IETF Logo Mail Archive

Re: [sacm] WGLC for draft-ietf-sacm-coswid

"Nelson, Alexander J. (Fed)" <alexander.nelson@nist.gov> Thu, 25 July 2019 00:40 UTC

Return-Path: <alexander.nelson@nist.gov>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13E631206F6 for <sacm@ietfa.amsl.com>; Wed, 24 Jul 2019 17:40:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJa-EVAywse9 for <sacm@ietfa.amsl.com>; Wed, 24 Jul 2019 17:40:32 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0726.outbound.protection.outlook.com [IPv6:2a01:111:f400:fd00::726]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BFAF120601 for <sacm@ietf.org>; Wed, 24 Jul 2019 17:40:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ctwF3Cdq7lAH+tpl7F/eIC/H7zOxDecw+svbV5Jy7obZRqohZaqU7sw2cEm+l5VJMUqOhe2H9PAuf1cOGIVVz6WqbtWHCRso1qeJDZO3GDmva7K6906Phhqr9Y9wR+fkWP1xkpz1vwOG8wmEbVR9Sl8LpJMTpcODJQ4Bm4fPeEdarS9e1BezbIYcN+LfZTTaB9c3iHlBpcMxpmJRonLj70VRCVjKMjn2adSk5mxbdNOeKYDjq31tXJIy9S4GTuBbMGIkzJNNMT2VWaOt6Ydc5yHL+gc/CZAP+Zfx1l3BECtgVci4zJVOqiQPdq2buN5CDtrYEsefaeiys/Vzv9IT9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZtHf1t1PATLpAgbWMYeEdgNgnM8ADb+Yl/utgr/BYWA=; b=NLE9AhGcFqmtOQ3N2M3JKExrLKqxYkQHXD3Aj2bGw0sftitjtrJXS1pa3gIrSTX2BZUUquZ/r+95PgbQROvKQvFymaYuGKKIsb6PzEpRyQFdYnnqo9Pu1tZWts71wi/hbJf1RfB0gC3isWjZQjTh026MgAysEASJG0a2UqtdXhiRq4zOPDdWl4KiFtWptN9oHtoKkHdAXAmoQGRWVK1qMl1jZVjKu6AjNbQy3YtidG6QaXZTx3d9aP6kW0dkw5Fu2EgUGg1dyjpTW6uajgci/9c9ukD8dYiVw0mbOHQz8Jp9N1Sbg+fPhyb8RhEX/H4ji+SfL3klg/HpYdoGGV5Flw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=nist.gov;dmarc=pass action=none header.from=nist.gov;dkim=pass header.d=nist.gov;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZtHf1t1PATLpAgbWMYeEdgNgnM8ADb+Yl/utgr/BYWA=; b=fqjSOabojaF/xqMxcmY/hFxcelUMqhYncn6JCnGpLTCBsTc9k9aWrXqM9rEosdJQAGRkxqLv3u/hUu+R/fx6YZP6bF0MfmiFkzs5NVa41OrnaSfqn0TwPQg0eVsStIe+m/XAHJXakgkrFSS2DP0HmousSt8a66+nscLr4QzhA6Q=
Received: from DM6PR09MB3593.namprd09.prod.outlook.com (20.179.50.88) by DM6PR09MB3337.namprd09.prod.outlook.com (20.179.50.206) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.10; Thu, 25 Jul 2019 00:40:29 +0000
Received: from DM6PR09MB3593.namprd09.prod.outlook.com ([fe80::814b:c4f1:2a32:125f]) by DM6PR09MB3593.namprd09.prod.outlook.com ([fe80::814b:c4f1:2a32:125f%4]) with mapi id 15.20.2115.005; Thu, 25 Jul 2019 00:40:29 +0000
From: "Nelson, Alexander J. (Fed)" <alexander.nelson@nist.gov>
To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
CC: "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: [sacm] WGLC for draft-ietf-sacm-coswid
Thread-Index: AQHVLSf2XuoB2t2Q6k63GMXAgOgNQ6a5KSyAgAAGmgCAIXkGAA==
Date: Thu, 25 Jul 2019 00:40:29 +0000
Message-ID: <615CE4A8-BAB9-4B4D-8F6F-F4928892407E@nist.gov>
References: <C9EA170C-8435-427D-A483-E4A0BEA706BA@isoc.org> <B2B300AC-5C2B-476D-BA8F-06B0F6BABC91@nist.gov> <SN6PR09MB32644026844432FF8C27AE75F0FB0@SN6PR09MB3264.namprd09.prod.outlook.com>
In-Reply-To: <SN6PR09MB32644026844432FF8C27AE75F0FB0@SN6PR09MB3264.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.11)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=alexander.nelson@nist.gov;
x-originating-ip: [2610:20:6033:252::da6]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c51801e7-7bc2-4a86-a0d2-08d71098b1a5
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:DM6PR09MB3337;
x-ms-traffictypediagnostic: DM6PR09MB3337:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <DM6PR09MB33376824824A14E89AD21587FDC10@DM6PR09MB3337.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 0109D382B0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(136003)(39860400002)(396003)(376002)(346002)(199004)(189003)(51914003)(53754006)(54896002)(57306001)(50226002)(37006003)(6246003)(6116002)(606006)(53936002)(6512007)(5660300002)(14454004)(236005)(966005)(25786009)(68736007)(316002)(99286004)(7736002)(76176011)(6506007)(71200400001)(71190400001)(6436002)(102836004)(6862004)(4326008)(53546011)(8936002)(8676002)(478600001)(6636002)(14444005)(256004)(86362001)(2906002)(33656002)(229853002)(6306002)(476003)(2616005)(66946007)(446003)(11346002)(81156014)(81166006)(6486002)(36756003)(66446008)(486006)(64756008)(66556008)(66476007)(91956017)(76116006)(46003)(186003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR09MB3337; H:DM6PR09MB3593.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: vuqUMosa/ZEeY0Nrfg2LQwaJ/CsfGMCc1i2BvC3YqKpDv9Q3Rwrc70cjLhg58yn8fl1RNzpxKwXgwY1qHCUf14w5FZBgxdhkpQlLKdNhzeByDlE0QiwIzB00YNnAwU9FdEATlBbzOGoNljH6acoDUReBhhSvswIxtclmCV7NonBUHgsdQkREeEakQj+1Ja41k9eq+LWOwaPW45siQQWU3CLzd0UfdUe3Dmbi9+7fHndm83Z0EFGvLWHj7g6kpvRbHdqv5l5Rgzdr/3es24TEbo1TbInydN7MhgICZeKrVQAyismJkDmSDHHqiZvLTB+wzUD05/F8lEjtLdZnMk2HdGYEkkVYjXZDl7v7tOebW/kSwj9zefwso1pScdCl1wdRk7TIjJwHiufxcX7wSJL9coGwRoA02h84sqfEHXgK10A=
Content-Type: multipart/alternative; boundary="_000_615CE4A8BAB94B4D8F6FF4928892407Enistgov_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: c51801e7-7bc2-4a86-a0d2-08d71098b1a5
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jul 2019 00:40:29.5211 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ajn@NIST.GOV
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR09MB3337
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/iwD6YMzeC2IOtsllYwJ0f7QTww0>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-coswid
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 00:40:41 -0000

