Re: [sacm] Alexey Melnikov's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
"Schmidt, Charles M." <cmschmidt@mitre.org> Tue, 27 February 2018 22:14 UTC
Return-Path: <cmschmidt@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A894812E868; Tue, 27 Feb 2018 14:14:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id annSIh_kkVhJ; Tue, 27 Feb 2018 14:14:44 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD7D12E867; Tue, 27 Feb 2018 14:14:44 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 34ACA6C00BA; Tue, 27 Feb 2018 17:14:44 -0500 (EST)
Received: from imshyb01.MITRE.ORG (unknown [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 21DA86C00B5; Tue, 27 Feb 2018 17:14:44 -0500 (EST)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 27 Feb 2018 17:14:43 -0500
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Tue, 27 Feb 2018 17:14:43 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=SmWSKlroArH7LPYNMeN+g0Vkfwa0KhwCKxurOdDTzD4=; b=u5j3oeBwivR8TzcAVIJO2raY3J9snZCP/trVXKf+zwg5ppHi6GFaH1umAs0B0wYDfKhW+js62/OglLkBszkNhoYk96+iVsB74+EaOhtoK85+U1C/u5e0fVBWWHkNKhcQJVIcKkmCLlUwvPm4LRBWMtJSLIDPFHaciXsW/tk2zTA=
Received: from DM5PR0901MB2375.namprd09.prod.outlook.com (52.132.133.18) by DM5PR0901MB2375.namprd09.prod.outlook.com (52.132.133.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.527.15; Tue, 27 Feb 2018 22:14:41 +0000
Received: from DM5PR0901MB2375.namprd09.prod.outlook.com ([fe80::21b9:ccf6:187e:85e1]) by DM5PR0901MB2375.namprd09.prod.outlook.com ([fe80::21b9:ccf6:187e:85e1%13]) with mapi id 15.20.0527.021; Tue, 27 Feb 2018 22:14:41 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>
CC: "draft-ietf-sacm-nea-swima-patnc@ietf.org" <draft-ietf-sacm-nea-swima-patnc@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>, "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, "odonoghue@isoc.org" <odonoghue@isoc.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: Alexey Melnikov's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
Thread-Index: AQHTq885rTk/nfyCS0SIr2ppMLMKqKO40q0Q
Date: Tue, 27 Feb 2018 22:14:41 +0000
Message-ID: <DM5PR0901MB23752FA74B7D4738D87F3CEAABC00@DM5PR0901MB2375.namprd09.prod.outlook.com>
References: <151929844942.21080.18258275006008735633.idtracker@ietfa.amsl.com>
In-Reply-To: <151929844942.21080.18258275006008735633.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.80.55.86]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR0901MB2375; 7:fFrFbUa+InpLe8KTaI54mxH2Xm7sWNyYPS2wrYkPdpH1m0TNkK2nkFi0OSFjQDLMOG3Hu/xScIjhqkYasSzK4W8MY/AAGQAEyQHG9FXbWk3u4TJJtoZrFYHFAP9cIEHfS8yEvlfvsW7+uQuXbL2Pt17LNfxHw+GjHrnBBbjwVtgLjR+ZGaywKpat34P/DAymZYZ5Djm5a/qYnK8gd9Rte7Ml9ECXgSDJlp8tbx275tjPahsP4eLp+BhjnoWoiL0x
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: e0d4dfc5-81eb-40bf-e854-08d57e2f7f90
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:DM5PR0901MB2375;
x-ms-traffictypediagnostic: DM5PR0901MB2375:
x-microsoft-antispam-prvs: <DM5PR0901MB23750351F721E6D39899647CABC00@DM5PR0901MB2375.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(788757137089)(211171220733660)(1591387915157);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231220)(944501161)(3002001)(10201501046)(6055026)(6041288)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123558120)(20161123564045)(20161123560045)(6072148)(201708071742011); SRVR:DM5PR0901MB2375; BCL:0; PCL:0; RULEID:; SRVR:DM5PR0901MB2375;
x-forefront-prvs: 05961EBAFC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(366004)(396003)(39380400002)(39860400002)(199004)(189003)(13464003)(25786009)(8676002)(33656002)(6436002)(14454004)(68736007)(26005)(2900100001)(186003)(966005)(106356001)(74316002)(81166006)(15974865002)(2906002)(5250100002)(229853002)(3280700002)(81156014)(8936002)(59450400001)(2950100002)(305945005)(6506007)(6116002)(316002)(6306002)(76176011)(105586002)(99286004)(102836004)(53546011)(3846002)(86362001)(7736002)(66066001)(8666007)(55016002)(4326008)(54906003)(9686003)(53936002)(7696005)(5660300001)(97736004)(3660700001)(110136005)(478600001)(6246003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR0901MB2375; H:DM5PR0901MB2375.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 2NHRM2CXuTe1EZaPaeFNR1+mEFT5qmtwNAIsJppIgp8rIBg/XcOA2tJNghuOLfXqcNkW4N2NqaanUIo2QiFr2RMk3I11wQit09EjHonWTJj7xHLpULXvUVtLIA023+fAMIt0VmHgTuigk0W9sQC7lQw8mCflbahaCXeN9PtwjNE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e0d4dfc5-81eb-40bf-e854-08d57e2f7f90
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Feb 2018 22:14:41.0933 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR0901MB2375
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/qk-GKyV0qvB-H1e_8kPdNydbwTs>
Subject: Re: [sacm] Alexey Melnikov's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2018 22:14:47 -0000
