[sacm] SWIMA and Data Models
"Schmidt, Charles M." <cmschmidt@mitre.org> Wed, 18 January 2017 18:24 UTC
Return-Path: <cmschmidt@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11621129553 for <sacm@ietfa.amsl.com>; Wed, 18 Jan 2017 10:24:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.399
X-Spam-Level:
X-Spam-Status: No, score=-7.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tzSBjxM6v74D for <sacm@ietfa.amsl.com>; Wed, 18 Jan 2017 10:24:32 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 6CB5812954F for <sacm@ietf.org>; Wed, 18 Jan 2017 10:24:32 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 94C436DCBCA for <sacm@ietf.org>; Wed, 18 Jan 2017 13:24:31 -0500 (EST)
Received: from imshyb01.MITRE.ORG (imshyb01.mitre.org [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 878456DCBC8 for <sacm@ietf.org>; Wed, 18 Jan 2017 13:24:31 -0500 (EST)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 18 Jan 2017 13:24:30 -0500
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Wed, 18 Jan 2017 13:24:30 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=HCM4LJ7eQ59CHdIlZ1fBwTn7QPEXv+6Z33NhHFwVcxk=; b=g5qouSB5k6QzjzDhGm2Ha8KHlP3P/Y8wpzXX7ThV2jNse1HGrVgsB4kSYXoiP+sNg3oj2mjF4InzGMGEMpb+w1c/YUTSV9mSaSDZXy0O14lssYZ+TTQfMFCKYox53x3BVmecTp7g2+TG5nX2AXmDa8Ue8XUOkibIhb7T4Mm0nsU=
Received: from CY1PR09MB0889.namprd09.prod.outlook.com (10.163.43.27) by CY1PR09MB0891.namprd09.prod.outlook.com (10.163.43.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.860.13; Wed, 18 Jan 2017 18:24:24 +0000
Received: from CY1PR09MB0889.namprd09.prod.outlook.com ([10.163.43.27]) by CY1PR09MB0889.namprd09.prod.outlook.com ([10.163.43.27]) with mapi id 15.01.0860.012; Wed, 18 Jan 2017 18:24:24 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: "<sacm@ietf.org>" <sacm@ietf.org>
Thread-Topic: SWIMA and Data Models
Thread-Index: AdJxsuo2y5IxRlt7Qjmbh2TlOuXMCA==
Date: Wed, 18 Jan 2017 18:24:24 +0000
Message-ID: <CY1PR09MB08898DA491CDAF8EE916697AAB7F0@CY1PR09MB0889.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.160.51.88]
x-ms-office365-filtering-correlation-id: 8656e870-24b2-448f-ac65-08d43fcf3aba
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CY1PR09MB0891;
x-microsoft-exchange-diagnostics: 1; CY1PR09MB0891; 7:bK77JuCXrxnGR9U9V0csCpDzllqy42D21fg5/zoFKkGQz02dSpjUttRGy4Flj9qZwP24gehXvn1Mw3ynxrrchqLCUKvmqpn2NIk+TvQmNLXLJwHRI90AWVtTUm2JdQ16Ky4X8VHWDtoin5NQ97WPwVpjuz35xMtDW5jyu0/Pg7l8rh1EudR/bWA3Qk9hmx5eJdSVPI5xbylF5vVS82aJSTU/F0vMXyAmuQNe76DbAq//GQGqLoIUThrUBm4uXqpPMdxYVrF6n9VUxcuexO5Bo4fzFZaqHwxSQrF2Fr5DVTOgDA8ce3j/7fcALe7HuA6c85hELHzg8RGsymgsmUNALQYWyMUC3i3aYwWNiRIKtjuv6ld1sUx/JLrYwJcgMb4nO5Mp5JC9XxjXzsiGmOPaHqthRr5mulMLus1Ky3JeybBaz8spJhCYZbTUPId/G/E/eoX994EL6+uS0CeG49A6vQ==
x-microsoft-antispam-prvs: <CY1PR09MB0891166131DDBA2261381A24AB7F0@CY1PR09MB0891.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(166708455590820);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(6041248)(20161123560025)(20161123558021)(20161123555025)(20161123562025)(20161123564025)(6072148); SRVR:CY1PR09MB0891; BCL:0; PCL:0; RULEID:; SRVR:CY1PR09MB0891;
x-forefront-prvs: 01917B1794
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(39860400002)(39840400002)(39410400002)(39450400003)(39850400002)(53754006)(199003)(189002)(86362001)(305945005)(5660300001)(74316002)(7736002)(106356001)(450100001)(92566002)(101416001)(105586002)(189998001)(6306002)(107886002)(54356999)(50986999)(9686003)(33656002)(99286003)(31430400001)(2906002)(6116002)(3846002)(102836003)(6436002)(2900100001)(3660700001)(97736004)(25786008)(55016002)(6506006)(66066001)(53936002)(122556002)(8676002)(110136003)(81166006)(7696004)(3280700002)(81156014)(3480700004)(38730400001)(68736007)(77096006)(8936002)(170073001)(491001); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR09MB0891; H:CY1PR09MB0889.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jan 2017 18:24:24.0163 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR09MB0891
X-OriginatorOrg: mitre.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/TpajOI2J9UK5yh2Gl5PD1No0VKs>
Subject: [sacm] SWIMA and Data Models
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 18:24:34 -0000
