Re: [sacm] WGLC for draft-ietf-sacm-coswid

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Thu, 25 July 2019 14:51 UTC

From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: Carsten Bormann <cabo@tzi.org>, Karen O'donoghue <odonoghue@isoc.org>
CC: "sacm@ietf.org" <sacm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/cRhQU4MFR7uq4s9g7uwDllcOlgU>

Carsten,


Thanks for the feedback. I have addressed your comments in -12. My responses are below marked [daw:].

Regards,
Dave

________________________________
From: sacm <sacm-bounces@ietf.org> on behalf of Carsten Bormann <cabo@tzi.org>
Sent: Friday, July 5, 2019 6:21 AM
To: Karen O'donoghue <odonoghue@isoc.org>
Cc: sacm@ietf.org <sacm@ietf.org>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-coswid

Nice piece of work.
While I didn’t have time to fully check the whole I-D, I skimmed it, and came up with the following.  I’ll also send a few editorial comments to the authors.

Grüße, Carsten

# Major

The term "private use" is used repeatedly but not explained.
Is this meant for random software authors to dump random information
into their coswid tags?  Are there any usage guidelines?  This sounds
like an X-Dash problem waiting to happen (please see RFC 6648).

[daw:  I reworked the IANA section for registered CoSWID values, providing guidelines on private use and for designated experts. Please let me know if the new text is satisfactory.]

The document qualifies some values as 8-bit, 16-bit etc.  That is
unnecessary.  Any value ranges that are important should be given, and
they need to be consistent (version-scheme cannot be both 8-bit and
have a private use range of 32768-65535).  If a value range is
important, it should also be visible in the CDDL.

[daw: References to 8-bit, 16-bit etc. have been removed.]

The way URIs are used is trampling on the URI scheme space (coswid:,
swidpath:).  Maybe not much can be salvaged there, but shouldn't these
be registered?

[daw: I added registrations for swid and swidpath.]

# Minor

[SEMVER] -- is this really needed as a normative reference?
Please also compare draft-verdt-netmod-yang-semver

[daw:  The draft draft-verdt-netmod-yang-semver is way too YANG module specific for use here. I don't know of another stable reference for SEMVER. I believe the current SEMVER specification reference is stable. It was at least stable enough for ISO/IEC SC7 to reference it in 19770-2:2015.]

Similarly, [SWID-GUIDANCE] is not a great source for a normative
reference.  AFAICS, this is used to define
"primary/patch/corpus/supplemental".  Can this be drawn out of the
original [SWID]?

[daw:  No. [SWID-GUIDANCE] clarified the operational roles of primary/patch/corpus/supplemental. It is referenced in CoSWID as an informative reference to identify the source of the paraphrased text in section 1.1. Since it is not being used in a normative way, I don't see any action to take here.]

I don't think you have a fragment identifier scheme, even though the
media type registration is written for one (with a dangling internal
reference).  Since this is a +cbor media type, any fragment identifier
scheme would also have to include any defined for CBOR itself (none so
far), but beyond that RFC 7049 gives you freedom.  Do you want to use
those fragment identifiers?  If no, please update the fragment
identifier scheme text in the media type registration to no longer
point to it.

[daw:  We are good with following along with whatever fragment identifier scheme gets defined for "+cbor". I see no reason to make an adjustment as a result.]

Is there a point in carrying around GUIDs in text form?  Text (in RFC
4122 form) is 36 bytes, binary is 16.

[daw:  I added a 16 byte binary string option to avoid this.]


> On Jun 27, 2019, at 22:36, Karen O'Donoghue <odonoghue@isoc.org> wrote:
>
> Folks,
>
> As discussed at our virtual interim on Tuesday, this begins a three week working group last call for:
>
> Concise Software Identification Tags
> https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/
>
> Please reply to this email thread with an indication that you have read the document, any comments you may have, and your assessment of whether or not it is ready to proceed to publication.
>
> DEADLINE: Please reply by Friday 19 July 2019.
>
> Thanks!
> Karen and Chris

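The GUID size point raised in the review (36 bytes as RFC 4122 text, 16 as binary) can be checked at the CBOR level. The following is an added example, not part of the e-mail or of the draft: it assumes a consumer that must accept a GUID in either form, as the [daw:] reply describes, and normalizes both so that tags match when inventories are compared. The function names and the sample GUID are constructed for illustration and do not reproduce the CoSWID CDDL.

```python
import uuid

# Constructed sample GUID, not taken from any real tag.
SAMPLE = uuid.UUID("12345678-1234-5678-1234-567812345678")

def cbor_head(major: int, length: int) -> bytes:
    """Encode the head of a definite-length CBOR string (RFC 7049)."""
    if length < 24:
        return bytes([(major << 5) | length])
    if length < 256:
        return bytes([(major << 5) | 24, length])
    raise ValueError("longer strings are not needed for a GUID")

def encode_guid_text(u: uuid.UUID) -> bytes:
    s = str(u).encode("ascii")            # RFC 4122 text form, 36 characters
    return cbor_head(3, len(s)) + s       # major type 3: text string

def encode_guid_binary(u: uuid.UUID) -> bytes:
    return cbor_head(2, 16) + u.bytes     # major type 2: byte string

def decode_guid(item: bytes) -> uuid.UUID:
    """Accept either encoding and return one canonical value for comparison."""
    if not item:
        raise ValueError("empty item")
    major, info = item[0] >> 5, item[0] & 0x1F
    if info < 24:
        length, body = info, item[1:]
    elif info == 24 and len(item) >= 2:
        length, body = item[1], item[2:]
    else:
        raise ValueError("unsupported CBOR head")
    if len(body) != length:
        raise ValueError("truncated or trailing data")
    if major == 2 and length == 16:
        return uuid.UUID(bytes=body)
    if major == 3 and length == 36:
        return uuid.UUID(body.decode("ascii"))   # case-insensitive parse
    raise ValueError("not a GUID in text or 16-byte binary form")

if __name__ == "__main__":
    for name, enc in (("text", encode_guid_text), ("binary", encode_guid_binary)):
        data = enc(SAMPLE)
        print(f"{name:6} {len(data):2} bytes  {data.hex()}")
```

Comparing the raw encoded bytes of the two forms would treat the same GUID as two different identifiers; comparing the decoded `uuid.UUID` values does not.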