Re: [sacm] AD Review of draft-ietf-sacm-coswid-15
Jessica Fitzgerald-McKay <jmfmckay@gmail.com> Wed, 14 October 2020 13:29 UTC
Return-Path: <jmfmckay@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33D663A0BDF for <sacm@ietfa.amsl.com>; Wed, 14 Oct 2020 06:29:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ag2_nH-G1ef2 for <sacm@ietfa.amsl.com>; Wed, 14 Oct 2020 06:29:18 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40B063A0CCD for <sacm@ietf.org>; Wed, 14 Oct 2020 06:29:17 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id x1so3149886eds.1 for <sacm@ietf.org>; Wed, 14 Oct 2020 06:29:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MEONig1BCJGdfnm5n9O1hNAMvT/ntHiaIGcFgrZyvpo=; b=FR6oq4NhSO9YzcwOC9Saa5ixs0CMWzt5CmMzAwCtSKwHtLWhNn38tf84SlC6Myk1O8 nAsz1+GXyqtn5Hjb41dkUfJd8gmabJdYpeGlvzEqfw+YhBr8O4iw1+bl9yqjv7M6v9rz gzyvLNikPo7W2jwZrfS7xMyqcE5f12JCIWse1qoCVBCFRUu61qHNzLlQ2cPvLLSHPoYo jCCJoohnH6+pJplYEsToWgd/kX/Bi1+mU4e71I8D/hEzbdLbwN+RXkqhdBGomIf+9u4I Qn7orcRbCjYYjZpSea9SiDhoyZysKEIuxhqy7oiZNyDCEAxjwt9BX3ybAzf2VsUGfqjW 9jvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MEONig1BCJGdfnm5n9O1hNAMvT/ntHiaIGcFgrZyvpo=; b=jba4aZxjBCBxKNgvBx9h9OMhtYnX7zku0o26B+4US3yov4V154b08uSEM6DqL3uCQJ 9q4kKqJTMkzh++0DUAZuaH+Vb/99u5TGbb4rbeyogYVlTug/ip8LApYHF7JHz5sHZr1A lOJL+ZtB9o01vCnLyEG8Kr21HM5/bP2Ra1fyKBUhRxt0RO+8bWuhRwk0JOe2KkUVvOi2 y0TQiHD7CMcPh0rqcnTbbSymQSdvpsb4CQV/OYvXRv4Z3ZdQy7DVo9RUPOdsXYi/6lf4 vGqmUHbPM6z4AzcXRKeJv99CZHJWNboGGZdoiXZFHKVMQHX2YSSPeXqgy+3y+l9h3HK7 HOnA==
X-Gm-Message-State: AOAM530pZbVjJzqv4YRBEwxmzn8TS+3gwLoKlVtTK+9PjYnJkpBSQhDu oP5gz709FGwM4phsaE+sjI1DAWtXySocCSZKwz0=
X-Google-Smtp-Source: ABdhPJydDDRgC3u6DjJQZETZ71DrSsVQsE2kWth0hfUkEOzegVwmKnPHw5mHTstsmKpgvMHonP3RzwvOSLTar5wiOAM=
X-Received: by 2002:aa7:c714:: with SMTP id i20mr5499391edq.136.1602682155684; Wed, 14 Oct 2020 06:29:15 -0700 (PDT)
MIME-Version: 1.0
References: <d2439fe599dd48508c7cedaed3be7764@cert.org>
In-Reply-To: <d2439fe599dd48508c7cedaed3be7764@cert.org>
From: Jessica Fitzgerald-McKay <jmfmckay@gmail.com>
Date: Wed, 14 Oct 2020 09:29:04 -0400
Message-ID: <CAM+R6NXLyOFm10omDFLKS=EGv6xq77r9+dVPFwY=CCAGuuWL8g@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>, "<sacm@ietf.org>" <sacm@ietf.org>
Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "Schmidt, Charles M." <cmschmidt@mitre.org>, "Waltermire, David A." <david.waltermire@nist.gov>, Jessica Fitzgerald-McKay <jmfitz2@cyber.nsa.gov>
Content-Type: multipart/alternative; boundary="00000000000093d7ad05b1a18491"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/bZQbifylYCtoUubcd0Xn977Wx6I>
Subject: Re: [sacm] AD Review of draft-ietf-sacm-coswid-15
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 13:29:21 -0000
Roman, Thank you for the review. The authors met this morning to start working through your comments. We're going to need to meet a few more times before we can reply substantively, but we have high hopes we'll be able to address your comments in a new draft before the IETF 109 submission deadline! Thanks, Jess On Thu, Oct 1, 2020 at 11:55 AM Roman Danyliw <rdd@cert.org> wrote: > Hi! > > I conducted an AD review of draft-ietf-sacm-coswid-15. Thanks for the > work on this document. My feedback is as follows: > > ** For shepherd write-up, please note CoSWID implementations: > https://github.com/usnistgov/swid-tools/ > > ** There are a number of places in the text where normative guidance is > framed as "SWID/CoSWID". Is this document suggesting any behavior of SWID, > or is that just a short-hand because this CoSWID is just a different > representation of the SWID information (?) /data(?) model? What is the > SWID behavior relative to the IANA registries? > > ** In the long term, will SWID and CoSWID diverge and how should this be > handled? This spec seems to defined a number of helpful extension points. > Does