Re: [OPSAWG] Document Shepherd Review of draft-ietf-opsawg-sbom-access-11

Qin Wu <bill.wu@huawei.com> Mon, 10 October 2022 02:06 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0BB0C14F74D; Sun, 9 Oct 2022 19:06:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.888
X-Spam-Level:
X-Spam-Status: No, score=-6.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZfQgAij5JKV; Sun, 9 Oct 2022 19:06:47 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9343C14F746; Sun, 9 Oct 2022 19:06:46 -0700 (PDT)
Received: from fraeml738-chm.china.huawei.com (unknown [172.18.147.200]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4Mm2LJ6sjrz687S8; Mon, 10 Oct 2022 10:05:12 +0800 (CST)
Received: from canpemm500006.china.huawei.com (7.192.105.130) by fraeml738-chm.china.huawei.com (10.206.15.219) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 10 Oct 2022 04:06:43 +0200
Received: from canpemm500005.china.huawei.com (7.192.104.229) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 10 Oct 2022 10:06:41 +0800
Received: from canpemm500005.china.huawei.com ([7.192.104.229]) by canpemm500005.china.huawei.com ([7.192.104.229]) with mapi id 15.01.2375.031; Mon, 10 Oct 2022 10:06:41 +0800
From: Qin Wu <bill.wu@huawei.com>
To: Eliot Lear <lear@lear.ch>, opsawg <opsawg@ietf.org>
CC: Eliot Lear <lear@cisco.com>, "draft-ietf-opsawg-sbom-access@ietf.org" <draft-ietf-opsawg-sbom-access@ietf.org>
Thread-Topic: [OPSAWG] Document Shepherd Review of draft-ietf-opsawg-sbom-access-11
Thread-Index: AdjcTIxxA4m8r/e3Th+t+WGup2J71w==
Date: Mon, 10 Oct 2022 02:06:41 +0000
Message-ID: <b165c32983ca4de9b2988801455e4b54@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.100.16]
Content-Type: multipart/alternative; boundary="_000_b165c32983ca4de9b2988801455e4b54huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/1LC80drtkGq5z2GgohJ0fGc2xFM>
Subject: Re: [OPSAWG] Document Shepherd Review of draft-ietf-opsawg-sbom-access-11
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 02:06:52 -0000

Elliot:
The suggested changes all look good, thank for clarification and addressing my comments, I will update document shepherd review to reflect the current implementation status.

-Qin
发件人: Eliot Lear [mailto:lear@lear.ch]
发送时间: 2022年10月9日 20:19
收件人: Qin Wu <bill.wu@huawei.com>; opsawg <opsawg@ietf.org>
抄送: Eliot Lear <lear@cisco.com>; draft-ietf-opsawg-sbom-access@ietf.org
主题: Re: [OPSAWG] Document Shepherd Review of draft-ietf-opsawg-sbom-access-11


Hi Qin,

Thanks for your review.  Please see below.
On 08.10.22 11:27, Qin Wu wrote:
Hi, authors:
I have read the latest version of this draft, it is well written, thank for that.
Here is the identified minor issues during document shepherd review of draft-ietf-opsawg-sbom-access-11:

1.       Abstract said:
“
It may optionally be discovered through manufacturer usage descriptions.

”

[Qin] This sentence is not clear. Are you saying MUD extensions transparency can be discovered using extensions defined in section 3.9 of RFC8520?
Or software transparency and vulnerability information can be discovered by using ACL example defined in section 5.4 of this draft? I assume it is the latter. Please clarify.

Ok, I propose the following change:

OLD:

This memo specifies a model to provide access to this information.  It

may optionally be discovered through manufacturer usage descriptions.



NEW:

This memo extends the MUD YANG model to provide the locations of software

bills of materials and to vulnerability information.




2.       Section 1 said:
“
   The mechanisms specified in this document are meant to satisfy
   several use cases:

   *  A network-layer management system retrieving information from an
      IoT device as part of its ongoing lifecycle.  Such devices may or
      may not have query interfaces available.

