IETF Logo Mail Archive

Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document

"Schmidt, Charles M." <cmschmidt@mitre.org> Mon, 06 June 2016 19:34 UTC

Return-Path: <cmschmidt@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCDF312D7CF for <sacm@ietfa.amsl.com>; Mon, 6 Jun 2016 12:34:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.626
X-Spam-Level:
X-Spam-Status: No, score=-5.626 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k4EcptQat8pw for <sacm@ietfa.amsl.com>; Mon, 6 Jun 2016 12:34:46 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 4676412D5CF for <sacm@ietf.org>; Mon, 6 Jun 2016 12:34:46 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id ED7416C0043; Mon, 6 Jun 2016 15:34:45 -0400 (EDT)
Received: from imshyb02.MITRE.ORG (imshyb02.mitre.org [129.83.29.3]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id D5FD56C08FB; Mon, 6 Jun 2016 15:34:45 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Mon, 6 Jun 2016 15:34:45 -0400
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1130.7 via Frontend Transport; Mon, 6 Jun 2016 15:34:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=zoSD2D8iasEKyeKCIsMwdRlMgcRXRca8tRPscyr7mBo=; b=LkyRaWYh1Df8+iqmoiUe+qILtIVVEox8qVXV3CuGcVwmZcqCkZnMZbjj18FNZV7uiedTV9lzz3klqB9IbhUp4VbG8W0Yp2B6Tp7tJqg7z5hmw1AHc54nMpd5KzoiLMXHzKmMWWaNRDYOV8wqQUtpyiKALRHpG2GbKcM3D8XY0+A=
Received: from SN1PR09MB0990.namprd09.prod.outlook.com (10.166.69.8) by SN1PR09MB0992.namprd09.prod.outlook.com (10.166.69.10) with Microsoft SMTP Server (TLS) id 15.1.511.8; Mon, 6 Jun 2016 19:34:38 +0000
Received: from SN1PR09MB0990.namprd09.prod.outlook.com ([10.166.69.8]) by SN1PR09MB0990.namprd09.prod.outlook.com ([10.166.69.8]) with mapi id 15.01.0506.016; Mon, 6 Jun 2016 19:34:38 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: Gunnar Engelbach <gunnar.engelbach@threatguard.com>, "tony@yaanatech.com" <tony@yaanatech.com>, Michael Godsey <mgodsey@microsoft.com>, Jerome Athias <athiasjerome@gmail.com>
Thread-Topic: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document
Thread-Index: AQHRwCOcXyroj0wY0k+1KGmeoj7imJ/c0Y+A
Date: Mon, 06 Jun 2016 19:34:37 +0000
Message-ID: <SN1PR09MB09904E36917268364AAC9DEDAB5C0@SN1PR09MB0990.namprd09.prod.outlook.com>
References: <17198AFF-DF5A-46BC-B84A-2AAF1717BD90@isoc.org> <e8798c66-2ac8-7b24-4ab3-d28b4868c94a@yaanatech.com> <BN1PR03MB1231A9F5A4EE487623E5C82AF490@BN1PR03MB123.namprd03.prod.outlook.com> <0aa7684f-5a47-c00a-4b5b-e19484dd718a@yaanatech.com> <CAA=AuEfepDpmQF7TOLe2nvkgEPU9LD49Fc8bSvUCW+F_6yYy5A@mail.gmail.com> <BN1PR03MB1236FEF6EE3127323F9294AAF490@BN1PR03MB123.namprd03.prod.outlook.com> <SN1PR09MB0990AD2634A81C9A7128D120AB490@SN1PR09MB0990.namprd09.prod.outlook.com> <0418b8dc-9fd8-f8d2-3461-ce8e019fe22a@yaanatech.com> <8eb2719e-6baa-013a-daf5-5f2b269a75c1@ThreatGuard.com> <SN1PR09MB09900FB2B7AE3C48324891A2AB4A0@SN1PR09MB0990.namprd09.prod.outlook.com> <c45f888a-e2fd-d3ff-0397-f713a79be2db@ThreatGuard.com> <SN1PR09MB0990C08A95F57D0176C8511BAB5C0@SN1PR09MB0990.namprd09.prod.outlook.com> <6217ee86-3479-9476-d76c-d8d74af9175b@ThreatGuard.com>
