IETF Logo Mail Archive

Re: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid

Roman Danyliw <rdd@cert.org> Tue, 25 January 2022 21:42 UTC

Return-Path: <rdd@cert.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56D163A0C1A for <sacm@ietfa.amsl.com>; Tue, 25 Jan 2022 13:42:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67tVvM2wVkse for <sacm@ietfa.amsl.com>; Tue, 25 Jan 2022 13:42:38 -0800 (PST)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0124.outbound.protection.office365.us [23.103.208.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AF9E3A0C15 for <sacm@ietf.org>; Tue, 25 Jan 2022 13:42:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ZXEzgHEbGK45pGdbfPs5yDoYyUB/NJD8UEo1p4c44g67ctgAyO72pJU1xW11yzWrX7b7kQVAK4s0+9CFpaE6l1M/xvGi/fboyDL+MYvOp7QG2Uwj8FN+hVUvEhoV+iyvrIPZYyW3o+j91SmtI/vxV1h2ZME09Mc1Cjy7m6m4nT/LY7MbtgzeswDr6ukqkGWiBn0v5J0x4lGVOxYS8EUTc9KTpxGENBHmpBy5qTnMS3MzPktFXZjsLrOXYHebu79YDvy2kWorUXAPDh2Xf5+rpjTmDTmKrCF/h4nt0B87/PDMPtxRu8Wq6Rz3B51Y5guwmsmpv/pRbUKsKkoIPjNsIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6i1QC4Ujab2MklpNFO01k9TZIjmACRBxUU/zB5s+mtE=; b=TLJ0uXiOK1M+ZINuMU6Cimn1J0ZII7XP9748piGf9YHl5+L1X+QYFblCoqyGXC0HTEq1sTC3k8ONx8E2jl/pZ18O5baKmHt417uqENbhu80FWvH4ViH8Z6pIl8XEDzpwLQpGzJtsFodCaUAJwPvfGs0DtFzZmbSuTZFg/pbaLj+2pgbM5gUD5PMnomiNa+zSEgKB1HhJ03VsUqDSbNzAyi3SrgclFI+rKpQN13CIgorf29a66msR1fAJqT4qWdrt/t8xFGeA1Skqis3ftOkOzxj1FQvIG2q0PRs5gmNsI5vQKxjM1qhrDEw+kj/A4qx/QWVXacISRSxICsVrulWERg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6i1QC4Ujab2MklpNFO01k9TZIjmACRBxUU/zB5s+mtE=; b=D18k9SCPs9lhKkhetX+C35CvR9dug92kvb8Dd1BHAGkOjAwdEgS4W/Zi66HvCxSs+z5GEBcKJKMUzvbmV3ggT3LvKZgmbmXJsOe5UO6k8Jn3N2D5U5LwsEomvbqXwHhF93+M40MuH8GdD6pfj2IHhfWWT580pTprRc16URqCGck=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1237.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:179::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4909.10; Tue, 25 Jan 2022 21:42:35 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::45f0:b470:9c74:ef6e]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::45f0:b470:9c74:ef6e%3]) with mapi id 15.20.4909.019; Tue, 25 Jan 2022 21:42:35 +0000
From: Roman Danyliw <rdd@cert.org>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Scott Bradner <sob@sobco.com>
CC: "sacm@ietf.org" <sacm@ietf.org>, "Salz, Rich" <rsalz@akamai.com>, Robert Sparks <rjsparks@nostrum.com>
Thread-Topic: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid
Thread-Index: AdfGhTwT/qbeeBAKRhu9IJN+7GZ3whKj+5GAAAA8zIAAReFLAAAAUuZQ
Date: Tue, 25 Jan 2022 21:42:35 +0000
Message-ID: <BN2P110MB110785B79B222BEC3D901CBADC5F9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN1P110MB0939568CF0E61FF364CD6B7EDCBF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <17f95b5f-2890-b658-eabb-4bee19ad3404@sit.fraunhofer.de> <E77143BB-F615-4DCF-A1EE-3504D88957AC@sobco.com> <b0eee453-b494-591c-b597-508b638680c0@sit.fraunhofer.de>
In-Reply-To: <b0eee453-b494-591c-b597-508b638680c0@sit.fraunhofer.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 48cf3c60-7b4b-44d1-56a3-08d9e04b99d6
x-ms-traffictypediagnostic: BN2P110MB1237:EE_
x-microsoft-antispam-prvs: <BN2P110MB12376434E37005D3B33DDAA5DC5F9@BN2P110MB1237.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 99JZgT0x97IjHPKmsbSNinn91ATUg8aEiTrgz9slFq3MJrW5i5rkMn9mzgypS6WF58X4AwafYD3uftwX9HSdgjaAUhCICALJKZmcX79SVecGDsf1h/IaQhwdde1llJAcUuytN9xTXRHIPLuQxhgKRCSAPYRNVXAOMsZQno09jS8YvGC9DR2vMxEZ5rhMQhsP7gt5FKEPmjO+qcvnD94+wrjWPac9ZSvp/zoCDJklXi+An7avNlxubXWLt5rvKbfqJvxzIaYYImgZchq7XJtC3iBwoVKF0wo0dqt0EG4YQRUuFjl1CXO9IZdxtDU1bIxHU1V8WGV3fIGIYbwQeWvEo5vZxUUEYAl8byY6Tue5M2oEfVyfiEQZ2WXWqXv71YN93xPX4LjkTkl9LJ2+ZNiLNoN4mRP9E1o6Ot1gk0eJvZi5XfDyfVtkpFDq99SN8ijvvZ1QGuS72vD7AJY1/iD+IA8g8XrhQ2akNK3ZrUzjowxNlOWc2n5hAeYV313o8QXrayDXpiN+E3UBuXNtos9Rvqr1vMP6hNXomLhWCpnI5m0DxUuMax6lNkGgwimX0A4Ed8ccfHya+Lzsi0lZ1aCVBTgmCoShY53cHB5b64izm9jtKay6iQzHQHkS58+CgYUaphOeueUMAX6uqZmw1ha8usecuqG2R6k4r83yj5ovnNnuPQ01jqlJxnSY+lSyS7tFgfblBFYfDp5RZ8OIxUex8g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(84040400005)(110136005)(64756008)(66946007)(66556008)(66476007)(33656002)(4326008)(71200400001)(8676002)(7696005)(76116006)(54906003)(38100700002)(5660300002)(122000001)(52536014)(66446008)(83380400001)(8936002)(82960400001)(498600001)(9686003)(38070700005)(6506007)(53546011)(2906002)(966005)(186003)(86362001)(55016003)(26005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: gTo+/wRb6ZhMjVftMI6MNE62ObHy7pMi2hUtquuHU82+ZvUMcOuScGS7BRdMVHENQ/OUSfjwxCum4Z7PBeGeHOpCS5THsfg9KsRDXjtI6c+VWl48KqrEjCMzQtw08+2nJaf4N2f81i1deWbaccTWfg==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 48cf3c60-7b4b-44d1-56a3-08d9e04b99d6
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jan 2022 21:42:35.6984 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1237
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/ZQW_RjDl6Yx7YFZKSjYVRVe1xjE>
Subject: Re: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2022 21:42:43 -0000

