IETF Logo Mail Archive

Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Fri, 04 August 2017 14:42 UTC

Return-Path: <david.waltermire@nist.gov>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6991A128961 for <sacm@ietfa.amsl.com>; Fri, 4 Aug 2017 07:42:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t1So_ZE5EctU for <sacm@ietfa.amsl.com>; Fri, 4 Aug 2017 07:41:55 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0096.outbound.protection.outlook.com [23.103.200.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6BED131F1A for <sacm@ietf.org>; Fri, 4 Aug 2017 07:41:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=vI5LFkEjrPiF8hooxMUdWOXPYVtjSWUP0+zvTbaH8aM=; b=KXPKO5qLbKEz4IUnVsX8FpDwxQABC6Rku3Cd3YpmTb2xj51tOhLIVCwQguNr7MTgMDwGO/q0CyiBJfJdSOg+bQHmzAed35z1aVuQnYjcGF652FYIz04R+VAPX4XeXiOi754zgW2VouudtnPDln/HCv0cb7Aj/C25Yy1TovNgg/Y=
Received: from MWHPR09MB1440.namprd09.prod.outlook.com (10.173.50.14) by MWHPR09MB1437.namprd09.prod.outlook.com (10.173.50.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1304.22; Fri, 4 Aug 2017 14:41:52 +0000
Received: from MWHPR09MB1440.namprd09.prod.outlook.com ([10.173.50.14]) by MWHPR09MB1440.namprd09.prod.outlook.com ([10.173.50.14]) with mapi id 15.01.1304.025; Fri, 4 Aug 2017 14:41:52 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: Ruben Oliva <david.oliva@verizon.net>, "cmschmidt@mitre.org" <cmschmidt@mitre.org>, "adam.w.montville@gmail.com" <adam.w.montville@gmail.com>, Karen O'donoghue <odonoghue@isoc.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc
Thread-Index: AQHTB6+FzaVaLou9b0eM0Yv7igddP6JuXXgAgARxUACAAL1XAIAAvI2A
Date: Fri, 04 Aug 2017 14:41:52 +0000
Message-ID: <MWHPR09MB144025C6B09DDAC5DEC71BE8F0B60@MWHPR09MB1440.namprd09.prod.outlook.com>
References: <BN6PR09MB118639CCEE0BDF2ADE51838BABB10@BN6PR09MB1186.namprd09.prod.outlook.com> <15dab2f5cf5-5f57-22e8@webprd-m32.mail.aol.com>
In-Reply-To: <15dab2f5cf5-5f57-22e8@webprd-m32.mail.aol.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=david.waltermire@nist.gov;
x-originating-ip: [129.6.224.58]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR09MB1437; 6:kX5JBo2OPlZRYQ3ByK87XILrXxxv16P24VF9fgDzQ6AjGx4n4mh17MYeO/kLjsgm3N1oslorTdeuUWSnxMriJvYf4Zi8YWcqs5GyoMl6wtk2vvgq/98tdh1HkfKLbUCihWSXHr8YUUZvqjFzcTjXSEv+4kW2t1f37U5SQngTvLahEKfsAkBIciTVQCHb3chn/Yk9rOQB71XoML5fp8/wvdwxw4Xy1Pq6zBEOElH0vsqEywebFTbX1ihefGOGgrm1uGNphpJfmYqS+UeWyuK0cAs/W6lpbemfmqVwrW632ZiB4c9iahHRik4vl+1u8AxYqRlq+ks1BcBqNT9d2U4aAQ==; 5:8193xqumnq+vDRedc2ohzuwScIsY9FRA499iEpjoDlpS2a3EHT/2QNdDVnNep4Y38dZvyMfGkpQP1tugEeaz+ikZY8KWjj3/5LN6WsuK27ncTbbmPUJve5DoYeuC+mBgabx1pXuWo5Wnu/bd+8SE7A==; 24:eTzWZuF82g/+fgOCEyTRmvLiBXC4Ydvw3lTut5xf9LXra2PPEsR+oVKE2G+jAbrxpgJGmOZMOiMCcBT9yUmnwCU15MCRxPz899K3uss/DTU=; 7:pDg2fA7XC4hd3HeUaBEs5ODdw9Exxl+Q2Ss3butI5oaFIla4JLyS+eUhibuenmWzKCUilVmFYQ1e2CKLPRtn9Oi8sUMNXhcIXSogow76REKTX7IF0L4cMk/W5QACakrP9FExyfOuXwyrBVAExl0wLqHwV9xin5C+MKfeScYlaCiGEsT5QjGeRnYreEscEl5HTQdODc0v5/VgW4xtKx0GIEZm3P2fSwVLIxHOF8mPcvg=
x-ld-processed: 2ab5d82f-d8fa-4797-a93e-054655c61dec,ExtAddr
x-ms-office365-filtering-correlation-id: e46363de-faed-4b29-b5ff-08d4db46f27c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(48565401081)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:MWHPR09MB1437;
x-ms-traffictypediagnostic: MWHPR09MB1437:
x-exchange-antispam-report-test: UriScan:(65766998875637)(120809045254105)(192374486261705)(788757137089)(100405760836317)(21748063052155);
x-microsoft-antispam-prvs: <MWHPR09MB1437397BE81814546CF4AC21F0B60@MWHPR09MB1437.namprd09.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(93006095)(93001095)(100000703101)(100105400095)(3002001)(10201501046)(6055026)(6041248)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123558100)(20161123562025)(20161123555025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:MWHPR09MB1437; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:MWHPR09MB1437;
x-forefront-prvs: 0389EDA07F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39840400002)(39860400002)(39400400002)(39410400002)(39850400002)(39450400003)(189002)(25584004)(24454002)(13464003)(377454003)(199003)(2906002)(8666007)(2900100001)(7736002)(236005)(6246003)(102836003)(2201001)(2501003)(99286003)(54896002)(101416001)(86362001)(55016002)(6306002)(9686003)(53936002)(6436002)(3846002)(6116002)(790700001)(68736007)(189998001)(105586002)(33656002)(106356001)(606006)(5660300001)(53546010)(19609705001)(2950100002)(81166006)(81156014)(966005)(97736004)(39060400002)(25786009)(14454004)(74316002)(3280700002)(230783001)(66066001)(3660700001)(229853002)(8656003)(478600001)(8936002)(38730400002)(6506006)(54356999)(50986999)(77096006)(7696004)(76176999)(8676002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR09MB1437; H:MWHPR09MB1440.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR09MB144025C6B09DDAC5DEC71BE8F0B60MWHPR09MB1440namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2017 14:41:52.7598 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR09MB1437
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/-xvwiEuygWCRHDUVk3CLv9dJiWE>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 14:42:00 -0000