SWID have to use those? It might be helpful to clarify that in the > text. Section 2.2 (i.e., "The inclusion of extension points ...") and > Section 2.3 ("... references to the IANA registries will be added to the > next revision of [SWID]")hints that only future version of SWID might pick > up these extensions. The Section 5 IANA registrations call the registries > "SWID/CoSWID" which seems confusing since SWID doesn't use them now. Can > you help me understand the state of play with SWID. Without the > background, it seems like a big leap that we're going to make registries > for future work in another SDO (if they haven't already asked). > > ** Section 1. Per the remote attestation use case, would the RATS > architecture draft be more appropriate than [I-D.birkholz-rats-tuda]? > > ** Section 1. > A SWID tag consisting > of only required fields might be a few hundred bytes in size; > however, a tag containing many of the optional fields can be many > orders of magnitude larger > > My rough read of this text is that if the required-only fields will > generate a tag of ~300 bytes, a tag with optional fields would be ~3000 > bytes. It would be helpful to note here the respective sizes of CoSWID > tag. For the shepherd report, it might be useful to frame who exactly is > doing inventory management and vul assessment to the degree that the device > is actually providing information, but doesn't have the bandwidth/compute > resources to serve 3Kb. > > ** Section 1.1. This section doesn't explicitly state with normative > language that this lifecycle applies > > ** Section 1.1. Figure 1. What is the perspective of this lifecycle - > should it be viewed from a particular host? I ask because the Corpus tag > appears to have no change of state -- get removed at all during the > Lifecycle? Perhaps at Software Installation? Minimally at Software > Removal? > > ** Section 1.1. Typo. s/xSuplemental/xSupplemental/ > > ** Section 1.1. Editorial. After reading this section, I was wondering > about what's the difference between patching and upgrading? Does one bump > the version number and the other does not? Perhaps a forward reference to > Section 2.3 would be appropriate here. > > ** Section 2.1. Recommend using normative language: > > OLD: > All names registered with IANA according to requirements in section > Section 5.2 also need to be valid according to the XML Schema NMToken > data type > > NEW > All names registered with IANA according to requirements in section > Section 5.2 also MUST be valid according to the XML Schema NMToken > data type > > ** Section 2.3 Are there any considerations that would need to be made > for versioning CoSWID beyond the native support provided with CBOR? > > ** Section 2.3. Per "If the software component's version number is > modified, then the correct course of action would be to replace the > previous primary tag for the component with a new primary tag that > reflected this new version.", would normative language be more appropriate > here: "If the software component's version number is modified, then the new > a new primary reflecting this new version SHOULD (MUST?) replace the > previous primary tag for this component"? Additionally, if SHOULD is > chosen, under what circumstances would this not be followed (i.e., why not > a MUST)? > > ** Section 2.3. Global Typo. s/section Section/Section/g > > ** Section 2.3. Per "This item represents a query as defined by the W3C > Media Queries Recommendation (see > [W3C.REC-css3-mediaqueries-20120619])" can normative language be applied > here to constrain the format. Perhaps "This item MUST be formatted as > query defined by the W3C Media Queries Recommendation (see > [W3C.REC-css3-mediaqueries-20120619]) format. > > ** Section 2.3. It isn't apparent to me from this text on how to use CSS > to provide hints on