IETF Logo Mail Archive

Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document

Gunnar Engelbach <gunnar.engelbach@threatguard.com> Sat, 18 June 2016 17:06 UTC

Return-Path: <gunnar.engelbach@threatguard.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF2DE12D672 for <sacm@ietfa.amsl.com>; Sat, 18 Jun 2016 10:06:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=threatguard-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MK5i-bQymOgE for <sacm@ietfa.amsl.com>; Sat, 18 Jun 2016 10:06:10 -0700 (PDT)
Received: from mail-pa0-x22d.google.com (mail-pa0-x22d.google.com [IPv6:2607:f8b0:400e:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72B2612D0A2 for <sacm@ietf.org>; Sat, 18 Jun 2016 10:06:10 -0700 (PDT)
Received: by mail-pa0-x22d.google.com with SMTP id wo6so1256880pac.3 for <sacm@ietf.org>; Sat, 18 Jun 2016 10:06:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=threatguard-com.20150623.gappssmtp.com; s=20150623; h=from:subject:to:references:cc:message-id:date:user-agent :mime-version:in-reply-to; bh=dWAcAEGHdCC8/DLJEfm+wORnTQLYxHh4w3fGclirms4=; b=xSv86Y0Ga4XdK65RuG9vNQRYLukRpeaNQiiTTpijjhAvqVSDoSqA9GMte6EEzeFh1u aQxoxg7YYUy6577Szy/7u6kJ4FV1jKmjpUfT3/a5QueZlAyI1aUB04Ywoh6WbcsWDGQ3 lWw4iwOpnu6uh6+kR9OF+tDrxzNlGDgz4tBFLoaEoIH6SdTqbTfiEy7vdVJ7LgV8S1om XhpVS/fFlSN+C7asipIdrgrqFEcLgmfTwHq9YxI0xCevq7rkjgv9BjvXlKjzNJEGL2nt SGY9ra5VQJfqPtfz4RCIyGIEursfTxoUXhpWY2VsNtgIiMcfOzzhja08QBXMvhlmrGSn s0Hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:to:references:cc:message-id:date :user-agent:mime-version:in-reply-to; bh=dWAcAEGHdCC8/DLJEfm+wORnTQLYxHh4w3fGclirms4=; b=GIeqlJC48DjOYkLYMyelF+9IkxfpMRgAX08n4uCzYJ9c3+7bYuuusuwnQIQOZvBv7l oTVSxMwHO/NWCfr3VQOkfYIb/VB1NdcfxkvpWCIYgZGYtVvQibrzAgJsP4KjK19Irb6Y wlN0wAhxkTzN8r+mw1tJKIpyTgHfmkp/VA//upgdUUKds0b9YrcgCuSdiwL8BfXsTXNS Azusm1qUYwJBd70iSpZMrl7zTg834EL5HmmJZL+xslTorWp/EtdMfAFsHBi5BmBuGh8v Rb91FW94kPubZaaJ0yAeNlkSeHWxbWVrUr9PIDMC6t9zwVK/4p/smntFYX3FQpkCH5Iz q+lA==
X-Gm-Message-State: ALyK8tK50ST8zk9hZw5cem+YIIVB5UJrkyPOOQi2Jeh5WZ0x7+ENfWz+R2qtO9zp3xoTLg==
X-Received: by 10.67.4.137 with SMTP id ce9mr4145463pad.120.1466269569675; Sat, 18 Jun 2016 10:06:09 -0700 (PDT)
Received: from [172.16.1.122] (75-142-12-171.dhcp.mdfd.or.charter.com. [75.142.12.171]) by smtp.gmail.com with ESMTPSA id k22sm36354012pfj.16.2016.06.18.10.06.08 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 18 Jun 2016 10:06:08 -0700 (PDT)
From: Gunnar Engelbach <gunnar.engelbach@threatguard.com>
X-Google-Original-From: Gunnar Engelbach <Gunnar.Engelbach@ThreatGuard.com>
To: Adam Montville <adam.w.montville@gmail.com>, "Dan (Dan) Romascanu" <dromasca@avaya.com>
References: <17198AFF-DF5A-46BC-B84A-2AAF1717BD90@isoc.org> <EC234EFE-95AB-444B-8A5D-782ADBD60559@gmail.com> <1c99b26c-bdac-5798-1bd9-e957b11ae4bd@yaanatech.com> <db612b00-c11a-88c1-45da-35e0693305e9@ThreatGuard.com> <6062111F-9C39-4C7C-B008-F7E23FED40DE@gmail.com> <9904FB1B0159DA42B0B887B7FA8119CA7520D40F@AZ-FFEXMB04.global.avaya.com> <E79698DE-B183-4AE1-8F6C-08744E8BFFDF@gmail.com>
Message-ID: <94680da4-b547-6ee8-2510-ea10eb1e02ff@ThreatGuard.com>
Date: Sat, 18 Jun 2016 10:06:15 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <E79698DE-B183-4AE1-8F6C-08744E8BFFDF@gmail.com>
Content-Type: multipart/alternative; boundary="------------289E678FBB4155228021069F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/c9hoHx7R4YMtTH2_dxDoGjbsubk>
Cc: "<sacm@ietf.org>" <sacm@ietf.org>, "tony@yaanatech.com" <tony@yaanatech.com>
Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jun 2016 17:06:13 -0000

