Re: [OPSAWG] Warren Kumari's No Objection on draft-ietf-opsawg-sbom-access-15: (with COMMENT)
Eliot Lear <lear@lear.ch> Wed, 26 April 2023 06:42 UTC
Return-Path: <lear@lear.ch>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47F1C151534; Tue, 25 Apr 2023 23:42:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.887
X-Spam-Level:
X-Spam-Status: No, score=-0.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MSAVXLfNBFlE; Tue, 25 Apr 2023 23:42:35 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 682D0C15152C; Tue, 25 Apr 2023 23:42:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1682491346; bh=GpX+O1vpygLx8PslrS5FgKm5wg10MpQ8HPxTWCcfxhI=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=OTJpkVh7ekMaLQV8qaBRVJt96YOGVMGDmqOpu/2KmS0n/PtId5SBt2vvHmJPQThwS H2slZC6yHYIwA7s4ENW+yAV2EfIQ1pgKKPHAJ2Q0jdzb7lhnxJmZSd6apywVvI08dN RTfHJeBKrLu+aXAtnhiIYV0TFiQNbk4ANy0i6UiE=
Received: from [IPV6:2001:420:c0c0:1011::b] ([IPv6:2001:420:c0c0:1011:0:0:0:b]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 33Q6gOt0232665 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 26 Apr 2023 08:42:26 +0200
Content-Type: multipart/alternative; boundary="------------aBpDBgu4euYAcytXQPaq4sbX"
Message-ID: <e0cf2808-2636-022c-aa13-da97aaab5303@lear.ch>
Date: Wed, 26 Apr 2023 08:42:22 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
Content-Language: en-US
To: Warren Kumari <warren@kumari.net>, The IESG <iesg@ietf.org>
Cc: ops-dir@ietf.org, draft-ietf-opsawg-sbom-access@ietf.org, opsawg-chairs@ietf.org, opsawg@ietf.org
References: <168246915176.4422.14143513950445519246@ietfa.amsl.com>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <168246915176.4422.14143513950445519246@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/Ig_gEB8cUcCj3zSGVbUWDWHTfK8>
Subject: Re: [OPSAWG] Warren Kumari's No Objection on draft-ietf-opsawg-sbom-access-15: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2023 06:42:38 -0000
On 26.04.23 02:32, Warren Kumari via Datatracker wrote: > Warren Kumari has entered the following ballot position for > draft-ietf-opsawg-sbom-access-15: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer tohttps://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for this document, and also much thanks to Henk for the OpsDir review > - > https://datatracker.ietf.org/doc/review-ietf-opsawg-sbom-access-03-opsdir-early-comstedt-2021-12-19/ > > I found it an easy read, and only have a few nits to offer: > > 1: "A number of activities have been working to improve visibility to > what software is running on a system, and what vulnerabilities that > software may have[EO2021]." > Missing space before the [EO2021] reference. Hmm... I go both ways on that. > > 2: "... two classes of questions *at scale*:" > I think that you should drop the "emphasis" - I really don't think that it > helps readability, and looks "odd". I often use this form for emphasis, but I > really don't think that it should be used in an RFC. You are the second person to complain about that text. Expanded on what that means. > > 3: "Examples of these interfaces might be an HTTP [RFC7231],[RFC9110], or COAP > [RFC7252] endpoint for retrieval." Missing space after [RFC7231] -- hey, I > *did* mention that this is all nits (and also that I *emphasize text*). Ok. > > 4: "Using the second method, when a device does not have an appropriate > retrieval interface, but one is directly available from the manufacturer, a URI > to that information MUST be discovered." I don't really understand the > uppercase MUST here; it's unclear who / what the MUST is directed at. Removed per earlier discussion. > > 5: "To address either risk, any change in a URL, and in particular to the > authority section, should be treated with some suspicion. One mitigation would > be to test any cloud-based URL against a reputation service." I don't really > have any useful text to suggest, but I find the wording of "To address either > risk, ..., should be treated with some suspicion" to be strange. I don't really > view treating something with suspicion as addressing a risk. I *do* know what > you are trying to say, but I don't really think that this accomplishes it. I'm > also not really sure why the second sentence only views 'cloud-based' URLs as > different to non-cloud-based ones - why is foo.bar.example.com more or less > sketchy if it is on AWS then on a physical server? And I think that the > hand-wavy "check it against some sort of reputation thing" is sufficiently > underspecified that it's not helpful. I agree with you about suspicion, but I don't agree with you about reputation services. In fact I would go so far as to say that any resolver that can take as input random HTTP and HTTPS URIs should do some sort of test with a reputation service. All browsers do this already! But that's not this document. In any case, I've rewritten this section a bit to also suggest that administrators be given the opportunity to approve processing when an origin has changed. There are *legitimate *reasons for such changes, but some caution seems warranted, especially to an origin of unknown quality. > > Please notes that these really are just intended to be nits / attempts to help > improve the document; I seem to be having a hard time with my tone in this > writeup and apologize if it came out as snarky.... > Thanks for your suggestions. The document is much improved! Eliot
- [OPSAWG] Warren Kumari's No Objection on draft-ie… Warren Kumari via Datatracker
- Re: [OPSAWG] Warren Kumari's No Objection on draf… Eliot Lear