Re: [sacm] CoSWID review
"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Thu, 21 November 2019 05:02 UTC
Return-Path: <david.waltermire@nist.gov>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7CAE12098B for <sacm@ietfa.amsl.com>; Wed, 20 Nov 2019 21:02:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OFY7_pe8YHNE for <sacm@ietfa.amsl.com>; Wed, 20 Nov 2019 21:02:37 -0800 (PST)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl0gcc02on20727.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d05::727]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07A171209B2 for <sacm@ietf.org>; Wed, 20 Nov 2019 21:02:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SCwwsnhxf7pmkLKdVh7nrFWROztsgt4uFYgfn3I6I0uq8TcgmKRGKGDF+hZZ4nqF2BfhLG/Cv9L/JrTFbF1Q9KxYyVEN4ciUxxhfWQrmPgJJziBH2XdPBNlHbI2JUMXAGa235pP64ROdXLGKmn1rkpSa/bpztsvMtZGI2jgUpKqG9ufXU5e6Xu+uBhgUAxiRQiMGvryywDevwm8NupF7PVIadsI8OZeyI6fH92+oY08do5Flxbk4IMYa+GwG0+siYNvu65bJsnjYZw8LqV4hBOjcHC3pNHiq36gJXw4jsZEVLEkLOGbKEODO7+hMMmiV67U+aApuROu6V2yecwbvkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5NLXR15YMrmL1rNh3fsrE2WEbuMZfY8EtEQz/sj8cyM=; b=JYCNAqa+KZtSUMgve2eis6LE29/dmnJj05aUXUfCjJOUtVGRsxgXlJNazCJDr2iXAsZJguOHwG9t3CtbYmePOrFqNO/T5G6iOHznMhmKngsYe+R7Mj5JCFYggNTSPCENPhn+xWbWhCxqweoVV2yNK2gBri1+hPdvrXnIdIjLNTDCJYaHuvtK/PBtKtEMSwYuTGk6wXbGguMFRIMDXcxLzlqXeYX+BbM4uBfljJdDqk3Scpd1VEiIV+yzvj/nEdtCfPtq/R0TWgXVBtJkZEOujhA+kfEGhsmI3Yxl/OjoLluzi7ebmlF09F384nzZfKXRWkGNVFsjjYbVAdX+Dqng3Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5NLXR15YMrmL1rNh3fsrE2WEbuMZfY8EtEQz/sj8cyM=; b=RdwQB6ObsqneVJSRp2tv+ld/mk2SW6LFcaJTD27KXxQzSjWK4tBbqhFqSBGn1SdbNccZqSHIOcXUrtxELS0Wqq1XpeQ0Zuo0N4AaBbzDhWPFZ2r6nvvxm91pBMHtjTaH4ewpBO0gdCUCDJ5VZkzZTK2O0XsrEUNk2ZzPyT7g+y8=
Received: from BN7PR09MB2819.namprd09.prod.outlook.com (52.135.242.24) by BN7PR09MB2772.namprd09.prod.outlook.com (52.135.242.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.17; Thu, 21 Nov 2019 05:02:35 +0000
Received: from BN7PR09MB2819.namprd09.prod.outlook.com ([fe80::6d13:7512:b4df:e310]) by BN7PR09MB2819.namprd09.prod.outlook.com ([fe80::6d13:7512:b4df:e310%7]) with mapi id 15.20.2474.019; Thu, 21 Nov 2019 05:02:34 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: "Waltermire, David A. (Fed)" <david.waltermire=40nist.gov@dmarc.ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, David Waltermire <davewaltermire@gmail.com>
CC: "<sacm@ietf.org>" <sacm@ietf.org>
Thread-Topic: [sacm] CoSWID review
Thread-Index: AQHVi0zu4YoCNvAGF0yJOMlWNNVbBKePD0jWgAHz1s+AANjK/oADVyJv
Date: Thu, 21 Nov 2019 05:02:34 +0000
Message-ID: <BN7PR09MB2819A0581837DF4583699BB1F04E0@BN7PR09MB2819.namprd09.prod.outlook.com>
References: <CAHbuEH7OH_89+e4_BmXJN4LgxzTTQ9MtKF_03XK--a8K4AO11w@mail.gmail.com> <lejxf9f4owwm819gnwiwhlo0.1573973274271@email.android.com> <CAHcK3jMef-SK+AH4RC+EQs1LQ6wZCDAPGLCxqUyE+MFn=n-H+g@mail.gmail.com> <CAHbuEH75-jbPTqprpzjOdhRTVjtBcKy4+M6gW=zEog140ZEw5Q@mail.gmail.com>, <CAHbuEH6SjQRriP-2Sr4k12_hRk88VR3vpTsSW7phqEdKCJoRqg@mail.gmail.com>, <BN7PR09MB28192E2474958DA879EC1CDFF04C0@BN7PR09MB2819.namprd09.prod.outlook.com>
In-Reply-To: <BN7PR09MB28192E2474958DA879EC1CDFF04C0@BN7PR09MB2819.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=david.waltermire@nist.gov;
x-originating-ip: [129.6.223.126]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 0b5f2986-8c88-41d7-b870-08d76e40059a
x-ms-traffictypediagnostic: BN7PR09MB2772:|BN7PR09MB2772:
x-ms-exchange-purlcount: 1
x-ld-processed: 2ab5d82f-d8fa-4797-a93e-054655c61dec,ExtAddr
x-microsoft-antispam-prvs: <BN7PR09MB2772AF18AAE51B1E0EB47C6EF04E0@BN7PR09MB2772.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:1265;
