Re: [OPSAWG] Document Shepherd Review of draft-ietf-opsawg-sbom-access-11
Eliot Lear <lear@lear.ch> Sun, 09 October 2022 12:19 UTC
Return-Path: <lear@lear.ch>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A20AC14F727; Sun, 9 Oct 2022 05:19:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.899
X-Spam-Level:
X-Spam-Status: No, score=-0.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ONKvf0VAVWWY; Sun, 9 Oct 2022 05:19:22 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3BA8C14F74A; Sun, 9 Oct 2022 05:19:04 -0700 (PDT)
Received: from [192.168.0.130] (77-58-144-232.dclient.hispeed.ch [77.58.144.232]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 299CIt0j2019690 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Sun, 9 Oct 2022 14:18:57 +0200
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1665317937; bh=8zt31BepRngZ/saOyfiwqiAIV5/SFW02GeiJud9zQ88=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=kn/jZtot53/jeOp7ymQ8lIcjZjgN4sRzt09ZmcFR/DxrwgpYjBNqT5dOlKDcqiXiw j3K03OtPUE5tc3dSt8V7ebB8liMy5cm5EmAg27szQ7piw0pouyWvWjuGG41AI0zNUm ietiPPrwNv/ZgNXJ5EVvqV8dRIqDUjLMbjXb7KCI=
Message-ID: <e48490b4-a960-269e-8618-f7823a1b5ab2@lear.ch>
Date: Sun, 09 Oct 2022 14:18:50 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.13.1
Content-Language: en-US
To: Qin Wu <bill.wu=40huawei.com@dmarc.ietf.org>, opsawg <opsawg@ietf.org>
Cc: Eliot Lear <lear@cisco.com>, "draft-ietf-opsawg-sbom-access@ietf.org" <draft-ietf-opsawg-sbom-access@ietf.org>
References: <e3389967055a4be09986b3300649af34@huawei.com>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <e3389967055a4be09986b3300649af34@huawei.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------e41OBZcK4hC0Pegfc1LsNS8C"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/zt4Nt7e5cibd5NvJfB7PDf3_lho>
Subject: Re: [OPSAWG] Document Shepherd Review of draft-ietf-opsawg-sbom-access-11
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Oct 2022 12:19:27 -0000
Hi Qin,
Thanks for your review. Please see below.
On 08.10.22 11:27, Qin Wu wrote:
>
> Hi, authors:
>
> I have read the latest version of this draft, it is well written,
> thank for that.
>
> Here is the identified minor issues during document shepherd review of
> draft-ietf-opsawg-sbom-access-11:
>
> 1.Abstract said:
>
> “
>
> It may optionally be discovered through manufacturer usage descriptions.
>
> ”
>
> [Qin] This sentence is not clear. Are you saying MUD extensions
> transparency can be discovered using extensions defined in section 3.9
> of RFC8520?
>
> Or software transparency and vulnerability information can be
> discovered by using ACL example defined in section 5.4 of this draft?
> I assume it is the latter. Please clarify.
>
Ok, I propose the following change:
OLD:
This memo specifies a model to provide access to this information. It
may optionally be discovered through manufacturer usage descriptions.
NEW:
This memo extends the MUD YANG model to provide the locations of software
bills of materials and to vulnerability information.
> 2.Section 1 said:
>
> “
>
> The mechanisms specified in this document are meant to satisfy
>
> several use cases:
>
> * A network-layer management system retrieving information from an
>
> IoT device as part of its ongoing lifecycle. Such devices may or
>
> may not have query interfaces available.
>
> ”
>
> [Qin] How many use cases do we specify here? I believe it is two, how
> about be specific about the number of use cases here, s/several use
> cases/the following two use cases
>
Ok
> 3.Section 1 said:
>
> “ In the first case, devices will have interfaces that permit direct
>
> retrieval. Examples of these interfaces might be an HTTP [RFC9110
> <https://datatracker.ietf.org/doc/html/rfc9110>],
>
> or COAP [RFC7252 <https://datatracker.ietf.org/doc/html/rfc7252>]
> endpoint for retrieval. There may also be private
>
> interfaces as well.
>
> In the second case, when a device does not have an appropriate
>
> retrieval interface, but one is directly available from the
>
> manufacturer, a URI to that information MUST be discovered.
>
> In the third case, a supplier may wish to make an SBOM or
>
> vulnerability information available under certain circumstances, and
>
> may need to individually evaluate requests. The result of that
>
> evaluation might be the SBOM or vulnerability itself or a restricted
>
> ”
>
> [Qin] I believe the first case, the second case, the third case are
> corresponding to three ways to discover object instead of two key use
> cases listed in section 1? Therefore there are confusing to be
> introduced here.
>
> I suggest to change as follows:
>
> s/in one of three ways/ through one of three method
>
> s/In the first case/In the first method
>
> s/In the second case/In the second method
>
> s/in the third case/In the third method
>
Ok. I changed the word "In" to "Using", but otherwise agree.
> 4.Section 1.1
>
> [Qin] s/in either/either in
>
Ok
> 5.Section 1.1 said:
>
> “The MUD semantics provide a way for manufacturers
>
> to control how often tooling should check for those changes through
>
> the cache-validity node.“
>
> [Qin] Can you provide a reference section in RFC8520 about such MUD
> semantics.
>
I have changed this to "MUD's cache-validity node provides a way..."
For your information, this is Section 3.5 of 8520.
> 6.Section 3 N.B.
>
> [Qin] What N.B. stands for? Can you provide a reference or change in
> other words.
>
N.B. is a commonly used Latin abbreviation for "nota bene" or "note
well". It falls into the class of i.e, and e.g.
> 7.Section 5.4 said:
>
> “*5.4
> <https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access-11#section-5.4>.
> With ACLS*
>
> Finally, here is a complete example where the device provides SBOM
>
> and vulnerability information, as well as access-control information.
>
> {
>
> "ietf-mud:mud": {
>
> "mud-version": 1,
>
> "extensions": [
>
> "ol",
>
> "transparency"
>
> ],“
>
> [Qin] How this draft is related to draft-ietf-opsawg-ol-01? In other
> words, how sbom access work together with Ownership and licensing
> statements in YANG described in draft-ietf-opsawg-ol-01.
>
> If ‘ol’ extension is needed, I think a informative reference is needed
> here.
>
This as discussed within the working group, and the point was made that
it is good to show mud working with unrelated extensions. I would
prefer for this reason *not* to include an informative reference.
Implementations need not process extensions they do not understand (to
do so would require a major rev of MUD).
> 8.Section 6 said:
>
> “N.B., for MUD, the mandatory method of retrieval is TLS.“
>
> [Qin] New fashion of acronym,J
>
> 9.Section 6 said:
>
> “
>
> One example may be to issue a certificate to the client for
>
> this purpose after a registration process has taken place. Another
>
> example would involve the use of OAUTH in combination with a
>
> federations of SBOM servers.“
>
> [Qin] I feel there is disconnection between the fifth sentence and the
> sixth sentence in the paragraph 9 . Two examples are provided here, I
> am wondering which security risk are addressed by which example?
>
>
I think you are right. The sentence order wasn't good. How about this:
[...] Other servers that offer the data MAY restrict access to
SBOM information using appropriate authorization semantics within
HTTP. One way to do this would be to issue a certificate to the client for
this purpose after a registration process has taken place. Another
approach would involve the use of OAUTH in combination with a
In particular, if a system attempts to retrieve an SBOM via
HTTP and the client is not authorized, the server MUST produce an
appropriate error, with instructions on how to register a particular
client.
> 10.Section 6 said:
>
> “
>
> Vulnerability information is generally made available to such
>
> databases as NIST's National Vulnerability Database. “
>
> [Qin] Do we need to list the Database Name developed by specific
> entity in the security section as normative text?
>
> 11.Do we have implementation that pertains to this draft?
>
Indeed we do. Please see https://github.com/sbomtools/apt2sbom.
Eliot