Hello all, In last week's virtual interim meeting we did not have time to discuss the recent changes to how data models are handled in the latest SWIMA draft. Hence, these questions are going to the list. References to the current draft are to draft-ietf-sacm-nea-swid-patnc-00 (https://datatracker.ietf.org/doc/draft-ietf-sacm-nea-swid-patnc/). References to issue numbers are from the Software Identification GitHub tracker (https://github.com/sacmwg/software-identification). == Multiple open issues were addressed in the latest draft. Issue #5 - Clarify that the SW M&A must accept all data models Section 3.2 addresses this. Specifically, it notes that servers "MUST NOT reject a record or respond with a PA-TNC Error due to the data model used in attributes it receives." The section goes on to note that, while servers have no dependency on parsing the records they receive, downstream components that consume the collected information might. However, it notes that is strictly concerned with conveying the information that a Collector finds, and that filtering that available data by data model would be the responsibility of those downstream components. Are people comfortable with this? == Issue #6 - MTI data models Section 3.2 addresses this. It notes that Validators have no dependency on the type of data models they receive (and thus "MTI" for them is a meaningless concept) and that the job of Collectors is to convey the data that their sources make available (and we cannot reasonably demand that the endpoint utilize certain data models). Thus the only dependency SWIMA has on the data model is the requirement that Collectors be able to deterministically generate Software Identifiers from each record it delivers. This requires that Collectors know the algorithm to do this for each supported data model. The section goes on to note that all Collectors MUST at least support the data models identified in section 5 of the specification. Section 5 identifies ISO 2015 SWID Tags using XML and ISO 2009 SWID Tags using XML, and defines the procedures for generating Software Identifiers from each. Are people comfortable with this? == Procedures for generating Software Identifiers from SWID tags Sections 5.1.2 (for SWID 2015) and 5.2.2 (for SWID 2009) contain procedures for generating Software Identifiers from the respective versions of these SWID tags. Currently, the Identifiers are "a concatenation of the value of the Tag Creator RegID field and the Unique ID field. Specifically, it MUST be of the form: NUMBER "::" TAG_CREATOR_REGID UNIQUE_ID, where NUMBER is the length of TAG_CREATOR_REGID in bytes." If one wished to decompose this Software Identifier, one would read until the ::, convert that into a integer, read that many bytes as the Tag Creator RegID, and then read the remainder of the bytes into the Unique ID. A comment was made that an easier procedure would be to use a delimiting character to separate the Tag Creator RegID and the Unique ID values. In the case of 2015 SWID tags, the Tag Creator RegID is required to be a URI, and thus we could use whitespace as such a delimiter. Unfortunately, the only restriction on the Tag Creator RegID imposed by the 2009 spec is that "all characters are valid for use in filenames on any platforms the tag will be installed on", so in this case a delimiting character is not possible. The question thus becomes: do we use a delimiter in the 2015 SWID tag Software Identifier (because we can), or do we have both use the same NUMBER "::" TAG_CREATOR_REGID UNIQUE_ID format for the sake of consistency? For the sake of providing a yes/no question: are people comfortable with having both 2015 and 2009 use the NUMBER "::" TAG_CREATOR_REGID UNIQUE_ID format for Software Identifiers so both can use the same procedures? == Other Data Models? Section 5 describes the use of ISO 2015 SWID Tags using XML and ISO 2009 SWID Tags using XML as data models. SWIMA is not limited to conveying information using these data models, but 1) the data models described in this section are MTI (according to section 3.2 of the document) and 2) the fact that the document directly provides procedures for these makes them easier to use. Are there other data models that are reasonable to use in this specification directly (noting that the Software Data Models IANA table can easily be extended at a later date to identify new data models and their associated procedures for generating Software Identifiers? Are ISO 2015 SWID Tags using XML and ISO 2009 SWID Tags using XML sufficient data models for initial release of SWIMA? Thanks, Charles
- [sacm] SWIMA and Data Models Schmidt, Charles M.