Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Tue, 05 January 2021 18:22 UTC

To: Dick Brooks <dick@reliableenergyanalytics.com>, 'Christopher Gates' <chris.gates@velentium.com>, <opsawg@ietf.org>
References: <ema9be735c-1725-4ceb-8ca1-bc90f895f94e@vwdl7400-36262r2> <27fb01d6e37a$b376a220$1a63e660$@reliableenergyanalytics.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
CC: "Friedman, Allan" <AFriedman@ntia.gov>
Message-ID: <1e773120-371c-e4e3-77fb-f2591f9b9abb@sit.fraunhofer.de>
Date: Tue, 5 Jan 2021 19:21:56 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/qSz4HHZv3zttzCE2sN0OSglAb1k>
Subject: Re: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Hi Dick,

this is Henk with no hats on.

I am not sure how useful it is to make "formats" an exclusive list here. 
Following the evolution of SBOM work in NTIA (and by extension in CISQ), 
it seems to me that the focus is starting to move in the direction of 
information models first, with actual formats 
(serializations/encodings) becoming step two.

Certainly, SWID semantics are only in the scope of the artifact domain 
and don't cover the defects domain, and only some of the chain of 
provenance domain. That is why stand-alone SWID tags are rather minimal 
SBOMs (just a list of (intended) artifacts).

In any case, I was under the impression that the I-D is format agnostic 
and that the references are expositional. Is that maybe an underlying 
point to discuss here?

Kind regards,

Henk


On 05.01.21 16:51, Dick Brooks wrote:
> I concur with Chris. I’ve heard reports of people trying to use SWID to 
> communicate SBOM information and they are having to make some “brave” 
> assumptions in the process. SPDX and CycloneDX seem to be the only 
> viable SBOM formats, based on my testing experience with both formats.
> 
> There remain several issues on naming and identification conventions. A 
> lot of the challenges I’ve experienced could be addressed if NIST NVD 
> and NTIA SBOM parties could reach an agreement on how names/identifiers 
> will be represented in their respective domains. It would only require a 
> few elements to be agreed to, like Publisher name, Product name and 
> Version identifier to make an impactful improvement in vulnerability 
> search results, using SBOM data as inputs.
> 
> Thanks,
> 
> Dick Brooks
> 
> Never trust software, always verify and report! ™
> <https://reliableenergyanalytics.com/products>
> 
> http://www.reliableenergyanalytics.com/
> 
> Email: dick@reliableenergyanalytics.com
> 
> Tel: +1 978-696-1788
> 
> From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Christopher Gates
> Sent: Tuesday, January 05, 2021 10:27 AM
> To: opsawg@ietf.org
> Subject: [OPSAWG] Fw: Re: [ntia-sbom-framing] Fwd: 🔔 WG Adoption Call 
> on draft-lear-opsawg-sbom-access-00
> 
> ------ Forwarded Message ------
> 
> From: "Christopher Gates" <chris.gates@velentium.com>
> 
> To: "Eliot Lear" <lear@cisco.com>; 
> "ntia-sbom-framing@cert.org" <ntia-sbom-framing@cert.org>
> 
> Sent: 1/4/2021 2:48:51 PM
> 
> Subject: Re: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔WG Adoption Call on 
> draft-lear-opsawg-sbom-access-00
> 
>     Eliot,
> 
>     I joined the IETF WG, and I have some feedback....
> 
>     A "SWID tag" isn't an SBOM format, as stated here. It is an element
>     inside of an SBOM.
> 
>     Since we have removed SWID as a format that we in the NTIA SBOM WG
>     are supporting for SBOM use, shouldn't this reference be removed
>     from the IETF draft as well?
> 
>     Also, I still think that creating a Bluetooth Low Energy SBOM
>     Adopted Profile (via the Bluetooth SIG) that is harmonized with
>     this would be a good thing:
> 
>     Due to the low bandwidth of BLE we wouldn't attempt to provide the
>     SBOM via BLE, just the link to a URI that can deliver the SBOM.
> 
>     It would create a standardized UUID (16 bit) for the SBOM Adopted
>     Profile, and have a consistent set of characteristics being exposed
>     via BLE.
> 
>     This is exactly how an Adopted Profile is supposed to be defined and
>     utilized.
> 
>     Christopher Gates
> 
>     --------------------------------
> 
>     Director of Product Security
> 
>     www.velentium.com
> 
>     (805)750-0171
> 
>     520 Courtney Way Suite 110
> 
>     Lafayette CO. 80026
> 
>     (GMT-7)
> 
>     Our new book is now shipping:
> 
>     Medical Device Cybersecurity for Engineers and Manufacturers
> 
>     U.S. <https://us.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2128.aspx> |
>     Worldwide <https://uk.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2073.aspx>
> 
>     Amazon <https://www.amazon.com/Medical-Device-Cybersecurity-Engineers-Manufacturers/dp/1630818151/ref=sr_1_1?dchild=1&keywords=Axel+Wirth&qid=1592335625&sr=8-1> &
>     Digital <https://us.artechhouse.com/Medical-Device-Cybersecurity-for-Engineers-and-Manufacturers-P2174.aspx>
> 
>     Security Book Of The Year!
>     <https://engineering.tapad.com/the-best-information-security-books-of-2020-e7430444fbd4>
> 
>     “If everyone is thinking alike, then somebody isn't thinking.”
>     -George S. Patton
> 
>     "Facts are stubborn things."  -John Adams, 1770
> 
>     ------ Original Message ------
> 
>     From: "Eliot Lear via ntia-sbom-framing" <ntia-sbom-framing@cert.org>
> 
>     To: ntia-sbom-framing@cert.org
> 
>     Sent: 1/4/2021 9:57:22 AM
> 
>     Subject: [ntia-sbom-framing] Fwd: [OPSAWG] 🔔WG Adoption Call on
>     draft-lear-opsawg-sbom-access-00
> 
>         FYI- this is your opportunity to contribute to the IETF.  If you
>         think sharing of SBOMs is important, this is a *starting
>         point* for the IETF to begin work on that aspect, not an end
>         point.  Please feel free to contribute by joining the opsawg
>         IETF list at https://www.ietf.org/mailman/listinfo/opsawg.
> 
>         Eliot
> 
> 
> 
>             Begin forwarded message:
> 
>             From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> 
>             Subject: [OPSAWG] 🔔 WG Adoption Call on
>             draft-lear-opsawg-sbom-access-00
> 
>             Date: 4 January 2021 at 17:10:19 CET
> 
>             To: opsawg <opsawg@ietf.org>
> 
>             Dear OPSAWG members,
> 
>             this starts a call for Working Group Adoption on
>             https://tools.ietf.org/html/draft-lear-opsawg-sbom-access-00
>             ending on Monday, January 25.
> 
>             As a reminder, this I-D describes different ways to acquire
>             Software Bills of Materials (SBOM) about distinguishable
>             managed entities. The work was updated by the authors on
>             October 13th and now elaborates on three ways an SBOM can be
>             found, including a MUD URI as one of the options.
> 
>             Please reply with your support and especially any
>             substantive comments you may have.
> 
> 
>             For the OPSAWG co-chairs,
> 
>             Henk
> 
>             _______________________________________________
>             OPSAWG mailing list
>             OPSAWG@ietf.org
>             https://www.ietf.org/mailman/listinfo/opsawg
> 
> 
> Disclaimer: The information and attachments transmitted by this e-mail 
> are proprietary to Velentium, LLC and the information and attachments 
> may be confidential and legally protected under applicable law and are 
> intended for use only by the individual or entity to whom it was 
> addressed. If you are not the intended recipient, you are hereby 
> notified that any use, forwarding, dissemination, or reproduction of 
> this message and attachments is strictly prohibited and may be unlawful. 
> If you are not the intended recipient, please contact the sender by 
> return e-mail and delete this message from your system immediately 
> hereafter.
> 
> 
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>
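Added example (not code from the draft, from NTIA, or from anyone on this thread) illustrating two points made above: Henk's remark that the information model comes first and the serialization second, with a stand-alone SWID tag yielding only a minimal artifact list, and Dick's point that using SBOM data as input to vulnerability search hinges on agreeing how Publisher, Product and Version are written. It assumes the ISO/IEC 19770-2:2015 SWID XML namespace and CycloneDX 1.2 JSON component field names; the SWID tag, the CycloneDX BOM and the advisory feed are constructed inline, and the ADV-* identifiers are placeholders, not real CVEs.

```python
"""Format-agnostic SBOM ingestion plus NVD-style name matching (added example)."""
from __future__ import annotations

import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed: ISO/IEC 19770-2:2015 namespace used by SWID tags.
SWID_NS = "{http://standards.iso.org/iso/19770/-2/2015/schema.xsd}"


@dataclass(frozen=True)
class Component:
    """Minimal information model shared by every serialization below."""
    supplier: str          # publisher / vendor string as written in the SBOM
    name: str
    version: str
    cpe: str = ""          # filled only when the producer already supplied a CPE


def components_from_swid(xml_text: str) -> list[Component]:
    """A stand-alone SWID tag describes one product (plus payload files); it
    carries no defect or provenance data, so only the artifact comes out."""
    root = ET.fromstring(xml_text)
    supplier = ""
    for ent in root.iter(SWID_NS + "Entity"):
        if "softwareCreator" in ent.get("role", "").split():
            supplier = ent.get("name", "")
    return [Component(supplier, root.get("name", ""), root.get("version", ""))]


def components_from_cyclonedx(json_text: str) -> list[Component]:
    """CycloneDX 1.2 JSON: publisher/name/version and an optional cpe per component."""
    bom = json.loads(json_text)
    return [Component(c.get("publisher", ""), c["name"], c.get("version", ""), c.get("cpe", ""))
            for c in bom.get("components", [])]


_LEGAL_SUFFIX = re.compile(r"\b(corp(oration)?|inc|llc|ltd|gmbh)\b\.?")


def norm(s: str) -> str:
    """'ACME Corp.' -> 'acme', 'lib-RR' -> 'librr': a stand-in heuristic for the
    naming agreement between SBOM producers and the NVD that does not yet exist."""
    return re.sub(r"[^a-z0-9]+", "", _LEGAL_SUFFIX.sub("", s.lower()))


def norm_version(v: str) -> str:
    return v.strip().lower().lstrip("v")


def key_for(c: Component) -> tuple[str, str, str]:
    """Prefer an explicit CPE 2.3 (already in the database's naming); otherwise
    fall back to normalizing the free-text SBOM fields."""
    if c.cpe.startswith("cpe:2.3:"):
        parts = c.cpe.split(":")       # cpe:2.3:part:vendor:product:version:...
        return parts[3], parts[4], parts[5]
    return norm(c.supplier), norm(c.name), norm_version(c.version)


# Constructed advisory feed in NVD CPE style: (vendor, product, version, advisory id).
ADVISORIES = [
    ("acme", "librr", "4.1.5", "ADV-0001"),
    ("acme", "librr", "4.1.6", "ADV-0002"),
    ("widgetco", "netstack", "2.0", "ADV-0003"),
]


def match_verbatim(components: list[Component]) -> dict[str, list[str]]:
    """Exact string comparison of what the SBOM says against the feed."""
    return {c.name: [a[3] for a in ADVISORIES if (c.supplier, c.name, c.version) == a[:3]]
            for c in components}


def match_normalized(components: list[Component]) -> dict[str, list[str]]:
    """Same feed, but compared on agreed (vendor, product, version) keys."""
    return {c.name: [a[3] for a in ADVISORIES if key_for(c) == a[:3]] for c in components}


# Constructed inputs: one SWID tag and one CycloneDX BOM describing similar software.
SWID_TAG = """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
  name="librr" version="4.1.5" tagId="example-librr-4.1.5" tagVersion="0">
  <Entity name="ACME Corp." regid="acme.example" role="tagCreator softwareCreator"/>
  <Payload><File name="librr.so" size="12345"/></Payload>
</SoftwareIdentity>"""

CYCLONEDX_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.2", "version": 1,
    "components": [
        {"type": "library", "publisher": "ACME, Corp", "name": "lib-RR", "version": "v4.1.6"},
        {"type": "library", "publisher": "WidgetCo Inc", "name": "netstack", "version": "2.0",
         "cpe": "cpe:2.3:a:widgetco:netstack:2.0:*:*:*:*:*:*:*"},
        {"type": "library", "publisher": "Other", "name": "safe-lib", "version": "1.0"},
    ],
})


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    comps = components_from_swid(SWID_TAG) + components_from_cyclonedx(CYCLONEDX_BOM)
    return match_verbatim(comps), match_normalized(comps)


if __name__ == "__main__":
    verbatim, normalized = demo()
    print("verbatim  :", verbatim)
    print("normalized:", normalized)
```

Run directly, verbatim matching returns nothing for any of the four components, while the normalized keys hit three advisories. Both serializations feed the same information model, which is the format-agnostic shape the I-D can stay neutral about; the normalization is only a heuristic, and a producer-supplied CPE or purl (the netstack component) is what removes the guesswork Dick describes.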