In-Reply-To: <6217ee86-3479-9476-d76c-d8d74af9175b@ThreatGuard.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.160.51.88]
x-ms-office365-filtering-correlation-id: c923ba83-3db7-4bd8-5dcb-08d38e41991b
x-microsoft-exchange-diagnostics: 1; SN1PR09MB0992; 5:C0aZa25z+12G/3esvHhlCxNmIMSG2SakDQzfzgPqp+smqUHvmucREqgk7GNDtZtnuH5kVZv6IbhnwjvVn8y/M7lYHHtAMsjWMUx3mDOAlpahA16oEfec+2P3yBAJSFOW4+0v7FbpiXBYVlHYvys99w==; 24:k/HmoCICg2oc0uLqdgvGJ6r2bYUW81z5WzbIMKXF6D+blYXw9qNe9HinVnvskY6GBQriuANJKsvvEON15SVppqrafrLZ6zXxtiJhxaw1DdQ=; 7:Lg8LrItEefkuRIdz9DL3uYiCsPC7EQGspf8Tbq0HBWSowFliIfCBurOTJZa9bzAUfhZeh3ekdSyoUrBTrD80J/Kv7MNI7SaZuFR7mfKWrNGONccUQ+I47P5vQntZ3itEOPhTx6+QbvUFKDEr8oGPnzqe3dXqCBNwcQNf/fk29eMN8xAUpZS93T3lKpbf3DbB9T48IOrlmIICxhGXONkRMWOn+ANuAaJCNY74TY/ot04=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SN1PR09MB0992;
x-microsoft-antispam-prvs: <SN1PR09MB0992EC7724881C431F9B0B4CAB5C0@SN1PR09MB0992.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(20558992708506)(120809045254105)(100405760836317)(211171220733660);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415321)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026); SRVR:SN1PR09MB0992; BCL:0; PCL:0; RULEID:; SRVR:SN1PR09MB0992;
x-forefront-prvs: 096507C068
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(377454003)(53754006)(199003)(13464003)(24454002)(51914003)(51444003)(81156014)(8676002)(81166006)(4326007)(2900100001)(2950100001)(97736004)(2906002)(5890100001)(2501003)(33656002)(54356999)(561944003)(76176999)(101416001)(5001770100001)(105586002)(93886004)(77096005)(50986999)(87936001)(8666004)(15975445007)(10400500002)(2561002)(5002640100001)(230783001)(122556002)(8936002)(5003600100002)(3280700002)(68736007)(3660700001)(9686002)(189998001)(3846002)(99936001)(66066001)(586003)(2421001)(102836003)(6116002)(86362001)(5004730100002)(1511001)(106116001)(74316001)(19580395003)(106356001)(19580405001)(5008740100001)(92566002)(99286002)(76576001)(11100500001)(7059030); DIR:OUT; SFP:1101; SCL:1; SRVR:SN1PR09MB0992; H:SN1PR09MB0990.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_007E_01D1C000.8AC64E40"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jun 2016 19:34:37.9435 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR09MB0992
X-OriginatorOrg: mitre.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/WDdstRBu2qzxci6x1I07dI7_6Hg>
Cc: "sacm@ietf.org" <sacm@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>
Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2016 19:34:49 -0000

