IETF Logo Mail Archive

Re: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid

Roman Danyliw <rdd@cert.org> Thu, 13 January 2022 21:56 UTC

Return-Path: <rdd@cert.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F38A3A1585 for <sacm@ietfa.amsl.com>; Thu, 13 Jan 2022 13:56:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ss9cLX8_5Vwk for <sacm@ietfa.amsl.com>; Thu, 13 Jan 2022 13:56:21 -0800 (PST)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0132.outbound.protection.office365.us [23.103.209.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CA1A3A1580 for <sacm@ietf.org>; Thu, 13 Jan 2022 13:56:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=mZT9Mvg0ztYbxxnftIcdLKj37IjXLAcF0jhqkG/qCezgfsK+0+vgmxP3EOIqqt4xZiPeaxExEFMtaWbU8NMg5c0yAbJ8S/riXndbAfPpjp+JuHmp36E6MT+SyxMu3elVXzyulhsWGj52tf/9wlV/fPb3wjcI2BiF2boIKxulAXf+C0zx0kr3ttYG2wEcnoHcTenESX8Veqm2lpbLF11ijlQpIqQ75vHSb/xhaWO4ZFi+VcAe2E5l+H+vJs4OK34gR4x+9TnNNOYnA+IBR915ec7WIbB/o7D3U3L1IpgpddJKjtQjLs9a1t0vrdGvAFsIaUSfjtBc8oIoUC1LAMy2/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=BjwFqdkZigFcjg8CL4GL/Udrrvc12u6PLbyycODyvlI=; b=p9dYI4DlUaaypj1nmU+P5yzw6/bRWT77MDRqKJ98yu5TE4BO2QCR6HnMceD0FhhR4HR8+b9TS+kUtcr+seS/0MaJ/vfnzNxa+JT1zzTTouBQHTdu/jhxfj0K0MwhDaLK72TPen4KXsM8I16ny2fX0RXSOd5zImGIABdshbhXZW7WvFr9JrOGcPtGd7ji6vfguiUJQcSBm0a5CmnVCHjQijDiCVBiRN8UnS1AVqThzU8OD+REBVNUuMaJPUQz8wU1fUyGJQYFDTTITtobjqLpNkvX9HfuW2W3pQWzaybEAqrWxjvtTHhfkXUEvusGuRR/Ra7YhRm84Kd+MoTzdy4Ssw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BjwFqdkZigFcjg8CL4GL/Udrrvc12u6PLbyycODyvlI=; b=Q1H3tTZW4YZ9YatqI9awO9SHSB7OPuDzpHm/wxnQLij4CWAZL+CfBlvZ0O/Ev/TLa7rDjtYG0/e22AAhbt5K7msyWS/u/L58YA7mDuIJbM4oOFEncG8rotjzRdmHiC6+i+OBphtLoecbbwS6pwz5AptKaP2uGwOkm6JCiUbqTYg=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1137.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:16b::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.10; Thu, 13 Jan 2022 21:56:16 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::f0be:6d5:6544:cce0]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::f0be:6d5:6544:cce0%4]) with mapi id 15.20.4888.011; Thu, 13 Jan 2022 21:56:16 +0000
From: Roman Danyliw <rdd@cert.org>
To: "<sacm@ietf.org>" <sacm@ietf.org>
Thread-Topic: IETF LC Directorate reviews for draft-ietf-sacm-coswid
Thread-Index: AdfGhTwT/qbeeBAKRhu9IJN+7GZ3wgh73ZOgCBTfKiA=
