Re: [OPSAWG] [EXTERNAL SOURCE] [ntia-sbom-framing] Fw: Re: Fwd: ?? WG Adoption Call on draft-lear-opsawg-sbom-access-00

Eliot Lear <lear@cisco.com> Tue, 05 January 2021 16:12 UTC

Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 780243A10BE for <opsawg@ietfa.amsl.com>; Tue, 5 Jan 2021 08:12:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.972
X-Spam-Level:
X-Spam-Status: No, score=-9.972 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.373, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NFAw0vch3DsE for <opsawg@ietfa.amsl.com>; Tue, 5 Jan 2021 08:12:54 -0800 (PST)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 853583A1076 for <opsawg@ietf.org>; Tue, 5 Jan 2021 08:12:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=49459; q=dns/txt; s=iport; t=1609863172; x=1611072772; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=os1xrL/FfgIY6aCUccVSkShSKfX8LDrrKSsOkf1ix/k=; b=ElfKUnPuU54vDhq/4lwUUKF6KU6CvEasQqE7rTxvbUeSqze1AspH2CZC BYg0SrSlcXAdaxSIExSRh4Xgh1Fo4+lfNQmIcRtdGySuXjIRWyzvgAJyI qPJADgHYVcqQJmUwXzCqaUiMJTmTM5lpY5R3gJnb4esl/LGFkH5VcIjfE Q=;
X-Files: signature.asc : 488
X-IPAS-Result: =?us-ascii?q?A0A6CABIj/Rf/xbLJq1fAxwBAQEBAQEHAQESAQEEBAEBg?= =?us-ascii?q?g+BIwFSBoElVwEgEi6EP4kEiC4DgQWCEoRViD+JLXmBYwUEBwEBAQoDAQEYA?= =?us-ascii?q?QURBAEBgVWCMUQCgXAmOBMCAwEBAQMCAwEBAQEFAQEBAgEGBHGFYQyFcwEBA?= =?us-ascii?q?QMBAQEbBiYlCwUHBAkCBwcDAwEBAQEgAQIEAwICJx8JCAYTG4MLAYJmIA+TF?= =?us-ascii?q?psSdoEyhD8BAwIRD3OEXRCBOIFThQ+FTXpBggAmayccgiE1PoJdAQECARaBD?= =?us-ascii?q?AUBEgEHJhQBCwIIEYJRNIIsBIFLGw16KxAUDhYDCA4BAQIgLggDIBwzAwUFH?= =?us-ascii?q?wkBDAQBGDYRhW6JLwEcI4pfgR2KNDaRP4MAgyeBN4RMj0OCbwMfgymBLoh9h?= =?us-ascii?q?TKDQIwRkUaLX4F8kSwSGGKDbwIEBgUCFoFtI2ddDAczGggbFTsqAYI+CQorE?= =?us-ascii?q?hkNji0XFG4BAoJJhRSFRUADMAILCR4DAgYBCQEBAwmNLQEB?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,477,1599523200"; d="asc'?scan'208,217";a="29980601"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 05 Jan 2021 16:12:47 +0000
Received: from [10.61.200.230] ([10.61.200.230]) by aer-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 105GCidn023409 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 5 Jan 2021 16:12:47 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <F3FCEEF8-32C9-422F-8CBC-F00A21F0F0A9@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_64BCBE5F-71FC-4E81-8E55-82B776755903"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.40.0.2.32\))
Date: Tue, 5 Jan 2021 17:12:43 +0100
In-Reply-To: <CANRyRchM=GT-2dqUa9cAY7j2ickUYh7XaQ2fP2_9imxw99th-A@mail.gmail.com>
Cc: Dick Brooks <dick@reliableenergyanalytics.com>, Christopher Gates <chris.gates@velentium.com>, opsawg@ietf.org, ntia-sbom-framing@cert.org
To: Tony Turner <tturner@fortressinfosec.com>
References: <ema9be735c-1725-4ceb-8ca1-bc90f895f94e@vwdl7400-36262r2> <27fb01d6e37a$b376a220$1a63e660$@reliableenergyanalytics.com> <E1A6BF55-6E1C-42EF-BB7C-7FEF43D5A362@cisco.com> <283501d6e37b$344d1dc0$9ce75940$@reliableenergyanalytics.com> <CANRyRchM=GT-2dqUa9cAY7j2ickUYh7XaQ2fP2_9imxw99th-A@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.40.0.2.32)
X-Outbound-SMTP-Client: 10.61.200.230, [10.61.200.230]
X-Outbound-Node: aer-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/lxerUo6uN5Kufh-ncTmTut2txkw>
Subject: Re: [OPSAWG] [EXTERNAL SOURCE] [ntia-sbom-framing] Fw: Re: Fwd: ?? WG Adoption Call on draft-lear-opsawg-sbom-access-00
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 16:13:02 -0000

Thanks, Tony.

