Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: ?? WG Adoption Call on draft-lear-opsawg-sbom-access-00

Dick Brooks <dick@reliableenergyanalytics.com> Tue, 05 January 2021 20:05 UTC

Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFBC73A11A4 for <opsawg@ietfa.amsl.com>; Tue, 5 Jan 2021 12:05:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.618
X-Spam-Level:
X-Spam-Status: No, score=-2.618 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V2jBTAdKR3IW for <opsawg@ietfa.amsl.com>; Tue, 5 Jan 2021 12:05:24 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E26773A119B for <opsawg@ietf.org>; Tue, 5 Jan 2021 12:05:23 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 1AA475C011D; Tue, 5 Jan 2021 15:05:23 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Tue, 05 Jan 2021 15:05:23 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=BVgZww8oT+6iPpGVYNEW/NVnU+snaJZQyAQwqmgw7 ts=; b=oWweR49ZSYJUwWHgI+cl6MlnMJ7KYV5WWsFEaQiP+Ites32w7YJSrfqlR Uug8yD1Sd/7vd7SOSOKlLppD9t51JpG7ByxmqWxinRQ0jIYSZ6ZUQu/OWAx82G4/ jGR9gieuiRZ9sH7swDGZYy/3J3GNAbTkRY8pbCNQoeQj03s+lCtbAXZbnCpTzUs4 3nASpk3tnip+qSr+kdMQmiXqpSDCa84KIsPqcxvZKTaHuK1uMmdP9shkbYusKcH/ GMafwD1bVeVUwiNaUw/pFwQmJK1Pxpx0Jf1tZGPk9kx+yHc1yYnVg0NnHSLdUnef yr4eGddcf0lJEcQyC6xn4CKy92bPg==
X-ME-Sender: <xms:gsb0X76JqClxsdXaMKfrmFX_vATgp3RicyOA-GasmGrq7jrgf0mDMQ> <xme:gsb0X0JiKRyx7qW0VX6YIYsszIZd4tHQhvR_E7rmnZFqVkxVBPvv6ZsfvzsGQvx0S APgaXLrry7EF7lcwQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrvdefjedgleejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdlqdehmdenucfjughrpefhvfhfjgfuffhokfggtgfgofhtsehtqhhg tddvtdejnecuhfhrohhmpedfffhitghkuceurhhoohhkshdfuceoughitghksehrvghlih grsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhmqeenucggtffrrghtthgvrhhn peeiheeifefhhedtfeevueeiheelieeviedvgeeutdehjedvuedtheelhedutdegtdenuc ffohhmrghinhepihgrnhgrrdhorhhgpdhrvghlihgrsghlvggvnhgvrhhghigrnhgrlhih thhitghsrdgtohhmnecukfhppedvudeirdduleefrddugedvrddvvdenucevlhhushhtvg hrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpeguihgtkhesrhgvlhhirggs lhgvvghnvghrghihrghnrghlhihtihgtshdrtghomh
X-ME-Proxy: <xmx:gsb0X76liOXvD21JXUqgqiMW5Y_lt9clV2y5q7n2mVSSMACD7yTKuQ> <xmx:gsb0X3zBoHnDnYlTdhHumXgNiy8t30-cn4sEoHH5ZzYJ2M1v7YkHAA> <xmx:gsb0X_ZKKSi7u-hNWHjqK1wdOMJg8bP90HDndDaBAfgdoaZevd20gA> <xmx:g8b0X2DyPEQlKTn-ArX9vs_ftr2SYvmlA7Hw8N-6uBc2PwAT8dEspA>
Received: from farpoint (unknown [216.193.142.22]) by mail.messagingengine.com (Postfix) with ESMTPA id 4BA03240062; Tue, 5 Jan 2021 15:05:22 -0500 (EST)
From: "Dick Brooks" <dick@reliableenergyanalytics.com>
To: "'Henk Birkholz'" <henk.birkholz@sit.fraunhofer.de>, "'Christopher Gates'" <chris.gates@velentium.com>, <opsawg@ietf.org>
Cc: "'Friedman, Allan'" <AFriedman@ntia.gov>
References: <ema9be735c-1725-4ceb-8ca1-bc90f895f94e@vwdl7400-36262r2> <27fb01d6e37a$b376a220$1a63e660$@reliableenergyanalytics.com> <1e773120-371c-e4e3-77fb-f2591f9b9abb@sit.fraunhofer.de> <2c3201d6e395$9274f8e0$b75eeaa0$@reliableenergyanalytics.com> <a1fe747e-6773-5b52-d88b-dfaeb03c991d@sit.fraunhofer.de> <2cde01d6e39c$d88904f0$899b0ed0$@reliableenergyanalytics.com>
In-Reply-To: <2cde01d6e39c$d88904f0$899b0ed0$@reliableenergyanalytics.com>
Date: Tue, 5 Jan 2021 15:05:19 -0500
Organization: Reliable Energy Analytics LLC
Message-ID: <2d1d01d6e39e$1916f080$4b44d180$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQH8bkPotrER+eOFupHvNH45exmtUQFhtqqOAp/6ER4CxHLCnAIBX7itAdxl5RmpeT+nkA==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/f96mBBj3zfVvuIMMSJhYkwOlAYc>
Subject: Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: ?? WG Adoption Call on draft-lear-opsawg-sbom-access-00
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 20:05:27 -0000

