IETF Logo Mail Archive

Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document

"Schmidt, Charles M." <cmschmidt@mitre.org> Tue, 07 June 2016 21:44 UTC

Return-Path: <cmschmidt@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B095612D0FF for <sacm@ietfa.amsl.com>; Tue, 7 Jun 2016 14:44:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.626
X-Spam-Level:
X-Spam-Status: No, score=-5.626 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QiBit1PWqshX for <sacm@ietfa.amsl.com>; Tue, 7 Jun 2016 14:44:32 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id EF4DC12B03F for <sacm@ietf.org>; Tue, 7 Jun 2016 14:44:31 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 59C4AABC064; Tue, 7 Jun 2016 17:44:31 -0400 (EDT)
Received: from imshyb02.MITRE.ORG (imshyb02.mitre.org [129.83.29.3]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 420FCABC062; Tue, 7 Jun 2016 17:44:31 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Tue, 7 Jun 2016 17:44:30 -0400
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1130.7 via Frontend Transport; Tue, 7 Jun 2016 17:44:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=EY5qnXZMnBfYVZmR1sOdBzrTbTbqDyKy5xUQgD5RLdc=; b=TwBydEFvrpUrk8yoN1FXZHwW6JMIO5YEvp+gHB7R5xIUEZVeb2xhNYVBIT2uDgvzs0Irg0B3z9U4jVL1+xAuTzeu9paCjDlHTe6FNXQ5FK7HPRCcDSelaUSLJNrgUqQv5yhEcvMzJUxrZ7tmZ8F91FRGyl34fML8JJx6rqBNkbA=
Received: from SN1PR09MB0990.namprd09.prod.outlook.com (10.166.69.8) by SN1PR09MB0991.namprd09.prod.outlook.com (10.166.69.9) with Microsoft SMTP Server (TLS) id 15.1.511.8; Tue, 7 Jun 2016 21:44:24 +0000
Received: from SN1PR09MB0990.namprd09.prod.outlook.com ([10.166.69.8]) by SN1PR09MB0990.namprd09.prod.outlook.com ([10.166.69.8]) with mapi id 15.01.0506.016; Tue, 7 Jun 2016 21:44:23 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: Gunnar Engelbach <gunnar.engelbach@threatguard.com>, "tony@yaanatech.com" <tony@yaanatech.com>, Michael Godsey <mgodsey@microsoft.com>, Jerome Athias <athiasjerome@gmail.com>
Thread-Topic: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document
Thread-Index: AQHRwCOchZw7lyao2UagUav4D+Ed8p/c0Y+AgAGvylA=
Date: Tue, 07 Jun 2016 21:44:23 +0000
Message-ID: <SN1PR09MB099063D596F3ACF1C49EDF7AAB5D0@SN1PR09MB0990.namprd09.prod.outlook.com>
References: <17198AFF-DF5A-46BC-B84A-2AAF1717BD90@isoc.org> <e8798c66-2ac8-7b24-4ab3-d28b4868c94a@yaanatech.com> <BN1PR03MB1231A9F5A4EE487623E5C82AF490@BN1PR03MB123.namprd03.prod.outlook.com> <0aa7684f-5a47-c00a-4b5b-e19484dd718a@yaanatech.com> <CAA=AuEfepDpmQF7TOLe2nvkgEPU9LD49Fc8bSvUCW+F_6yYy5A@mail.gmail.com> <BN1PR03MB1236FEF6EE3127323F9294AAF490@BN1PR03MB123.namprd03.prod.outlook.com> <SN1PR09MB0990AD2634A81C9A7128D120AB490@SN1PR09MB0990.namprd09.prod.outlook.com> <0418b8dc-9fd8-f8d2-3461-ce8e019fe22a@yaanatech.com> <8eb2719e-6baa-013a-daf5-5f2b269a75c1@ThreatGuard.com> <SN1PR09MB09900FB2B7AE3C48324891A2AB4A0@SN1PR09MB0990.namprd09.prod.outlook.com> <c45f888a-e2fd-d3ff-0397-f713a79be2db@ThreatGuard.com> <SN1PR09MB0990C08A95F57D0176C8511BAB5C0@SN1PR09MB0990.namprd09.prod.outlook.com> <6217ee86-3479-9476-d76c-d8d74af9175b@ThreatGuard.com> <MLQM-20160606155125843-5125@mlite.mitre.org>
