Re: [sacm] CoSWiD review

Henk Birkholz <> Mon, 25 March 2019 14:23 UTC

To: Chris Inacio <>, "" <>, "" <>
From: Henk Birkholz <>
Date: Mon, 25 Mar 2019 15:22:51 +0100

Hi Chris,

first of all, thank you for your feedback!

Sitting in secdispatch right now, I'll address the most prominent ones 
(which means there will be a follow-up before the SACM session) in a 
timely fashion.

On 3/25/19 2:35 PM, Chris Inacio wrote:
> General: I’m going to assume that the CDDL has been validated. Is there 
> a method of checking/ensuring that?

The included CDDL data definition in 2.8 is always valid.

> Is the only tool for CDDL still the
> Ruby-based tool from Carsten?

For the moment - yes. This will change in the foreseeable future (I 
cannot speak on behalf of proprietary solutions).

> Section 2.5: Same thing as the unspsc, can we do better than just having 
> a raw URI in the document as reference:

Yes, there has to be an alternate representation to the XML Path 
Language at some point, but this is out-of-scope of this document and 
also in itself a separate gap to be addressed (not only for use in CoSWID).

Hence, it seems like a good approach to accommodate further to-be-expected 
alternate representations in this version of CoSWID already, 
for example... a CBOR/CDDL-based one.

> Section 2.6: Is there a better reference for unspsc, other than having a 
> link in the middle of the document.

This depends on the result. If we break semantic interoperability with 
ISO/IEC 19770-2:2015 or violate the principle of least surprise, the 
answer might be no.
Up to be discussed in the WG, I think :)

> Section 3.2: The roles/values in the table I think should align with the 
> role values defined in the CDDL 2.8.

2.8 at the moment contains the consistent updated version.
The fragments illustrated throughout the document are mostly not 
updated, therefore sometimes incorrect, and have to be aligned. This is an 
open issue that is in the process of being addressed.

> Section 2.3: Still have a TBD for more description.

We have to talk about 2.3 and similar cases. Maybe the best approach is 
to reduce the semantic representation, off-load the burden of those 
(already defined semantics) and "just make this a text type"?
Up to be discussed in the WG, I think :)

> NITs:

Please expect a follow-up reply :)

Kind regards,


> Abstract: “Next to the inherent capability of SWID tags to express 
> arbitrary context information, Concise SWID (CoSWID) tags support the 
> definition of additional semantics via well-defined data definitions 
> incorporated by extension points.”
> I’m not sure I’m okay with that sentence - it makes a lot of assumptions 
> of the reader and their familiarity with SWID, and also, I’m not sure 
> that SWID can represent arbitrary context information. And, please be 
> clear about what context information.
> Section 2.6: Depending on how a software organizations distributes 
> revisions, this
> this value could be specified in a primary (if distributed as an value 
> could be specified
> Organizations -> organization
> Table in section 3.2: Can you change the description to be more 
> “…definition…” [ref] instead of duplicating it as “From [SAM] 
> ”…description…“ ”. The “[ref]” basically means this is from that source. 
> (Chris’ personal style preference here, so up to authors to ignore this.)
> --
> Chris Inacio