What we’ll to make clear is how to know what to retrieve.  HTTP has a pretty good interface for that with media types, and you can match that with an Accepts: header, if one really wants to (my guess is that the tooling will want to take on the burden of implementing both, and the suppliers will just provide what they have, at least for a while.

Eliot

> On 5 Jan 2021, at 17:01, Tony Turner <tturner@fortressinfosec.com> wrote:
> 
> I think you have to support both and have ability to map between the two if you want to have any hope of interoperability because the standards universe here is very fragmented. I see more appsec products supporting CycloneDX while I see more software providers supporting SPDX. And then multiple other providers doing their own proprietary thing, either a variation of SPDX or something entirely new. Some SBOMs I see are nothing more than a software (not component) inventory as discovered on disk, or just a basic table with supplier, component, version.
> 
> On Tue, Jan 5, 2021 at 10:56 AM Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com>> wrote:
> I would support having both SPDX and CycloneDX. Both have proven viable in my testing.
> 
> 
> 
> Thanks,
> 
> 
> 
> Dick Brooks
> 
> <image001.jpg>
> 
> Never trust software, always verify and report! <https://reliableenergyanalytics.com/products> ™
> 
> http://www.reliableenergyanalytics.com <http://www.reliableenergyanalytics.com/>
> Email: dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com>
> Tel: +1 978-696-1788
> 
> 
> 
> From: Eliot Lear <lear@cisco.com <mailto:lear@cisco.com>>
> Sent: Tuesday, January 05, 2021 10:53 AM
> To: Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com>>
> Cc: Christopher Gates <chris.gates@velentium.com <mailto:chris.gates@velentium.com>>; opsawg@ietf.org <mailto:opsawg@ietf.org>; ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>
> Subject: Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
> 
> 
> 
> Ok.  Should I add something for CycloneDX?
> 
> 
> 
> Eliot
> 
> 
> 
> 
> On 5 Jan 2021, at 16:51, Dick Brooks <dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com>> wrote:
> 
> 
> 
> I concur with Chris. I’ve heard reports of people trying to use SWID to communicate SBOM information and they are having to make some “brave” assumptions in the process.  SPDX and CycloneDX seem  to be the only viable SBOM formats, based on my testing experience with both formats.
> 
> 
> 
> There remain several issues on naming and identification conventions. A lot of the challenges I’ve experienced could be addressed if NIST NVD and NTIA SBOM parties could reach an agreement on how names/identifiers will be represented in their respective domains. It would only require a few elements to be agreed to, like Publisher name, Product name and Version identifier to make an impactful improvement in vulnerability search results, using SBOM data as inputs.
> 
> 
> 
> Thanks,
> 
> 
> 
> Dick Brooks
> 
> <image001.jpg>
> 
> Never trust software, always verify and report! <https://reliableenergyanalytics.com/products> ™
> 
> http://www.reliableenergyanalytics.com <http://www.reliableenergyanalytics.com/>
> Email: dick@reliableenergyanalytics.com <mailto:dick@reliableenergyanalytics.com>
> Tel: +1 978-696-1788
> 
> 
> 
> From: OPSAWG <opsawg-bounces@ietf.org <mailto:opsawg-bounces@ietf.org>> On Behalf Of Christopher Gates
> Sent: Tuesday, January 05, 2021 10:27 AM
> To: opsawg@ietf.org <mailto:opsawg@ietf.org>
> Subject: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
> 
> 
> 
> 
> 
> ------ Forwarded Message ------
> 
> From: "Christopher Gates" <chris.gates@velentium.com <mailto:chris.gates@velentium.com>>
> 
> To: "Eliot Lear" <lear@cisco.com <mailto:lear@cisco.com>>; "ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>" <ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>>
> 
> Sent: 1/4/2021 2:48:51 PM
> 
> Subject: Re: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
> 
> 
> 
> Eliot,
> 
> 
> 
> I joined the IETF WG, and I have some feedback....
> 
> 
> 
> <image002.png>
> 
> A "SWID tag" isn't an SBOM format, as stated here. It is an element inside of an SBOM.
> 
> Since we have removed SWID as a format we in the "NTIA SBOM WG are supporting for SBOM use, shouldn't this reference be removed from the IETF draft as well?
> 
> 
> 
> 
> 
> Also, I still think that creating a Bluetooth Low Energy SBOM Adopted Profile (via the Bluetooth SIG) that is harmonized with this would be a good thing:
> 
> <image003.png>
> 
> 