”
[Qin] How many use cases do we specify here? I believe it is two, how about be specific about the number of use cases here, s/several use cases/the following two use cases

Ok




3.       Section 1 said:
“   In the first case, devices will have interfaces that permit direct
   retrieval.  Examples of these interfaces might be an HTTP [RFC9110<https://datatracker.ietf.org/doc/html/rfc9110>],
   or COAP [RFC7252<https://datatracker.ietf.org/doc/html/rfc7252>] endpoint for retrieval.  There may also be private
   interfaces as well.

   In the second case, when a device does not have an appropriate
   retrieval interface, but one is directly available from the
   manufacturer, a URI to that information MUST be discovered.

   In the third case, a supplier may wish to make an SBOM or
   vulnerability information available under certain circumstances, and
   may need to individually evaluate requests.  The result of that
   evaluation might be the SBOM or vulnerability itself or a restricted

”
[Qin] I believe the first case, the second case, the third case are corresponding to three ways to discover object instead of two key use cases listed in section 1? Therefore there are confusing to be introduced here.

I suggest to change as follows:
s/in one of three ways/ through one of three method
s/In the first case/In the first method
s/In the second case/In the second method
s/in the third case/In the third method


Ok.  I changed the word "In" to "Using", but otherwise agree.



4.       Section 1.1

[Qin] s/in either/either in

Ok



5.       Section 1.1 said:

“ The MUD semantics provide a way for manufacturers

to control how often tooling should check for those changes through

the cache-validity node. “

[Qin] Can you provide a reference section in RFC8520 about such MUD semantics.

I have changed this to "MUD's cache-validity node provides a way..."

For your information, this is Section 3.5 of 8520.

6.       Section 3 N.B.

[Qin] What N.B. stands for? Can you provide a reference or change in other words.

N.B. is a commonly used Latin abbreviation for "nota bene" or "note well".  It falls into the class of i.e,  and e.g.





7.       Section 5.4 said:

“ 5.4<https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access-11#section-5.4>.  With ACLS



Finally, here is a complete example where the device provides SBOM

and vulnerability information, as well as access-control information.



{

"ietf-mud:mud": {

"mud-version": 1,

"extensions": [
"ol",

"transparency"
], “


[Qin] How this draft is related to draft-ietf-opsawg-ol-01? In other words, how sbom access work together with Ownership and licensing statements in YANG described in draft-ietf-opsawg-ol-01.

If ‘ol’ extension is needed, I think a informative reference is needed here.

This as discussed within the working group, and the point was made that it is good to show mud working with unrelated extensions.  I would prefer for this reason not to include an informative reference.  Implementations need not process extensions they do not understand (to do so would require a major rev of MUD).


8.       Section 6 said:

“N.B., for MUD, the mandatory method of retrieval is TLS. “

[Qin] New fashion of acronym,☺


9.       Section 6 said:

“

One example may be to issue a certificate to the client for

this purpose after a registration process has taken place.  Another

example would involve the use of OAUTH in combination with a
federations of SBOM servers. “

[Qin] I feel there is disconnection between the fifth sentence and the sixth sentence in the paragraph 9 . Two examples are provided here, I am wondering which security risk are addressed by which example?




I think you are right.  The sentence order wasn't good.  How about this:

[...] Other servers that offer the data MAY restrict access to

SBOM information using appropriate authorization semantics within

HTTP.  One way to do this would be to issue a certificate to the client for

this purpose after a registration process has taken place.  Another

approach would involve the use of OAUTH in combination with a

In particular, if a system attempts to retrieve an SBOM via

HTTP and the client is not authorized, the server MUST produce an

appropriate error, with instructions on how to register a particular

client.



10.   Section 6 said:

“

Vulnerability information is generally made available to such

databases as NIST's National Vulnerability Database. “

[Qin] Do we need to list the Database Name developed by specific entity in the security section as normative text?



11.   Do we have implementation that pertains to this draft?

Indeed we do.  Please see https://github.com/sbomtools/apt2sbom.
Eliot