a target platform (e.g., how do I use color-index or > aspect ratio?). Is there a reference in the SWID text that can help? > > ** Section 2.6. s/entity-name (index 32)/entity-name (index 31)/ > > ** Section 2.6 Editorial. s/an registration ID/a registration ID/ > > ** Section 2.6. Per "In a given scope, the registration id MUST be used > consistently for CoSWID tag production.", can you clarify what you mean by > consistently? > > ** Section 2.7. href. Per "If no URI scheme is provided ...", then how > is this a valid URI? Per Section 3 of RFC3986, the scheme is mandatory. > The example "./folder/supplemental.coswid" is not a valid URI. > > ** Section 2.7. swidpath. This syntax seems underspecified. What does > XPATH on CBOR mean? What is the mapping? Tthe example provide seem to be > using the SWID names not the CoSWID names, is that a requirement? > Practically, I don't know of any Xpath library that ingests CBOR so all the > semantics here are unique. FYSA, draft-ietf-regext-rdap-sorting-and-paging > was attempting to specify XPATH on JSON, > https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-sorting-and-paging/ballot/, > the discussion on how to resolve this with the right normative reference > might be helpful here. > > ** Section 2.7. swidpath examples. Please do not use "contoso.com" in > the example. Use example.com instead. > > ** Section 2.7. Typo. s/a Ownership/an Ownership/ > > ** Section 2.7. Typo. s/Link Use Value Value/Link Use Value/ > > ** Section 2.8. Typo. s/identfies/identifies/ > > ** Section 2.8. unspsc-code. Please cite the URL of unspsc.org by > reference. > > ** Section 2.9.1. Should the Status field of the Named Information Hash > Algorithm Registry be considered when choosing an appropriate hash > algorithm? > > ** Section 2.9.1. Per path-elements, what is the equivalent of that in > SWID? > > ** Section 2.9.4. The date field here is a CDDL time type. In SWID, the > equivalent is a xs:date. Wouldn't it be more appropriate to use a CDDL > tstr here? > > ** Section 2.10. It would be helpful to be clear on where the naming > convention and semantics don't align between SWID and CoSWID don't line > up. I caught the following: > > -- Names > (SWID) Process@name is (CoSWID) process-name > > (SWID) File@name is (CoSWID) fs-name > > -- Semantics > (CoSWID) file-entry has a hash-entry, but does that have an equivalent in > SWID? > > (CoSWID) Section 2.9.1. Per path-elements, what is the equivalent of that > in SWID? > > ** Section 4.1. Typo. s/gudelines/guidelines/ > > ** Section 4.1. Editorial. s/decimal number ./decimal number./ > > ** Section 4.1 and 5.2.4. [SEMVER] doesn't meet the threshold for a > normative requirement and a "specification required" - it's just a > website. If this is used in SWID then that would be compelling argument to > waiver it. However, that should be explicitly stated here. If it isn't, > we should discuss it a bit more. > > ** Section 5.2.1. Typo. s/Proceedures/Procedures/ > > ** Section 5.2.1. Per "The latter SHOULD be used only for the > registrations requested by SDOs outside of the IETF", can you explain the > thinking on additional caveat of "by SDOs outside of the IETF"? How will > the threshold for what is an acceptable SDO be judged? > > ** Section 5.2.4. Global Typo. s/proceedures/procedures/g > > ** Section 5.2.4. Global Typo. s/inital/initial/g > > ** Section 5.2.6. Global Typo. s/guidlines/guidelines/g > > ** Section 5.3. Per Section 5.1 of RFC6838, was a message sent to > media-types@iana.org for preliminary review? I didn't see it on that > mailing list (did I miss it?). Please kick that off. > > ** Section 5.3. Editorial. s/RFC-7049/[RFC7049] > > ** Section 5.6. Per Step 3.2 of Section 7.2 of RFC7595, has this been sent > to uri-review@ietf.org? I didn't see it on that mailing list (did I miss > it?). Please