IETF Logo Mail Archive

Re: [sacm] WGLC for draft-ietf-sacm-coswid

Carsten Bormann <cabo@tzi.org> Fri, 05 July 2019 10:21 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0A1412009C for <sacm@ietfa.amsl.com>; Fri, 5 Jul 2019 03:21:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08TtWUJ4c18t for <sacm@ietfa.amsl.com>; Fri, 5 Jul 2019 03:21:09 -0700 (PDT)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 961E012017C for <sacm@ietf.org>; Fri, 5 Jul 2019 03:21:09 -0700 (PDT)
Received: from client-0014.vpn.uni-bremen.de (client-0014.vpn.uni-bremen.de [134.102.107.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 45g9q66RjSzyrW; Fri, 5 Jul 2019 12:21:06 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <C9EA170C-8435-427D-A483-E4A0BEA706BA@isoc.org>
Date: Fri, 05 Jul 2019 12:21:06 +0200
Cc: "sacm@ietf.org" <sacm@ietf.org>
X-Mao-Original-Outgoing-Id: 584014862.6816961-512a09849d749a0407f6a14af51bbeee
Content-Transfer-Encoding: quoted-printable
Message-Id: <8D332E03-0255-42E6-9603-142800C10F2B@tzi.org>
References: <C9EA170C-8435-427D-A483-E4A0BEA706BA@isoc.org>
To: Karen O'Donoghue <odonoghue@isoc.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/dlXLh3_nbELuICphhKrV0vlf2Sk>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-coswid
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2019 10:21:13 -0000

Nice piece of work.
While I didn’t have time to fully check the whole I-D, I skimmed it, and came up with the following.  I’ll also send a few editorial comments to the authors.

Grüße, Carsten

# Major

The term "private use" is used repeatedly but not explained.
Is this meant for random software authors to dump random information
into their coswid tags?  Are there any usage guidelines?  This sounds
like an X-Dash problem waiting to happen (please see RFC 6648).

The document qualifies some values as 8-bit, 16-bit etc.  That is
unnecessary.  Any value ranges that are important should be given, and
they need to be consistent (version-scheme cannot be both 8-bit and
have a private use range of 32768-65535).  If a value range is
important, it should also be visible in the CDDL.

The way URIs are used is trampling on the URI scheme space (coswid:,
swidpath:).  Maybe not much can be salvaged there, but shouldn't these
be registered?

# Minor

[SEMVER] -- is this really needed as a normative reference?
Please also compare draft-verdt-netmod-yang-semver

Similarly, [SWID-GUIDANCE] is not a great source for a normative
reference.  AFAICS, this is used to define
"primary/patch/corpus/supplemental".  Can this be drawn out of the
original [SWID]?

I don't think you have a fragment identifier scheme, even though the
media type registration is written for one (with a dangling internal
reference).  Since this is a +cbor media type, any fragment identifier
scheme would also have to include any defined for CBOR itself (none so
far), but beyond that RFC 7049 gives you freedom.  Do you want to use
those fragment identifiers?  If no, please update the fragment
identifier scheme text in the media type registration to no longer
point to it.

Is there a point in carrying around GUIDs in text form?  Text (in RFC
4122 form) is 36 bytes, binary is 16.



> On Jun 27, 2019, at 22:36, Karen O'Donoghue <odonoghue@isoc.org> wrote:
> 
> Folks,
> 
> As discussed at our virtual interim on Tuesday, this begins a three week working group last call for: 
> 
> Concise Software Identification Tags
> https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/
> 
> Please reply to this email thread with an indication that you have read the document, any comments you may have, and your assessment of whether or not it is ready to proceed to publication. 
> 
> DEADLINE: Please reply by Friday 19 July 2019. 
> 
> Thanks!
> Karen and Chris

v2.23.0 | Report a Bug | By Email