Re: [sacm] WGLC for draft-ietf-sacm-coswid

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Thu, 25 July 2019 14:56 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/0kWR9PKUbdglxPkXTLa2sOf1uNo>

Alex,

Thank you for your feedback. I have addressed your comments in -12. Responses to your comments are below marked [daw:].

Regards,
Dave

________________________________
From: sacm <sacm-bounces@ietf.org> on behalf of Nelson, Alexander J. (Fed) <alexander.nelson=40nist.gov@dmarc.ietf.org>
Sent: Wednesday, July 3, 2019 1:07 PM
To: sacm@ietf.org <sacm@ietf.org>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-coswid

Hello all,

I am a colleague of Dave's, and am working at NIST to assist with SWID adoption.  I have reviewed this draft for CoSWID, and found a few helpful notes for my own implementation efforts, so I am glad to have been asked for input.

I find this draft to be nearly ready for publication.  There are a few minor editorial issues that should be resolved before publication, listed at the end of this message.  I also found I had a few questions and possible discrepancy identifications, listed first.


Questions:

* Before I started reading the document, I thought that CoSWID would be a losslessly-translatable representation of SWID data, between XML and CBOR.  From Section 2's third paragraph, this is stated to not be a goal feature.  (In case it isn't clear, I don't object to this.)  Is it at least possible to translate from one format to the other, not necessarily bilaterally, and perhaps under certain conditions like "if there are no extension elements or attributes, SWID XML can be mechanically translated to CoSWID"?  From my reading, it looks like that example statement I just wrote would hold.

[daw: I added some text to section 2 third paragraph to make the relationship between SWID and CoSWID attribute names more clear. Please let me know if you think more clarification is needed.]

* Section 2.2, the "software-name (index 1)" text describes what I think is the first potential spot for non-ASCII text to be entered into CoSWID data, in the case of vendors that produce non-English data.  I didn't see in this document any requirements imposed for character encodings.  SWID imposes UTF-8 as an encoding (per NISTIR 8060, Section 4.3).  Could this document include a reminder statement on character encodings being required to be UTF-8?
  - This might also apply in Section 5.2.1, the penultimate bullet describing registered names' syntax requirements.

[daw: I added a new section 2.1 "Character Encoding" to address UTF-8 encoding and Net-Unicode. Sections 5.2.1 thru 5.2.5 also require that the registered names are valid according to the XML Schema NMToken data type to ensure compatibility with the SWID specification. This imposes additional constraints on the UTF-8 strings that can be registered.]

* Section 6's 2nd paragraph describes a requirement of authoritative tags being signed by the software provider that is also the originator.  Forgive me if I'm misremembering, but I did not think that signing was a requirement for defining a tag to be authoritative.  NISTIR 8060, Section 3.2, quotes the SWID specification's Section 6.1.10 to say that "Signatures are not a mandatory part of the software identification standard...".  Further, NISTIR 8060, Section 4.2, provides a scoped-to-that-document definition of "authoritative tag creator" that does not describe signing.  So, it looks to me like Section 6 imposes a stronger requirement for an "authoritative" CoSWID tag than an XML-based SWID tag.

[daw: I reorganized the text in section 6 to make the distinction between authoritative and signed more clear.]

Editorial issues:

* Section 1 makes reference to "CBOR," but the first instance of the acronym expansion and citation is in the first sentence of Section 1.2.  It may be better to move that expansion and citation to Section 1.

[daw: Fixed.]

* Figure 1's "x" annotations aren't directly explained, and could be interpreted to mean removal of the tag at that stage.  From the following bulleted narrative, it instead appears to mean the tag can be removed or replaced.  A sentence in the figure's caption would help to prevent this conclusion.  Though, if the reader is assumed to have the patience to wait for a page, then there's no problem.

[daw: I clarified that the "x" means the tag was removed.]

* Suggested grammar fix, section 2:

    s/and stop point are not needed saving bytes/and stop point are not needed, saving bytes/

* Request for grammar adjustment, Section 2.1:  """... that are typically stored in the "any attribute" of an ISO-19770-2:2015 in XML representation."""  Does this need the following substitution?

    s/2015 in XML/2015 element in XML/

[daw: I adjusted the wording in a slightly different way. Is the new wording ok?]

* Section 2.2, I'm curious - what happened to the mapping of 7?  No editorial action needed, the skip just caught my eye.

[daw: The index value 7 is used for hash. We didn't reorder the index values since they are already being used in some implementations.]

* Section 2.2, typo: "The value of an version-scheme ..."

[daw: Fixed.]

* Section 2.2, typesetting error: The three bullets following "The value of an version-scheme item MUST be one of the following" appear to be set at an incorrect bullet level.  Elsewhere in the document, these sub-lists use asterisks as bullets instead of empty circles.  It appears these three bullets should be asterisks, not empty circles.

[daw: Fixed.]

* Section 2.3, bullet 2 ("""If the patch item is set to "true", the tag SHOULD..."""): Would it be beneficial here to note the associated schemes for link hrefs?  This could be a forward reference to Section 2.6.

[daw: Added a forward reference.]

* Section 2.7, bullet "description (index 46)": Is it permitted to have a description be multiple lines?  I don't know if CBOR supports this.

[daw: Added a discussion around allowing multiple lines.]

* Section 2.7, typo: "For examplem, this ..."

[daw: Fixed.]

* Section 2.7, bullet "unspsc-code":  Non-blocking issue, a matter of web reference hygiene.  May this URL be provided with the "https" protocol instead of the "http" protocol?  (Bibliography entries refer to web resources with the "https" protocol.)

[daw: Yes. Fixed.]

* Section 2.8.8, bullet "path-elements (index 26)", typo: "a heirarchy".

[daw: Fixed.]

* Table 3, typo: "e.g.,1.2.3, ..." (missing space character)

[daw: Fixed.]

* Section 5.2.1, typo: "a new a new"

[daw: Fixed.]

* Section 6, paragraph 2: It may be beneficial to provide a reference to RFC 8152 near the mention of signing CoSWID tags.

[daw: I added a reference to the COSE appendix instead.]


--Alex


On Jun 27, 2019, at 4:36 PM, Karen O'Donoghue <odonoghue@isoc.org> wrote:

Folks,

As discussed at our virtual interim on Tuesday, this begins a three week working group last call for:

Concise Software Identification Tags
https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/

Please reply to this email thread with an indication that you have read the document, any comments you may have, and your assessment of whether or not it is ready to proceed to publication.

DEADLINE: Please reply by Friday 19 July 2019.

Thanks!
Karen and Chris
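The UTF-8 and index points raised in the thread (software-name at index 1, description at index 46, whether a CBOR text string may span lines) in working form, as an added example that is not code from the draft or its authors: a minimal hand-rolled CBOR encoder and decoder for an integer-keyed map of text strings. The two index constants are the ones quoted in the thread; the sample strings, the restriction to text-valued items and the NFC normalization step are assumptions, and a real CoSWID tag carries further required items that this subset omits.

```python
import unicodedata

SOFTWARE_NAME = 1   # "software-name (index 1)" as quoted in the thread
DESCRIPTION = 46    # "description (index 46)" as quoted in the thread

def _head(major, n):
    """CBOR initial byte(s): major type in the top 3 bits, value/length after."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("value too large for CBOR")

def encode_text(s):
    """Major type 3 text string: the length prefix counts UTF-8 bytes, not
    characters; NFC normalization is assumed here (Net-Unicode, RFC 5198).
    A newline is just one more byte, so multi-line text needs no special case."""
    data = unicodedata.normalize("NFC", s).encode("utf-8")
    return _head(3, len(data)) + data

def encode_coswid_subset(items):
    """Major type 5 map: unsigned-int keys (major type 0) -> text values."""
    out = _head(5, len(items))
    for key, value in items.items():
        out += _head(0, key) + encode_text(value)
    return out

def _read_head(buf, pos):
    ib = buf[pos]
    major, ai = ib >> 5, ib & 0x1F
    if ai < 24:
        return major, ai, pos + 1
    size = 1 << (ai - 24)  # 24->1, 25->2, 26->4, 27->8 bytes
    return major, int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), pos + 1 + size

def decode_coswid_subset(buf):
    """Inverse of encode_coswid_subset; strict UTF-8 decoding rejects bad bytes."""
    major, count, pos = _read_head(buf, 0)
    if major != 5:
        raise ValueError("expected a CBOR map")
    items = {}
    for _ in range(count):
        kmajor, key, pos = _read_head(buf, pos)
        vmajor, n, pos = _read_head(buf, pos)
        if kmajor != 0 or vmajor != 3:
            raise ValueError("expected unsigned-int key and text value")
        items[key] = buf[pos:pos + n].decode("utf-8")
        pos += n
    return items
```

The decoder's strict UTF-8 decode is where a consumer would reject a tag whose text items are not valid UTF-8, which is the check the new "Character Encoding" section makes normative.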