In-Reply-To: <MLQM-20160606155125843-5125@mlite.mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.160.51.86]
x-ms-office365-filtering-correlation-id: f5444b02-b13f-431d-527d-08d38f1ce40a
x-microsoft-exchange-diagnostics: 1; SN1PR09MB0991; 5:beH2cdYvmgf0EL2UxXORZdW1Bf/uO5oJcmn0HgUDFst11GnGxW60TkzQi4ak0Pi8dcMJr8tzoYmT0j1DpU72gToDKuCDT6HlFgdIbNSjfojNeyOnLcZPLfCIIB0fkZ4R3+rasQtQrPze/Iuf9ALfJA==; 24:nEYhnCFnSvPifLVhxPdq5lMJ+SoTESyOTpPUmZlb3QD1txLU7sNHj7AqAfbnRtD7Md+LB46VnJGS9cvzOY/LgwDRFQnCw0c9j+sYTsCbw9I=; 7:9db1Ez8/nILtt1uXZLbPvLul7619sxRlT3ruM+ZmkRZWdL1G6/SV352AsMUzm8hdSgwGS276uCLJqNcBCZAFJyU9KfXkufaStgxOXAT6HWPdaMk194wM+W8UpB8zv1gvL5yFoyQx5F/MbMmmHNWrd8lT/z5GGkYWjNRHgKEGL2CXvZV/SFbXb7SaKdLFptSrbnVA9R4LGxVdpkR8t1g4AKZY4p6ogHzvW9tynDXyd0Q=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SN1PR09MB0991;
x-microsoft-antispam-prvs: <SN1PR09MB099169B9C15F80608EB47527AB5D0@SN1PR09MB0991.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(20558992708506)(120809045254105)(100405760836317)(211171220733660);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415321)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026); SRVR:SN1PR09MB0991; BCL:0; PCL:0; RULEID:; SRVR:SN1PR09MB0991;
x-forefront-prvs: 09669DB681
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(53754006)(377454003)(51914003)(51444003)(199003)(24454002)(13464003)(561944003)(5890100001)(2501003)(81156014)(81166006)(77096005)(87936001)(2900100001)(2950100001)(5008740100001)(586003)(5003600100002)(66066001)(4326007)(86362001)(76576001)(68736007)(33656002)(8666004)(15975445007)(1511001)(74316001)(93886004)(5002640100001)(2906002)(8676002)(76176999)(3660700001)(106116001)(106356001)(122556002)(5004730100002)(230783001)(3280700002)(2561002)(92566002)(105586002)(99936001)(2421001)(9686002)(101416001)(19580405001)(19580395003)(102836003)(5001770100001)(8936002)(189998001)(50986999)(54356999)(10400500002)(6116002)(3846002)(99286002)(97736004)(7059030); DIR:OUT; SFP:1101; SCL:1; SRVR:SN1PR09MB0991; H:SN1PR09MB0990.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_01F6_01D1C0DB.D54A6B50"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jun 2016 21:44:23.4922 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR09MB0991
X-OriginatorOrg: mitre.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/X-Rhs-urRFVl6hcWAM3OEQ2BIBQ>
Cc: "sacm@ietf.org" <sacm@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>
Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2016 21:44:36 -0000

Ok - Gunnar has set me straight.

Put in terms for the easily confused (such as myself): Gunnar was advocating
that the network messages used to convey tag data via SWID M&A employ a
standard data model so that recipients always see the same structure in the
messages and can rely on being able to parse it. With that in mind, many tag
types could be converted to this common data model used in the messages,
thus many tag types should be collected by the Posture Collector as
potential input. Gunnar - did I get it right?

In fact, this is largely what the SWID M&A specification does now. The ISO
SWID 2015 and ISO SWID 2009 specifications form a data model for SWID M&A
messages conveying tag information. However, the specification notes that
the SWID tag collection that is conveyed in these messages could come from
many "sources", some of which might be translated from different record
types. (E.g., potentially converted from package manager records or third
party inventory tool results.)

That said, based on some of the conversations that have occurred in meetings
and on list, I think there are some open questions here:
1) Currently SWID M&A uses the ISO SWID specifications as a data model.
Various parties have weighed in on the pros and cons of ISO SWID tags.
Looking from a strictly data-model perspective, what structure makes sense
for conveying tag/inventory data as the standard data model in these
messages. Personally, I would argue that the core should probably be an
existing structure - I don't see any call to invent yet another way to
describe software. 

2) As I wrote it, one of the change proposals presented to the group was
effectively to allow SWID M&A to convey any type of tag natively and simply
include a field to identify the type of tag contained in the message. This
would allow SWID M&A to convey inventory information via an unlimited number
of data models. What do people think about this given the recent
discussions? Gunnar, I take it you would be against this change and would
prefer a fixed tag format (a.k.a. data model) in the SWID M&A messages
themselves. Other thoughts?

3) With regard to conversion, I will note that some tag types (e.g., ISO
SWID tags) can be cryptographically signed. Obviously, any conversion is
going to lose those signatures. Do people think that being able to discern
correctly signed tags from other tags would be of operational significance?
If so, maybe the solution would be three types of messages: a) capture
inventory information using a single, standard data model to which all
source tags are converted [by-normalized-value], b) capture inventory
information using identifiers that can be used to reference tag structures
[by-reference], c) capture inventory information using whatever native tag
structure there is, noting that some tag types might not be consumable, but
ensuring that signatures and the like are correctly conveyed
[by-non-normalized-value]. The requesting party can indicate which of these
return methods it would like.

Any thoughts about any of these?

Thanks,
Charles

> -----Original Message-----
> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Schmidt, Charles
> M.
> Sent: Monday, June 06, 2016 2:35 PM
> To: Gunnar Engelbach <gunnar.engelbach@threatguard.com>;
> tony@yaanatech.com; Michael Godsey <mgodsey@microsoft.com>; Jerome
> Athias <athiasjerome@gmail.com>
> Cc: sacm@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>
> Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc
as
> a SACM WG document
> 
> > If there's going to be a consistent data model I don't see I reason why
> > there should be any constraint on what endpoint tag types are supported.
> 
> I'm afraid you have lost me here. My understanding was that you were
> arguing
> that SWID M&A should support tag types other than the ISO SWID tags. As I
> understand the term, ISO SWID 2015 defines a data model, and then
> different
> tag formats (XML, CBOR, JSON) would all be data formats of that common
> data
> model.  But if we have completely different tag types, (for example, SWID
> 2015 tags and RPM records), I'm confused how there could be a common
> data
> model that both represent. In other words, when you argued for a common
> data
> model, to me this implicitly meant we needed to curtail the types of tags
> supported to only those that could serialize that common data model.
> 
> Sorry if I am being slow here, but could you clarify how you see the tag
> types relating to this common data model?
> 
> Thanks,
> Charles
> 
> > -----Original Message-----
> > From: Gunnar Engelbach [mailto:gunnar.engelbach@threatguard.com]
> > Sent: Monday, June 06, 2016 1:45 PM
> > To: Schmidt, Charles M. <cmschmidt@mitre.org>; tony@yaanatech.com;
> > Michael Godsey <mgodsey@microsoft.com>; Jerome Athias
> > <athiasjerome@gmail.com>
> > Cc: sacm@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>
> > Subject: Re: [sacm] Call for adoption of
draft-coffin-sacm-nea-swid-patnc
> as
> > a SACM WG document
> >
> >
> >
> > On 6/6/2016 11:36 AM, Schmidt, Charles M. wrote:
> > > Hello everyone,
> > >
> > > I wanted to do a quick loop back to the original question of this
> thread,
> > > namely the adoption of
> > > https://datatracker.ietf.org/doc/draft-coffin-sacm-nea-swid-patnc/ as
a
> > SACM
> > > working group document. This and other threads have indicated that
> there
> > is
> > > some desire to evolve the document to address certain concerns, many
> of
> > > which I hope to address in the next draft.
> > >
> > > With the understanding that adoption as a working group draft does not
> in
> > > any way end the discussion or evolution of this draft, are there any
> other
> > > thoughts regarding adoption?
> > >
> > > Gunnar/Tony - you both raised concerns about adoption due to the
> > document
> > > being exclusively focused on ISO SWID tags, but since then there
appears
> > to
> > > be agreement to expand to other possible tag types (with the caveat
that
> > > there also appears to be consensus that this list of tags should be
> > > constrained so that endpoints are sending content using a consistent
> data
> > > model). Does this alteration address you concerns? If so, does that
> change
> > > your feelings on adoption?
> >
> > If there's going to be a consistent data model I don't see I reason why
> > there should be any constraint on what endpoint tag types are supported.
> >
> > I'd prefer to see that translation happen as soon in the lifecycle of
> > the data as possible, but we'll see what consensus is on that. For
> > reasons already stated, if that translation is done centrally then I
> > don't SACM adoption extending much beyond a few large vendors that put
> > out, effectively, their own stovepipes.
> >
> >
> > --gun
> >
> >
> > >
> > > Thanks,
> > > Charles
> > >
> > >> -----Original Message-----
> > >> From: Gunnar Engelbach [mailto:gunnar.engelbach@threatguard.com]
> > >> Sent: Friday, May 20, 2016 1:51 PM
> > >> To: Schmidt, Charles M. <cmschmidt@mitre.org>;
> tony@yaanatech.com;
> > >> Michael Godsey <mgodsey@microsoft.com>; Jerome Athias
> > >> <athiasjerome@gmail.com>
> > >> Cc: sacm@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>
> > >> Subject: Re: [sacm] Call for adoption of
> draft-coffin-sacm-nea-swid-patnc
> > > as
> > >> a SACM WG document
> > >>
> > >>
> > >> Inline...
> > >>
> > >> On 5/19/2016 1:27 PM, Schmidt, Charles M. wrote:
> > >>> Tony/Gunnar,
> > >>>
> > >>> I agree. Details below.
> > >>>
> > >>>> 	Two questions not asked: who might do the
> > >>>> 	work to bridge the gap with the gazillion other
> > >>>> 	software identifier approaches out there, and
> > >>>> 	whether some form of out-of-band SWID capability
> > >>>> 	(as is used with may of the other SWID mechanisms)
> > >>>> 	cannot be included.  For a lot of IoT stuff, it is
> > >>>> 	essential.
> > >>>>
> > >>>> This right here is an excellent point.  There are other software ID
> > >>> mechanisms
> > >>>> out there and SWID is not going to cover everything for which there
