Re: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid

Roman Danyliw <rdd@cert.org> Fri, 03 December 2021 18:39 UTC

From: Roman Danyliw <rdd@cert.org>
To: Roman Danyliw <rdd@cert.org>, "<sacm@ietf.org>" <sacm@ietf.org>
Date: Fri, 3 Dec 2021 18:39:34 +0000
Message-ID: <BN1P110MB09393F74F44A974C60D81FB7DC6A9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
References: <BN1P110MB0939568CF0E61FF364CD6B7EDCBF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN1P110MB0939568CF0E61FF364CD6B7EDCBF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/265FlfgLj9QE6KiS6mYGyv73ah0>

Hi!

I wanted to check in on the progress of addressing this IETF LC feedback.  At IETF 112, we had discussed and agreed that these would be responded to by the week after the meeting (Friday, Nov 19).

Thanks,
Roman

> -----Original Message-----
> From: sacm <sacm-bounces@ietf.org> On Behalf Of Roman Danyliw
> Sent: Thursday, October 21, 2021 10:16 AM
> To: <sacm@ietf.org> <sacm@ietf.org>
> Subject: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid
> 
> Hi!
> 
> Thanks for -19 of draft-ietf-sacm-coswid.  Since the conclusion of IETF LC, I
> reviewed it based on the provided feedback.  I didn't see direct replies to the
> directorate reviews but from cross-walking their feedback against the -18-to-19
> diff, I believe the following are still unresolved/undiscussed.
> 
> (1) Scott Bradner did an OPSDIR review --
> https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-opsdir-lc-bradner-
> 2021-08-07/.  The following feedback does not appear to be discussed or
> resolved:
> 
> > along the same line - it would seem to me that the IANA repository
> > should be at https://www.iana.org/assignments/coswid  (or co_swid) not
> > https://www.iana.org/assignments/swid
> 
> I believe the comment is about the following text in a few places in Section
> 6.2.*:
> 
>    [TO BE REMOVED: This registration should take place at the following
>    location: https://www.iana.org/assignments/swid]
> 
> Earlier in the text in Section 6.2:
> 
> "6.2.  Software Tag Values Registries
> 
>    The following IANA registries provide a mechanism for new values to
>    be added over time to common enumerations used by SWID and CoSWID."
> 
> It would seem that if in fact things should stay in "assignments/swid", there is a
> missing registration procedure item -- nothing can be added if it isn't in the
> SWID specification.  I was under the impression from earlier conversations that we
> wanted to provide flexibility for CoSWID to potentially extend its own data
> model independent of SWID (i.e., there could be data elements in CoSWID that
> were not in SWID).  If so, this suggests that "assignments/coswid" should be
> used instead (as Scott was suggesting).
> 
> (2) Rich Salz did an ARTART review -- https://datatracker.ietf.org/doc/review-
> ietf-sacm-coswid-18-artart-lc-salz-2021-08-02/.  The following feedback does
> not appear to be discussed or resolved:
> 
> > In 2.3, why are there three separate bools for corpus/patch/supplemental as
> > opposed to a single enumeration?
> 
> If this is a design choice, please answer Rich.
> 
> > Can the tag-id be a digest of the source file?
> 
> I think the answer is yes.  It might be worth saying so.
> 
> > What are the implications of it not being unique? That should be listed in the
> > security considerations.
> 
> I see that this new text was added: "Failure to ensure global uniqueness can
> create ambiguity in tag use since the tag-id serves as the global key for
> matching and lookups".  To Rich's point, there are likely security implications to
> this collision.  Please explicitly describe those.
> 
> (3) Robert Sparks did a SECDIR review --
> https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-secdir-lc-sparks-
> 2021-08-11/.  The following feedback does not appear to have been discussed
> or resolved:
> 
> > Consider RFC6648 (BCP 178) where you are reserving "x_" name prefixes for
> > private use.
> 
> Section 4.2 says:
> 
>    The values above are registered in the IANA "Software Tag Entity Role
>    Values" registry defined in Section 6.2.5.  Additional values will
>    likely be registered over time.  Additionally, the index values 128
>    through 255 and the name prefix "x_" have been reserved for private
>    use.
> 
> Section 6.2.5 says:
> 
>                    +=========+=========================+
>                    | Range   | Registration Procedures |
>                    +=========+=========================+
>                    | 0-127   | Standards Action        |
>                    +---------+-------------------------+
>                    | 128-255 | Specification Required  |
>                    +---------+-------------------------+
> 
>                +=======+=================+=================+
>                | Index | Role Name       | Specification   |
>                +=======+=================+=================+
>                | 0     | Reserved        |                 |
>                +-------+-----------------+-----------------+
> ...
>                +-------+-----------------+-----------------+
>                | 7-255 | Unassigned      |                 |
>                +-------+-----------------+-----------------+
> 
> From the Sec 6.2.5 text, it looks like values 128 - 255 could in fact be assigned.
> However, Sec 4.2 says they are reserved for private use.  There may be other cases
> of this.
> 
> Thanks,
> Roman
> 
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
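Added illustration of points (2) above (tag-id derived from a content digest, and what a non-unique tag-id does to a lookup keyed on it). This is example code written for this page, not code from the CoSWID draft, its authors, or any reviewer; the dict layout, the UUIDv5-over-SHA-256 derivation, the sample payloads and the store functions are all assumptions made here and are not the draft's CBOR encoding.

```python
import hashlib
import uuid


def tag_id_from_content(content: bytes) -> str:
    """Derive a tag-id from a digest of the tagged artifact.

    Assumption for this example: the tag-id is a UUID (version 5) computed
    over the SHA-256 hex digest of the file, so identical content always
    yields the same tag-id and different content yields different ones.
    """
    digest = hashlib.sha256(content).hexdigest()
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "swid:sha256:" + digest))


def make_tag(tag_id: str, name: str, version: str) -> dict:
    """Minimal dict stand-in for a CoSWID tag (not the draft's CBOR encoding)."""
    return {"tag-id": tag_id, "software-name": name, "software-version": version}


def register_last_writer_wins(tags: list) -> dict:
    """Naive store keyed on tag-id: a colliding tag silently replaces the first."""
    store = {}
    for tag in tags:
        store[tag["tag-id"]] = tag
    return store


def register_strict(tags: list) -> tuple:
    """Store that refuses to bind one tag-id to two different tags.

    Returns (store, collisions); each collision records the tag already held
    and the tag that tried to reuse its id.
    """
    store = {}
    collisions = []
    for tag in tags:
        held = store.get(tag["tag-id"])
        if held is not None and held != tag:
            collisions.append((held, tag))
            continue
        store[tag["tag-id"]] = tag
    return store, collisions


# Constructed sample artifacts and tags (not real software).
PKG_A = b"example-app release 1.0 payload"
PKG_B = b"example-app release 1.1 payload"

TAG_A = make_tag(tag_id_from_content(PKG_A), "example-app", "1.0")
TAG_B = make_tag(tag_id_from_content(PKG_B), "example-app", "1.1")
# A second tag creator reuses TAG_A's id for unrelated software: the collision case.
TAG_ROGUE = make_tag(TAG_A["tag-id"], "other-tool", "9.9")


def demo() -> dict:
    """Run both stores over the same tags and report what a lookup by TAG_A's id returns."""
    naive = register_last_writer_wins([TAG_A, TAG_B, TAG_ROGUE])
    strict, collisions = register_strict([TAG_A, TAG_B, TAG_ROGUE])
    return {
        "digest_ids_differ": TAG_A["tag-id"] != TAG_B["tag-id"],
        "naive_lookup_name": naive[TAG_A["tag-id"]]["software-name"],
        "strict_lookup_name": strict[TAG_A["tag-id"]]["software-name"],
        "collision_count": len(collisions),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a digest-derived id, the two releases of the sample package get distinct tag-ids without any coordination between tag creators. The rogue tag shows the other half of the point: a store that keys only on tag-id and keeps the last writer will answer a lookup for TAG_A's id with "other-tool", whereas the strict store keeps the first binding and surfaces the collision for the operator to resolve.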