Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Dick Brooks <dick@reliableenergyanalytics.com> Tue, 05 January 2021 15:52 UTC

Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 948783A1036 for <opsawg@ietfa.amsl.com>; Tue, 5 Jan 2021 07:52:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZtGZQxq4rl-x for <opsawg@ietfa.amsl.com>; Tue, 5 Jan 2021 07:52:01 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40A053A0DBF for <opsawg@ietf.org>; Tue, 5 Jan 2021 07:52:01 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 576985C00A9; Tue, 5 Jan 2021 10:52:00 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Tue, 05 Jan 2021 10:52:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=D9Qcli VDTvs8E8u1yuHHzhJhGitW3fExZdq/T+7LVmU=; b=j3uaNKdsTFwcT/gcB3rxOA soVsQJzIzNn0+C3X/ZsaN/zXBPK/4NLaSzQlMJfLDapcWthwOI2IN3XOvPY+/lOS 1tOdIlEtzUPrPFMbF4CHlIK5gE1fJ+FwAadqYZ45L5KIl09EzYaNG4KmgHfE0pMX qk0yp54DBi7RUD4ZZIeLe2T/cFv+W1CzM2nuxBcXxlmAJ01CnWXY/e9hvJG1G1fa IyDb+U9mXdXaDEpwzGhVko0dfiJCz2pMb6EeSMFG7ZysYNkFUYmPDI2fwnQDi438 0Xv2ZxA8qDtloWife5dpqYQtmZTaRpl/zFiWkBROdZbMqziF9h2oMwf8hsIiAHZg ==
X-ME-Sender: <xms:H4v0XxS1uMrPV8OPseqANIodmit8bN1WhmqvDf734mV5vDapjg8B2A> <xme:H4v0X6wtu9GFR8FNPWHn21-icQ58t3eKMQDgEpp4EXhLgnwYpPZu7es6VdRBGsPSZ a72CAsHQ9EFt1-AgQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrvdefjedggeehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvfhgjufffohfkgggtofhtsehrtdhgpedvtdejnecuhfhrohhmpedfffhi tghkuceurhhoohhkshdfuceoughitghksehrvghlihgrsghlvggvnhgvrhhghigrnhgrlh ihthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpedtteefjefffeeivdeigffflefg heekiedvffefleffheegkeeufedvtdfgudffleenucffohhmrghinheprhgvlhhirggslh gvvghnvghrghihrghnrghlhihtihgtshdrtghomhenucfkphepvdduiedrudelfedrudeg vddrvddvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epughitghksehrvghlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhm
X-ME-Proxy: <xmx:H4v0X21Sq7GQEdMOx-2oshSll6l0dVSzmwE3ZC-Yd63fkJ60ituzkQ> <xmx:H4v0X5ByX1mMFLrqnEx_uSMP9rDtOajT1yqdEoubBi4p22J0xXZpsg> <xmx:H4v0X6jrlIcHqAlgR4sLHTklu1Ax5PciJ4iSLoiHXfhsbZG-zhCEZw> <xmx:IIv0XwfqHigGbdlHkHdMP9vCb4d5m7ABOOPISH0j00Lk4FbT9kMvcw>
Received: from farpoint (unknown [216.193.142.22]) by mail.messagingengine.com (Postfix) with ESMTPA id A1D301080057; Tue, 5 Jan 2021 10:51:59 -0500 (EST)
From: "Dick Brooks" <dick@reliableenergyanalytics.com>
To: "'Christopher Gates'" <chris.gates@velentium.com>, <opsawg@ietf.org>, <ntia-sbom-framing@cert.org>
References: <ema9be735c-1725-4ceb-8ca1-bc90f895f94e@vwdl7400-36262r2>
In-Reply-To: <ema9be735c-1725-4ceb-8ca1-bc90f895f94e@vwdl7400-36262r2>
Date: Tue, 5 Jan 2021 10:51:56 -0500
Organization: Reliable Energy Analytics LLC
Message-ID: <27fb01d6e37a$b376a220$1a63e660$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_27FC_01D6E350.CAA3A760"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQH8bkPotrER+eOFupHvNH45exmtUanOFozg
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/Ak-mL7gmt0RXR-x26xV_x4uY0hU>
Subject: Re: [OPSAWG] =?utf-8?q?Fw=3A_Re=3A_=5Bntia-sbom-framing=5D_Fwd=3A__?= =?utf-8?q?=F0=9F=94=94_WG_Adoption_Call_on_draft-lear-opsawg-sbom-access-?= =?utf-8?q?00?=
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 15:52:04 -0000

I concur with Chris. I’ve heard reports of people trying to use SWID to communicate SBOM information and they are having to make some “brave” assumptions in the process.  SPDX and CycloneDX seem  to be the only viable SBOM formats, based on my testing experience with both formats. 