David,

At NIST we are adding SWID Tags as an SCAP specification in SCAP 1.3 which will be released soon. We also have a some SCAP 1.2 validated products that support SWID tags today.

AT NIST, we support the use of SWID tags to address a number of security automation use cases. We hope that the SWID-related standards created in the IETF and other standards organizations will provide a basis for further adoption of SWID tags in open source and commercially available tools. In the USG, we are constantly faced with identifying what software is in use across agencies. Despite investments in software asset management (SAM) and other software inventory solutions, we are unable to automatically and quickly gather information about how much of a given software product is installed across the USG. Software vulnerabilities like Heartbleed pointed out how challenging of a problem this is. The cause of this problem is twofold: 1) SAM products use different mechanisms to determine the software inventory of devices, and 2) different SAM, vulnerability, and patch management products identify software in inconsistent ways. If SWID tags are adopted by the majority of major software vendors (20-30 companies), this problem will largely be solved. IMHO, as a file that can be generated automatically during software builds and packaged with software, SWID tags are a small cost relative to the significant management costs that vendors and end-users face when dealing with licensing, patching, and otherwise managing deployed software. SWID tags are a win-win; they help vendors ensure that customers use licensed products and help customers manage the software they acquire.

At NIST we are starting work on an SCAP 2.0. Our current use-case focus is around better support for vulnerability assessment, and we plan to iterate around different use cases in subsequent releases. We want to use standards like SWID tags, SWIMA and ROLIE which can provide for the collection and exchange of SWID tag data as part of a larger SCAP architecture. The work in MILE and SACM is important and can fill software identification and inventory gaps that exist in SCAP 1.x.

Regards,
Dave


From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Ruben Oliva
Sent: Thursday, August 03, 2017 11:00 PM
To: cmschmidt@mitre.org; adam.w.montville@gmail.com; Karen O'donoghue <odonoghue@isoc.org>; sacm@ietf.org; Waltermire, David A. (Fed) <david.waltermire@nist.gov>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc

Charles and team:

I have been following the progress of SACM since around 2012 and like what I see, but I am still too used the way NIST/SCAP works.

Somehow I thought that NIST (via the NVLAP labs) would include SWID as another SCAP specification.

From what I can tell, there is no SCAP product that uses SWID (https://nvd.nist.gov/scap/validated-tools).
As it is now, there is no incentive of any kind to embrace SWID for users of SCAP products,
even though NIST appears to endorse it (IR 8060 and IR 8085).


