Re: [sacm] AD Review of draft-ietf-sacm-coswid-15

Carsten Bormann <cabo@tzi.org> Wed, 17 February 2021 23:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/Tanq_rBu1YFwLaVkorrUxCfqKks>

On 17. Feb 2021, at 23:45, David Kemp <dk190a@gmail.com> wrote:
> 
> I believe CoSWID should use RFC 7049 Tag 1 (POSIX Time), with or without the tag, defined as seconds since the epoch.  POSIX time is both more compact and more computationally pure than strings and their myriad formats and leap second hacks.

I agree.  The only shortcoming of tag 1 is that it can’t express software release dates that fall on leap seconds.
Seriously, don’t do that then :-) [1]

> CoSWID is a newer document than SWID and should have the flexibility to represent date-time, regardless of whether the current version of SWID is restricted to date only.  Use cases should drive requirements, and it seems plausible that software identifiers could be issued more than once per day.  And if restriction to date resolution is desired by policy, it should be expressed as policy rather than hard-coded into the underlying data format.

Yes.  I was confused by the references to xs:date, which (according to the SWID schema) really should have been to xs:dateTime, which (with the above limitation) is an exact match.

Greetings, Carsten

[1]: http://www.catb.org/~esr/jargon/html/D/Don-t-do-that-then-.html
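
Added example (not part of the original message or of the CoSWID draft): a Python sketch that hand-encodes an xs:dateTime value as CBOR tag 1 integer seconds and, for comparison, as an RFC 7049 tag 0 text string, showing the size difference and the leap-second limitation discussed in this thread. The function names and sample timestamps are constructed for illustration, and only whole seconds from 1970 onward are handled.

```python
import struct
from datetime import datetime

def cbor_head(major: int, value: int) -> bytes:
    """Encode a CBOR initial byte plus unsigned argument in shortest form."""
    if value < 24:
        return bytes([major << 5 | value])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if value < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | info]) + struct.pack(fmt, value)
    raise ValueError("argument too large for a CBOR head")

def tag1_from_xs_datetime(text: str) -> bytes:
    """xs:dateTime with 'Z' or a numeric offset -> tag 1 (epoch seconds)."""
    # datetime rejects a seconds field of 60, so a leap second raises ValueError.
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("a timezone is needed to map onto the epoch")
    if dt.microsecond:
        raise ValueError("fractional seconds are not handled in this sketch")
    seconds = int(dt.timestamp())
    if seconds < 0:
        raise ValueError("pre-1970 values are not handled in this sketch")
    return cbor_head(6, 1) + cbor_head(0, seconds)   # tag(1), then uint

def tag0_from_xs_datetime(text: str) -> bytes:
    """Same value kept as a string: tag 0 wrapping a UTF-8 text string."""
    raw = text.encode("utf-8")
    return cbor_head(6, 0) + cbor_head(3, len(raw)) + raw

def is_representable(text: str) -> bool:
    """True if the xs:dateTime value can be carried in tag 1."""
    try:
        tag1_from_xs_datetime(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample values, not taken from any real CoSWID tag.
    for sample in ("2021-02-17T23:22:00Z", "2021-02-18T00:22:00+01:00"):
        print(sample, tag1_from_xs_datetime(sample).hex(),
              len(tag0_from_xs_datetime(sample)), "bytes as tag 0")
    print("leap second representable:", is_representable("2016-12-31T23:59:60Z"))
```

The two sample strings name the same instant in different offsets and produce identical tag 1 bytes, which is the normalization a string format does not give a consumer for free.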