner