[sacm] Benjamin Kaduk's No Objection on draft-ietf-sacm-coswid-21: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Sun, 20 March 2022 00:55 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: sacm@ietf.org
Delivered-To: sacm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C73FE3A187F; Sat, 19 Mar 2022 17:55:04 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-sacm-coswid@ietf.org, sacm-chairs@ietf.org, sacm@ietf.org, Christopher Inacio <inacio@cert.org>, Karen O'Donoghue <odonoghue@isoc.org>, inacio@cert.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.46.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <164773770478.16566.17827036591223512834@ietfa.amsl.com>
Date: Sat, 19 Mar 2022 17:55:04 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/grqqgUliP9brEVSJn5Y0U52mV3s>
Subject: [sacm] Benjamin Kaduk's No Objection on draft-ietf-sacm-coswid-21: (with COMMENT)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Mar 2022 00:55:06 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-sacm-coswid-21: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Many thanks for the updates in the -21 to address my previous Discuss and Comment points; it was a pleasure to read. A few final notes on the -21 (with I think just one remaining unchanged from my previous remarks): Section 2.3 * tag-version (index 12): An integer value that indicate the specific release revision of the tag. Typically, the initial value of this field is set to 0 and the value is increased for subsequent tags produced for the same software component release. To apply a slightly finer point to my previous comment, do we want to s/increased/incremented by one/? Section 2.7 * rel (index 40): An integer or textual value that (integer label with text escape, see Section 2, for the "Software Tag Link Link [...] relations/link-relations.xhtml as defined by [RFC8288]. When a string value defined in the IANA "Software Tag Link Relationship Values" registry matches a Relation Name defined in the IANA "Link Relation Types" registry, the index value in the IANA "Software Tag Link Relationship Values" registry MUST be used instead, as this relationship has a specialized meaning in the context of a CoSWID tag. String values correspond to registered entries in the "Software Tag Link Relationship Values" registry. I'm not sure if the last sentence still makes sense (there were heavy edits near it as part of the move to "integer label with text escape"). A similar comment applies to "use (index 42)" as well. Section 2.9.2 My previous inquiry about forcing a certain filesystem structure on CoSWID consumers got a very helpful reply. My follow-up question is: is it worth mentioning in the document the corollary of the [Co]SWID structure that the on-filesystem path is fixed by the tag publisher? Section 5.2 Tags to be evaluated (the base collection) include all tags in the context of where the "swidpath URI" is referenced from. For example, when a tag is installed on a given device, that tag can reference related tags on the same device using a URI with this scheme. This definition of "the context" feels rather under-specified and prone to conflicting interpretations. NITS >From -20 to -21 a number of internal references changed from Section 2.5 to "Section 2.4, paragraph 2", which mostly don't seem to make sense to me. Please double-check. Section 2.3 * version-scheme (index 14): An integer or textual value representing the versioning scheme used for the software-version item, as an integer label with text escape (Section 2, for the needs a close paren somewhere Section 9 Converse, generators of CoSWID tags need to ensure that only public "Conversely"
- [sacm] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker