Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks assigned to Henk and Charles (#45)
David Waltermire <notifications@github.com> Mon, 18 October 2021 13:53 UTC
Return-Path: <noreply@github.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 0E7A03A13E3
for <sacm@ietfa.amsl.com>; Mon, 18 Oct 2021 06:53:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.549
X-Spam-Level:
X-Spam-Status: No, score=-3.549 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H3=0.001,
RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=github.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 3ITFr5uPJMwQ for <sacm@ietfa.amsl.com>;
Mon, 18 Oct 2021 06:53:26 -0700 (PDT)
Received: from smtp.github.com (out-26.smtp.github.com [192.30.252.209])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 2A08A3A13DD
for <sacm@ietf.org>; Mon, 18 Oct 2021 06:53:26 -0700 (PDT)
Received: from github-lowworker-b19c547.va3-iad.github.net
(github-lowworker-b19c547.va3-iad.github.net [10.48.17.66])
by smtp.github.com (Postfix) with ESMTP id D11315E0856
for <sacm@ietf.org>; Mon, 18 Oct 2021 06:53:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
s=pf2014; t=1634565204;
bh=RAARgklH5WxJ1v1gsL66P2vy8oS03biY2WRjUss8N2A=;
h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID:
List-Archive:List-Post:List-Unsubscribe:From;
b=mxav8Bu87YqV3OLXc9QfXhr2xvkn0Jm5ZJCWqlgdfexCUy/9nDwlrEo1IYjQe9LAW
LGhft+xoH8Re/Qqxv9SE+eth6UENzk6bYbsjFY/DHiXJ1pIpYbc2/qFyFbMst2LYcA
9F0+au+sxl72Taf2iOt76eTCadU6Vu1NOxAx2uBQ=
Date: Mon, 18 Oct 2021 06:53:24 -0700
From: David Waltermire <notifications@github.com>
Reply-To: sacmwg/draft-ietf-sacm-coswid
<reply+ACTMJUI3V3TGJOMQMCELGVV7PFOVJEVBNHHD2PDRD4@reply.github.com>
To: sacmwg/draft-ietf-sacm-coswid <draft-ietf-sacm-coswid@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <sacmwg/draft-ietf-sacm-coswid/pull/45/review/782088231@github.com>
In-Reply-To: <sacmwg/draft-ietf-sacm-coswid/pull/45@github.com>
References: <sacmwg/draft-ietf-sacm-coswid/pull/45@github.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_616d7c54c25a3_1cec710851a8";
charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: david-waltermire-nist
X-GitHub-Recipient: sacm
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: sacm@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/kytDQSgRLvZEjf4AxMyvaoJ6NmU>
Subject: Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks assigned to Henk
and Charles (#45)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>,
<mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>,
<mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2021 13:53:29 -0000
@david-waltermire-nist commented on this pull request.
> @@ -1692,6 +1692,10 @@ providers are unlikely to do this, CoSWID tags can be created by any party and t
collected from an endpoint could contain a mixture of vendor and non-vendor created tags. For this
reason, a CoSWID tag might contain potentially malicious content. Input sanitization, loop detection, and signature verification are ways that implementations can address this concern.
+# Privacy Consideration
+
+As noted in {{sec-sec}}, collected information about an endpoint's software load, such as might be represented by an endpoints CoSWID tag collection, could be used to identify vulnerable software for attack. Collections of endpoint software information also can have privacy implications for users. The set of application a user installs can give clues to personal matters such as political affiliation, banking and investments, gender, sexual orientation, medical concerns, etc. While the collection of CoSWID tags on an endpoint wouldn't increase the privacy risk (since a party able to view those tags could also view the applications themselves), if those CoSWID tags are gathered and stored in a repository somewhere, visibility into the repository now also gives visibility into a user's application collection. For this reason, repositories of collected CoSWID tags not only need to be protected against collection by malicious parties, but even authorized parties will need to be vetted and made aware of privacy responsibilities associated with having access to this information. Likewise, users should be made aware that their software inventories are being collected from endpoints.
```suggestion
As noted in {{sec-sec}}, collected information about an endpoint's software load, such as what might be represented by an endpoint's CoSWID tag collection, could be used to identify vulnerable software for attack. Collections of endpoint software information also can have privacy implications for users. The set of application a user installs can give clues to personal matters such as political affiliation, banking and investments, gender, sexual orientation, medical concerns, etc. While the collection of CoSWID tags on an endpoint wouldn't increase the privacy risk (since a party able to view those tags could also view the applications themselves), if those CoSWID tags are gathered and stored in a repository somewhere, visibility into the repository now also gives visibility into a user's application collection. For this reason, repositories of collected CoSWID tags not only need to be protected against collection by malicious parties, but even authorized parties will need to be vetted and made aware of privacy responsibilities associated with having access to this information. Likewise, users should be made aware that their software inventories are being collected from endpoints. Furthermore, when collected and stored by authorized parties or systems, the inventory data needs to be protected as both security and privacy sensitive information.
```
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/45#pullrequestreview-782088231
- [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks assi… Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks … Henk Birkholz