Hi!

> -----Original Message-----
> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> Sent: Tuesday, January 25, 2022 3:54 PM
> To: Scott Bradner <sob@sobco.com>
> Cc: Roman Danyliw <rdd@cert.org>; sacm@ietf.org; Salz, Rich
> <rsalz@akamai.com>; Robert Sparks <rjsparks@nostrum.com>
> Subject: Re: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid
> 
> Hi Scott,
> 
> yes, we added some clarifying text to section 6.2.
> 
> Does that address your open issue appropriately?
> 
> 
> Viele Grüße,
> 
> Henk
> 
> On 24.01.22 12:32, Scott Bradner wrote:
> >
> >
> >> On Jan 24, 2022, at 6:26 AM, Henk Birkholz
> <henk.birkholz@sit.fraunhofer.de> wrote:
> >>
> >> And here are the corresponding responses. Scott, Rich, and Robert are
> included to the TO, analogously.
> >>
> >>> (1) Scott Bradner did an OPSDIR review --
> https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-opsdir-lc-bradner-
> 2021-08-07/.  The following feedback does not appear to be discussed or
> resolved:
> >>>> along the same line - it would seem to me that the IANA repository
> >>>> should be at https://www.iana.org/assignments/coswid  (or co_swid)
> >>>> not https://www.iana.org/assignments/swid
> >>> I believe the comment is about the following text in a few places in Section
> 6.2.*:
> >>>     [TO BE REMOVED: This registration should take place at the following
> >>>     location: https://www.iana.org/assignments/swid]
> >>> Earlier in the text in Section 6.2:
> >>> "6.2.  Software Tag Values Registries
> >>>     The following IANA registries provide a mechanism for new values to
> >>>     be added over time to common enumerations used by SWID and
> CoSWID."
> >>> It would seem that if in fact things should stay in "assignments/swid",
> there is a missing registration procedure item -- nothing can be added if it isn't
> in the SWID specification.  I under the impression from earlier conversations
> that we wanted to provide flexibility for CoSWID to potentially extend it's own
> data model independent of SWID (i.e., there could be data elements in CoSWID
> that were not in SWID).  If so, this suggests that "assignment/coswid" should be
> used instead (as Scott was suggesting).
> >>
> >> This seems to be a misunderstanding that we did not capture well. The
> registry we are looking for must serve both the SWID space and the CoSWID.
> >> While these are fueled by two documents - namely from ISO-IEC and IETF - it
> is beneficial for interoperoperabitly to align them. Now - we understand that
> SWID is not CoSWID and that the IETF is not responsible in any way how ISO
> operates. Yet, IETF will be in charge of the registry from now on - and ISO
> action will have to work throgh the IETF process as defined in the I-D. And that
> is a decision made in consensus with the ISO authors and the SACM WG.
> >>
> >> There is no requirement in CoSWID or the registration procedures that
> require anything added to a registery must first exist in the ISO-IEC SWID
> specification.
> >>
> >> In summary, that is why it is okay to do the registry under 'swid'. This is also
> why the name 'swid' was chosen as a neutral name for software identification
> that can serve both uses for the registered values.
> >
> > OK - is that going to be clarified in the document?

Has something changed?  During the AD review (https://mailarchive.ietf.org/arch/msg/sacm/lZsk8wlOprU-WKPxgQAYLfBzDdE/):

==[ snip ]==
** There are a number of places in the text where normative guidance is framed as "SWID/CoSWID".  Is this document suggesting any behavior of SWID, or is that just a short-hand because this CoSWID is just a different representation of the SWID information (?) /data(?) model?  What is the SWID behavior relative to the IANA registries?

** In the long term, will SWID and CoSWID diverge and how should this be handled? This spec seems to defined a number of helpful extension points.  Does SWID have to use those? It might be helpful to clarify that in the text.  Section 2.2 (i.e., "The inclusion of extension points ...") and Section 2.3 ("... references to the IANA registries will be added to the next revision of [SWID]")hints that only future version of SWID might pick up these extensions.  The Section 5 IANA registrations call the registries "SWID/CoSWID" which seems confusing since SWID doesn't use them now.  Can you help me understand the state of play with SWID.  Without the background, it seems like a big leap that we're going to make registries for future work in another SDO (if they haven't already asked).
==[ snip ]==

I posed a similar question but the answer was different.  In these earlier discussions I walked away understanding that CoSWID was a fork of SWID and it was acceptable that minor inconsistencies.  The abstract even says " CoSWID supports a similar set of semantics and features as SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information."  For this reason, the IANA registry text present in -15 was even renamed from "SWID/CoSWID" to "CoSWID".

If I understand the explanation above correctly, now it seems that SWID is going to be using the CoSWID registries.  Does that imply some new co-evolution strategy?  Did something change from Fall 2021?

In rechecking the language in Section 6.* around which ranges have which registration procedures (standards action vs. specification required), I wanted to raise a two new points:

** (Based on unrelated discussions around the CWT registry that encountered a similar situation)  This document provides crisp guidance for the DE.  Should this DE guidance be applied for both "standards action" and "specification required" registry entries. I ask because per RFC8126, only "specification required" required applies DE review.  If you want DE review for all registrations s/standards action/standards action with expert review/.

** If SWID and CoSWID is going to be using these registries, does ISO understanding and it is intentional that SWID/ISO will not be able to register values in the lower/smaller "standards action" range?

Regards,
Roman

v2.23.0 | Report a Bug | By Email