> If there's going to be a consistent data model I don't see I reason why
> there should be any constraint on what endpoint tag types are supported.

I'm afraid you have lost me here. My understanding was that you were arguing
that SWID M&A should support tag types other than the ISO SWID tags. As I
understand the term, ISO SWID 2015 defines a data model, and then different
tag formats (XML, CBOR, JSON) would all be data formats of that common data
model.  But if we have completely different tag types, (for example, SWID
2015 tags and RPM records), I'm confused how there could be a common data
model that both represent. In other words, when you argued for a common data
model, to me this implicitly meant we needed to curtail the types of tags
supported to only those that could serialize that common data model.

Sorry if I am being slow here, but could you clarify how you see the tag
types relating to this common data model?

Thanks,
Charles

> -----Original Message-----
> From: Gunnar Engelbach [mailto:gunnar.engelbach@threatguard.com]
> Sent: Monday, June 06, 2016 1:45 PM
> To: Schmidt, Charles M. <cmschmidt@mitre.org>; tony@yaanatech.com;
> Michael Godsey <mgodsey@microsoft.com>; Jerome Athias
> <athiasjerome@gmail.com>
> Cc: sacm@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>
> Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc
as
> a SACM WG document
> 
> 
> 
> On 6/6/2016 11:36 AM, Schmidt, Charles M. wrote:
> > Hello everyone,
> >
> > I wanted to do a quick loop back to the original question of this
thread,
> > namely the adoption of
> > https://datatracker.ietf.org/doc/draft-coffin-sacm-nea-swid-patnc/ as a
> SACM
> > working group document. This and other threads have indicated that there
> is
> > some desire to evolve the document to address certain concerns, many of
> > which I hope to address in the next draft.
> >
> > With the understanding that adoption as a working group draft does not
in
> > any way end the discussion or evolution of this draft, are there any
other
> > thoughts regarding adoption?
> >
> > Gunnar/Tony - you both raised concerns about adoption due to the
> document
> > being exclusively focused on ISO SWID tags, but since then there appears
> to
> > be agreement to expand to other possible tag types (with the caveat that
> > there also appears to be consensus that this list of tags should be
> > constrained so that endpoints are sending content using a consistent
data
> > model). Does this alteration address you concerns? If so, does that
change
> > your feelings on adoption?
> 
> If there's going to be a consistent data model I don't see I reason why
> there should be any constraint on what endpoint tag types are supported.
> 
> I'd prefer to see that translation happen as soon in the lifecycle of
> the data as possible, but we'll see what consensus is on that. For
> reasons already stated, if that translation is done centrally then I
> don't SACM adoption extending much beyond a few large vendors that put
> out, effectively, their own stovepipes.
> 
> 
> --gun
> 
> 
> >
> > Thanks,
> > Charles
> >
> >> -----Original Message-----
> >> From: Gunnar Engelbach [mailto:gunnar.engelbach@threatguard.com]
> >> Sent: Friday, May 20, 2016 1:51 PM
> >> To: Schmidt, Charles M. <cmschmidt@mitre.org>; tony@yaanatech.com;
> >> Michael Godsey <mgodsey@microsoft.com>; Jerome Athias
> >> <athiasjerome@gmail.com>
> >> Cc: sacm@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>
> >> Subject: Re: [sacm] Call for adoption of
draft-coffin-sacm-nea-swid-patnc
> > as
> >> a SACM WG document
> >>
> >>
> >> Inline...
> >>
> >> On 5/19/2016 1:27 PM, Schmidt, Charles M. wrote:
> >>> Tony/Gunnar,
> >>>
> >>> I agree. Details below.
> >>>
> >>>> 	Two questions not asked: who might do the
> >>>> 	work to bridge the gap with the gazillion other
> >>>> 	software identifier approaches out there, and
> >>>> 	whether some form of out-of-band SWID capability
> >>>> 	(as is used with may of the other SWID mechanisms)
> >>>> 	cannot be included.  For a lot of IoT stuff, it is
> >>>> 	essential.
> >>>>
> >>>> This right here is an excellent point.  There are other software ID
> >>> mechanisms
> >>>> out there and SWID is not going to cover everything for which there
is
> > an
> >>>> alternative.
> >>>>
> >>>> Because this proposal is so SWID-specific, I can't get behind it.
> >>> However, if it
> >>>> was genericized to allow for use of current and possible future
tagging
