IETF Logo Mail Archive

Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc

"Schmidt, Charles M." <cmschmidt@mitre.org> Fri, 04 August 2017 14:10 UTC

Return-Path: <cmschmidt@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCA7A13233A for <sacm@ietfa.amsl.com>; Fri, 4 Aug 2017 07:10:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oW69DIfnFMiW for <sacm@ietfa.amsl.com>; Fri, 4 Aug 2017 07:10:03 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 2E1DA132326 for <sacm@ietf.org>; Fri, 4 Aug 2017 07:10:03 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 5A5096C036E; Fri, 4 Aug 2017 10:10:02 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (imshyb01.mitre.org [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 49CB96C0315; Fri, 4 Aug 2017 10:10:02 -0400 (EDT)
Received: from imshyb02.MITRE.ORG (129.83.29.3) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 4 Aug 2017 10:10:02 -0400
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Fri, 4 Aug 2017 10:10:01 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=hsCO7tWvv1ZrQBJdJFUzWZDKZR3p3XKnnxykoWP+SYA=; b=sfFy4Xke0QTnw5AM3EBNyuxff9OBuWNWTcGnEldQd2NWqTb3JW80sXYfke0ec3UOegRMVqGl+NyoCOhENrKN7izUOUA3zxUgh0c50D6yIC2nWulojTFniAK4Q5LrreaLsXM+c5fATv1BuGkiufIjvialCBYwAJSiRx4pI2vML7Q=
Received: from BN6PR09MB1186.namprd09.prod.outlook.com (10.172.17.144) by BN6PR09MB1186.namprd09.prod.outlook.com (10.172.17.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1304.22; Fri, 4 Aug 2017 14:09:55 +0000
Received: from BN6PR09MB1186.namprd09.prod.outlook.com ([10.172.17.144]) by BN6PR09MB1186.namprd09.prod.outlook.com ([10.172.17.144]) with mapi id 15.01.1304.025; Fri, 4 Aug 2017 14:09:55 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: Adam Montville <adam.w.montville@gmail.com>, Karen O'Donoghue <odonoghue@isoc.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc
Thread-Index: AQHTDRHMK7iMuJXSJEi0GWGKglgzCaJ0L2Rg
Date: Fri, 04 Aug 2017 14:09:55 +0000
Message-ID: <BN6PR09MB1186705A6A6FBFF5A55C6580ABB60@BN6PR09MB1186.namprd09.prod.outlook.com>
References: <E40D1FEF-2408-4508-AEBC-AC3052D3AAD3@isoc.org> <CACknUNWFVWBaDuKs_sVpHU7m3jg_WmMrB3-CJy6HCJwj6AhLyQ@mail.gmail.com> <BN6PR09MB118639CCEE0BDF2ADE51838BABB10@BN6PR09MB1186.namprd09.prod.outlook.com> <CACknUNXVeheegfdr8yesXoTL35Mf4ACpCfi1hwmM+maSo8ckJw@mail.gmail.com>
In-Reply-To: <CACknUNXVeheegfdr8yesXoTL35Mf4ACpCfi1hwmM+maSo8ckJw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.160.51.86]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR09MB1186; 6:MyoSOovPorxj7QzXAW6EnGTKm03eZnFtUn3chY0IGekbltsA012V3M7gCnoM0ULEhvP/zc7kYWYqlz9vbFnZrocAKUjWMsq79/UuEnswHR4dsdzR3qyHTEziyparEzYgKOAMiDgmshwPj8PDEO8L7dBpPxtE7SYXvacljz+yVIZyuzH10vz3fLFOKwZY13HyRjnXrx1Dr4Qow2K0olztYQpZ7YLIjs9xp1wlkdAE9uglPFnnyLcCpsMsXZcl73WV8X/YLabKeC7qMRqhdUT9NGwQE5/8483jZzaDbAfZKyauWmai8At9zqKaP+E4lmq+CCtso1FNI0rhIHrdxiSkbA==; 5:Cd94XZkimmAI2KrKWn0nHLQg7Gub6Yn0yOa8F8E5e5Gj7OBZE8TQo3h9j61iXVjKDOc3e+mdAOW6ZSc/90DDH8/a5hoba9OWqtE5wQkFGQ4FhWWmlYJyXEZUNClqAeR3SLqy2lmEL/HUrWw4ograuQ==; 24:zmIB+W68vatByHccb3J4AhUg7M/pcHfgI69WGkr+BUFTXQGmrw5y8E12zHwSmb38/5fSYQcIdeUx5jyvDCjk+BKu1Xxh0uE6EuvyL1qEZ9E=; 7:8uZi/qhRuUuQVk3rn8qjwJfLFcIn292ZuXX0rnIMcNQGchcPzfzQttcxHQCxdIE0u7UxTMoUQ3zBFz72sMxNOcaa3Z6Ps9J7oZwVsqPH060Y/9vRUCD+9l5Z2HCNhWrSs0sdd1CYI4nFnePMLSqS9hSlzt7BkNbZ2MMd+NAFwN7SOZXUBIpdrbBiXRkDk8YJKBSX39tc83k5nbM/aVUbr99ZBMxPg+U9NTgElSNP0KM=
x-ms-office365-filtering-correlation-id: 2619f474-fe36-4ecc-7dd4-08d4db427b78
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(48565401081)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN6PR09MB1186;
x-ms-traffictypediagnostic: BN6PR09MB1186:
x-exchange-antispam-report-test: UriScan:;
x-microsoft-antispam-prvs: <BN6PR09MB118643CDB62BB5ABF1CD302CABB60@BN6PR09MB1186.namprd09.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(100000703101)(100105400095)(93006095)(93001095)(6055026)(6041248)(20161123558100)(20161123562025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123555025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN6PR09MB1186; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN6PR09MB1186;
x-forefront-prvs: 0389EDA07F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(39450400003)(39840400002)(39400400002)(39410400002)(39850400002)(35754003)(51444003)(199003)(57704003)(189002)(229853002)(2900100001)(6246003)(25786009)(86362001)(2950100002)(38730400002)(101416001)(2906002)(77096006)(97736004)(81166006)(81156014)(7696004)(105586002)(106356001)(8676002)(8936002)(9686003)(5660300001)(39060400002)(6436002)(230783001)(99286003)(55016002)(2501003)(66066001)(8666007)(189998001)(93886004)(53936002)(305945005)(33656002)(68736007)(6506006)(74316002)(50986999)(54356999)(14454004)(478600001)(7736002)(76176999)(6116002)(3280700002)(3660700001)(3846002)(102836003); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR09MB1186; H:BN6PR09MB1186.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2017 14:09:55.0494 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR09MB1186
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/KU6P8Lcbyuk1F5gr1sJHVWPxJM8>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 14:10:06 -0000

Hi Adam,

Sounds like we are mostly aligned. I've trimmed the points where it looks like we are on the same page and responded inline to the others.

> 	> On Page 15 the draft states "All SW-PCs MUST at least be able to
> generate
> 	> Software Identifiers for the data model types specified in Section 6
> of this
> 	> document." Section 6 describes data models for SWID 2009 and
> SWID 2015,
> 	> but nothing else. Is this really what we desire? What about Linux
> distribution
> 	> package managers?
> 
> 	Adding on to Stephen's comments, I'll note that we intend SWIMA to
> be extensible. If someone wished to report RPM records or other types of
> packages, they are welcome to do so. The just need to define an
> authoritative way of deriving a Software Identifier from the record.
> However, I don't think we want to *require* support for such packages in all
> SW-PCs.
> 
> [AWM] I was looking at this a bit differently, I think. If there is a collector
> capable of expressing RPM packages, as an example, and they want to
> extend this to shuttle that information over PT-TLS, then would they need to
> also collect 2009 and 2015 SWIDs? It seems contrary to the point of having
> posture brokers. Maybe I'm missing something.

<CMS>
I think that this stems from confusion about what "MTI" means for records in SWIMA. SWIMA never requires that any given type of record be collected from an endpoint. An endpoint might have hundreds of SWID tags on it, but a compliant SWIMA specification might never touch them and instead choose to gather some other indicator of software installation. (For example, a SWIMA implementation might feel that RPM records are likely to be more complete and accurate than any SWID tags that might get installed across the endpoint.) The SWIMA specification is explicit that it only requires collection to be done in an internally consistent manner (i.e., it cannot use one source in one report and ignore that source in a subsequent report) but it never requires the use of any specific source of information. In short, a SWIMA implementation can make use of whatever information is available in whatever way it chooses, provided that it uses those sources consistently.

