Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc
Adam Montville <adam.w.montville@gmail.com> Fri, 04 August 2017 16:15 UTC
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EFF613217D for <sacm@ietfa.amsl.com>; Fri, 4 Aug 2017 09:15:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-ND-clKA3PM for <sacm@ietfa.amsl.com>; Fri, 4 Aug 2017 09:15:17 -0700 (PDT)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D7B6131EB3 for <sacm@ietf.org>; Fri, 4 Aug 2017 09:15:17 -0700 (PDT)
Received: by mail-io0-x22b.google.com with SMTP id j32so7700173iod.0 for <sacm@ietf.org>; Fri, 04 Aug 2017 09:15:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=AHe9XybKLYV7vvUTN+iL+lq/nf3LqULo5GpbKs/J9D0=; b=tTtuK0FmtxHT84xCrD/5kO1AiWhn2hT7lxAuahSWX7iFOcot/fNxIconvPTa6tyT3+ ESPcsi/dNMpGcu6jZd+t4e18Xty2kIdAwYKwxfpFZ26vpKjLyQQT2Eg73lNc53j1ed5r DCjDq8V6m0+VYqNIWY8SAUJkcv2d65fu8a1D3WrNloFhHv58PV9kG68GbQo10OImXmdU ImKrM3p56k5KFuyPK4a8ztYgGW9vDRVAw31COxtryop2HEkgcXKBZULOfrNHGDJSc6T/ t0fCjOQEdUI6MzuIuDr7YEv8izcq/NlnZDGKqs4JsTO8V3Uy8HWlmBXHLHULtJXx0HPY TNpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=AHe9XybKLYV7vvUTN+iL+lq/nf3LqULo5GpbKs/J9D0=; b=Vwz5NFKqAYQ0LEAzvcHrMr0nxINRHnDV6vi3RXBMCW3gskGcllWsNABKVKcBAmveBT KmSExdOnpxAEL51MeIBSfFfHnkTz3rOYEa6m/omb39bmK3u8WoUjNgPN6Mb2eK7ANBRE EasASt1Qsq0Du/NL/rZ8ti13nl/7BNl0ZVrCO7b1tbVYkvjpYBIpGETzmb5X4KN6qR+x UdmLIuLPADDn/EFEWRBBPsCFFaGoJLoZwti3B7dVVKf3YKqcuyUHvqHdtdviciLxKEQn xbBDLR/NzSGnKIDBNWgMJffREIEMT/3p2BYs9FkA8Q/ioLaMcgQHVCmbvhTy/ljLBEa/ /R9g==
X-Gm-Message-State: AHYfb5idaTFvs/QOdIBX3a8fITuEGa65n8dTnRAq4F3jxBz7TdrfBydr yb0oavwYgLBU+OdGV6aCJxgVbwCwQQ==
X-Received: by 10.107.37.140 with SMTP id l134mr3014703iol.182.1501863316358; Fri, 04 Aug 2017 09:15:16 -0700 (PDT)
MIME-Version: 1.0
References: <E40D1FEF-2408-4508-AEBC-AC3052D3AAD3@isoc.org> <CACknUNWFVWBaDuKs_sVpHU7m3jg_WmMrB3-CJy6HCJwj6AhLyQ@mail.gmail.com> <BN6PR09MB118639CCEE0BDF2ADE51838BABB10@BN6PR09MB1186.namprd09.prod.outlook.com> <CACknUNXVeheegfdr8yesXoTL35Mf4ACpCfi1hwmM+maSo8ckJw@mail.gmail.com> <BN6PR09MB1186705A6A6FBFF5A55C6580ABB60@BN6PR09MB1186.namprd09.prod.outlook.com>
In-Reply-To: <BN6PR09MB1186705A6A6FBFF5A55C6580ABB60@BN6PR09MB1186.namprd09.prod.outlook.com>
From: Adam Montville <adam.w.montville@gmail.com>
Date: Fri, 04 Aug 2017 16:15:05 +0000
Message-ID: <CACknUNX=5wi5=enQy34Nx8BRvFsGL=L28XuHqYpOeNsf7UeyYg@mail.gmail.com>
To: "Schmidt, Charles M." <cmschmidt@mitre.org>, Karen O'Donoghue <odonoghue@isoc.org>, "sacm@ietf.org" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="001a11405e24790d870555efcdab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/pSle8xvGklLWl_PDsmFbdbDvllE>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 16:15:20 -0000
I think I'm all set, Charles, thanks for your patience. :-) On Fri, Aug 4, 2017 at 9:10 AM Schmidt, Charles M. <cmschmidt@mitre.org> wrote: > Hi Adam, > > Sounds like we are mostly aligned. I've trimmed the points where it looks > like we are on the same page and responded inline to the others. > > > > On Page 15 the draft states "All SW-PCs MUST at least be able to > > generate > > > Software Identifiers for the data model types specified in > Section 6 > > of this > > > document." Section 6 describes data models for SWID 2009 and > > SWID 2015, > > > but nothing else. Is this really what we desire? What about Linux > > distribution > > > package managers? > > > > Adding on to Stephen's comments, I'll note that we intend SWIMA to > > be extensible. If someone wished to report RPM records or other types of > > packages, they are welcome to do so. The just need to define an > > authoritative way of deriving a Software Identifier from the record. > > However, I don't think we want to *require* support for such packages in > all > > SW-PCs. > > > > [AWM] I was looking at this a bit differently, I think. If there is a > collector > > capable of expressing RPM packages, as an example, and they want to > > extend this to shuttle that information over PT-TLS, then would they > need to > > also collect 2009 and 2015 SWIDs? It seems contrary to the point of > having > > posture brokers. Maybe I'm missing something. > > <CMS> > I think that this stems from confusion about what "MTI" means for records > in SWIMA. SWIMA never requires that any given type of record be collected > from an endpoint. An endpoint might have hundreds of SWID tags on it, but a > compliant SWIMA specification might never touch them and instead choose to > gather some other indicator of software installation. (For example, a SWIMA > implementation might feel that RPM records are likely to be more complete > and accurate than any SWID tags that might get installed across the > endpoint.) The SWIMA specification is explicit that it only requires > collection to be done in an internally consistent manner (i.e., it cannot > use one source in one report and ignore that source in a subsequent report) > but it never requires the use of any specific source of information. In > short, a SWIMA implementation can make use of whatever information is > available in whatever way it chooses, provided that it uses those sources > consistently. > > All the MTI requirement means is that every compliant SWIMA-PC MUST know > how to take any 2009 or 2015 SWID tag it does collect (*if* it collects any > at all) and deterministically derive a standard Software Identifier from > that record. The issue this tries to address is that we would need a > one-to-one mapping between information records describing software and the > Software Identifier that is the shorthand for the described software. > Unfortunately, there are lots of ways to do such a mapping, so there could > be variation across implementations as to how a given piece of software is > represented by a Software Identifier. By making 2009 and 2015 SWID tags > MTI, all we are doing is ensuring that every SWIMA implementation will have > the same one-to-one mapping between a given tag and its Software > Identifier. This means that, at least for SWID tags, two collectors (from > different