Re: [Rats] [EXTERNAL] SBOMs -- SPDX and CycloneDX, Eliots review

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Thu, 16 June 2022 09:24 UTC

Message-ID: <ee22a74d-90bf-ead9-8fb9-512fb1dde21d@sit.fraunhofer.de>
To: "Roy Williams (COSINE)" <roywill@exchange.microsoft.com>, Laurence Lundblade <lgl@island-resort.com>, rats <rats@ietf.org>
References: <9CC7BE9B-A49E-4E99-86B7-22722D18EC1F@island-resort.com> <MWHPR21MB0288104CB7A29E2256637D3F8EAD9@MWHPR21MB0288.namprd21.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
In-Reply-To: <MWHPR21MB0288104CB7A29E2256637D3F8EAD9@MWHPR21MB0288.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/VGos1GGu9mxEPZRL0UFAzeT6PQg>

Hi Roy,
hi Laurence,

the really confusing thing is:

An *Endorsement is called Attestation* in SBOM space.

A pointer to "SBOM Attestations":

> https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/software-supply-chain-security-guidance-2

Please compare with:

> https://www.ietf.org/archive/id/draft-ietf-rats-architecture-18.html#name-terminology-2

The type of "attestation" used in SBOM actually has *nothing* to do with 
remote attestation Evidence or Attestation Results.

Please always keep that in mind, when you hear or read the term 
"attestation" without proper context. It means factually nothing by 
itself in a lot of cases.

In the context of RATS please always make clear what part of remote 
attestation procedures (especially which type of conceptual message / 
RATS artifact) you are referring to. Is it Evidence? AR? Endorsements? 
Or even Reference Values? Simply use these terms, not just attestation.

Best regards,

Henk

On 16.06.22 00:37, Roy Williams (COSINE) wrote:
> There is a difference between endorsements for Secure Supply Chain and 
> Attestations like RATS.  The former can be a weaker claim that “I 
> reviewed this and signed off” whereas the latter is “Here is what I 
> reviewed and why I signed off”. The value of the former is that it does 
> not educate bad actors of what to taint or what is actually used.
> 
> The convergence of SPDX and CycloneDX comes up time and again and I 
> suspect will resonate for quite a while.
> 
> Roy.
> 
> *From:* RATS <rats-bounces@ietf.org> *On Behalf Of* Laurence Lundblade
> *Sent:* Wednesday, June 15, 2022 2:04 PM
> *To:* rats <rats@ietf.org>
> *Subject:* [EXTERNAL] [Rats] SBOMs -- SPDX and CycloneDX, Eliots review
> 
> In his review Eliot wrote:
> 
>     Section 4.2.16
> 
>     Can a software manifest be an SPDX or CycloneDX document or a pointer
>     to same?  There's a WHOLE lot of the former out there, and the latter
>     is growing in popularity.  If this is the case, let's define
>     appropriate types now.
> 
> Off the top of my head, I’d say yes a manifest can be an SPDX or 
> CycloneDX, but this is not something I know a lot about, so I’m asking 
> here.
> 
> Doesn’t look like there are CoAP registrations for SPDX or CycloneDX, 
> but there are MIME type registries.
> 
> I think EAT establishes a means of extending the manifests claim and 
> registers a couple of important ones and that is enough for the EAT 
> draft. I propose that registration of CoAP content formats for SPDX and 
> CycloneDX and inclusion in EAT can be done in a follow-on draft, but am 
> open to suggestions.
> 
> Again, not my area of expertise (so I’m fishing a bit here), but it 
> seems like SBOM processing is similar to a big part of what a RATS 
> Verifier does, or at least what a lot of people are expecting a RATS 
> verifier to do — Checking SW versions, checking vulnerability databases…
> 
> Also, for the sake of clarification, I wouldn’t call SBOM processing and 
> RATS Verification “certification”, at least not in the way that FIPS and 
> Common Criteria are certification. Certification is something that takes 
> months or years, costs a lot and involves detailed review of the 
> implementation and design.  I think DLOAs bring certification 
> into RATS in a good way.
> 
> LL
> 