IETF Logo Mail Archive

Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document

Adam Montville <adam.w.montville@gmail.com> Fri, 20 May 2016 00:37 UTC

Return-Path: <adam.w.montville@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBA1512D53C for <sacm@ietfa.amsl.com>; Thu, 19 May 2016 17:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nojHNMXGrTID for <sacm@ietfa.amsl.com>; Thu, 19 May 2016 17:37:23 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0704512B005 for <sacm@ietf.org>; Thu, 19 May 2016 17:37:23 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id x201so156180491oif.3 for <sacm@ietf.org>; Thu, 19 May 2016 17:37:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=l987hbn1cvXQpN9dfKF3QRyePs76p/egTDVctcl8Dog=; b=NJgK/ChEHUZVaUSMwYQ//6z3Ktv2/swWH0QlUshvizDkU+cPnGW+GgVtXkeQMTuwaU t9ZACRRV8HozERGgj2Sy831moBrtVRl5bVs98Q0M3mexUAriH6bWslId4NDoZK6xCTAQ 1FshQfjS1emVL+XQa2Cc/FjNdye7c0tcnuFukqXPL5de1/kVaXw6z+ils9cxIZ3jbDBJ 21/HIMOQs1Invu9t9X8afd6D+d0L5O4jX2J4eGzgNx0zAyR0xqMaVQ7IP8KDNd0FzdQF rAN/LiUm4HcXSH+lRh67R2Thqy0WtZ7GWafew1rFgWdR39SOcyIvHwO+9JL1OjQge2d4 4XjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=l987hbn1cvXQpN9dfKF3QRyePs76p/egTDVctcl8Dog=; b=X/48EAPx9fVmrHYNN2BGJwE9OVfaGcHznREXy66t/zs9RK7vtiMjwDoRRDXq41jf/e jW6MdaocxsRGykoJKiZdO1ZPopvKMUqE1MtqPo6/Y01HtKcde7OTCekPdaM2SG4tfroB 5CexI+xWAJQ2hAtzMydAyRLiGZ0OQE2W63nVzfilW/QPr5d1NPgRA9TrjK36VPljLrSO /danhLY6xiu8kAludr2AVY+cG5zjseU7PKheEP019q8dq2fZrhNJj4Z0Dfv56PJHyZ2W t9DP1sdYZMfKhPxREwQlaNZb1Lkk03J+r9/8hPeJ1ilUMBpgUzcLjkTqPbo92L6zo5vN zUsw==
X-Gm-Message-State: AOPr4FXdcAMXTD7jKBoTVwq3FJGP/ehb9dQYaGjOM3KD023NG3hV3kC9jcYJNLVE7jEf3Q==
X-Received: by 10.202.97.69 with SMTP id v66mr99304oib.172.1463704642377; Thu, 19 May 2016 17:37:22 -0700 (PDT)
Received: from adams-mbp.attlocal.net (99-64-100-131.lightspeed.austtx.sbcglobal.net. [99.64.100.131]) by smtp.gmail.com with ESMTPSA id w9sm4695104otw.16.2016.05.19.17.37.20 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 19 May 2016 17:37:20 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_68DB7BEF-FFA9-41F4-814D-262AB4210917"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Adam Montville <adam.w.montville@gmail.com>
In-Reply-To: <SN1PR09MB09900FB2B7AE3C48324891A2AB4A0@SN1PR09MB0990.namprd09.prod.outlook.com>
Date: Thu, 19 May 2016 19:37:19 -0500
Message-Id: <F16B187C-5D4D-40C4-A708-21BBFE30C053@gmail.com>
References: <17198AFF-DF5A-46BC-B84A-2AAF1717BD90@isoc.org> <e8798c66-2ac8-7b24-4ab3-d28b4868c94a@yaanatech.com> <BN1PR03MB1231A9F5A4EE487623E5C82AF490@BN1PR03MB123.namprd03.prod.outlook.com> <0aa7684f-5a47-c00a-4b5b-e19484dd718a@yaanatech.com> <CAA=AuEfepDpmQF7TOLe2nvkgEPU9LD49Fc8bSvUCW+F_6yYy5A@mail.gmail.com> <BN1PR03MB1236FEF6EE3127323F9294AAF490@BN1PR03MB123.namprd03.prod.outlook.com> <SN1PR09MB0990AD2634A81C9A7128D120AB490@SN1PR09MB0990.namprd09.prod.outlook.com> <0418b8dc-9fd8-f8d2-3461-ce8e019fe22a@yaanatech.com> <8eb2719e-6baa-013a-daf5-5f2b269a75c1@ThreatGuard.com> <SN1PR09MB09900FB2B7AE3C48324891A2AB4A0@SN1PR09MB0990.namprd09.prod.outlook.com>
To: "Schmidt, Charles M." <cmschmidt@mitre.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sacm/pnU28R7n_Ry-1IVwdLPbz4F4zDk>
Cc: "sacm@ietf.org" <sacm@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>, "tony@yaanatech.com" <tony@yaanatech.com>, Gunnar Engelbach <gunnar.engelbach@threatguard.com>, Jerome Athias <athiasjerome@gmail.com>, Michael Godsey <mgodsey@microsoft.com>
Subject: Re: [sacm] Call for adoption of draft-coffin-sacm-nea-swid-patnc as a SACM WG document
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2016 00:37:25 -0000

This is a good discussion.

