[OPSAWG] definining a /.well-known value for an SBOM
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 16 October 2020 22:07 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2E4D3A0B87; Fri, 16 Oct 2020 15:07:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibJY69koIuxP; Fri, 16 Oct 2020 15:07:48 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAFAB3A0B85; Fri, 16 Oct 2020 15:07:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 746BF389A4; Fri, 16 Oct 2020 18:13:34 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 7-HMJ71aGg-M; Fri, 16 Oct 2020 18:13:28 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id BE4113899D; Fri, 16 Oct 2020 18:13:28 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 85E96BE9; Fri, 16 Oct 2020 18:07:30 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear@cisco.com>, opsawg <opsawg@ietf.org>, sacm@ietf.org
In-Reply-To: <7CB100BC-1001-4DAE-A073-D67C2F4EA5D7@cisco.com>
References: <160260371149.16976.435024798941804386@ietfa.amsl.com> <5A6BF999-4422-47B7-A96B-4C0ACFF6CDD7@cisco.com> <352.1602704502@localhost> <7CB100BC-1001-4DAE-A073-D67C2F4EA5D7@cisco.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 16 Oct 2020 18:07:30 -0400
Message-ID: <30099.1602886050@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/_ssO0VgMpHP6NrfYj_eKt8Tjj9w>
Subject: [OPSAWG] definining a /.well-known value for an SBOM
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2020 22:07:50 -0000
Relating to: draft-lear-opsawg-sbom-access-00.txt Eliot Lear <lear@cisco.com> wrote: >>> My request is that we discuss this in the WG, and then consider it for >>> adoption, understanding that it has a bit of a road to travel still. >> >> I'm not sure that I understand why you are using the term "layer" in >> "application-layer management system"? Or maybe it is "application" >> That section reads poorly, even though I eventually understood it. > Yeah, edits welcome. Imagine a pool of applications servers that > you’re managing with a cloud orchestration system. That’s the use > case. I found the github at: https://github.com/elear/mud-sbom.git and I'll see if I can reword. BUT, I think that we've gotten to .well-known for SBOM from "MUD" in a kind of roundabout way. I think that having an SBOM for service.example at https://service.example/.well-known/sbom (or some such), it entirely a good idea. {Okay, there are a whole planet-full of lawyers waiting for us here. (Planet-L) Some entities, will not want to disclose, but others will find that they are obligated to. Not our problem to make them do something, just to explain how to do it in a standard way.} As far as I can tell, we got here because in the self-hosted SBOM, the MUD file would like to be able to reference a well known thing. It seems that this problem is not very related to SBOM by MUD. It ought to be just be a new draft. Maybe something the SACM would want to adopt. >> Anyway, I thought that you were going to use a template for local-uri, >> instead of having the enumeration of scheme? > I got an opinion that either we go with .well-known OR we go with a > schema, but not both. I think this is still an open issue, tho. I say, either the SBOM is at some specified URL on a manufacturer web site (with possible access control on it). Or, it's at .well-known. That probably is a simple enum. While I can imagine writing an RFC8520 MUD file for some kind of https interface application server: while it might be running a common OS (or live in a container), it has a very limited number of functions. Probably incoming port 443 from "controller", and outgoing port-443-to-update-server only. >> While the set of SBOM formats is far from set in stone, and I think that >> each will have a MIME type, I want to suggest that this document make it >> clear that HTTP content negotiation should be used to get the format >> one wants and/or that the type returned will be tagged via Content-Type. > Agree. The above .well-known URL for SBOM document could register MIME types the currently known SBOM formats (SPDX-* and CycloneDX). Each have multiple serialization formats, so likely there are many to register. I'm not sure if the various groups have registered anything yet. There is an OCT.22 NTIA/SBOM meeting next week, and I'll bring this up. >> Should the MUD file contain a text description of what content-type(s) are >> available? Avoiding for now, any kind if enumeration, aiming just for >> human consumption? > I guess I would want to explore the use case a bit. Rose, Scott W. \(Fed\) <scott.rose=40nist.gov@dmarc.ietf.org> wrote: >> On 14 Oct 2020, at 21:41, Michael Richardson <mcr+ietf@sandelman.ca> wrote: mcr> Should the MUD file contain a text description of what content-type(s) are mcr> available? Avoiding for now, any kind if enumeration, aiming just for mcr> human consumption? eliot> I guess I would want to explore the use case a bit. scott> Might be helpful. The format would be helpful too but would scott> require a registry (and a process to add formats). Plus there may scott> end up being a lot of abandoned formats. My idea is that the MUD file would just have a textual description for now, no registry. If the format has a MIME type, it could say that, but the target audience is humans, not machines. That way, when you reach out with a list of Accept: headers and get nothing, one might have a clue why. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [OPSAWG] Fwd: New Version Notification for draft-… Eliot Lear
- Re: [OPSAWG] Fwd: New Version Notification for dr… Michael Richardson
- Re: [OPSAWG] New Version Notification for draft-l… Eliot Lear
- Re: [OPSAWG] New Version Notification for draft-l… Rose, Scott W. (Fed)
- [OPSAWG] definining a /.well-known value for an S… Michael Richardson