vendors) will use the same Software Identifier for the same SWID > tag, and thus those Identifiers can be directly compared. > > This might get at your "redundancy" comment too - if MTI meant "required > collection", then yes, requiring both types of tags be collected could be > redundant. However, that is not the requirement. All the MTI statement > requires is that SWIMA implementations are universally consistent in their > mapping of 2009 and 2015 SWID tags to Software Identifiers. I don't think > that is redundant - it is just better covering the bases. > > > > What about discovered software outside typical > > > installation patterns? > > > > As Andreas notes, such software can still be represented using SWID > > tags. They could also be represented using other record formats, as I > note > > above. > > > > [AWM] Do we need to mention how? If so, is this the right place to do > that? > > <CMS> > If you are talking about "how to convert to a SWID tag", I think that is > beyond the scope of SWIMA. (Maybe if SACM decides someday to endorse SWID > tags as the official record format for software information, that might be > reasonable, but for now I think it would be premature.) > > If you are talking about how to represent records other than SWID tags > within SWIMA messages, I'm not sure that is necessary because the > specification itself is completely generic. We just talk about records and > Software Identifiers. > > > > And, does it make sense, in a brokered architecture like > > > NEA, to require redundant capabilities in the anticipated myriad > > collectors? > > > > Not sure how this is "redundant". The group agreed that 2009 SWID > > tags should be supported for legacy reasons, while 2015 tags should be > > supported for future compliance. In general, SWIMA has virtually no > control > > over the nature of the records on the endpoint - they might be SWID 2009, > > SWID 2015, something completely different, or a combination thereof. > > SWIMA is concerned with collection and conveyance of available > information. > > Normalization of that information into one preferred record format is > > beyond the scope of SWIMA. (Deliberately so, since our early > conversations > > on SWIMA involved a lot of holy wars about preferred record formats, none > > of which appear to "dominate" are target environment today.) Maybe SACM > > will eventually get behind a single format, and when they do SWIMA will > be > > ready and able to convey it. Until then, SWIMA's goal is to support > collection > > and conveyance of whatever software records might be available. > > > > [AWM] Maybe I should ask this way. Is the expectation that RPM package > > management collectors, for example, would require a separate > specification > > for shuttling over PT-TLS, or that they would extend this draft? If a > separate > > specification, then I retract my comments, because then SWID data models > > aren't necessary. If an extension of this draft, then my comment remains. > > <CMS> > See my earlier comment about redundancy - if this is related to concerns > about require collection of records, SWIMA never imposes such a requirement. > > To answer your question, no - ideally we would hope that those collectors > would not use a separate PA-TNC binding. In fact, no extension of this > draft is necessary for RPM package manifests to be used directly in SWIMA. > Any representation of installed software can be directly conveyed by SWIMA. > Of course, if that representation hasn't been standardized in the IANA > table, then two different vendors might identify that data model > differently and use a different algorithm to derive Software Identifiers > from those records, making direct comparison between their findings more > challenging, but at least within that vendor's product space there would be > no problem. (The advantage of the IANA table entries, is that the data > model type identifier of the record will be the same across all > implementations and the algorithm to derive the Software Identifier will be > the same, allowing any such records to be directly compared across vendor > boundaries.) > > So, in the current draft, any vendor could declare that an RPM manifest > entry was a utilized Data Model Type, create a way to create a Software > Identifier from each manifest entry, and start sending those to a consumer > via SWIMA with no extensions necessary. Of course, vendor 2 might do the > same thing, but would use a different type identifier and Software > Identifier algorithm. In either case, however, the information is collected > and delivered. > > Does this address your questions? > > Thanks, > Charles >
- [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc Karen O'Donoghue
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Adam Montville
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Andreas Steffen
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Adam Montville
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Schmidt, Charles M.
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Henk Birkholz
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Ruben Oliva
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Adam Montville
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Schmidt, Charles M.
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Schmidt, Charles M.
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Waltermire, David A. (Fed)
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Adam Montville
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Nancy Cam-Winget (ncamwing)
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Schmidt, Charles M.
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Andreas Steffen
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Nancy Cam-Winget (ncamwing)
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Schmidt, Charles M.
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Karen O'Donoghue
- Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-pat… Adam Montville