x-forefront-prvs: 0228DDDDD7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(376002)(136003)(39850400004)(366004)(189003)(199004)(186003)(71190400001)(14444005)(256004)(478600001)(3846002)(33656002)(966005)(7696005)(66476007)(66556008)(66446008)(64756008)(486006)(66946007)(316002)(2906002)(54896002)(8936002)(76116006)(91956017)(6306002)(110136005)(4326008)(8676002)(14454004)(6436002)(74316002)(9686003)(236005)(76176011)(19627405001)(81156014)(6116002)(81166006)(86362001)(52536014)(6506007)(55016002)(99286004)(606006)(26005)(5660300002)(105004)(446003)(66066001)(6246003)(229853002)(11346002)(25786009)(53546011)(102836004)(476003)(71200400001)(7736002)(482324003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN7PR09MB2772; H:BN7PR09MB2819.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BcH7tbVb/dLDyPDyqZ5FzevVwyK650hJgSDjbN2fvUy00DSIdEB7mUUbFNE33BH5VcUKRfUlDIjjyrAzswRjL7Votv1+XQL/Me5v/I5izrwKJIojXTQM6HATw2R/pPTA1t69cwpgHqArx822DowcT7i9cjO3JzTTvXKy6hzZMRmR0/2WzeMw2MjpecS+eTaxkkI/ERMXhKo8/rcPYD9X5ECSmkjFSKqmJXzpT9pZQakOfizN1EPf5Qz6U7NazY2wk0F/dNOU05lHv68xy5V8fEgFbXrFu/9KEVRYllVjPv+1z0RLRQntTfgZPPBW+640pjjDuwMAoejneKWXe3TCH0kfoS06xmVJ+L1QfJHTbtLFUlYry9qTJwmWqx691ybA6muPUbhEVhz2zgoeWMrUTwz4q1FzklAUernpoOyH6/l+7ijQe/3GRUF9AyJAxExeIVxhgA7CJD2qErowoj5zvAspsfNB2jeysmO76Dpms/s=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN7PR09MB2819A0581837DF4583699BB1F04E0BN7PR09MB2819namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 0b5f2986-8c88-41d7-b870-08d76e40059a
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Nov 2019 05:02:34.5053 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: laYlK5DNA4YU88YhRNVrjnnUcVq/uK630nXnJ/S73vUyheeMFRwf6HcNAPywvXn9iOor7U37lkZdVeFZNV8YYA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR09MB2772
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/SoIJRWM37uFJJreaFmFJm5rWs14>
Subject: Re: [sacm] CoSWID review
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 05:02:41 -0000
I have been thinking about the two registry options for hash algorithms. 1. IANA "Named Information Hash Algorithm Registry" 2. IANA COSE Algorithms Registry + draft-ietf-cose-hash-algs<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-cose-hash-algs%2F&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C97462d06d07641efcd7208d76c9102a3%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637097242385976328&sdata=USzaQ8fPYRxwEBSbHTR9as83iQiFxcuw1XRqAZiudLo%3D&reserved=0> The Named Information Hash Algorithm Registry provides a hash-specific set of identifiers that can be used across ISO SWID and IETF CoSWID. This is the original reason we choose this registry, since it has always been our goal to keep as much parity as possible between SWID and CoSWID. This choice was made in draft-birkholz-sacm-coswid-01 back in January 2017. The COSE Algorithms registry contains other types of algorithms beyond hash algorithms. After talking with Jim Schaad, it doesn't look like there will be a clear-cut way to point to only the hash algorithms in this registry. This leaves implementers to decide what is a hash algorithm and also makes CoSWID dependent on the publication of draft-ietf-cose-hash-algs<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-cose-hash-algs%2F&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C97462d06d07641efcd7208d76c9102a3%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637097242385976328&sdata=USzaQ8fPYRxwEBSbHTR9as83iQiFxcuw1XRqAZiudLo%3D&reserved=0>. For these reasons, I'd like to stick with using the Named Information Hash Algorithm Registry. Kathleen, is this something you can live with? Regards, Dave ________________________________ From: sacm <sacm-bounces@ietf.org> on behalf of Waltermire, David A. (Fed) <david.waltermire=40nist.gov@dmarc.ietf.org> Sent: Monday, November 18, 2019 8:36 PM To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; David Waltermire <davewaltermire@gmail.com> Cc: <sacm@ietf.org> <sacm@ietf.org> Subject: Re: [sacm] CoSWID review Not sure if Jim is here this week. I will email him to see what he says. Thanks, Dave ________________________________ From: sacm <sacm-bounces@ietf.org> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sent: Monday, November 18, 2019 7:35 AM To: David Waltermire <davewaltermire@gmail.com> Cc: <sacm@ietf.org> <sacm@ietf.org> Subject: Re: [sacm] CoSWID review On Sun, Nov 17, 2019 at 6:45 AM Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote: Hi Dave, On Sun, Nov 17, 2019 at 3:02 AM Dave Waltermire <davewaltermire@gmail.com<mailto:davewaltermire@gmail.com>> wrote: Kathleen, Thank you for the review. I have addressed your comments in the latest draft. Some comments on your comments are inline below. From: sacm <sacm-bounces@ietf.org<mailto:sacm-bounces@ietf.org>> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> Date: Fri, October 25, 2019 11:57 PM +0800 To: "<sacm@ietf.org<mailto:sacm@ietf.org>>" <sacm@ietf.org<mailto:sacm@ietf.org>> Subject: [sacm] CoSWID review Hello! Thank you for your extensive work on this document! If it gains wide adoption, it could be quite helpful to industry and software security management. I support publication of this document and have some comments and concerns to be addressed. I did not go through all sections thoroughly yet, so I may come back with additional comments. Section 4, Consider another comma in the first sentence of this text after component: Software Patching. When a new patch is applied to the software component a new patch tag is provided, supplying details about the patch and its dependencies. I reworded this as follows: A new patch tag is provided, when a patch is applied to the software component, supplying details about the patch and its dependencies. I think the comma placement is better this way. Thanks. Section 2.4: I see rel(ation) only appears in this section. I had to poke a bit and see that (I think) you just mean for rel to expand to relation and rel is used elsewhere. Would it be more clear to just define that? If this is how it is in SWID, ignore the comment. I'm just thinking about other reviewers/readers. It's defined in 2.7 just as rel. It's helpful to know that's short for relation, but if that's all you mean, how about rel (relation) so it doesn't look like more than it is? I changed the reference to just "rel". I agree this is more consistent to how other data elements are referenced. Great, thanks! Section 2.6: A Thumbprint is specified in this section, should this be referenced for clarity on hashes with COSE for object identification: https://datatracker.ietf.org/doc/draft-ietf-cose-hash-algs/<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-cose-hash-algs%2F&data=02%7C01%7Cdavid.waltermire%40nist.gov%7C97462d06d07641efcd7208d76c9102a3%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637097242385976328&sdata=USzaQ8fPYRxwEBSbHTR9as83iQiFxcuw1XRqAZiudLo%3D&reserved=0> Would it be better to tie to the COSE set of supported algorithms (they likely match, but I didn't verify)? The IANA COSE Algorithms registry contains other types of algorithms beyond hash algorithms. To use this registry, we would need to list the hash-specific algorithms, which is less ideal. Its a shame this registry isn't broken out by algorithm type, which would make this decision easy. With the IANA "Named Information Hash Algorithm Registry", we get only hash algorithms, which is what we are looking for. Can you live with use of the IANA "Named Information Hash Algorithm Registry"? COSE is open as is their main draft. This is a problem that can likely be solved this week... Talk to Jim. Let me and the list know what's possible. Section 5: It might be helpful to list what is being requested at the start of the IANA section X registries are established with this request with initial entries for X registries. Values for Z existing registries are requested. Done. Thanks. 5.1: s/This document uses integer/This registry uses integer/ Fixed. Section 5.2.5: s/This document defines a new a new a/This document establishes a/ Fixed a bunch of cases that matched this pattern. Thanks for catching this. Just trying to head off issues at the later review stages :-) . And they were all super minor and may have gone through unnoticed. Security Considerations: I'm wondering why CWT [RFC8392] was not used or recommended for signing. Is it that the other method fits better within SWIMA? COSE was chosen for CoSWID, since it is parallel to the use of XMLDSig..for SWID tags. We could consider CWTs, but this would require a bunch of additional work, and we are fairly close to shipping this draft to the IESG. Maybe a better option might be to write a second draft discussing the use of CWTs with CoSWID? This would allow this draft to move forward, while CWT use is defined. Would you be interested in working on this draft? Yes, I am interested, with coauthors. Are you offering? If CWTs are to be proliferated the way JWTs have been, I suspect it will be easier for CoSWID to gain traction. I think it would be good to list use of a CWT as an option, then registering the claims that one might use for let's say having the CWT be an EAT and be a remote attestation. I think adoption may be better if these are tied together and made simple for regular readers who will likely start to come across CWTs as opposed to just signing with one or more signers. I think what you have us good, but having both as options would be better. Both options would also create the need for some signature verifiers to support both options. This is something that should be discussed at greater length, as it could also create potential interoperability issues. I am not against both options, but we should talk to potential implementors about what they want. This is maybe more reason to do this work in a separate draft to allow for some time to work out these details.. OK, great point on interoperability. My hunch is that since CWTs are in EATs, there is code and there is an established pattern of use that this would be more likely to be supported (more widely). It may be good to pull this all out as not to create confusion as if it is int he base draft, this will be seen as necessary as opposed to a choice and as you note, will create confusion. The claims about the signature may vary from the data in the CoSWID, so this could be potentially useful. Right and minimal claims are possible too. Thanks, Kathleen True. Thank you! -- Best regards, Kathleen -- Best regards, Kathleen -- Best regards, Kathleen
- [sacm] CoSWID review Kathleen Moriarty
- Re: [sacm] CoSWID review Kathleen Moriarty
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)
- [sacm] Fw: CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] [COSE] CoSWID review Waltermire, David A. (Fed)
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] [COSE] CoSWID review Michael Richardson
- Re: [sacm] [COSE] CoSWID review Jim Schaad
- Re: [sacm] CoSWID review Waltermire, David A. (Fed)