From my personal perspective, I would not want to preclude other identification mechanisms from being used in the future, but we do have to start somewhere and grow from there.  In that light, I do not believe this draft should marry our work to SWID and only SWID till death do us part.  Software identification has to be flexible—that’s just the reality of it.  But, at some point, there has to be a semantic layer to pull it all together.

The second point I want to make is that this is a call to adopt the draft into the working group, presumably to do work on it.  So the fact that the draft currently only references this or that version of a standard matters less now than if it makes its way to IESG down the road.

Kind regards,

Adam

> On May 19, 2016, at 3:27 PM, Schmidt, Charles M. <cmschmidt@mitre.org> wrote:
> 
> Tony/Gunnar,
> 
> I agree. Details below.
> 
>> 	Two questions not asked: who might do the
>> 	work to bridge the gap with the gazillion other
>> 	software identifier approaches out there, and
>> 	whether some form of out-of-band SWID capability
>> 	(as is used with may of the other SWID mechanisms)
>> 	cannot be included.  For a lot of IoT stuff, it is
>> 	essential.
>> 
>> This right here is an excellent point.  There are other software ID
> mechanisms
>> out there and SWID is not going to cover everything for which there is an
>> alternative.
>> 
>> Because this proposal is so SWID-specific, I can't get behind it.
> However, if it
>> was genericized to allow for use of current and possible future tagging
>> mechanisms, I could certainly support that.
> 
> This makes sense. Even those strongly attached to the use of SWID tags would
> like to make sure that this specification can handle future revisions of the
> ISO SWID specification, and as you both note, there are other structures out
> there which people might wish to use.
> 
> Basically, it seems to me that we want to support a common, core set of
> functionality related to inventory and inventory events, but that we want to
> have some flexibility in the data (I'll call these "records") used to convey
> that information to a policy server. Are we in agreement on this? (I don't
> think we want the nature of what one can infer from a report to change based
> on the record structure used to convey that report.)
> 
> Given this, the following are the core capabilities of SWID M&A for
> reporting records as I see them:
> 1) Records need to be associated with specific instances of a specific
> software product and version thereof.
> --- If the same version of the same product is installed multiple times,
> there will need to be multiple records naming the same product and version -
> one associated with each actual installation. (We need to convey that a
> given product+version is installed "exactly X times" rather than "at least
> one instance".)
> --- Changes to a software product need to result in a change in the
> associated record. (The record needs to distinguish between AcmeApp v1.2.3
> and AcmeApp v1.2.4, since this is critical to multiple consumers of this
> data.)
> --- Records associated with a product+version need to be consistent over
> time and across endpoints. (There needs to be an easy way for the SWID-PV to
> say "this is the same product+version" across different reports and between
> reports from different machines.)
> 2) If the record is more than about 200 bytes, there needs to be a concise
> identifier for this record. In SWID tags, this is created by the combination
> of the TagCreatorRegID and the TagID fields. (Concise identifiers are used
> in multiple places in SWID M&A to convey information without bloating
> messages.)
> 
> Do you (or anyone) have any questions or concerns about any of these core
> capabilities, or have any others to add? I think all of the other SWID M&A
> capabilities (monitoring for changes, tracking and ordering of events,
> subscriptions, processing targeted requests, etc.) are fairly neutral with
> regard to the record structure used in messages assuming the two
> requirements above are met. Let me know if you disagree about that.
> 
> Capabilities do not need to be inherent in the record itself. (For example,
> there is nothing in a SWID tag that allows one to distinguish between
> multiple installations of a single product.) There just needs to be a
> reliable, deterministic mechanism by which these capabilities can be met
> while using the record.
> 
> I will work on putting together some proposals on how different record types
> can be clearly labeled in SWID M&A messages so recipients can know the type
> of content they are getting prior to parsing. (Probably want a way for
> SWID-PVs to express a preference too... need to think about this.) While I
> am doing that, if you have a favorite non-ISO-SWID record that you would
> like to see supported, could you put together any necessary requirements
> that would be needed to ensure it aligns with the core capabilities
> described above? I think that would be very useful for fleshing out this
> flexibility.
> 
> I am interested in your thoughts on this. Thanks for the input.
> 
> Charles
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm

v2.23.0 | Report a Bug | By Email