[sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid

Roman Danyliw <rdd@cert.org> Thu, 21 October 2021 14:16 UTC

From: Roman Danyliw <rdd@cert.org>
To: "<sacm@ietf.org>" <sacm@ietf.org>
Date: Thu, 21 Oct 2021 14:16:20 +0000
Subject: [sacm] IETF LC Directorate reviews for draft-ietf-sacm-coswid
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/l-WgSI8rWQZPramFcUlTHzxe_4Y>

Hi!

Thanks for -19 of draft-ietf-sacm-coswid.  Since the conclusion of IETF LC, I reviewed it based on the provided feedback.  I didn't see direct replies to the directorate reviews but from cross-walking their feedback against the -18-to-19 diff, I believe the following are still unresolved/undiscussed.

(1) Scott Bradner did an OPSDIR review -- https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-opsdir-lc-bradner-2021-08-07/.  The following feedback does not appear to be discussed or resolved:

> along the same line - it would seem to me that the IANA repository should be at
> https://www.iana.org/assignments/coswid  (or co_swid) not
> https://www.iana.org/assignments/swid

I believe the comment is about the following text in a few places in Section 6.2.*:

   [TO BE REMOVED: This registration should take place at the following
   location: https://www.iana.org/assignments/swid]

Earlier in the text in Section 6.2:

"6.2.  Software Tag Values Registries

   The following IANA registries provide a mechanism for new values to
   be added over time to common enumerations used by SWID and CoSWID."

It would seem that if in fact things should stay in "assignments/swid", there is a missing registration procedure item -- nothing can be added if it isn't in the SWID specification.  I was under the impression from earlier conversations that we wanted to provide flexibility for CoSWID to potentially extend its own data model independent of SWID (i.e., there could be data elements in CoSWID that were not in SWID).  If so, this suggests that "assignments/coswid" should be used instead (as Scott was suggesting).

(2) Rich Salz did an ARTART review -- https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-artart-lc-salz-2021-08-02/.  The following feedback does not appear to be discussed or resolved:

> In 2.3, why are there three separate bools for corpus/patch/supplemental as opposed to a single enumeration? 

If this is a design choice, please answer Rich.

> Can the tag-id be a digest of the source file?

I think the answer is yes.  It might be worth saying so.

> What are the implications of it not being unique? That should be listed in the security considerations.

I see that this new text was added: "Failure to ensure global uniqueness can create ambiguity in tag use since the tag-id serves as the global key for matching and lookups".  To Rich's point, there are likely security implications to this collision.  Please explicitly describe those.

(3) Robert Sparks did a SECDIR review -- https://datatracker.ietf.org/doc/review-ietf-sacm-coswid-18-secdir-lc-sparks-2021-08-11/.  The following feedback does not appear to have been discussed or resolved:

> Consider RFC6648 (BCP 178) where you are reserving "x_" name prefixes for private use.

Section 4.2 says:

   The values above are registered in the IANA "Software Tag Entity Role
   Values" registry defined in Section 6.2.5.  Additional values will
   likely be registered over time.  Additionally, the index values 128
   through 255 and the name prefix "x_" have been reserved for private
   use.

Section 6.2.5 says:

                   +=========+=========================+
                   | Range   | Registration Procedures |
                   +=========+=========================+
                   | 0-127   | Standards Action        |
                   +---------+-------------------------+
                   | 128-255 | Specification Required  |
                   +---------+-------------------------+

               +=======+=================+=================+
               | Index | Role Name       | Specification   |
               +=======+=================+=================+
               | 0     | Reserved        |                 |
               +-------+-----------------+-----------------+
...
               +-------+-----------------+-----------------+
               | 7-255 | Unassigned      |                 |
               +-------+-----------------+-----------------+

From the Sec 6.2.5 text, it looks like values 128 - 255 could in fact be assigned.  However, Sec 4.2 says they are reserved for private use.  There may be other cases of this.

Thanks,
Roman