Re: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Mon, 24 January 2022 11:26 UTC

Message-ID: <17f95b5f-2890-b658-eabb-4bee19ad3404@sit.fraunhofer.de>
Date: Mon, 24 Jan 2022 12:26:01 +0100
To: Roman Danyliw <rdd@cert.org>, sacm@ietf.org, "Salz, Rich" <rsalz@akamai.com>, Scott Bradner <sob@sobco.com>, Robert Sparks <rjsparks@nostrum.com>
References: <BN1P110MB0939568CF0E61FF364CD6B7EDCBF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
In-Reply-To: <BN1P110MB0939568CF0E61FF364CD6B7EDCBF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/aoMc3Y5ZaY5HiMcnQkxORfoNBgU>

And here are the corresponding responses. Scott, Rich, and Robert are
included in the TO, analogously.

On 21.10.21 16:16, Roman Danyliw wrote:
> Hi!
> 
> Thanks for -19 of draft-ietf-sacm-coswid.  Since the conclusion of IETF LC, I reviewed it based on the provided feedback.  I didn't see direct replies to the directorate reviews but from cross-walking their feedback against the -18-to-19 diff, I believe the following are still unresolved/undiscussed.
> 
> (1) Scott Bradner did an OPSDIR review -- https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-opsdir-lc-bradner-2021-08-07/.  The following feedback does not appear to be discussed or resolved:
> 
>> along the same line - it would seem to me that the IANA repository should be at
>> https://www.iana.org/assignments/coswid  (or co_swid) not
>> https://www.iana.org/assignments/swid
> 
> I believe the comment is about the following text in a few places in Section 6.2.*:
> 
>     [TO BE REMOVED: This registration should take place at the following
>     location: https://www.iana.org/assignments/swid]
> 
> Earlier in the text in Section 6.2:
> 
> "6.2.  Software Tag Values Registries
> 
>     The following IANA registries provide a mechanism for new values to
>     be added over time to common enumerations used by SWID and CoSWID."
> 
> It would seem that if in fact things should stay in "assignments/swid", there is a missing registration procedure item -- nothing can be added if it isn't in the SWID specification.  I am under the impression from earlier conversations that we wanted to provide flexibility for CoSWID to potentially extend its own data model independent of SWID (i.e., there could be data elements in CoSWID that were not in SWID).  If so, this suggests that "assignment/coswid" should be used instead (as Scott was suggesting).

This seems to be a misunderstanding that we did not capture well. The
registry we are looking for must serve both the SWID space and the CoSWID.
While these are fueled by two documents - namely from ISO-IEC and IETF -
it is beneficial for interoperability to align them. Now - we
understand that SWID is not CoSWID and that the IETF is not responsible
in any way for how ISO operates. Yet, IETF will be in charge of the registry
from now on - and ISO action will have to work through the IETF process
as defined in the I-D. And that is a decision made in consensus with the
ISO authors and the SACM WG.

There is no requirement in CoSWID or the registration procedures that
requires that anything added to a registry must first exist in the ISO-IEC
SWID specification.

In summary, that is why it is okay to do the registry under 'swid'. This 
is also why the name 'swid' was chosen as a neutral name for software 
identification that can serve both uses for the registered values.


> 
> (2) Rich Salz did an ARTART review -- https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-artart-lc-salz-2021-08-02/.  The following feedback does not appear to be discussed or resolved:
> 
>> In 2.3, why are there three separate bools for corpus/patch/supplemental as opposed to a single enumeration?
> 
> If this is a design choice, please answer Rich.

This was a design decision to keep CoSWID in sync with ISO-IEC SWID, 
which has 3 separate bools. This allows interoperability between SWID 
and CoSWID which is a design requirement.


> 
>> Can the tag-id be a digest of the source file?
> 
> I think the answer is yes.  It might be worth saying so.

Yes. There are few requirements on how to structure the tag-id. It is
treated as a simple string, which allows a digest to be used. This would
only be practical if the SWID tag is for software that is a single
file. That is a fringe case.

> 
>> What are the implications of it not being unique? That should be listed in the security considerations.
> 
> I see that this new text was added: "Failure to ensure global uniqueness can create ambiguity in tag use since the tag-id serves as the global key for matching and lookups".  To Rich's point, there are likely security implications to this collision.  Please explicitly describe those.

Addressing missing statements for clarifications in the Security 
Consideration Section via 
https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/45

NEW:
Since the tag-id of a CoSWID tag can be used as a global index value,
failure to ensure the tag-id's uniqueness can cause collisions or
ambiguity in CoSWID tags that are retrieved or processed using this
identifier. CoSWID is designed to not require a registry of identifiers.
As a result, CoSWID requires the tag creator employ a method of
generating a unique tag identifier. Specific methods of generating a
unique identifier are beyond the scope of this specification. A
collision in tag-ids may result in false positives/negatives in software
integrity checks or mis-identification of installed software,
undermining CoSWID use cases such as vulnerability identification,
software inventory, etc. If such a collision is detected, then the tag
consumer should contact the maintainer of the CoSWID to have them issue
a correction addressing the collision.

> 
> (3) Robert Sparks did a SECDIR review -- https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-secdir-lc-sparks-2021-08-11/.  The following feedback does not appear to have been discussed or resolved:
> 
>> Consider RFC6648 (BCP 178) where you are reserving "x_" name prefixes for private use.
> 
> Section 4.2 says:
> 
>     The values above are registered in the IANA "Software Tag Entity Role
>     Values" registry defined in Section 6.2.5.  Additional values will
>     likely be registered over time.  Additionally, the index values 128
>     through 255 and the name prefix "x_" have been reserved for private
>     use.
> 
> Section 6.2.5 says:
> 
>                     +=========+=========================+
>                     | Range   | Registration Procedures |
>                     +=========+=========================+
>                     | 0-127   | Standards Action        |
>                     +---------+-------------------------+
>                     | 128-255 | Specification Required  |
>                     +---------+-------------------------+
> 
>                 +=======+=================+=================+
>                 | Index | Role Name       | Specification   |
>                 +=======+=================+=================+
>                 | 0     | Reserved        |                 |
>                 +-------+-----------------+-----------------+
> ...
>                 +-------+-----------------+-----------------+
>                 | 7-255 | Unassigned      |                 |
>                 +-------+-----------------+-----------------+
> 
> From the Sec 6.2.5 text, it looks like values 128 - 255 could in fact be assigned.  However, Sec 4.2 says they are reserved for private use.  There may be other cases of this.

The text around 'x_' was actually an artifact and has been removed.


> 
> Thanks,
> Roman
> 
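
The tag-id collision risk described in the NEW Security Considerations text above, and the digest-as-tag-id case from the ARTART question, shown as an added example that is not part of the original message or of the CoSWID draft. Tags are modelled as plain dicts rather than CBOR; only "tag-id" comes from the thread, while the other keys, the "source" label and all sample values are constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict


def digest_tag_id(file_bytes):
    """tag-id for single-file software: the SHA-256 hex digest of that file."""
    return hashlib.sha256(file_bytes).hexdigest()


# Constructed sample inventory collected from three hypothetical sources.
SAMPLE_TAGS = [
    {"tag-id": "acme-editor", "software-name": "ACME Editor",
     "software-version": "4.1", "source": "vendor-feed"},
    # Same tag seen again on an endpoint: a duplicate, not a collision.
    {"tag-id": "acme-editor", "software-name": "ACME Editor",
     "software-version": "4.1", "source": "endpoint-scan"},
    # Different software reusing the same tag-id: a collision.
    {"tag-id": "acme-editor", "software-name": "Acme Text Editor Lite",
     "software-version": "1.0", "source": "third-party-repo"},
    # Single-file tool whose tag-id is the digest of its (constructed) bytes.
    {"tag-id": digest_tag_id(b"constructed single-file tool v1\n"),
     "software-name": "onefile-tool", "software-version": "1",
     "source": "vendor-feed"},
]


def content_digest(tag):
    """Hash the tag without the 'source' label so identical tags compare equal."""
    body = {k: v for k, v in tag.items() if k != "source"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def find_tag_id_collisions(tags):
    """Return {tag-id: [sources]} for ids that map to more than one distinct tag."""
    variants = defaultdict(lambda: defaultdict(list))
    for tag in tags:
        variants[tag["tag-id"]][content_digest(tag)].append(tag["source"])
    return {
        tag_id: sorted(src for srcs in by_content.values() for src in srcs)
        for tag_id, by_content in variants.items()
        if len(by_content) > 1
    }


def build_index(tags):
    """Index by tag-id, excluding colliding ids instead of letting the last write win."""
    collisions = find_tag_id_collisions(tags)
    index = {t["tag-id"]: t for t in tags if t["tag-id"] not in collisions}
    return index, collisions
```

Excluding a colliding tag-id from the index, rather than keeping whichever tag arrived last, is what prevents the false positives/negatives in integrity and vulnerability checks that the NEW text warns about; the listed sources identify whom to contact for a correction.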