Re: [sacm] IETF 95 Agenda on SWID world
Adam Montville <adam.w.montville@gmail.com> Thu, 07 April 2016 12:28 UTC
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B983112D81D for <sacm@ietfa.amsl.com>; Thu, 7 Apr 2016 05:28:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.93
X-Spam-Level:
X-Spam-Status: No, score=-1.93 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VcmPfCbiNBb for <sacm@ietfa.amsl.com>; Thu, 7 Apr 2016 05:28:09 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE61A12D79B for <sacm@ietf.org>; Thu, 7 Apr 2016 05:28:08 -0700 (PDT)
Received: by mail-qk0-x22c.google.com with SMTP id k135so25919375qke.0 for <sacm@ietf.org>; Thu, 07 Apr 2016 05:28:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=yJkx4Vmg/3WAy/Q8+itnM+0vkpQVLbPIA4GGWig19HY=; b=mwMpeF0OawdPBg/QTPJmJe0QXgVFzCrQahMAv/8bMFTyDkx19s5+Wk6e6OuWg2pK0g i5O+JApYlCZz6EdG3aajJ9VkL2rXVshDxcasEzB+ZwcVGe552dD+lLMCRC/78quTx7YS vPD1qFcYK07AoOoiPuQ7l3XUs/5qrxdwp58ePipRwWsrEQQmmXyfHSCqyt7gWZb9VWN3 VjuGNgkgyoopNdsCH6K1YXgtp9Ck2U8dDMFMldZkmy0Gu+Cl19W3pEGUoPELoWfWmAfS g7JKzuimEVK8jZdoW4o0wQJwxC+/77UbQL4KqRs3AjwnL4ysJYlPEm/sVal9CYf5wwy6 o16Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=yJkx4Vmg/3WAy/Q8+itnM+0vkpQVLbPIA4GGWig19HY=; b=BgVH6FCagy0TMJ6MzGnobu8DxrsPX/ZuaT/dfoyKArA2FogjmRA9sgGWQm0ed1qmxR parW5ggR7dkMyzxJfQA8n4CPVdn2/053S+HXyip5ZTbrT57KzV9CMqmpr8E5MJFNQdVf nhoq5+WAurKnk8VDU7PM03IAogn9a1nEonf5kIYK/z2WMlgVbzmqGxxVazK/Z3jEYPru ftlY09UWZXjRtDomO9d25p9nnbyePxvWzOwXRZxIY7gw9xDciRn94h7woRtgrdWV8CMQ 0TCP3th4bwxgncwoOOJ1i+M8xelv6T5Fm8kJe4S58RoGCqLPLKcXGDEeFxHnlRHfiSlc FSjw==
X-Gm-Message-State: AD7BkJKcK+30lnMhkUErRpySVxYwjz4RruVCMykdj5qJVSBlfBAKEnFM/fcryj+mQsno6Q==
X-Received: by 10.55.221.8 with SMTP id n8mr3156209qki.50.1460032087985; Thu, 07 Apr 2016 05:28:07 -0700 (PDT)
Received: from [172.16.7.230] ([200.61.9.66]) by smtp.gmail.com with ESMTPSA id a22sm1777453qkg.49.2016.04.07.05.28.06 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 07 Apr 2016 05:28:07 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_E37951DF-0879-4E37-A4DD-36E6D4DB46CD"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Adam Montville <adam.w.montville@gmail.com>
In-Reply-To: <57064BF9.4060805@yaanatech.com>
Date: Thu, 07 Apr 2016 09:28:03 -0300
Message-Id: <93818705-EDFF-479F-8D36-930EB2E6BA24@gmail.com>
References: <04C2FAE9-476B-489F-81CB-48BCAAFA29D6@gmail.com> <SN2PR0601MB099226A18B2F660403AB4DC8A89A0@SN2PR0601MB0992.namprd06.prod.outlook.com> <E6535DCE-089D-4EEA-BA8F-AA1F1D5C42A5@gmail.com> <57064BF9.4060805@yaanatech.com>
To: tony@yaanatech.com
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sacm/bu0XXD6HKkV_WU9I-UOHwbuX5uw>
Cc: "<sacm@ietf.org>" <sacm@ietf.org>
Subject: Re: [sacm] IETF 95 Agenda on SWID world
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 12:28:11 -0000
Tony, Thanks for your comments, insights, and references. I think SWID is a starting point, as any reasonable engineer would recognize that no single software identification standard will get security automation across the goal line. To clarify the SWID XML/CBOR confusion, that was an example of the boundaries between information models, data models, and serializations. If you have an opportunity, you should review the MeetEcho recording. Kind regards, Adam > On Apr 7, 2016, at 9:00 AM, Tony Rutkowski <tony@yaanatech.com> wrote: > > Hi Adam, > > Interesting to seem the presentations and > brainstorming on materials. A few "inquiring > minds" questions. > > For the Information Model Update presentation, > slide 9 portrays two SWIDS: "SWID XML Schema" > and "SWID CBOR Data Definition." It's not clear > what the former represents, and the latter > presumably will eventually be revealed in > draft-birkholz-sacm-coswid-00. > > The SWID CBOR effort usefully begins to head > slowly in the right direction of getting real, but it > refers to ISO/IEC 19770-2:2015 as the source > of SWID information structures, and combined > with ISO/IEC 19770-5:2013 also referenced, sets > one back $389 to take a peek at them. Maybe that's > easy change for a government agency, but no one in > the real world is going to spend that amount to > take a peek at a specification. > > The problem here is compounded because NISTIR > 8060 is out on the street for comment, but it references > the 2009 version. To make matters worse, the NISTIR > references the 2015 version as an extension schema, > but the URL to get the extension schema is broken. > http://csrc.nist.gov/ns/swid/2015-extensions/1.0 > > Not that this isn't elegant work, but it has the surreal > attributes that pervaded the OSI world 30 years ago > where the previous generation of some of the same > government agency actors inhabited standards > meetings - writing for years some of the best > specifications that no one ever used. > > There are at least a dozen other industry SWID > standards efforts out there if there was an interest > in looking. They have better properties for the > context, and some of those are used on a significant > scale. But then again, it's kind of fun watching the > deja vu of OSI getting reinvented in the IETF! > > --tony > > ps. If the authors revise the SWID CBOR draft, finding > the details of X.1520 is easy. In English, it is at: > <https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.1520-201401-I!!PDF-E&type=items> > > > > >
- [sacm] Updated IETF 95 Agenda Posted Adam Montville
- Re: [sacm] Updated IETF 95 Agenda Posted Lisa Lorenzin
- Re: [sacm] Updated IETF 95 Agenda Posted Adam Montville
- [sacm] IETF 95 Agenda on SWID world Tony Rutkowski
- Re: [sacm] IETF 95 Agenda on SWID world Adam Montville
- Re: [sacm] IETF 95 Agenda on SWID world Tony Rutkowski
- Re: [sacm] IETF 95 Agenda on SWID world Lisa Lorenzin
- Re: [sacm] IETF 95 Agenda on SWID world Cheikes, Brant A.
- Re: [sacm] IETF 95 Agenda on SWID world Tony Rutkowski
- Re: [sacm] IETF 95 Agenda on SWID world Tony Rutkowski