Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc

Adam Montville <adam.w.montville@gmail.com> Mon, 31 July 2017 19:51 UTC

All:

The following comments are made as a contributor.

Should we be referencing the NIST interagency report related to SWID or the
ISO standard directly? The NIST document is more readily accessible, and if
they have parity, then we might gain points for referencing the freely
available resource.

Is there a reason to mention TCG + NEA in the introduction? If we're
looking at NEA, then let's just use NEA references and not the TCG ones
for, at least, the sake of consistency.

Propose modified definition for SW-PC: A Posture Collector (PC) that
collects endpoint software inventory information and that conforms to this
specification.

Propose modified definition for SW-PV: A Posture Validator (PV) that
interprets SW Attributes sent by SW-PCs and that conforms to this
specification.

Propose modified definition for SW Attribute: A PA-TNC attribute that
conveys software inventory information. (NOTE: We should ensure that PA-TNC
is the NEA-specific term.)

Propose renaming "SW Attribute" to "SWIMA Attribute", which seems more
accurate. Take a look at the "SW Attribute" subtypes listed in section 5.2
to understand my motivation. Assuming "SW" expands to "software" (which is
a reasonable presumption), then SW Request is not a SW Attribute. A SW
Attribute might be a configuration item that software contains, but not a
SW Request. The SW Request attribute is used to request software inventory
related information from an endpoint, and is thus more appropriately an
attribute associated with SWIMA than with "software". If this is
acceptable, then we should update the term in section 10.1.

Then, we may want to consider expanding "SW" to "SWIMA" wherever
appropriate (i.e. SW Request could become SWIMA Request), which is longer
to type but also inarguably more clear.

On Page 15 the draft states "All SW-PCs MUST at least be able to generate
Software Identifiers for the data model types specified in Section 6 of
this document." Section 6 describes data models for SWID 2009 and SWID
2015, but nothing else. Is this really what we desire? What about Linux
distribution package managers? What about discovered software outside
typical installation patterns? And, does it make sense, in a brokered
architecture like NEA, to require redundant capabilities in the anticipated
myriad collectors?

Are the subscription semantics of this draft intended to be extrapolated to
other types of information collection going over PT-TLS in the future? This
wasn't clear to me when reading the draft, but the IANA table additions
(section 10.2) relating to subscriptions appear to have names generic
enough to be reused. If that's the intent, then maybe we can figure out an
easy way to clarify this in the draft, so that subsequent collection drafts
are easier to create.

Kind regards,

Adam


On Fri, Jul 28, 2017 at 10:41 AM Karen O'Donoghue <odonoghue@isoc.org>
wrote:

> Folks,
>
> This begins a 3 week working group last call (WGLC) for the following
> document:
>
> Software Inventory Message and Attributes (SWIMA) for PA-TNC
> https://datatracker.ietf.org/doc/draft-ietf-sacm-nea-swima-patnc/
>
> We have chosen to do a 3 week WGLC to account for post IETF recovery and
> August vacations.
>
> Please review the referenced document and send any comments to the mailing
> list including your assessment of whether this document is mature enough to
> proceed to the IESG. Please note that these messages of support for
> progression to the mailing list will be used to determine WG consensus to
> proceed.
>
> Please send all comments in by Friday 18 August 2017.
>
> Thank you!
> Karen and Adam