While we're on the topic,

There is an effort in progress to determine a data model for SACM 
endpoint collection.  Software identity information is just a set of 
endpoint attributes.  So is there a reason why software identity is 
treated differently?


--gun


On 6/18/2016 5:38 AM, Adam Montville wrote:
> Hi.  Because we would like to move our requirements through IESG, I 
> would like to drive this to ground.   There are three things that 
> we’re talking about doing when it comes to selecting a data model for 
> software identification:
>
> 1) Extensibility
> 2) Accessibility (not cost prohibitive)
> 3) Completeness
>
> There is a data model requirement for (1) - DM-014 Attribute 
> Extensibility.  There does not seem to be a requirement for 
> accessibility (2) or completeness (3).
>
> My question is this: Do we need such requirements?
>
> I would assert that we do not.  Accessibility is something that we 
> will always judge by virtue of the fact that we operate within the 
> culture of the IETF.  Completeness is not something we need to put 
> into the requirements draft by virtue of DM-002 Data Model Structure, 
> which indicates that a data model can be structured monolithically or 
> composed of modules/sub-modules—this seems to imply that we could be 
> ok with “completeness” potentially coming from more than one place.
>
> Thoughts?
>
> Adam
>
>
>> On Jun 13, 2016, at 9:12 AM, Romascanu, Dan (Dan) <dromasca@avaya.com 
>> <mailto:dromasca@avaya.com>> wrote:
>>
>> Re: Requirements – is this not 
>> whathttps://datatracker.ietf.org/doc/draft-ietf-sacm-requirements/is 
>> about? Maybe it needs an update.
>> Regards,
>> Dan
>> *From:*sacm [mailto:sacm-bounces@ietf.org]*On Behalf Of*Adam Montville
>> *Sent:*Friday, June 10, 2016 2:25 PM
>> *To:*Gunnar Engelbach
>> *Cc:*<sacm@ietf.org <mailto:sacm@ietf.org>>;tony@yaanatech.com 
>> <mailto:tony@yaanatech.com>
>> *Subject:*Re: [sacm] Call for adoption of 
>> draft-coffin-sacm-nea-swid-patnc as a SACM WG document
>> This seems like a fine approach.
>> As part of that third item, I’d like to get requirements from our own 
>> drafts as well, starting perhaps with the vulnerability scenario, but 
>> also considering our requirements and other drafts.
>>
>>     On Jun 9, 2016, at 7:44 PM, Gunnar Engelbach
>>     <gunnar.engelbach@threatguard.com
>>     <mailto:gunnar.engelbach@threatguard.com>> wrote:
>>
>>
>>
>>     Hey Tony, funny thing that you should say that.  You seem to have
>>     a better awareness of the other efforts going on out there than I
>>     do, so I could use your help in identifying other good candidates
>>     and what will be necessary to support as many of them as possible.
>>
>>     What I'd really like to do is take a more formal approach --
>>     gather some requirements and then see from among the existing
>>     efforts which is the best from among those that are good enough. 
>>     If any.
>>
>>     But first is a matter of setting the requirements.  Stated
>>     generally, I really only have three:
>>
>>       1)  Is extensible -- as a fork outside of the current owner, if
>>     necessary, to be sure it continues to meet SACM needs without
>>     relying on the good graces of the current owner
>>
>>       2)  Readily accessible (eg., spec is not cost prohibitive for
>>     any users)
>>
>>       3)  The most complete (that is, closest to being able to
>>     represent the other tag types without loss of data or
>>     shoe-horning data into fields that weren't really meant for that
>>     type of data)
>>
>>
>>     I'm sure Charles, et al, will have other requirements, so feel