Hi Dave,

I have a *non-blocking* question.

I see this new line 252 in the pull request:
https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/13/commits/fe48345500c5109c062fc2920d81563499af8566#diff-6215c4faa2636284809e7c3c7762b136R252

"""
In most cases, mapping attribute names between SWID and CoSWID can be done automatically by converting between CamelCase and KebabCase attribute names. However, some CoSWID CDDL attribute names show greater variation relative to their corresponding SWID XML Schema attributes. This is done when the change improves clarity in the specification. For example the "name" and "version" SWID fields corresponds to the "software-name" and "software-version" CoSWID fields, respectively. As such, it is not always possible to mechanically translate between corresponding attribute names in the two formats. In such cases, a manual mapping will need to be used.
"""

I have a lingering question after reading this.  "Mechanical translation" to me is unambiguous bidirectional translation.  A mapping of changed names still counts to me as unambiguous bidirectional translation if there is no chance of ambiguity from the shorter source name.  Given the context of where an attribute (such as `name`) is permitted to appear, is there actually any ambiguity possible in the translation process between swid and coswid?

Again, this question is not meant to halt advancing the document to publication.  The text is accurate regardless of the polarity of the response.

--Alex


On Jul 3, 2019, at 1:33 PM, Waltermire, David A. (Fed) <david.waltermire@nist.gov<mailto:david.waltermire@nist.gov>> wrote:

Thanks for the feedback Alex. I’ll fix these issue at the end of the WGLC along with any other comments that come up.

Regards,
Dave

From: sacm <sacm-bounces@ietf.org<mailto:sacm-bounces@ietf.org>> On Behalf Of Nelson, Alexander J. (Fed)
Sent: Wednesday, July 3, 2019 1:07 PM
To: sacm@ietf.org<mailto:sacm@ietf.org>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-coswid

Hello all,

I am a colleague of Dave's, and am working at NIST to assist with SWID adoption.  I have reviewed this draft for CoSWID, and found a few helpful notes for my own implementation efforts, so I am glad to have been asked for input.

I find this draft to be nearly ready for publication..  There are a few minor editorial issues that should be resolved before publication, listed at the end of this message.  I also found I had a few questions and possible discrepancy identifications, listed first.


Questions:

* Before I started reading the document, I thought that CoSWID would be a losslessly-translatable representation of SWID data, between XML and CBOR.  From Section 2's third paragraph, this is stated to not be a goal feature.  (In case it isn't clear, I don't object to this.)  Is it at least possible to translate from one format to the other, not necessarily bilaterally, and perhaps under certain conditions like "if there are no extension elements or attributes, SWID XML can be mechanically translated to CoSWID"?  From my reading, it looks like that example statement I just wrote would hold.