All the MTI requirement means is that every compliant SWIMA-PC MUST know how to take any 2009 or 2015 SWID tag it does collect (*if* it collects any at all) and deterministically derive a standard Software Identifier from that record. The issue this tries to address is that we would need a one-to-one mapping between information records describing software and the Software Identifier that is the shorthand for the described software. Unfortunately, there are lots of ways to do such a mapping, so there could be variation across implementations as to how a given piece of software is represented by a Software Identifier. By making 2009 and 2015 SWID tags MTI, all we are doing is ensuring that every SWIMA implementation will have the same one-to-one mapping between a given tag and its Software Identifier. This means that, at least for SWID tags, two collectors (from different vendors) will use the same Software Identifier for the same SWID tag, and thus those Identifiers can be directly compared.

This might get at your "redundancy" comment too - if MTI meant "required collection", then yes, requiring both types of tags be collected could be redundant. However, that is not the requirement. All the MTI statement requires is that SWIMA implementations are universally consistent in their mapping of 2009 and 2015 SWID tags to Software Identifiers. I don't think that is redundant - it is just better covering the bases.

> 	> What about discovered software outside typical
> 	> installation patterns?
> 
> 	As Andreas notes, such software can still be represented using SWID
> tags. They could also be represented using other record formats, as I note
> above.
> 
> [AWM] Do we need to mention how? If so, is this the right place to do that?

<CMS>
If you are talking about "how to convert to a SWID tag", I think that is beyond the scope of SWIMA. (Maybe if SACM decides someday to endorse SWID tags as the official record format for software information, that might be reasonable, but for now I think it would be premature.)

If you are talking about how to represent records other than SWID tags within SWIMA messages, I'm not sure that is necessary because the specification itself is completely generic. We just talk about records and Software Identifiers.  

> 	> And, does it make sense, in a brokered architecture like
> 	> NEA, to require redundant capabilities in the anticipated myriad
> collectors?
> 
> 	Not sure how this is "redundant". The group agreed that 2009 SWID
> tags should be supported for legacy reasons, while 2015 tags should be
> supported for future compliance. In general, SWIMA has virtually no control
> over the nature of the records on the endpoint - they might be SWID 2009,
> SWID 2015, something completely different, or a combination thereof.
> SWIMA is concerned with collection and conveyance of available information.
> Normalization of that information into one preferred record format is
> beyond the scope of SWIMA. (Deliberately so, since our early conversations
> on SWIMA involved a lot of holy wars about preferred record formats, none
> of which appear to "dominate" are target environment today.) Maybe SACM
> will eventually get behind a single format, and when they do SWIMA will be
> ready and able to convey it. Until then, SWIMA's goal is to support collection
> and conveyance of whatever software records might be available.
> 
> [AWM] Maybe I should ask this way. Is the expectation that RPM package
> management collectors, for example, would require a separate specification
> for shuttling over PT-TLS, or that they would extend this draft? If a separate
> specification, then I retract my comments, because then SWID data models
> aren't necessary. If an extension of this draft, then my comment remains.

<CMS>
See my earlier comment about redundancy - if this is related to concerns about require collection of records, SWIMA never imposes such a requirement. 

To answer your question, no - ideally we would hope that those collectors would not use a separate PA-TNC binding. In fact, no extension of this draft is necessary for RPM package manifests to be used directly in SWIMA. Any representation of installed software can be directly conveyed by SWIMA. Of course, if that representation hasn't been standardized in the IANA table, then two different vendors might identify that data model differently and use a different algorithm to derive Software Identifiers from those records, making direct comparison between their findings more challenging, but at least within that vendor's product space there would be no problem. (The advantage of the IANA table entries, is that the data model type identifier of the record will be the same across all implementations and the algorithm to derive the Software Identifier will be the same, allowing any such records to be directly compared across vendor boundaries.) 

So, in the current draft, any vendor could declare that an RPM manifest entry was a utilized Data Model Type, create a way to create a Software Identifier from each manifest entry, and start sending those to a consumer via SWIMA with no extensions necessary. Of course, vendor 2 might do the same thing, but would use a different type identifier and Software Identifier algorithm. In either case, however, the information is collected and delivered.

Does this address your questions?

Thanks,
Charles

v2.23.0 | Report a Bug | By Email