Hello, Thank you very much for the feedback. Overall, I agree with your comments and am addressing them. I did have a couple questions/responses: > 1) In Section 5.8, in the table (I believe this is repeated at least 3 more > times elsewhere in the document): > > Software Locator: > A string containing the Software Locator value. > This is expressed as a URI. This field value > MUST be normalized to Network Unicode format as > described in Section 3.4.4. > <snip> >I suggest: > > A string containing the Software Locator value. > This is expressed as a URI [RFC3986]. This field value > MUST be first normalized to Network Unicode format as > described in Section 3.4.4, then converted to UTF-8 [RFC3629] > (if not already in UTF-8), then encoded as a URI. I agree that spelling out the process better makes sense. However, I don't think the middle step you mention (convert to UTF-8) is necessary. RFC5198 (Network Unicode) already requires that all characters be in UTF-8. As such, my proposed text is: A string containing the Software Locator value. This field value MUST be first normalized to Network Unicode format as described in Section 5.5 and then encoded as a URI. Does this seem reasonable? > 2) SWID registry is using "http://invalid.unavailable" Tag Creator RegID value. > > invalid.unavailable is not a valid domain name and "unavailable" is not > registered in the special-use domain registry > <https://www.iana.org/assignments/special-use-domain-names/special-use- > domain-names.xhtml> > > I am not entirely sure how big of a problem this is, but use of something > which can be interpreted as a URI in a non existing non special-use domain seems > like a bad idea. Unfortunately, this convention was set out in the ISO SWID specification. While I agree that it is unfortunate, I think it is better to fit with the convention used in other SWID documents than to try to correct it here. I will add a note to the effect that this conforms to the conventions of the ISO SWID standard. I also updated the 2009 SWID specification reference as that uses "unknown" for the same purpose. > 2) When referencing RFC 5198 (Network Unicode format), I personally prefer > a stricter version that disallows control characters (other than CR LF). In RFC > 5198, use of control characters is only "SHOULD NOT". So you might want to > make a stronger statement on this. I am open to this, but would like to get others' input as well. This is not an area with which I have much familiarity and worry about implementation impact if we impose requirements that might go beyond what is present in existing tools. My gut reaction is to leave the use of the standard unchanged unless there is an operational need to do otherwise, and I don't know that this is the case. I'll defer to others' opinions on this. > 5) In Section 4.3. Required Exchanges > > All SWIMA-PVs and SWIMA-PCs MUST support both types of exchanges. > > I question the value in requiring SWIMA-PVs in supporting both types of > exchanges. For example, if a SWIMA-PV never uses subscriptions, it doesn't > seem > to need to handle subscription responses. > > Similar text in 5.2: > > All SWIMA-PVs MUST be capable of sending SWIMA Request attributes and > be capable of receiving and processing all SWIMA Response attributes > as well as PA-TNC Error attributes. I'm afraid I am not following your concern here. In 4.3, if the SWIMA-PV has no ability to support subscriptions then I don’t think we want to claim that it is SWIMA compliant. (We don’t want vendors selling “SWIMA-compliant” tools that cannot support subscriptions.) In 5.2, if the SWIMA-PV cannot send a SWIMA Request or receive the response that comes back, then it cannot participate in SWIMA at all. These requirements seem necessary to interoperability. > 6) Use of fields which can contain both human readable and possibly > machine readable information - I think this is rather handwavy and I wish you would > be more specific. Also consider issues raised in BCP 18 (RFC 2277), in particular > language tagging of human readable text. I hear your concerns. Unfortunately, I do not have a good solution that won't add several pages to the specification. Are you aware of any existing standard that could be co-opted for this field? Thanks, Charles > -----Original Message----- > From: Alexey Melnikov [mailto:aamelnikov@fastmail.fm] > Sent: Thursday, February 22, 2018 6:21 AM > To: The IESG <iesg@ietf.org> > Cc: draft-ietf-sacm-nea-swima-patnc@ietf.org; sacm@ietf.org; Karen > O'Donoghue <odonoghue@isoc.org>; sacm-chairs@ietf.org; > odonoghue@isoc.org; sacm@ietf.org > Subject: Alexey Melnikov's Discuss on draft-ietf-sacm-nea-swima-patnc-02: > (with DISCUSS and COMMENT) > > Alexey Melnikov has entered the following ballot position for > draft-ietf-sacm-nea-swima-patnc-02: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-sacm-nea-swima-patnc/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > This is generally a well written document, despite certain repetition of text. > It was a pleasure to read. > > I have a