[OPSAWG] Éric Vyncke's Yes on draft-ietf-opsawg-sbom-access-15: (with COMMENT)

Éric Vyncke via Datatracker <noreply@ietf.org> Mon, 24 April 2023 08:53 UTC


Éric Vyncke has entered the following ballot position for
draft-ietf-opsawg-sbom-access-15: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for the work put into this document.

Please find below some non-blocking COMMENT points (but replies would be
appreciated even if only for my own education).

Special thanks to Win Wu for the shepherd's detailed write-up including the WG
consensus and the justification of the intended status.

I hope that this review helps to improve the document,

Regards,

-éric

# COMMENTS (non-blocking)

## 'transparency' vs. 'sbom'

This is probably due to historical reasons, but I find it strange to have the
YANG module named 'transparency' while this term does not appear in the
abstract.

## Abstract

I am not a native English speaker, so I am probably outside of my expertise
here, but:

* `automation is necessary to locate what software is running`: should 'to identify' or 'to list' be better?
* `to provide the locations of software bills of materials (SBOMS) and to vulnerability information.`: is there a verb missing between 'to' and 'vulnerability'? I must admit that I cannot parse this sentence.

## Section 1

`we seek` who is the 'we' ?

s/the model is a discovery mechanism/the model can be used as a discovery
mechanism/ ? I.e., how can a model be a mechanism ?

In `report to administrators the state of a system.` "state" is rather vague,
can the state be qualified ? I.e., "security state" ?

In the introduction of the 3 methods, the 2nd one (URI) is the only one having
a normative MUST. Is it on purpose that the two other methods do not have
normative language ?

## Section 6

`the endpoint SHOULD NOT provide unrestricted access by default` this is indeed
a key point as the SBOM can also be viewed as the list of open doors to the
device. I am really unsure how to fix this problem at all...

I would also wish to have a means to keep the SBOM information available for
years even after manufacturer bankruptcy ...