Date: Thu, 13 Jan 2022 21:56:15 +0000
Message-ID: <BN2P110MB1107647B715B63BA6A83633ADC539@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN1P110MB0939568CF0E61FF364CD6B7EDCBF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <BN1P110MB09393F74F44A974C60D81FB7DC6A9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN1P110MB09393F74F44A974C60D81FB7DC6A9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e8ff548d-94a7-4de2-0a40-08d9d6df85de
x-ms-traffictypediagnostic: BN2P110MB1137:EE_
x-microsoft-antispam-prvs: <BN2P110MB113742E64183D76C3A596B88DC539@BN2P110MB1137.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xOwQzg+AfukX8LUzVrfOwR8jFj23c7v5UWMVuvNfDKEhKth/9TGQlgr1lYfVB0CZZYYGNVE4aQJNxQDCfxpIqMXtPRbalzAVF00enx1VJ3DMm760AmgNS3x3CdJByCpg8qmOMckmBb+YKD/40SvfkJRONrJqoaVFy9Ua5CDze4UdpNB02Q3hvbC1JiixDOH8/FH/U7ojOl5Qe2z6cpIwwDZU265gmkljK9sMpGKCV1b4KxftMaC4dmyK9cz+Stjal3ddXifxoXWUNi2BPNJxMJS15gGqPMpDdZEgemmegDbvUaC8lP6VD4dvsFZm3KTjq6q1VNgBB9w5dvmJiFUec9/oUVww8F8meisEmjRtkziRDf2UbHws3YSqqCRwutVjUEn9jQHvGe3IQE94OWNIX1AhqMRk9UFJf+zdyORzYiEKfUekDJvCjuWvmAOwAb8BwXkGpeeg8ni3TJgtOly0FjbhSAfjGF0nkImzpZ6hPfBRQR4EMPbLWDI/oPhtComK25yPt3K7cCmwWgTTK3alyLZRarl89ek7UFawGeJvbhOk4uYXYAd4oUagnw6eaZXLcLXlV54aYvBDDIwDs509GOO4Q3/JlFzblNBAIkvVWMY9hv/GmY+eD6B2jhw5xrVYmYIzJq/tbLn0sbxBVS/G1IITkB9FD1yXZt8YJaDGlP3jLtqDl2uVTEBUESQGUjLVD0929sG+5q1uoyZdXLKf1NfvT1BaDdFxaIF2C4aIDzk=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(38070700005)(82960400001)(122000001)(8936002)(33656002)(7696005)(9686003)(38100700002)(71200400001)(83380400001)(2906002)(55016003)(8676002)(64756008)(66446008)(66556008)(26005)(5660300002)(66946007)(52536014)(66476007)(498600001)(76116006)(186003)(53546011)(6506007)(966005)(86362001)(491001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: VmUfA2NKPR90k0+66j2zfiWxyxVEmIOy+wR2R4BLtZrt8segnj1BpMLwkcUaZ7QPmmGdk+ubgA6UzNDyXXr0ZCChTRvjr4RXWDOSfsc6p6UKMfgxKXOLeKWILzAOenNoKH3T+YXcDCLYv6Zq0V2HkA==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: e8ff548d-94a7-4de2-0a40-08d9d6df85de
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2022 21:56:16.0065 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1137
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/dmYykWlVGnT25KHdIhtffUfEbtw>
Subject: Re: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jan 2022 21:56:27 -0000

