Re: [OPSAWG] Document Shepherd Review of draft-ietf-opsawg-sbom-access-11
Eliot Lear <lear@lear.ch> Sun, 09 October 2022 12:19 UTC
Return-Path: <lear@lear.ch>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A20AC14F727; Sun, 9 Oct 2022 05:19:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.899
X-Spam-Level:
X-Spam-Status: No, score=-0.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ONKvf0VAVWWY; Sun, 9 Oct 2022 05:19:22 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3BA8C14F74A; Sun, 9 Oct 2022 05:19:04 -0700 (PDT)
Received: from [192.168.0.130] (77-58-144-232.dclient.hispeed.ch [77.58.144.232]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 299CIt0j2019690 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Sun, 9 Oct 2022 14:18:57 +0200
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1665317937; bh=8zt31BepRngZ/saOyfiwqiAIV5/SFW02GeiJud9zQ88=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=kn/jZtot53/jeOp7ymQ8lIcjZjgN4sRzt09ZmcFR/DxrwgpYjBNqT5dOlKDcqiXiw j3K03OtPUE5tc3dSt8V7ebB8liMy5cm5EmAg27szQ7piw0pouyWvWjuGG41AI0zNUm ietiPPrwNv/ZgNXJ5EVvqV8dRIqDUjLMbjXb7KCI=
Message-ID: <e48490b4-a960-269e-8618-f7823a1b5ab2@lear.ch>
Date: Sun, 09 Oct 2022 14:18:50 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.13.1
Content-Language: en-US
To: Qin Wu <bill.wu=40huawei.com@dmarc.ietf.org>, opsawg <opsawg@ietf.org>
Cc: Eliot Lear <lear@cisco.com>, "draft-ietf-opsawg-sbom-access@ietf.org" <draft-ietf-opsawg-sbom-access@ietf.org>
References: <e3389967055a4be09986b3300649af34@huawei.com>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <e3389967055a4be09986b3300649af34@huawei.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------e41OBZcK4hC0Pegfc1LsNS8C"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/zt4Nt7e5cibd5NvJfB7PDf3_lho>
Subject: Re: [OPSAWG] Document Shepherd Review of draft-ietf-opsawg-sbom-access-11
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Oct 2022 12:19:27 -0000
Hi Qin, Thanks for your review. Please see below. On 08.10.22 11:27, Qin Wu wrote: > > Hi, authors: > > I have read the latest version of this draft, it is well written, > thank for that. > > Here is the identified minor issues during document shepherd review of > draft-ietf-opsawg-sbom-access-11: > > 1.Abstract said: > > “ > > It may optionally be discovered through manufacturer usage descriptions. > > ” > > [Qin] This sentence is not clear. Are you saying MUD extensions > transparency can be discovered using extensions defined in section 3.9 > of RFC8520? > > Or software transparency and vulnerability information can be > discovered by using ACL example defined in section 5.4 of this draft? > I assume it is the latter. Please clarify. > Ok, I propose the following change: OLD: This memo specifies a model to provide access to this information. It may optionally be discovered through manufacturer usage descriptions. NEW: This memo extends the MUD YANG model to provide the locations of software bills of materials and to vulnerability information. > 2.Section 1 said: > > “ > > The mechanisms specified in this document are meant to satisfy > > several use cases: > > * A network-layer management system retrieving information from an > > IoT device as part of its ongoing lifecycle. Such devices may or > > may not have query interfaces available. > > ” > > [Qin] How many use cases do we specify here? I believe it is two, how > about be specific about the number of use cases here, s/several use > cases/the following two use cases > Ok > 3.Section 1 said: > > “ In the first case, devices will have interfaces that permit direct > > retrieval. Examples of these interfaces might be an HTTP [RFC9110 > <https://datatracker.ietf.org/doc/html/rfc9110>], > > or COAP [RFC7252 <https://datatracker.ietf.org/doc/html/rfc7252>] > endpoint for retrieval. There may also be private > > interfaces as well. > > In the second case, when a device does not have an appropriate > > retrieval interface, but one is directly available from the > > manufacturer, a URI to that information MUST be discovered. > > In the third case, a supplier may wish to make an SBOM or > > vulnerability information available under certain circumstances, and > > may need to individually evaluate requests. The result of that > > evaluation might be the SBOM or vulnerability itself or a restricted > > ” > > [Qin] I believe the first case, the second case, the third case are > corresponding to three ways to discover object instead of two key use > cases listed in section 1? Therefore there are confusing to be > introduced here. > > I suggest to change as follows: > > s/in one of three ways/ through one of three method > > s/In the first case/In the first method > > s/In the second case/In the second method > > s/in the third case/In the third method > Ok. I changed the word "In" to "Using", but otherwise agree. > 4.Section 1.1 > > [Qin] s/in either/either in > Ok > 5.Section 1.1 said: > > “The MUD semantics provide a way for manufacturers > > to control how often tooling should check for those changes through > > the cache-validity node.“ > > [Qin] Can you provide a reference section in RFC8520 about such MUD > semantics. > I have changed this to "MUD's cache-validity node provides a way..." For your information, this is Section 3.5 of 8520. > 6.Section 3 N.B. > > [Qin] What N.B. stands for? Can you provide a reference or change in > other words. > N.B. is a commonly used Latin abbreviation for "nota bene" or "note well". It falls into the class of i.e, and e.g. > 7.Section 5.4 said: > > “*5.4 > <https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access-11#section-5.4>. > With ACLS* > > Finally, here is a complete example where the device provides SBOM > > and vulnerability information, as well as access-control information. > > { > > "ietf-mud:mud": { > > "mud-version": 1, > > "extensions": [ > > "ol", > > "transparency" > > ],“ > > [Qin] How this draft is related to draft-ietf-opsawg-ol-01? In other > words, how sbom access work together with Ownership and licensing > statements in YANG described in draft-ietf-opsawg-ol-01. > > If ‘ol’ extension is needed, I think a informative reference is needed > here. > This as discussed within the working group, and the point was made that it is good to show mud working with unrelated extensions. I would prefer for this reason *not* to include an informative reference. Implementations need not process extensions they do not understand (to do so would require a major rev of MUD). > 8.Section 6 said: > > “N.B., for MUD, the mandatory method of retrieval is TLS.“ > > [Qin] New fashion of acronym,J > > 9.Section 6 said: > > “ > > One example may be to issue a certificate to the client for > > this purpose after a registration process has taken place. Another > > example would involve the use of OAUTH in combination with a > > federations of SBOM servers.“ > > [Qin] I feel there is disconnection between the fifth sentence and the > sixth sentence in the paragraph 9 . Two examples are provided here, I > am wondering which security risk are addressed by which example? > > I think you are right. The sentence order wasn't good. How about this: [...] Other servers that offer the data MAY restrict access to SBOM information using appropriate authorization semantics within HTTP. One way to do this would be to issue a certificate to the client for this purpose after a registration process has taken place. Another approach would involve the use of OAUTH in combination with a In particular, if a system attempts to retrieve an SBOM via HTTP and the client is not authorized, the server MUST produce an appropriate error, with instructions on how to register a particular client. > 10.Section 6 said: > > “ > > Vulnerability information is generally made available to such > > databases as NIST's National Vulnerability Database. “ > > [Qin] Do we need to list the Database Name developed by specific > entity in the security section as normative text? > > 11.Do we have implementation that pertains to this draft? > Indeed we do. Please see https://github.com/sbomtools/apt2sbom. Eliot