 

There remain several issues on naming and identification conventions. A lot of the challenges I’ve experienced could be addressed if NIST NVD and NTIA SBOM parties could reach an agreement on how names/identifiers will be represented in their respective domains. It would only require a few elements to be agreed to, like Publisher name, Product name and Version identifier to make an impactful improvement in vulnerability search results, using SBOM data as inputs. 

 

Thanks,

 

Dick Brooks



 <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™

 <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com

Email:  <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Christopher Gates
Sent: Tuesday, January 05, 2021 10:27 AM
To: opsawg@ietf.org
Subject: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

 

 

------ Forwarded Message ------

From: "Christopher Gates" <chris.gates@velentium.com <mailto:chris.gates@velentium.com> >

To: "Eliot Lear" <lear@cisco.com <mailto:lear@cisco.com> >; "ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org> " <ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org> >

Sent: 1/4/2021 2:48:51 PM

Subject: Re: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

 

Eliot,

 

I joined the IETF WG, and I have some feedback....

 



A "SWID tag" isn't an SBOM format, as stated here. It is an element inside of an SBOM.

Since we have removed SWID as a format we in the "NTIA SBOM WG are supporting for SBOM use, shouldn't this reference be removed from the IETF draft as well?

 

 

Also, I still think that creating a Bluetooth Low Energy SBOM Adopted Profile (via the Bluetooth SIG) that is harmonized with this would be a good thing:



 

Due the the low bandwidth of BLE we wouldn't attempt to provide the SBOM via BLE, just the link to a URI that can deliver the SBOM.

It would create a standardized UUID (16 bit) for the SBOM Adopted Profile, and have a consistent set of characteristics being exposed via BLE.

This is exactly how an Adopted Profile is supposed to be defined and utilized.

 

 

Christopher Gates

--------------------------------

Director of Product Security

www.velentium.com <http://www.velentium.com/> 

(805)750-0171

520 Courtney Way Suite 110

Lafayette CO. 80026

(GMT-7)

 

Our new book is now shipping:

Medical Device Cybersecurity for Engineers and Manufacturers

U.S. <https://us.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2128.aspx>  | Worldwide <https://uk.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2073.aspx> 

Amazon <https://www.amazon.com/Medical-Device-Cybersecurity-Engineers-Manufacturers/dp/1630818151/ref=sr_1_1?dchild=1&keywords=Axel+Wirth&qid=1592335625&sr=8-1> & Digital <https://us.artechhouse.com/Medical-Device-Cybersecurity-for-Engineers-and-Manufacturers-P2174.aspx> 

Security Book Of The Year! <https://engineering.tapad.com/the-best-information-security-books-of-2020-e7430444fbd4> 

 

“If everyone is thinking alike, then somebody isn't thinking.” -George S. Patton

"Facts are stubborn things."  -John Adams, 1770

 

------ Original Message ------

From: "Eliot Lear via ntia-sbom-framing" <ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org> >

To: ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org> 

Sent: 1/4/2021 9:57:22 AM

Subject: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

 

FYI- this is your opportunity to contribute to the IETF.  If you think sharing of SBOMs is important, this is a starting point for the IETF to begin work on that aspect, not an end point.  Please feel free to contribute by joining the opsawg IETF list at https://www.ietf.org/mailman/listinfo/opsawg.

 

Eliot





Begin forwarded message:

 

From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de> >

Subject: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Date: 4 January 2021 at 17:10:19 CET

To: opsawg <opsawg@ietf.org <mailto:opsawg@ietf.org> >

 

Dear OPSAWG members,

this starts a call for Working Group Adoption on https://tools.ietf.org/html/draft-lear-opsawg-sbom-access-00 ending on Monday, January 25.

As a reminder, this I-D describes different ways to acquire Software Bills of Material (SBOM) about distinguishable managed entities. The work was updated by the authors on October 13th and now elaborates on three ways SBOM can be found, including a MUD URI as one of the options.

Please reply with your support and especially any substantive comments you may have.


For the OPSAWG co-chairs,

Henk

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org <mailto:OPSAWG@ietf.org> 
https://www.ietf.org/mailman/listinfo/opsawg

 


Disclaimer: The information and attachments transmitted by this e-mail are proprietary to Velentium, LLC and the information and attachments may be confidential and legally protected under applicable law and are intended for use only by the individual or entity to whom it was addressed. If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message and attachments is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and delete this message from your system immediately hereafter.