Re: [sacm] IETF 95 Agenda on SWID world
Tony Rutkowski <tony@yaanatech.com> Wed, 20 April 2016 20:30 UTC
Hi Lisa,

My apologies for the delay, but I did promise you an updated list of the diverse SWID platforms that are part of the rather expansive ecosystem as it has evolved over the years. The list ordering here conveys a sense of acceptance and use to the extent that is possible. There is also some significant overlap of specialty SWIDs such as OIDs for ASN.1 code that has been extensively used by the IETF for MIBs.

To recap my points:

1) SWIDs are a unique, trusted identifier together with attribute tags for software and an essential component of cybersecurity in general and asset management in particular

2) SWIDs for this purpose have existed for decades and been the subject of many standards and platforms

3) The USG's effort to create a means to provide interoperability among SWIDs by developing a common structured expression for “software units” in the form of ISO/IEC 19770-2 is useful (even if a bad choice of venue and implementation tactics reminiscent of the mistakes made three decades ago),

4) From what I can tell, the 2015 version is much improved and simplified versus the old 2009 version - and apparently what is now being used within the SACM/NISTIR 8060/TCG work now ongoing

5) If the USG wants to encourage greater use of the 19770-2 platform, it would be helpful to identify all the significant industry SWID instantiations such as provided in the attached slide, and create a “SWID common structured expression” work item in OASIS or other open standards body with well-versioned freely available specifications, and using 19770-2:2015 to develop structured mappings among the industry instantiations.

6) Not covered here are SWID lookup mechanisms - which deserve treatment in conjunction with the topic.

On 2016-04-07 8:55 AM, Lisa Lorenzin wrote:
> Hi Tony,
>
> I'm not deeply familiar with the SWID community - I'm afraid I don't
> know enough about that space to unpack what you're referring to.
> Of the dozen other industry efforts you mention, can you suggest one
> or two that have the relevant properties and/or are widely deployed?
>
> Regards,
>
> Lisa