Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document

"Schmidt, Charles M." <cmschmidt@mitre.org> Wed, 18 May 2016 17:38 UTC

From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: Michael Godsey <mgodsey@microsoft.com>, Jerome Athias <athiasjerome@gmail.com>, Tony Rutkowski <tony@yaanatech.com>
Date: Wed, 18 May 2016 17:38:24 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/sacm/EVzRCVUCZsGUIPIgv-rLvuIotCo>
Cc: "sacm@ietf.org" <sacm@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>
Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document

Hi all,

To answer Tony's original question: "Why are we supporting the 2009 version of SWID tags given its known flaws?" - The question of whether to retain support for the 2009 SWID specification was raised at IETF 95 and, within that room, the consensus was to support both versions. The reason was that there are existing 2009 SWID tags deployed today and there was a desire to allow them to be delivered by SWID M&A. If SWID M&A only supported the 2015 SWID version, those older version tags are effectively lost to SACM assessment. Between this and the fact that the same design supports both versions of SWID tags (albeit using a slightly different procedure, which will be better clarified in the next revision), it seemed like there was little point in explicitly excluding collection and delivery of any 2009 tags that might exist.

Regarding Michael's comment about adding a reference to NIST IR 8060 - that sounds like a great idea to me.

Charles

> -----Original Message-----
> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Michael Godsey
> Sent: Wednesday, May 18, 2016 10:23 AM
> To: Jerome Athias <athiasjerome@gmail.com>; Tony Rutkowski
> <tony@yaanatech.com>
> Cc: sacm@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>
> Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as
> a SACM WG document
> 
> The current version of the 19770-2:2015 schema can always be found here
> (note difference from below):
>  http://standards.iso.org/iso/19770/-2/2015-current/schema.xsd
> 
> The schema must be published along with and at the time of the standard,
> thus a "point in time" version is in the 19770/-2/2015/ directory.   The
> previous as-published version is in the 19770/-2/2009 directory structure as
> well.   However, the "up to date" version of the 2015 edition of the standard
> is always at the link above, the 19770/-2/2015-current/ directory.
> 
> RE the NIST IR:
> A few weeks ago NIST hosted a workshop on SWID adoption (which I
> attended, along with other software publishers, some end customers, and
> reps from various US Govt agencies).  We mainly reviewed the final draft
> version (released April 2016)  of NISTIR 8060 – Guidelines for the Creation of
> Interoperable Software Identification (SWID) Tags.
> •	This NIST IR (plus related reference info) can be found on their portal
> at: http://csrc.nist.gov/publications/PubsNISTIRs.html
> •	Or here is a direct link to the NIST IR 8060 itself:
> http://dx.doi.org/10.6028/NIST.IR.8060
> 
> This is a really good reference which includes sections giving an overview of
> SWID Tags, the SWID Tag structure, and some implementation guidance for
> Tag creators.   I think this would be a good reference to include, as it is
> available without any paywall.
> 
> Also in the TagVault board meeting yesterday we discussed the need to
> provide some help/guidance for adoption of SWID tags, similar to the NISTIR
> 8060, which being a US document is not appealing to all countries.   We
> decided to create a reference implementation guide which would come out
> of TagVault and be available to anyone.   I am guessing this should be
> available in maybe 3-4 months.
> 
> 
> -----Original Message-----
> From: Jerome Athias [mailto:athiasjerome@gmail.com]
> Sent: Wednesday, May 18, 2016 7:58 AM
> To: Tony Rutkowski <tony@yaanatech.com>
> Cc: Michael Godsey <mgodsey@microsoft.com>; Karen O'Donoghue
> <odonoghue@isoc.org>; sacm@ietf.org
> Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as
> a SACM WG document
> 
> Maybe a misread and difference between the Specification and the XML
> Schema in 2.1.
> "The SWID specification is available from ISO/IEC at
> http://www.iso.org/iso/catalogue_detail.htm?csnumber=53670.
> The XML schema for a SWID tag file is available from ISO:
> http://standards.iso.org/iso/19770/-2/2009/schema.xsd.
> The most current working and production versions of the XML schema for
> SWID tags can be found in the directory listing
> http://standards.iso.org/iso/19770/-2/.
> The US National Institute of Standards and Technology (NIST) also has
> published guidelines for
>    SWID tag creation, which provide further guidance for those
>    interested in the use and best practices surrounding SWID tags.
>    [NIST-SWID]"
> 
> 
> 
> 
> 
> 2016-05-18 17:29 GMT+03:00 Tony Rutkowski <tony@yaanatech.com>:
> > For those unfamiliar with this topic, there is a fairly good
> > explanation of why the old
> > 2009 version was significantly flawed and revised at:
> > http://tagvault.org/2015/06/11/isoiec-19770-2-revision-moving-to-publication/
> >
> > --tony
> >
> > ps. Still waiting for someone to request ISO to make the specification
> > publicly available without coughing up CHF 178.  It's not that
> > difficult, and has been widely done for important specifications.  It
> > is also generally required for standards that are imposed as normative
> > requirements by government.
> >
> >
> > On 2016-05-17 8:18 PM, Michael Godsey wrote:
> >
> > I echo the concern and question.   If this points to the 2009 version, it
> > needs to be updated.  Not only did we put a ton of work into revising
> > the -2 standard for 2015, but this also obsoletes the 2009 version.
> > As noted the NISTIR 8060 was based entirely on the 19770-2:2015
> > version, leveraging the many changes implemented for better
> > instrumentation and fidelity of tag data, tag relationships, etc.
> >
> >
> >
> > From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Tony Rutkowski
> > Sent: Tuesday, May 17, 2016 2:37 PM
> > To: Karen O'Donoghue <odonoghue@isoc.org>; sacm@ietf.org
> > Subject: Re: [sacm] Call for adoption of
> > draft-coffin-sacm-nea-swid-patnc as a SACM WG document
> >
> >
> >
> > Remind us again why this ID references the 2009 version of ISO/IEC
> > 19770-2, when a 2015, apparently significantly different, version
> > has been adopted and is referenced in the NISTIR 8060 as the basis for
> > implementations?
> >
> > It's interesting that the 2015 version for the GUID data element
> > references 19770-5.  It's great to see it's apparently now publicly
> > available at
> > https://www.iso.org/obp/ui/#iso:std:iso-iec:19770:-5:ed-2:v1:en
> >
> > The version question seems rather significant for progressing the
> > working group document.  Was there some discussion somewhere?
> >
> > --tony
> >
> > On 2016-05-17 12:21 PM, Karen O'Donoghue wrote:
> >
> > Folks,
> >
> >
> >
> > As discussed during our last couple of meetings, this is the official
> > call for adoption of
> > https://datatracker.ietf.org/doc/draft-coffin-sacm-nea-swid-patnc/ as
> > a SACM working group document.
> >
> >
> >
> > Please reply with any comments or concerns along with your support of this
> > action to the mailing list.
> >
> >
> >
> > Thanks,
> >
> > Karen and Adam
> >
> >
> >
> >
> > _______________________________________________
> >
> > sacm mailing list
> >
> > sacm@ietf.org
> >
> > https://www.ietf.org/mailman/listinfo/sacm
> >
> >
> >
> >
> > --
> >
> > ________________________________
> >
> > Anthony Michael Rutkowski
> >
> > EVP, Industry Standards & Regulatory Affairs
> >
> > tony@yaanatech.com
> >
> > +1 703 999 8270
> >
> > ________________________________
> >
> > Yaana Technologies LLC
> >
> > 542 Gibraltar Drive
> >
> > Milpitas CA 95035 USA
> >
> >