[sacm] CoSWID review

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 25 October 2019 15:57 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 25 Oct 2019 11:56:39 -0400
Message-ID: <CAHbuEH7OH_89+e4_BmXJN4LgxzTTQ9MtKF_03XK--a8K4AO11w@mail.gmail.com>
To: "<sacm@ietf.org>" <sacm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/Q8NLEPiPcXoNHM4Z-M-V-Fl-cc0>
Subject: [sacm] CoSWID review

Hello!

Thank you for your extensive work on this document!  If it gains wide
adoption, it could be quite helpful to industry and software security
management.  I support publication of this document and have some comments
and concerns to be addressed.  I did not go through all sections thoroughly
yet, so I may come back with additional comments.

Section 4,
Consider another comma in the first sentence of this text after component:

Software Patching.  When a new patch is applied to the software
         component a new patch tag is provided, supplying details about
         the patch and its dependencies.

Section 2.4:
I see rel(ation) only appears in this section.  I had to poke a bit and see
that (I think) you just mean for rel to expand to relation and rel is used
elsewhere.  Would it be more clear to just define that?  If this is how it
is in SWID, ignore the comment.  I'm just thinking about other
reviewers/readers.  It's defined in 2.7 just as rel.  It's helpful to know
that's short for relation, but if that's all you mean, how about rel
(relation) so it doesn't look like more than it is?

Section 2.6:
A Thumbprint is specified in this section; should this be referenced for
clarity on hashes with COSE for object identification:
https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/
Would it be better to tie to the COSE set of supported algorithms (they
likely match, but I didn't verify)?

Section 5:
It might be helpful to list what is being requested at the start of the
IANA section:
X registries are established with this request, with initial entries for X
registries. Values for Z existing registries are requested.

5.1:
s/This document uses integer/This registry uses integer/

Section 5.2.5:

s/This document defines a new a new a/This document establishes a/

Security Considerations:

I'm wondering why CWT [RFC8392] was not used or recommended for signing. Is
it that the other method fits better within SWIMA?

If CWTs are to be proliferated the way JWTs have been, I suspect it will be
easier for CoSWID to gain traction.  I think it would be good to list use
of a CWT as an option, then registering the claims that one might use for,
let's say, having the CWT be an EAT and be a remote attestation.  I think
adoption may be better if these are tied together and made simple for
regular readers who will likely start to come across CWTs as opposed to
just signing with one or more signers.  I think what you have is good, but
having both as options would be better.

The claims about the signature may vary from the data in the CoSWID, so
this could be potentially useful.

Thank you!
-- 

Best regards,
Kathleen
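
The two signing options discussed in the Security Considerations comment above (wrapping the CoSWID tag directly in a COSE structure, versus carrying it as a claim inside a CWT [RFC 8392]) side by side, as example code added to this page; it is not code from the CoSWID draft, its authors, or the reviewer. Assumptions: a COSE_Mac0 with HMAC-SHA256 stands in for COSE_Sign1 so the example runs with the Python standard library only (RFC 8392 permits MACed CWTs); the CoSWID map indices and the CoSWID CBOR tag number 1398229316 are taken from the published CoSWID specification (RFC 9393) rather than the 2019 draft under review; the CWT claim key -70000 used to embed the CoSWID is a hypothetical private-use value, since no such claim is registered in the text above; the minimal CBOR encoder/decoder, the key and the tag contents are constructed for the example.

```python
"""CoSWID protected two ways: (1) the tag is the COSE payload, (2) the tag
is a claim inside a CWT. HMAC COSE_Mac0 stands in for COSE_Sign1 (assumption,
keeps this stdlib-only). Hand-rolled CBOR below is example code, not a library."""
import hashlib, hmac, struct

class Tag:
    """A CBOR tagged item (major type 6)."""
    def __init__(self, number, value): self.number, self.value = number, value
    def __eq__(self, o): return isinstance(o, Tag) and (self.number, self.value) == (o.number, o.value)

def _head(major, n):  # CBOR initial byte(s) for major type + length/value
    if n < 24: return bytes([(major << 5) | n])
    if n < 0x100: return bytes([(major << 5) | 24, n])
    if n < 0x10000: return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    if n < 0x100000000: return bytes([(major << 5) | 26]) + struct.pack(">I", n)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", n)

def cbor(v):  # deterministic encoder for the subset of CBOR used here
    if isinstance(v, int): return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, str): b = v.encode(); return _head(3, len(b)) + b
    if isinstance(v, list): return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict): return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    if isinstance(v, Tag): return _head(6, v.number) + cbor(v.value)
    raise TypeError(type(v))

def decode(b, i=0):  # returns (value, next_index); definite lengths only
    major, ai = b[i] >> 5, b[i] & 0x1F; i += 1
    if ai < 24: n = ai
    elif ai == 24: n = b[i]; i += 1
    elif ai == 25: n = struct.unpack(">H", b[i:i + 2])[0]; i += 2
    elif ai == 26: n = struct.unpack(">I", b[i:i + 4])[0]; i += 4
    elif ai == 27: n = struct.unpack(">Q", b[i:i + 8])[0]; i += 8
    else: raise ValueError("indefinite length unsupported")
    if major == 0: return n, i
    if major == 1: return -1 - n, i
    if major == 2: return b[i:i + n], i + n
    if major == 3: return b[i:i + n].decode(), i + n
    if major == 4:
        out = []
        for _ in range(n): v, i = decode(b, i); out.append(v)
        return out, i
    if major == 5:
        out = {}
        for _ in range(n): k, i = decode(b, i); v, i = decode(b, i); out[k] = v
        return out, i
    if major == 6: v, i = decode(b, i); return Tag(n, v), i
    raise ValueError("unsupported major type")

COSWID_TAG = 1398229316  # CBOR tag for CoSWID (RFC 9393); map keys below also per RFC 9393 (assumption)
HMAC_256, COSE_MAC0_TAG, CWT_TAG = 5, 17, 61  # COSE alg id and CBOR tag numbers (RFC 8152 / RFC 8392)
CLAIM_COSWID = -70000  # hypothetical private-use CWT claim key (< -65536) for the embedded tag
KEY = b"constructed-example-key-32-bytes"  # constructed 32-byte example key, not a real secret

def coswid_tag():  # constructed sample: 0 tag-id, 1 software-name, 2 entity, 12 tag-version, 13 version
    return {0: "example-agent-1.2.3-tag", 1: "example-agent", 12: 0, 13: "1.2.3",
            2: [{31: "Example Corp", 33: [1, 2]}]}  # 31 entity-name, 33 role (1 tagCreator, 2 softwareCreator)

def mac0(payload: bytes, key: bytes) -> bytes:
    """COSE_Mac0 over payload; MAC_structure = ["MAC0", protected, external_aad, payload]."""
    protected = cbor({1: HMAC_256})  # protected header carries the algorithm
    tag = hmac.new(key, cbor(["MAC0", protected, b"", payload]), hashlib.sha256).digest()
    return cbor(Tag(COSE_MAC0_TAG, [protected, {}, payload, tag]))

def verify_mac0(message: bytes, key: bytes):
    """Return the payload bytes if the COSE_Mac0 verifies, else None."""
    obj, end = decode(message)
    if end != len(message) or not isinstance(obj, Tag) or obj.number != COSE_MAC0_TAG: return None
    if not isinstance(obj.value, list) or len(obj.value) != 4: return None
    protected, _unprotected, payload, tag = obj.value
    if decode(protected)[0] != {1: HMAC_256}: return None  # refuse unexpected algorithms
    expect = hmac.new(key, cbor(["MAC0", protected, b"", payload]), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expect, tag) else None

def direct_protected_coswid(key=KEY) -> bytes:  # option 1: the tagged CoSWID is the COSE payload
    return mac0(cbor(Tag(COSWID_TAG, coswid_tag())), key)

def cwt_with_coswid(key=KEY, iat=1572019000) -> bytes:  # option 2: CoSWID rides as a CWT claim
    claims = {1: "urn:example:tag-signer", 6: iat, CLAIM_COSWID: Tag(COSWID_TAG, coswid_tag())}  # 1 iss, 6 iat
    return _head(6, CWT_TAG) + mac0(cbor(claims), key)

def open_cwt(message: bytes, key=KEY):
    """Strip the CWT tag, verify the inner COSE_Mac0, return the claims map or None."""
    obj, _ = decode(message)
    if not isinstance(obj, Tag) or obj.number != CWT_TAG: return None
    payload = verify_mac0(message[len(_head(6, CWT_TAG)):], key)
    return None if payload is None else decode(payload)[0]

if __name__ == "__main__":
    print("direct:", direct_protected_coswid().hex())
    print("cwt claims:", open_cwt(cwt_with_coswid()))
```

The difference that matters for the reviewer's point is visible in the two constructors: in option 1 the verifier learns only that the CoSWID bytes are intact, while in option 2 the CWT claims set adds issuer and issued-at claims around the tag, so statements about the signer can differ from the data inside the CoSWID. Either path refuses a tampered MAC, a wrong key, or an unexpected algorithm header.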