> >>>> mechanisms, I could certainly support that.
> >>> This makes sense. Even those strongly attached to the use of SWID tags
> >> would
> >>> like to make sure that this specification can handle future revisions
of
> > the
> >>> ISO SWID specification, and as you both note, there are other
structures
> >> out
> >>> there which people might wish to use.
> >>>
> >>> Basically, it seems to me that we want to support a common, core set
of
> >>> functionality related to inventory and inventory events, but that we
> > want
> >> to
> >>> have some flexibility in the data (I'll call these "records") used to
> > convey
> >>> that information to a policy server. Are we in agreement on this? (I
> > don't
> >>> think we want the nature of what one can infer from a report to change
> >> based
> >>> on the record structure used to convey that report.)
> >>>
> >>> Given this, the following are the core capabilities of SWID M&A for
> >>> reporting records as I see them:
> >>> 1) Records need to be associated with specific instances of a specific
> >>> software product and version thereof.
> >>> --- If the same version of the same product is installed multiple
times,
> >>> there will need to be multiple records naming the same product and
> >> version -
> >>> one associated with each actual installation. (We need to convey that
a
> >>> given product+version is installed "exactly X times" rather than "at
> > least
> >>> one instance".)
> >>> --- Changes to a software product need to result in a change in the
> >>> associated record. (The record needs to distinguish between AcmeApp
> >> v1.2.3
> >>> and AcmeApp v1.2.4, since this is critical to multiple consumers of
this
> >>> data.)
> >>> --- Records associated with a product+version need to be consistent
> over
> >>> time and across endpoints. (There needs to be an easy way for the
> SWID-
> >> PV to
> >>> say "this is the same product+version" across different reports and
> >> between
> >>> reports from different machines.)
> >>> 2) If the record is more than about 200 bytes, there needs to be a
> > concise
> >>> identifier for this record. In SWID tags, this is created by the
> > combination
> >>> of the TagCreatorRegID and the TagID fields. (Concise identifiers are
> > used
> >>> in multiple places in SWID M&A to convey information without bloating
> >>> messages.)
> >> I tried to find fault, but I think as a basic core set, this is good
> >> coverage.
> >>
> >> In ongoing practice there are undoubtedly going to be more capabilities
> >> desired for other use cases, and some tagging solutions will have
useful
> >> capabilities that are not available in others. Extensibility is
assumed.
> >>
> >> I think it's also a necessity that a common data model be used
> >> regardless of the tag type/source.  For hopefully obvious reasons.
> >>
> >>
> >>
> >>> Do you (or anyone) have any questions or concerns about any of these
> >> core
> >>> capabilities, or have any others to add? I think all of the other SWID
> > M&A
> >>> capabilities (monitoring for changes, tracking and ordering of events,
> >>> subscriptions, processing targeted requests, etc.) are fairly neutral
> > with
> >>> regard to the record structure used in messages assuming the two
> >>> requirements above are met. Let me know if you disagree about that.
> >>>
> >>> Capabilities do not need to be inherent in the record itself. (For
> > example,
> >>> there is nothing in a SWID tag that allows one to distinguish between
> >>> multiple installations of a single product.) There just needs to be a
> >>> reliable, deterministic mechanism by which these capabilities can be
met
> >>> while using the record.
> >>>
> >>> I will work on putting together some proposals on how different record
> >> types
> >>> can be clearly labeled in SWID M&A messages so recipients can know the
> >> type
> >>> of content they are getting prior to parsing. (Probably want a way for
> >>> SWID-PVs to express a preference too... need to think about this.)
While
> > I
> >>> am doing that, if you have a favorite non-ISO-SWID record that you
> would
> >>> like to see supported, could you put together any necessary
> requirements
> >>> that would be needed to ensure it aligns with the core capabilities
> >>> described above? I think that would be very useful for fleshing out
this
> >>> flexibility.
> >>>
> >>> I am interested in your thoughts on this. Thanks for the input.
> >>>
> >>> Charles

v2.23.0 | Report a Bug | By Email