[sacm] CoSWiD review

Chris Inacio <inacio@cert.org> Mon, 25 March 2019 13:35 UTC

From: Chris Inacio <inacio@cert.org>
To: "draft-ietf-sacm-coswid@ietf.org" <draft-ietf-sacm-coswid@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>
Date: Mon, 25 Mar 2019 13:35:39 +0000
Message-ID: <etPan.5c98d92a.174793da.1328d@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/m_f6dZioeMnbfkG-ynkhp8R5gUM>

General: I’m going to assume that the CDDL has been validated. Is there a method of checking/ensuring that? Is the only tool for CDDL still the Ruby based tool from Carsten?

Section 2.5: Same thing as the unspsc, can we do better than just having a raw URI in the document as reference: http://www.w3.org/TR/xpath20/

Section 2.6: Is there a better reference for unspsc, other than having a link in the middle of the document?

Section 3.2: The roles/values in the table I think should align with the role values defined in the CDDL 2.8.

Section 2.3: Still have a TBD for more description.

Abstract: “Next to the inherent capability of SWID tags to express arbitrary context information, Concise SWID (CoSWID) tags support the definition of additional semantics via well-defined data definitions incorporated by extension points.”

I’m not sure I’m okay with that sentence - it makes a lot of assumptions of the reader and their familiarity with SWID, and also, I’m not sure that SWID can represent arbitrary context information. And, please be clear about what context information.

Section 2.6: "Depending on how a software organizations distributes revisions, this value could be specified in a primary (if distributed as an"

Organizations -> organization

Table in section 3.2: Can you change the description to be more "…definition…" [ref] instead of duplicating it as "From [SAM] "…description…" ". The "[ref]" basically means this is from that source. (Chris' personal style preference here, so up to authors to ignore this.)

Chris Inacio