>>     free to chime in. However, I think the simpler and more informal
>>     we can keep this list the quicker we can grind through it.
>>
>>
>>     --gun
>>
>>
>>
>>     On 6/9/2016 2:33 PM, Tony Rutkowski wrote:
>>
>>         Hi Adam,
>>
>>         A good solution.  Charles and Gunnar should also engage
>>         in some proactive outreach.  Simply stating that "no other
>>         solutions to the problem of software identification have
>>         been submitted" is preposterous when there are so many
>>         out there.  IMHO, one of the long-standing problems with
>>         SACM is its institutional and participatory insularity in an
>>         arena where so many almost identical activities are occurring
>>         in other venues where there is far greater industry
>>         participation.
>>         Ignoring them diminishes the value of whatever SACM
>>         accomplishes.
>>
>>         --tony
>>
>>         On 2016-06-09 3:47 PM, Adam Montville wrote:
>>
>>             All:
>>             After several on-list discussions, the last virtual
>>             interim, and the discussions surrounding this call for
>>             adoption, the chairs acknowledge that there are some key
>>             concerns with this draft, but also see that there is
>>             rough consensus for adoption.  We additionally note that
>>             no other solutions to the problem of software
>>             identification have been submitted to the working group [1].
>>             Because the topic of software identification, and SWID in
>>             particular, appears to be a contentious one, we are
>>             designating Charles Schmidt and Gunnar Engelbach as
>>             editors of the working group draft [2].  We believe that
>>             Charles and Gunnar will bring the necessary balance to
>>             this draft, so that the key concerns are sufficiently
>>             addressed.
>>             Kind regards,
>>             Adam & Karen
>>             [1] This draft adoption does not preclude future
>>             alternative submissions
>>             [2] Note that original authors will remain authors, but
>>             Charles and Gunnar will hold the pen.
>>
>>                 On May 17, 2016, at 11:21 AM, Karen O'Donoghue
>>                 <odonoghue@isoc.org <mailto:odonoghue@isoc.org>> wrote:
>>                 Folks,
>>                 As discussed during our last couple of meetings, this
>>                 is the official call for adoption of
>>                 https://datatracker.ietf.org/doc/draft-coffin-sacm-nea-swid-patnc/ as
>>                 a SACM working group document.
>>                 Please reply with any comments or concerns along your
>>                 support of this action to the mailing list.
>>                 Thanks,
>>                 Karen and Adam
>>                 _______________________________________________
>>                 sacm mailing list
>>                 sacm@ietf.org <mailto:sacm@ietf.org>
>>                 https://www.ietf.org/mailman/listinfo/sacm
>>
>>
>>
>>
>>
>>             _______________________________________________
>>
>>             sacm mailing list
>>
>>             sacm@ietf.org <mailto:sacm@ietf.org>
>>
>>             https://www.ietf.org/mailman/listinfo/sacm
>>
>>
>>
>>
>>
>>         _______________________________________________
>>
>>         sacm mailing list
>>
>>         sacm@ietf.org <mailto:sacm@ietf.org>
>>
>>         https://www.ietf.org/mailman/listinfo/sacm
>>
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org <mailto:sacm@ietf.org>
>> https://www.ietf.org/mailman/listinfo/sacm
>

v2.23.0 | Report a Bug | By Email