> is
> > > an
> > >>>> alternative.
> > >>>>
> > >>>> Because this proposal is so SWID-specific, I can't get behind it.
> > >>> However, if it
> > >>>> was genericized to allow for use of current and possible future
> tagging
> > >>>> mechanisms, I could certainly support that.
> > >>> This makes sense. Even those strongly attached to the use of SWID
> tags
> > >> would
> > >>> like to make sure that this specification can handle future
revisions
> of
> > > the
> > >>> ISO SWID specification, and as you both note, there are other
> structures
> > >> out
> > >>> there which people might wish to use.
> > >>>
> > >>> Basically, it seems to me that we want to support a common, core set
> of
> > >>> functionality related to inventory and inventory events, but that we
> > > want
> > >> to
> > >>> have some flexibility in the data (I'll call these "records") used
to
> > > convey
> > >>> that information to a policy server. Are we in agreement on this? (I
> > > don't
> > >>> think we want the nature of what one can infer from a report to
> change
> > >> based
> > >>> on the record structure used to convey that report.)
> > >>>
> > >>> Given this, the following are the core capabilities of SWID M&A for
> > >>> reporting records as I see them:
> > >>> 1) Records need to be associated with specific instances of a
specific
> > >>> software product and version thereof.
> > >>> --- If the same version of the same product is installed multiple
> times,
> > >>> there will need to be multiple records naming the same product and
> > >> version -
> > >>> one associated with each actual installation. (We need to convey
that
> a
> > >>> given product+version is installed "exactly X times" rather than "at
> > > least
> > >>> one instance".)
> > >>> --- Changes to a software product need to result in a change in the
> > >>> associated record. (The record needs to distinguish between AcmeApp
> > >> v1.2.3
> > >>> and AcmeApp v1.2.4, since this is critical to multiple consumers of
> this
> > >>> data.)
> > >>> --- Records associated with a product+version need to be consistent
> > over
> > >>> time and across endpoints. (There needs to be an easy way for the
> > SWID-
> > >> PV to
> > >>> say "this is the same product+version" across different reports and
> > >> between
> > >>> reports from different machines.)
> > >>> 2) If the record is more than about 200 bytes, there needs to be a
> > > concise
> > >>> identifier for this record. In SWID tags, this is created by the
> > > combination
> > >>> of the TagCreatorRegID and the TagID fields. (Concise identifiers
are
> > > used
> > >>> in multiple places in SWID M&A to convey information without
bloating
> > >>> messages.)
> > >> I tried to find fault, but I think as a basic core set, this is good
> > >> coverage.
> > >>
> > >> In ongoing practice there are undoubtedly going to be more
capabilities
> > >> desired for other use cases, and some tagging solutions will have
> useful
> > >> capabilities that are not available in others. Extensibility is
> assumed.
> > >>
> > >> I think it's also a necessity that a common data model be used
> > >> regardless of the tag type/source.  For hopefully obvious reasons.
> > >>
> > >>
> > >>
> > >>> Do you (or anyone) have any questions or concerns about any of these
> > >> core
> > >>> capabilities, or have any others to add? I think all of the other
SWID
> > > M&A
> > >>> capabilities (monitoring for changes, tracking and ordering of
events,
> > >>> subscriptions, processing targeted requests, etc.) are fairly
neutral
> > > with
> > >>> regard to the record structure used in messages assuming the two
> > >>> requirements above are met. Let me know if you disagree about that.
> > >>>
> > >>> Capabilities do not need to be inherent in the record itself. (For
> > > example,
> > >>> there is nothing in a SWID tag that allows one to distinguish
between
> > >>> multiple installations of a single product.) There just needs to be
a
> > >>> reliable, deterministic mechanism by which these capabilities can be
> met
> > >>> while using the record.
> > >>>
> > >>> I will work on putting together some proposals on how different
> record
> > >> types
> > >>> can be clearly labeled in SWID M&A messages so recipients can know
> the
> > >> type
> > >>> of content they are getting prior to parsing. (Probably want a way
for
> > >>> SWID-PVs to express a preference too... need to think about this.)
> While
> > > I
> > >>> am doing that, if you have a favorite non-ISO-SWID record that you
> > would
> > >>> like to see supported, could you put together any necessary
> > requirements
> > >>> that would be needed to ensure it aligns with the core capabilities
> > >>> described above? I think that would be very useful for fleshing out
> this
> > >>> flexibility.
> > >>>
> > >>> I am interested in your thoughts on this. Thanks for the input.
> > >>>
> > >>> Charles

v2.23.0 | Report a Bug | By Email