Spdx has a registered MIME type, but CycloneDX doesn't appear to have one.

https://www.iana.org/assignments/media-types/text/spdx


Thanks,

Dick Brooks

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Dick Brooks
Sent: Tuesday, January 05, 2021 2:56 PM
To: 'Henk Birkholz' <henk.birkholz@sit.fraunhofer.de>de>; 'Christopher Gates' <chris.gates@velentium.com>om>; opsawg@ietf.org
Cc: 'Friedman, Allan' <AFriedman@ntia.gov>
Subject: Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: ?? WG Adoption Call on draft-lear-opsawg-sbom-access-00

I agree, Henk. I don't know if there are registered MIME content types for spdx and cycloneDX. With RFC 1767, Dave Crocker took care of registering the EDI MIME content types. 

Thanks,

Dick Brooks

Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Sent: Tuesday, January 05, 2021 2:20 PM
To: Dick Brooks <dick@reliableenergyanalytics.com>om>; 'Christopher Gates' <chris.gates@velentium.com>om>; opsawg@ietf.org
Cc: 'Friedman, Allan' <AFriedman@ntia.gov>
Subject: Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Hi Dick,

exactly. Now it seems to me, there might be some dependencies on "sbom type definitions" here.

What now springs to my mind are the questions: If there are media-types or corresponding content-formats required to be expressed in headers in order to make this work, (1) where are these specified and (2) where are these expected be registered?