So my question is.

Will SWID be included in any future NVLAP testing and be advertised as an NIST-validated SCAP tool?



David Oliva


-----Original Message-----
From: Schmidt, Charles M. <cmschmidt@mitre.org<mailto:cmschmidt@mitre.org>>
To: Adam Montville <adam.w.montville@gmail.com<mailto:adam.w.montville@gmail.com>>; Karen O'Donoghue <odonoghue@isoc.org<mailto:odonoghue@isoc.org>>; sacm <sacm@ietf.org<mailto:sacm@ietf.org>>
Sent: Thu, Aug 3, 2017 11:42 am
Subject: Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc

Hi Adam,

A few inline comments added to those made by Andreas. (And thanks to Andreas for his inputs.)

> Should we be referencing the NIST interagency report related to SWID or the
> ISO standard directly? The NIST document is more readily accessible, and if
> they have parity, then we might gain points for referencing the freely
> available resource.

The NIST and ISO documents are not equivalent. The NIST document describes best practices for using and creating SWID tags, and someone could use that and the freely available SWID tag XML schema to create compliant tags. However, the ISO document remains the authoritative source for SWID tag compliance. As such, I feel most references should be made to the (authoritative) ISO specification.

That said, it probably makes sense to add an informational reference to the NIST specification for the reasons you mention.

> Is there a reason to mention TCG + NEA in the introduction? If we're looking
> at NEA, then let's just use NEA references and not the TCG ones for, at least,
> the sake of consistency.

I think there are a few reasons to at least mention the relationship to TCG's TNC.
1) It emphasizes that there is alignment (rather than bifurcation) in these standards.
2) It sends a reasonable call out to the TCG board, who agreed to support transfer of this specification to the IETF.

That said, I can agree that Table 1 (which identifies equivalent components in the two architectures) might be more than is necessary. If we drop Table 1 but retain the final paragraph of section 1.1 ("This document is based on standards published by the Trusted Computing Group's Trusted Network Communications (TNC) workgroup. The TNC and NEA architectures are interoperable and many components are equivalent.") would this address your concern?

> Propose modified definition for SW-PC: A Posture Collector (PC) that collects
> endpoint software inventory information and that conforms to this
> specification.
>
> Propose modified definition for SW-PV: A Posture Validator (PV) that
> interprets SW Attributes sent by SW-PCs and that conforms to this
> specification.

I like the rewording.

> Propose modified definition for SW Attribute: A PA-TNC attribute that
> conveys software inventory information. (NOTE: We should ensure that PA-
> TNC is the NEA-specific term.)

In retrospect, I'm not sure I like this or what currently exists. There are PA-TNC attributes that convey software information, but are not "SW attributes". Moreover, (for reasons you noted) the requests don't convey software information, but need to be considered SW attributes for the sake of this document. That term needs to refer specifically to the attributes that are defined in this specification. I propose:

SW Attribute - This is a PA-TNC attribute (as defined in RFC 5792 [RFC5792]) extension as defined in this specification.

> Propose renaming "SW Attribute" to "SWIMA Attribute", which seems more
> accurate. Take a look a the "SW Attribute" subtypes listed in section 5.2 to
> understand my motivation. Assuming "SW" expands to "software" (which is a
> reasonable presumption), then SW Request is not a SW Attribute. A SW
> Attribute might be a configuration item that software contains, but not a SW
> Request. The SW Request attribute is used to request software inventory
> related information from an endpoint, and is thus more appropriately an
> attribute associated with SWIMA than with "software". If this is acceptable,
> then we should update the term in section 10.1.
>
> Then, we may want to consider expanding "SW" to "SWIMA" wherever
> appropriate (i.e. SW Request could become SWIMA Request), which is longer
> to type but also inarguably more clear.

Stephen's comments notwithstanding, I'm of two minds here. On the one hand, SW Attribute (and SW-PC and SW-PV) are primarily characterized by their conformance to the SWIMA specification, rather than just being software related. There are other NEA components that deal with software but are not part of SWIMA and therefore would not be SW-PCs or SW Attributes according to our definitions, which I agree might be confusing. In that regard, SWIMA-PC and SWIMA Attribute better capture the key characteristic of these entities.

On the other hand, a "Software Inventory Message and Attributes Attribute" seems a bit redundant.

Overall, I think I might be more inclined to go along with your suggestion and change SW Attribute to SWIMA Attribute (and SW-PC to SWIMA-PC, etc.) because it will better emphasize the key characteristic of these entities - that they are conformant to the SWIMA specification. (Really looking forward to a few hundred search and replace actions here....)