> 
> Due the the low bandwidth of BLE we wouldn't attempt to provide the SBOM via BLE, just the link to a URI that can deliver the SBOM.
> 
> It would create a standardized UUID (16 bit) for the SBOM Adopted Profile, and have a consistent set of characteristics being exposed via BLE.
> 
> This is exactly how an Adopted Profile is supposed to be defined and utilized.
> 
> 
> 
> 
> 
> Christopher Gates
> 
> --------------------------------
> 
> Director of Product Security
> 
> www.velentium.com <http://www.velentium.com/>
> (805)750-0171
> 
> 520 Courtney Way Suite 110
> 
> Lafayette CO. 80026
> 
> (GMT-7)
> 
> 
> 
> Our new book is now shipping:
> 
> Medical Device Cybersecurity for Engineers and Manufacturers
> 
> U.S. <https://us.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2128.aspx> | Worldwide <https://uk.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2073.aspx>
> Amazon <https://www.amazon.com/Medical-Device-Cybersecurity-Engineers-Manufacturers/dp/1630818151/ref=sr_1_1?dchild=1&keywords=Axel+Wirth&qid=1592335625&sr=8-1>& Digital <https://us.artechhouse.com/Medical-Device-Cybersecurity-for-Engineers-and-Manufacturers-P2174.aspx>
> Security Book Of The Year! <https://engineering.tapad.com/the-best-information-security-books-of-2020-e7430444fbd4>
> 
> 
> “If everyone is thinking alike, then somebody isn't thinking.” -George S. Patton
> 
> "Facts are stubborn things."  -John Adams, 1770
> 
> 
> 
> ------ Original Message ------
> 
> From: "Eliot Lear via ntia-sbom-framing" <ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>>
> 
> To: ntia-sbom-framing@cert.org <mailto:ntia-sbom-framing@cert.org>
> Sent: 1/4/2021 9:57:22 AM
> 
> Subject: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
> 
> 
> 
> FYI- this is your opportunity to contribute to the IETF.  If you think sharing of SBOMs is important, this is a starting point for the IETF to begin work on that aspect, not an end point.  Please feel free to contribute by joining the opsawg IETF list at https://www.ietf.org/mailman/listinfo/opsawg <https://www.ietf.org/mailman/listinfo/opsawg>.
> 
> 
> 
> Eliot
> 
> 
> 
> 
> 
> Begin forwarded message:
> 
> 
> 
> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>>
> 
> Subject: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00
> 
> Date: 4 January 2021 at 17:10:19 CET
> 
> To: opsawg <opsawg@ietf.org <mailto:opsawg@ietf.org>>
> 
> 
> 
> Dear OPSAWG members,
> 
> this starts a call for Working Group Adoption on https://tools.ietf.org/html/draft-lear-opsawg-sbom-access-00 <https://tools.ietf.org/html/draft-lear-opsawg-sbom-access-00> ending on Monday, January 25.
> 
> As a reminder, this I-D describes different ways to acquire Software Bills of Material (SBOM) about distinguishable managed entities. The work was updated by the authors on October 13th and now elaborates on three ways SBOM can be found, including a MUD URI as one of the options.
> 
> Please reply with your support and especially any substantive comments you may have.
> 
> 
> For the OPSAWG co-chairs,
> 
> Henk
> 
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org <mailto:OPSAWG@ietf.org>
> https://www.ietf.org/mailman/listinfo/opsawg <https://www.ietf.org/mailman/listinfo/opsawg>
> 
> 
> 
> Disclaimer: The information and attachments transmitted by this e-mail are proprietary to Velentium, LLC and the information and attachments may be confidential and legally protected under applicable law and are intended for use only by the individual or entity to whom it was addressed. If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message and attachments is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and delete this message from your system immediately hereafter.
> 
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org <mailto:OPSAWG@ietf.org>
> https://www.ietf.org/mailman/listinfo/opsawg <https://www.ietf.org/mailman/listinfo/opsawg>
> 
> 
> 
> 
> --
> Tony Turner
> VP, Security Solutions
> Fortress Information Security
> Cell  321-634-4886 Main 855.FORTRESS
> 189 S. Orange Ave., Suite 1950, Orlando, FL 32801
> fortressinfosec.com <http://fortressinfosec.com/>
> CONFIDENTIAL:
> 
> The information transmitted is intended only for the person or entity to which it is addressed. The content may contain confidential and/or privileged material, and it may be reviewed and logged for archival purposes by parties at Fortress Information Security other than those named in the message header. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.