kick that off. > > ** Section 5.6.1 and 5.6.2. Please use the template described in Section > 7.4 of RFC 7595. The fields below are part of the "old template". > > ** Section 5.6.1. Typo. s/speific/specific/ > > ** Section 5.6.1. Global Typo. s/indentify/identify/g > > ** Section 5.6.2. The uri scheme syntax seems under-specified. Please > provide a bit more formal syntax which includes all of the scheme elements > (perhaps as simply as just not stating it as an example) > > ** Section 5.6.2. Editorial. There are words missing in paragraph ending > with "... rence related tags on the same device using this URI scheme" > > ** Section 5.7. Per the "Software Data Model Types" registry: > > -- "Defining Specification" is actually named "Reference" in the registry > -- In the derived SW identifiers syntax, are those bare underscores or are > those quotes really supposed to be in there? > > ** Section 5.7. Typo. s/ietm/item/ > > ** Section 6. Per "SWID/CoSWID tags are intended to be easily > discoverable ...", can a reference be provided on how this discoverability > is realized. > > ** Section 6. Per "As such, any security considerations regarding > SWID/CoSWID tag focys on the application of SWID/CoSWID tags to address > security challenges ...", wouldn't there also be integrity and authenticity > concerns about the SWID? > ** Section 6. What are the normative requirements, if any, on signing the > CoSWID? > > ** Section 6. Per "When an authoritative tag is signed, the software > provider can be authenticated as the originator of the signature", what is > the binding between the software provider and the key used to provide the > signature? Put in another way, how do I know the signature on the CoSWID > really belongs to the software provider? Same for a supplementary tag? > > ** Section 6. Per "Having a signed authoritative SWID/CoSWID tag can be > useful when the information in the tag needs to be trusted ...", when would > this tag not need to be trusted? What is the use case for unsigned tags? > > ** Section 6. > OLD > For this reason, it is important to protect the > confidentiality of SWID/CoSWID tag information that has been > collected from an endpoint > > NEW > For this reason, it is important to protect the > confidentiality of SWID/CoSWID tag information that has been > collected from an endpoint in transit and at rest > > Section 6. Per "For this reason, tools that consume SWID/CoSWID tags > ought to treat ...", is normative language or less colloquial language more > appropriate here - s/ought/should/? > > ** Appendix A. The SWID spec is clear on how to provide integrity on the > SWID tags. Here, there is what seems like an example of how to use COSE. > The language is soft. For example, "Concise SWID can be wrapped in ...". > For the purposes of interop, why isn't there a canonical way to sign CoSWID > specified? Is it envisioned that an approach other than what's described > in Appendix A would be used? If there are multiple ways, please discuss > how the interop would work. If there aren't, please use normative language > to describe how to realize the desired security properties (which I think > is integrity and authenticity). Editorially, it would also help the reader > if you would clearly state which CoSWID elements would be protected with > the described approach (i.e., the whole tag) > > Regards, > Roman > > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm >
- [sacm] AD Review of draft-ietf-sacm-coswid-15 Roman Danyliw
- Re: [sacm] AD Review of draft-ietf-sacm-coswid-15 Jessica Fitzgerald-McKay
- Re: [sacm] AD Review of draft-ietf-sacm-coswid-15 Roman Danyliw
- Re: [sacm] AD Review of draft-ietf-sacm-coswid-15 Carsten Bormann
- Re: [sacm] AD Review of draft-ietf-sacm-coswid-15 David Kemp
- Re: [sacm] AD Review of draft-ietf-sacm-coswid-15 Carsten Bormann