> On Page 15 the draft states "All SW-PCs MUST at least be able to generate
> Software Identifiers for the data model types specified in Section 6 of this
> document." Section 6 describes data models for SWID 2009 and SWID 2015,
> but nothing else. Is this really what we desire? What about Linux distribution
> package managers?

Adding on to Stephen's comments, I'll note that we intend SWIMA to be extensible. If someone wished to report RPM records or other types of packages, they are welcome to do so. The just need to define an authoritative way of deriving a Software Identifier from the record. However, I don't think we want to *require* support for such packages in all SW-PCs.

> What about discovered software outside typical
> installation patterns?

As Andreas notes, such software can still be represented using SWID tags. They could also be represented using other record formats, as I note above.

> And, does it make sense, in a brokered architecture like
> NEA, to require redundant capabilities in the anticipated myriad collectors?

Not sure how this is "redundant". The group agreed that 2009 SWID tags should be supported for legacy reasons, while 2015 tags should be supported for future compliance. In general, SWIMA has virtually no control over the nature of the records on the endpoint - they might be SWID 2009, SWID 2015, something completely different, or a combination thereof. SWIMA is concerned with collection and conveyance of available information. Normalization of that information into one preferred record format is beyond the scope of SWIMA. (Deliberately so, since our early conversations on SWIMA involved a lot of holy wars about preferred record formats, none of which appear to "dominate" are target environment today.) Maybe SACM will eventually get behind a single format, and when they do SWIMA will be ready and able to convey it. Until then, SWIMA's goal is to support collection and conveyance of whatever software records might be available.

> Are the subscription semantics of this draft intended to be extrapolated to
> other types of information collection going over PT-TLS in the future? This
> wasn't clear to me when reading the draft, but the IANA table additions
> (section 10.2) relating to subscriptions appear to have names generic enough
> to be reused. If that's the intent, then maybe we can figure out an easy way
> to clarify this in the draft, so that subsequent collection drafts are easier to
> create.

I was not intending to create a generic subscription mechanism for PA-TNC. (Subscriptions would be at the application layer, rather than transport layer, which is what PT-TLS is.) I'm not sure a generic subscription mechanism for PA-TNC is really feasible since different types of information will have different triggers and different transport constraints.

With regard to the generic names of the attributes: on a technical level, there will be no ambiguity. The attributes defined in this specification (with the exception of PA-TNC Error) are all part of the SWIMA PA Subtype. (Basically, this serves as a namespace for all the attributes defined in this specification.) Some other PA-TNC extension might conceivably define their own "Subscription Status Request" attribute, but it would have a different PA Subtype, so there would never be any confusion as to meaning. True - a human might get confused; however, I think this is mitigated by the fact that the attribute names really only are used within the context of a specific PA TNC extension (e.g., within the SWIMA specification). Thus I don't think there will be many practical opportunities for people to get confused. As such, I'd prefer to keep the names as they are rather than to make them even longer by prepending SWIMA or some other specification-specific label.

Please let me know if you have any questions or comments.

Charles

> On Fri, Jul 28, 2017 at 10:41 AM Karen O'Donoghue <odonoghue@isoc.org<mailto:odonoghue@isoc.org>
> <mailto:odonoghue@isoc.org<mailto:odonoghue@isoc.org?>> > wrote:
>
>
> Folks,
>
> This begins a 3 week working group last call (WGLC) for the following
> document:
>
> Software Inventory Message and Attributes (SWIMA) for PA-TNC
> https://datatracker.ietf.org/doc/draft-ietf-sacm-nea-swima-patnc/
>
> We have chosen to do a 3 week WGLC to account for post IETF
> recovery and August vacations.
>
> Please review the referenced document and send any comments to
> the mailing list including your assessment of whether this document is
> mature enough to proceed to the IESG. Please note that these messages of
> support for progression to the mailing list will be used to determine WG
> consensus to proceed.
>
> Please send all comments in by Friday 18 August 2017.
>
> Thank you!
> Karen and Adam
>
> _______________________________________________
> sacm mailing list
> sacm@ietf.org<mailto:sacm@ietf.org> <mailto:sacm@ietf.org<mailto:sacm@ietf.org?>>
> https://www.ietf.org/mailman/listinfo/sacm
>

_______________________________________________
sacm mailing list
sacm@ietf.org<mailto:sacm@ietf.org>
https://www.ietf.org/mailman/listinfo/sacm

v2.23.0 | Report a Bug | By Email