* Section 2.2, the "software-name (index 1)" text describes what I think is the first potential spot for non-ASCII text to be entered into CoSWID data, in the case of vendors that produce non-English data.  I didn't see in this document any requirements imposed for character encodings.  SWID imposes UTF-8 as an encoding (per NISTIR 8060, Section 4.3).  Could this document include a reminder statement on character encodings being required to be UTF-8?
  - This might also apply in Section 5.2.1, the penultimate bullet describing registered names' syntax requirements.

* Section 6's 2nd paragraph describes a requirement of authoritative tags being signed by the software provider that is also the originator.  Forgive me if I'm misremembering, but I did not think that signing was a requirement for defining a tag to be authoritative.  NISTIR 8060, Section 3.2, quotes the SWID specification's Section 6.1.10 to say that "Signatures are not a mandatory part of the software identification standard...".  Further, NISTIR 8060, Section 4.2, provides a scoped-to-that-document definition of "authoritative tag creator" that does not describe signing.  So, it looks to me like Section 6 imposes a stronger requirement for an "authoritative" CoSWID tag than an XML-based SWID tag.


Editorial issues:

* Section 1 makes reference to "CBOR," but the first instance of the acronym expansion and citation is in the first sentence of Section 1.2.  It may be better to move that expansion and citation to Section 1.

* Figure 1's "x" annotations aren't directly explained, and could be interpreted to mean removal of the tag at that stage.  From the following bulleted narrative, it instead appears to mean the tag can be removed or replaced.  A sentence in the figure's caption would help to prevent this conclusion.  Though, if the reader is assumed to have the patience to wait for a page, then there's no problem.

* Suggested grammar fix, section 2:

    s/and stop point are not needed saving bytes/and stop point are not needed, saving bytes/

* Request for grammar adjustment, Section 2.1:  """... that are typically stored in the "any attribute" of an ISO-19770-2:2015 in XML representation."""  Does this need the following substitution?

    s/2015 in XML/2015 element in XML/

* Section 2.2, I'm curious - what happened to the mapping of 7?  No editorial action needed, the skip just caught my eye.

* Section 2.2, typo: "The value of an version-scheme ...."

* Section 2.2, typesetting error: The three bullets following "The value of an version-scheme item MUST be one of the following" appear to be set at an incorrect bullet level.  Elsewhere in the document, these sub-lists use asterisks as bullets instead of empty circles.  It appears these three bullets should be asterisks, not empty circles.

* Section 2.3, bullet 2 ("""If the patch item is set to "true", the tag SHOULD..."""): Would it be beneficial here to note the associated schemes for link hrefs?  This could be a forward reference to Section 2.6.

* Section 2.7, bullet "description (index 46)": Is it permitted to have a description be multiple lines?  I don't know if CBOR supports this.

* Section 2.7, typo: "For examplem, this ..."

* Section 2.7, bullet "unspsc-code":  Non-blocking issue, a matter of web reference hygiene.  May this URL be provided with the "https" protocol instead of the "http" protocol?  (Bibliography entries refer to web resources with the "https" protocol.)

* Section 2.8.8, bullet "path-elements (index 26)", typo: "a heirarchy".

* Table 3, typo: "e.g.,1.2.3, ..." (missing space character)

* Section 5.2.1, typo: "a new a new"

* Section 6, paragraph 2: It may be beneficial to provide a reference to RFC 8152 near the mention of signing CoSWID tags.


--Alex



On Jun 27, 2019, at 4:36 PM, Karen O'Donoghue <odonoghue@isoc.org<mailto:odonoghue@isoc.org>> wrote:

Folks,

As discussed at our virtual interim on Tuesday, this begins a three week working group last call for:

Concise Software Identification Tags
https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-sacm-coswid%2F&data=02%7C01%7Calexander.nelson%40nist.gov%7Ccccd2dc6ec0945b3171f08d6ffdc923e%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C636977720150173920&sdata=YhUBozxvW75VgvPCbhJIKZrIiFWi5amh%2FbK%2BYh0hDSc%3D&reserved=0>

Please reply to this email thread with an indication that you have read the document, any comments you may have, and your assessment of whether or not it is ready to proceed to publication.

DEADLINE: Please reply by Friday 19 July 2019.

Thanks!
Karen and Chris
_______________________________________________
sacm mailing list
sacm@ietf.org<mailto:sacm@ietf.org>
https://www.ietf.org/mailman/listinfo/sacm<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsacm&data=02%7C01%7Calexander.nelson%40nist.gov%7Ccccd2dc6ec0945b3171f08d6ffdc923e%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C636977720150183913&sdata=q6NOkQpscmwZoKX2w3EHUiDP%2FIFuyq60IKXqdxxt0dc%3D&reserved=0>

v2.23.0 | Report a Bug | By Email