Viele Grüße,

Henk

On 05.01.21 20:04, Dick Brooks wrote:
> Thanks, Henk, you raise a good question. I guess it depends:
> 
> If the goal is to ensure interoperability of SBOM data communicated via an OPSWAG solution, that only exchanges SBOM's then I would imagine that we would need to define which SBOM payloads are supported, to ensure interoperability. If the intent of OPSWAG is to send any type of payload labelled as "SBOM content" with mutually agreed to payloads, then I would agree with you. I view this "tell them what is in the package", very similar to how S/MIME works. For example, when I worked in RFC 1767, EDI over the Internet, we assigned different S/MIME content types for the different type of EDI payloads that could be exchanged (and parsed),  one of the options is "consent". Maybe OPSWAG should include something similar.
> 
> I refer you to this section in the I-D:
> 
> 1.2.  SBOM formats
> 
>     There are multiple ways to express an SBOM.  When these are retrieved
>     either directly from the device or directly from a web server, "tools
>     will need to observe the content-type header to determine precisely
>     which format is being transmitted".  Because IoT devices in particular
>     have limited capabilities, use of a specific Accept: header in HTTP
>     or the Accept Option in CoAP is NOT RECOMMENDED.  Instead, backend
>     tooling MUST silently discard SBOM information sent with a media type
>     that is not understood.
> 
> 
> Thanks,
> 
> Dick Brooks
> 
> Never trust software, always verify and report! ™ 
> http://www.reliableenergyanalytics.com
> Email: dick@reliableenergyanalytics.com
> Tel: +1 978-696-1788
> 
> -----Original Message-----
> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> Sent: Tuesday, January 05, 2021 1:22 PM
> To: Dick Brooks <dick@reliableenergyanalytics.com>om>; 'Christopher 
> Gates' <chris.gates@velentium.com>om>; opsawg@ietf.org
> Cc: Friedman, Allan <AFriedman@ntia.gov>
> Subject: Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption 
> Call on draft-lear-opsawg-sbom-access-00
> 
> Hi Dick,
> 
> this is Henk with no hats on.
> 
> I am not sure how useful it is to make "formats" an exclusive list here.
> Following the evolution of SBOM work in NTIA (and in extension in 
> CISQ), it seems to me that the focus starts to move into the direction 
> of information models first and that actual
> format(/serializations/encodings) are starting to be step two.
> 
> Certainly, SWID semantics are only in the scope of the artifact domain and don't cover the defects domain and only some of the chains of provenance domain. That is why stand-alone SWID are rather minimal SBOM (just a list of (intended) artifacts).
> 
> In any case, I was under the impression that the I-D is format agnostic and that the references are expositional. Is that maybe an underlying point to discuss here?
> 
> Viele Grüße,
> 
> Henk
> 
> 
> On 05.01.21 16:51, Dick Brooks wrote:
>> I concur with Chris. I’ve heard reports of people trying to use SWID 
>> to communicate SBOM information and they are having to make some “brave”
>> assumptions in the process.  SPDX and CycloneDX seem  to be the only 
>> viable SBOM formats, based on my testing experience with both formats.
>>
>> There remain several issues on naming and identification conventions.
>> A lot of the challenges I’ve experienced could be addressed if NIST 
>> NVD and NTIA SBOM parties could reach an agreement on how 
>> names/identifiers will be represented in their respective domains. It 
>> would only require a few elements to be agreed to, like Publisher 
>> name, Product name and Version identifier to make an impactful 
>> improvement in vulnerability search results, using SBOM data as inputs.
>>
>> Thanks,
>>
>> Dick Brooks
>>
>> */Never trust software, always verify and report!
>> <https://reliableenergyanalytics.com/products>/* ™
>>
>> http://www.reliableenergyanalytics.com
>> <http://www.reliableenergyanalytics.com/>
>>
>> Email: dick@reliableenergyanalytics.com 
>> <mailto:dick@reliableenergyanalytics.com>
>>
>> Tel: +1 978-696-1788
>>
>> *From:* OPSAWG <opsawg-bounces@ietf.org> *On Behalf Of *Christopher 
>> Gates
>> *Sent:* Tuesday, January 05, 2021 10:27 AM
>> *To:* opsawg@ietf.org
>> *Subject:* [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption 
>> Call on draft-lear-opsawg-sbom-access-00
>>
>> ------ Forwarded Message ------
>>
>> From: "Christopher Gates" <chris.gates@velentium.com 
>> <mailto:chris.gates@velentium.com>>
>>
>> To: "Eliot Lear" <lear@cisco.com <mailto:lear@cisco.com>>; 
>> "ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>"
>> <ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>>
>>
>> Sent: 1/4/2021 2:48:51 PM
>>
>> Subject: Re: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔WG Adoption Call on
>> draft-lear-opsawg-sbom-access-00
>>
>>      Eliot,
>>
>>      I joined the IETF WG, and I have some feedback....
>>
>>      A "SWID tag" isn't an SBOM format, as stated here. It is an element
>>      inside of an SBOM.
>>
>>      Since we have removed SWID as a format we in the "NTIA SBOM WG are