couple of issues that I would like to discuss. I believe they would be > easy to resolve: > > 1) In Section 5.8, in the table (I believe this is repeated at least 3 more > times elsewhere in the document): > > Software Locator: > > A string containing the Software Locator value. > This is expressed as a URI. This field value > MUST be normalized to Network Unicode format as > described in Section 3.4.4. > > At minimum this text is misleading (or can be misread) and at maximum it is > wrong. I think what you are trying to say is that the location value is first > normalized to Network Unicode format as described in Section 3.4.4, then it > is > converted in UTF-8 and then it is encoded as a URI. (As opposed to doing > something else, e.g. convert to URI first and then trying to normalize it). If > this is correct, I suggest: > > A string containing the Software Locator value. > This is expressed as a URI [RFC3986]. This field value > MUST be first normalized to Network Unicode format as > described in Section 3.4.4, then converted to UTF-8 [RFC3629] > (if not already in UTF-8), then encoded as a URI. > > 2) SWID registry is using "http://invalid.unavailable" Tag Creator RegID value. > > invalid.unavailable is not a valid domain name and "unavailable" is not > registered in the special-use domain registry > <https://www.iana.org/assignments/special-use-domain-names/special-use- > domain-names.xhtml> > > I am not entirely sure how big of a problem this is, but use of something > which > can be interpreted as a URI in a non existing non special-use domain seems > like > a bad idea. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Minor: > > 1) Please add a Normative Reference to [RFC3629] when mentioning UTF-8. > > 2) When referencing RFC 5198 (Network Unicode format), I personally prefer > a > stricter version that disallows control characters (other than CR LF). In RFC > 5198, use of control characters is only "SHOULD NOT". So you might want to > make > a stronger statement on this. > > 3) In Section 3.4.4. Software Locators > > The location is expressed as a URI string consisting of a scheme and > path. [RFC3986] The location URI does not include an authority part. > > The last sentence: is this just a fact for file: URIs or is it absolute > prohibition for all other schemes that can be used here? > > 4) In Section 3.8.1. Establishing Subscriptions > > A SWIMA-PC MUST have the ability to record and support multiple > simultaneous subscriptions from a single party and from multiple > parties. A SWIMA-PV MUST have the ability to record and support > multiple simultaneous subscriptions to a single party and > subscriptions to multiple parties. > > In order to improve interoperability it might be useful to specify a minimal > limit on the number of multiple subscriptions per PV. > > 5) In Section 4.3. Required Exchanges > > All SWIMA-PVs and SWIMA-PCs MUST support both types of exchanges. > > I question the value in requiring SWIMA-PVs in supporting both types of > exchanges. For example, if a SWIMA-PV never uses subscriptions, it doesn't > seem > to need to handle subscription responses. > > Similar text in 5.2: > > All SWIMA-PVs MUST be capable of sending SWIMA Request attributes and > be capable of receiving and processing all SWIMA Response attributes > as well as PA-TNC Error attributes. > > 6) Use of fields which can contain both human readable and possibly > machine > readable information - I think this is rather handwavy and I wish you would > be > more specific. Also consider issues raised in BCP 18 (RFC 2277), in particular > language tagging of human readable text. > > 7) IANA Considerations Sections 10.2 and 10.3 contain: > > Software Inventory Message > and Attributes for PA-TNC > > as the reference. This is not actually useful, because these tables are going > to be extracted and copied to the www.iana.org website. You should add > "[RFCXXXX]" to them, so that RFC Editor knows to replace it with the RFC > number > of this document once it is published. > > Nit: > > 8) 3.4. Core Software Reporting Information > > Different parameters in the SWIMA Request can influence what > information is returned in the SWIMA Response. However, while each > SWIMA Response provides different additional information about this > installed software, they all share a common set of fields that > support reliable software identification on an endpoint. These > fields include: Software Identifiers, the Data Model Type, Record > Identifiers, Software Locators, and Source Identifiers. These fields > are present for each reported piece of software in each type of SWIMA > Response. The following sections examine these three types of > > five types as per the previous sentence? > > information in more detail. >
- [sacm] Alexey Melnikov's Discuss on draft-ietf-sa… Alexey Melnikov
- Re: [sacm] Alexey Melnikov's Discuss on draft-iet… Schmidt, Charles M.