Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Eliot Lear <lear@cisco.com> Tue, 05 January 2021 15:53 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <E1A6BF55-6E1C-42EF-BB7C-7FEF43D5A362@cisco.com>
Date: Tue, 5 Jan 2021 16:53:17 +0100
In-Reply-To: <27fb01d6e37a$b376a220$1a63e660$@reliableenergyanalytics.com>
Cc: Christopher Gates <chris.gates@velentium.com>, opsawg@ietf.org, ntia-sbom-framing@cert.org
To: Dick Brooks <dick@reliableenergyanalytics.com>
References: <ema9be735c-1725-4ceb-8ca1-bc90f895f94e@vwdl7400-36262r2> <27fb01d6e37a$b376a220$1a63e660$@reliableenergyanalytics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/HuvGggfObEJPIDHqQXwh44BQi7s>
Subject: Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Ok.  Should I add something for CycloneDX?

Eliot

> On 5 Jan 2021, at 16:51, Dick Brooks <dick@reliableenergyanalytics.com> wrote:
> 
> I concur with Chris. I’ve heard reports of people trying to use SWID to communicate SBOM information and they are having to make some “brave” assumptions in the process. SPDX and CycloneDX seem to be the only viable SBOM formats, based on my testing experience with both formats.
> 
> There remain several issues on naming and identification conventions. A lot of the challenges I’ve experienced could be addressed if NIST NVD and NTIA SBOM parties could reach an agreement on how names/identifiers will be represented in their respective domains. It would only require a few elements to be agreed to, like Publisher name, Product name and Version identifier to make an impactful improvement in vulnerability search results, using SBOM data as inputs.
> 
> Thanks,
> 
> Dick Brooks
> Never trust software, always verify and report! <https://reliableenergyanalytics.com/products> ™
> http://www.reliableenergyanalytics.com <http://www.reliableenergyanalytics.com/>
> Email: dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com>
> Tel: +1 978-696-1788
> 
> From: OPSAWG <opsawg-bounces@ietf.org <mailto:opsawg-bounces@ietf.org>> On Behalf Of Christopher Gates
> Sent: Tuesday, January 05, 2021 10:27 AM
> To: opsawg@ietf.org <mailto:opsawg@ietf.org>
> Subject: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
> 
> 
> ------ Forwarded Message ------
> From: "Christopher Gates" <chris.gates@velentium.com <mailto:chris.gates@velentium.com>>
> To: "Eliot Lear" <lear@cisco.com <mailto:lear@cisco.com>>; "ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>" <ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>>
> Sent: 1/4/2021 2:48:51 PM
> Subject: Re: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
> 
>> Eliot,
>> 
>> I joined the IETF WG, and I have some feedback....
>> 
>> <image002.png>
>> A "SWID tag" isn't an SBOM format, as stated here. It is an element inside of an SBOM.
>> Since we have removed SWID as a format we in the "NTIA SBOM WG" are supporting for SBOM use, shouldn't this reference be removed from the IETF draft as well?
>> 
>> 
>> Also, I still think that creating a Bluetooth Low Energy SBOM Adopted Profile (via the Bluetooth SIG) that is harmonized with this would be a good thing:
>> <image003.png>
>> 
>> Due to the low bandwidth of BLE we wouldn't attempt to provide the SBOM via BLE, just the link to a URI that can deliver the SBOM.
>> It would create a standardized UUID (16 bit) for the SBOM Adopted Profile, and have a consistent set of characteristics being exposed via BLE.
>> This is exactly how an Adopted Profile is supposed to be defined and utilized.
>> 
>> 
>> Christopher Gates
>> --------------------------------
>> Director of Product Security
>> www.velentium.com <http://www.velentium.com/>
>> (805)750-0171
>> 520 Courtney Way Suite 110
>> Lafayette CO. 80026
>> (GMT-7)
>> 
>> Our new book is now shipping:
>> Medical Device Cybersecurity for Engineers and Manufacturers
>> U.S. <https://us.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2128.aspx> | Worldwide <https://uk.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2073.aspx>
>> Amazon <https://www.amazon.com/Medical-Device-Cybersecurity-Engineers-Manufacturers/dp/1630818151/ref=sr_1_1?dchild=1&keywords=Axel+Wirth&qid=1592335625&sr=8-1> & Digital <https://us.artechhouse.com/Medical-Device-Cybersecurity-for-Engineers-and-Manufacturers-P2174.aspx>
>> Security Book Of The Year! <https://engineering.tapad.com/the-best-information-security-books-of-2020-e7430444fbd4>
>> 
>> “If everyone is thinking alike, then somebody isn't thinking.” -George S. Patton
>> "Facts are stubborn things."  -John Adams, 1770
>> 
>> ------ Original Message ------
>> From: "Eliot Lear via ntia-sbom-framing" <ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>>
>> To: ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>
>> Sent: 1/4/2021 9:57:22 AM
>> Subject: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
>> 
>>> FYI- this is your opportunity to contribute to the IETF.  If you think sharing of SBOMs is important, this is a starting point for the IETF to begin work on that aspect, not an end point.  Please feel free to contribute by joining the opsawg IETF list at https://www.ietf.org/mailman/listinfo/opsawg <https://www.ietf.org/mailman/listinfo/opsawg>.
>>> 
>>> Eliot
>>> 
>>> 
>>>> Begin forwarded message:
>>>> 
>>>> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>>
>>>> Subject: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
>>>> Date: 4 January 2021 at 17:10:19 CET
>>>> To: opsawg <opsawg@ietf.org <mailto:opsawg@ietf.org>>
>>>> 
>>>> Dear OPSAWG members,
>>>> 
>>>> This starts a call for Working Group Adoption on https://tools.ietf.org/html/draft-lear-opsawg-sbom-access-00 <https://tools.ietf.org/html/draft-lear-opsawg-sbom-access-00> ending on Monday, January 25.
>>>> 
>>>> As a reminder, this I-D describes different ways to acquire Software Bills of Material (SBOM) about distinguishable managed entities. The work was updated by the authors on October 13th and now elaborates on three ways SBOM can be found, including a MUD URI as one of the options.
>>>> 
>>>> Please reply with your support and especially any substantive comments you may have.
>>>> 
>>>> 
>>>> For the OPSAWG co-chairs,
>>>> 
>>>> Henk
>>>> 
>>>> _______________________________________________
>>>> OPSAWG mailing list
>>>> OPSAWG@ietf.org <mailto:OPSAWG@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/opsawg <https://www.ietf.org/mailman/listinfo/opsawg>
>>> 
> 
> 
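Dick's remark in the quoted message above, that agreeing on just Publisher name, Product name and Version identifier would noticeably improve vulnerability lookups driven by SBOM data, can be made concrete. The following is an added example, not code from this thread, from the draft under adoption, or from the NTIA or NIST work it mentions. It takes a constructed CycloneDX-style SBOM (the `publisher`, `name` and `version` component fields are real CycloneDX fields; the values are invented), normalizes those three elements into a simplified CPE 2.3 name, and looks each component up in a constructed vulnerability table. The normalization rules (lower-casing, dropping corporate suffixes, stripping a leading "v") are this example's own assumptions about what an agreed convention might look like, and the vulnerability identifiers are placeholders, not CVE numbers.

```python
"""
Added example, not part of the thread: map SBOM component identity
(publisher, product, version) to CPE 2.3 names and look them up in a
vulnerability table. All component and vulnerability data is constructed.
"""
import json
import re

# Constructed CycloneDX-style SBOM. The field names (publisher, name,
# version) are real CycloneDX component fields; the values are invented.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "components": [
        {"type": "library", "publisher": "Example Widgets, Inc.",
         "name": "libwidget", "version": "2.4.1"},
        {"type": "library", "publisher": "ACME Corp",
         "name": "Acme Logger", "version": "v3.0.2"},
        {"type": "library", "publisher": "Contoso Ltd",
         "name": "netlib", "version": "1.0"},
    ],
})

# Constructed vulnerability table keyed by CPE 2.3 name. The identifiers
# are placeholders, not real CVE ids.
VULN_TABLE = {
    "cpe:2.3:a:example_widgets:libwidget:2.4.1:*:*:*:*:*:*:*": ["EXAMPLE-0001"],
    "cpe:2.3:a:acme:acme_logger:3.0.2:*:*:*:*:*:*:*": ["EXAMPLE-0002", "EXAMPLE-0003"],
}

# Corporate suffixes that publishers write inconsistently and that
# NVD-style vendor names usually omit (assumed convention for this example).
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "gmbh", "co", "ag", "sa"}


def normalize_vendor(publisher: str) -> str:
    """Lower-case, drop legal suffixes, join the remaining words with '_'."""
    words = re.findall(r"[a-z0-9]+", publisher.lower())
    return "_".join(w for w in words if w not in LEGAL_SUFFIXES)


def normalize_product(name: str) -> str:
    """Lower-case and join word runs with '_' (e.g. 'Acme Logger' -> 'acme_logger')."""
    return "_".join(re.findall(r"[a-z0-9]+", name.lower()))


def normalize_version(version: str) -> str:
    """Strip whitespace and a leading 'v'/'V' before a digit; dots stay as-is."""
    v = version.strip()
    return v[1:] if re.match(r"^[vV]\d", v) else v


def to_cpe(vendor: str, product: str, version: str) -> str:
    """Simplified CPE 2.3 formatted-string binding with only vendor,
    product and version filled; the remaining attributes are wildcards."""
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def component_cpe(component: dict) -> str:
    """Derive the lookup key for one SBOM component from its three identity elements."""
    return to_cpe(normalize_vendor(component.get("publisher", "")),
                  normalize_product(component["name"]),
                  normalize_version(component["version"]))


def match_sbom(sbom_json: str, vuln_table: dict) -> dict:
    """Return {component name: [vuln ids]} for every component in the SBOM.
    Components with no match get an empty list so that gaps stay visible."""
    sbom = json.loads(sbom_json)
    results = {}
    for comp in sbom.get("components", []):
        results[comp["name"]] = list(vuln_table.get(component_cpe(comp), []))
    return results


if __name__ == "__main__":
    for name, ids in match_sbom(SBOM_JSON, VULN_TABLE).items():
        print(f"{name:12s} -> {ids if ids else 'no entry in table'}")
```

Without the normalization step, "ACME Corp" / "Acme Logger" / "v3.0.2" would never line up with a table entry spelled "acme" / "acme_logger" / "3.0.2", which is the class of miss Dick describes; the code also reports components that matched nothing, since a silent miss is the failure mode to watch for when SBOM data feeds a vulnerability search.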