Hi!

Checking in again.  What is the notional schedule to resolve this feedback?

Regards,
Roman

> -----Original Message-----
> From: Roman Danyliw <rdd@cert.org>
> Sent: Friday, December 3, 2021 1:40 PM
> To: Roman Danyliw <rdd@cert.org>rg>; <sacm@ietf.org> <sacm@ietf.org>
> Subject: RE: IETF LC Directorate reviews for draft-ietf-sacm-coswid
> 
> Hi!
> 
> I wanted to check in on the progress of addressing this IETF LC feedback.  At
> IETF 112, we had discussed and agreed that these would be responded to by
> the week after the meeting (Friday, Nov 19).
> 
> Thanks,
> Roman
> 
> > -----Original Message-----
> > From: sacm <sacm-bounces@ietf.org> On Behalf Of Roman Danyliw
> > Sent: Thursday, October 21, 2021 10:16 AM
> > To: <sacm@ietf.org> <sacm@ietf.org>
> > Subject: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid
> >
> > Hi!
> >
> > Thanks for -19 of draft-ietf-sacm-coswid.  Since the conclusion of
> > IETF LC, I reviewed it based on the provided feedback.  I didn't see
> > direct replies to the directorate reviews but from cross-walking their
> > feedback against the -18-to-19 diff, I believe the following are still
> unresolved/undiscussed.
> >
> > (1) Scott Bradner did an OPSDIR review --
> > https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-opsdir-lc-
> > bradner- 2021-08-07/.  The following feedback does not appear to be
> > discussed or
> > resolved:
> >
> > > along the same line - it would seem to me that the IANA repository
> > > should be at https://www.iana.org/assignments/coswid  (or co_swid)
> > > not https://www.iana.org/assignments/swid
> >
> > I believe the comment is about the following text in a few places in
> > Section
> > 6.2.*:
> >
> >    [TO BE REMOVED: This registration should take place at the following
> >    location: https://www.iana.org/assignments/swid]
> >
> > Earlier in the text in Section 6.2:
> >
> > "6.2.  Software Tag Values Registries
> >
> >    The following IANA registries provide a mechanism for new values to
> >    be added over time to common enumerations used by SWID and CoSWID."
> >
> > It would seem that if in fact things should stay in
> > "assignments/swid", there is a missing registration procedure item --
> > nothing can be added if it isn't in the SWID specification.  I under
> > the impression from earlier conversations that we wanted to provide
> > flexibility for CoSWID to potentially extend it's own data model
> > independent of SWID (i.e., there could be data elements in CoSWID that
> > were not in SWID).  If so, this suggests that "assignment/coswid" should be
> used instead (as Scott was suggesting).
> >
> > (2) Rich Salz did an ARTART review --
> > https://datatracker.ietf.org/doc/review-
> > ietf-sacm-coswid-18-artart-lc-salz-2021-08-02/.  The following
> > feedback does not appear to be discussed or resolved:
> >
> > > In 2.3, why are there three separate bools for
> > > corpus/patch/supplemental as
> > opposed to a single enumeration?
> >
> > If this is a design choice, please answer Rich.
> >
> > > Can the tag-id be a digest of the source file?
> >
> > I think the answer is yes.  It might be worth saying so.
> >
> > > What are the implications of it not being unique? That should be
> > > listed in the
> > security considerations.
> >
> > I see that this new text was added: "Failure to ensure global
> > uniqueness can create ambiguity in tag use since the tag-id serves as
> > the global key for matching and lookups".  To Rich's point, there are
> > likely security implications to this collision.  Please explicitly describe those.
> >
> > (3) Robert Sparks did a SECDIR review --
> > https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-secdir-lc-
> > sparks- 2021-08-11/.  The following feedback does not appear to have
> > been discussed or resolved:
> >
> > > Consider RFC6648 (BCP 178) where you are reserving "x_" name
> > > prefixes for
> > private use.
> >
> > Section 4.2 says:
> >
> >    The values above are registered in the IANA "Software Tag Entity Role
> >    Values" registry defined in Section 6.2.5.  Additional values will
> >    likely be registered over time.  Additionally, the index values 128
> >    through 255 and the name prefix "x_" have been reserved for private
> >    use.
> >
> > Section 6.2.5 says:
> >
> >                    +=========+=========================+
> >                    | Range   | Registration Procedures |
> >                    +=========+=========================+
> >                    | 0-127   | Standards Action        |
> >                    +---------+-------------------------+
> >                    | 128-255 | Specification Required  |
> >                    +---------+-------------------------+
> >
> >                +=======+=================+=================+
> >                | Index | Role Name       | Specification   |
> >                +=======+=================+=================+
> >                | 0     | Reserved        |                 |
> >                +-------+-----------------+-----------------+
> > ...
> >                +-------+-----------------+-----------------+
> >                | 7-255 | Unassigned      |                 |
> >                +-------+-----------------+-----------------+
> >
> > >From the Sec 6.2.5 text, it looks like values 128 - 255 could in fact be
> assigned.
> > However, Sec 4.2 says they are reserved for private use.  There may
> > other cases of this.
> >
> > Thanks,
> > Roman
> >
> > _______________________________________________
> > sacm mailing list
> > sacm@ietf.org
> > https://www.ietf.org/mailman/listinfo/sacm

v2.8.7 | Report a Bug | By Email