>>      supporting for SBOM use, shouldn't this reference be removed from
>>      the IETF draft as well?
>>
>>      Also, I still think that creating a Bluetooth Low Energy SBOM
>>      Adopted Profile (via the Bluetooth SIG) that is harmonized with
>>      this would be a good thing:
>>
>>      Due the the low bandwidth of BLE we wouldn't attempt to provide the
>>      SBOM via BLE, just the link to a URI that can deliver the SBOM.
>>
>>      It would create a standardized UUID (16 bit) for the SBOM Adopted
>>      Profile, and have a consistent set of characteristics being exposed
>>      via BLE.
>>
>>      This is exactly how an Adopted Profile is supposed to be defined and
>>      utilized.
>>
>>      Christopher Gates
>>
>>      --------------------------------
>>
>>      Director of Product Security
>>
>>      www.velentium.com <http://www.velentium.com/>
>>
>>      (805)750-0171
>>
>>      520 Courtney Way Suite 110
>>
>>      Lafayette CO. 80026
>>
>>      (GMT-7)
>>
>>      Our new book is now shipping:
>>
>>      /Medical Device Cybersecurity for Engineers and Manufacturers/
>>
>>      U.S.
>>      <https://us.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2128.aspx> |
>>      Worldwide
>>      
>> <https://uk.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-
>> E ngineers-and-Manufacturers-P2073.aspx>
>>
>>      Amazon
>>      <https://www.amazon.com/Medical-Device-Cybersecurity-Engineers-Manufacturers/dp/1630818151/ref=sr_1_1?dchild=1&keywords=Axel+Wirth&qid=1592335625&sr=8-1>&
>>      Digital
>>      
>> <https://us.artechhouse.com/Medical-Device-Cybersecurity-for-Engineer
>> s
>> -and-Manufacturers-P2174.aspx>
>>
>>      Security Book Of The Year!
>>      
>> <https://engineering.tapad.com/the-best-information-security-books-of
>> -
>> 2020-e7430444fbd4>
>>
>>      “If everyone is thinking alike, then somebody isn't thinking.”
>>      -George S. Patton
>>
>>      "Facts are stubborn things."  -John Adams, 1770
>>
>>      ------ Original Message ------
>>
>>      From: "Eliot Lear via ntia-sbom-framing" <ntia-sbom-framing@cert.org
>>      <mailto:ntia-sbom-framing@cert.org>>
>>
>>      To: ntia-sbom-framing@cert.org
>> <mailto:ntia-sbom-framing@cert.org>
>>
>>      Sent: 1/4/2021 9:57:22 AM
>>
>>      Subject: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔WG Adoption Call on
>>      draft-lear-opsawg-sbom-access-00
>>
>>          FYI- this is your opportunity to contribute to the IETF.  If you
>>          think sharing of SBOMs is important, this is a *starting
>>          point* for the IETF to begin work on that aspect, not an end
>>          point.  Please feel free to contribute by joining the opsawg
>>          IETF list at https://www.ietf.org/mailman/listinfo/opsawg.
>>
>>          Eliot
>>
>>
>>
>>              Begin forwarded message:
>>
>>              *From: *Henk Birkholz <henk.birkholz@sit.fraunhofer.de
>>              <mailto:henk.birkholz@sit.fraunhofer.de>>
>>
>>              *Subject: [OPSAWG] **🔔**WG Adoption Call on
>>              draft-lear-opsawg-sbom-access-00*
>>
>>              *Date: *4 January 2021 at 17:10:19 CET
>>
>>              *To: *opsawg <opsawg@ietf.org <mailto:opsawg@ietf.org>>
>>
>>              Dear OPSAWG members,
>>
>>              this starts a call for Working Group Adoption on
>>              https://tools.ietf.org/html/draft-lear-opsawg-sbom-access-00
>>              ending on Monday, January 25.
>>
>>              As a reminder, this I-D describes different ways to acquire
>>              Software Bills of Material (SBOM) about distinguishable
>>              managed entities. The work was updated by the authors on
>>              October 13th and now elaborates on three ways SBOM can be
>>              found, including a MUD URI as one of the options.
>>
>>              Please reply with your support and especially any
>>              substantive comments you may have.
>>
>>
>>              For the OPSAWG co-chairs,
>>
>>              Henk
>>
>>              _______________________________________________
>>              OPSAWG mailing list
>>              OPSAWG@ietf.org <mailto:OPSAWG@ietf.org>
>>              https://www.ietf.org/mailman/listinfo/opsawg
>>
>>
>> Disclaimer: The information and attachments transmitted by this 
>> e-mail are proprietary to Velentium, LLC and the information and 
>> attachments may be confidential and legally protected under 
>> applicable law and are intended for use only by the individual or 
>> entity to whom it was addressed. If you are not the intended 
>> recipient, you are hereby notified that any use, forwarding, 
>> dissemination, or reproduction of this message and attachments is strictly prohibited and may be unlawful.
>> If you are not the intended recipient, please contact the sender by 
>> return e-mail and delete this message from your system immediately 
>> hereafter.
>>
>>
>> _______________________________________________
>> OPSAWG mailing list
>> OPSAWG@ietf.org
>> https://www.ietf.org/mailman/listinfo/opsawg
>>
> 

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg