[sacm] [sacmwg/draft-ietf-sacm-coswid] addressed comments from Roman Danyliw (#44)
David Waltermire <notifications@github.com> Mon, 12 July 2021 13:20 UTC
Return-Path: <noreply@github.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C62B3A1736 for <sacm@ietfa.amsl.com>; Mon, 12 Jul 2021 06:20:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.651
X-Spam-Level:
X-Spam-Status: No, score=-6.651 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S66Pk-PRjM9q for <sacm@ietfa.amsl.com>; Mon, 12 Jul 2021 06:20:00 -0700 (PDT)
Received: from smtp.github.com (out-25.smtp.github.com [192.30.252.208]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 090153A1730 for <sacm@ietf.org>; Mon, 12 Jul 2021 06:19:59 -0700 (PDT)
Received: from github.com (hubbernetes-node-087297b.ash1-iad.github.net [10.56.116.34]) by smtp.github.com (Postfix) with ESMTPA id 282E9840A8D for <sacm@ietf.org>; Mon, 12 Jul 2021 06:19:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1626095999; bh=HPSClWck2q+cNI9V+4DqvPJSFW/RV0WEqBtjtz4aQLs=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=q/UqQW1ycIR9JQIXVXYaldcZIpwCr4zsountCDtEBVJ4PPHPGfmDPs8CMV/32Hbq9 YKgAhSHXrh7ViROndzVM2bvUqLxtIFT0AC2WnVzz8ft004Ih3Wop3u4DpXJ3czi8Ve TTZWQ6yDC5bcMlOo95+d71X1gXTuc2lxqExSIYow=
Date: Mon, 12 Jul 2021 06:19:59 -0700
From: David Waltermire <notifications@github.com>
Reply-To: sacmwg/draft-ietf-sacm-coswid <reply+ACTMJUIHJIJ4AJ2YVVB3NXF67ARH7EVBNHHDQJVDS4@reply.github.com>
To: sacmwg/draft-ietf-sacm-coswid <draft-ietf-sacm-coswid@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <sacmwg/draft-ietf-sacm-coswid/pull/44@github.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_60ec417f21a48_1663c6fc131950"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: david-waltermire-nist
X-GitHub-Recipient: sacm
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: sacm@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/tkvXO1e2zQwXhkiw5pbw-scTMt0>
Subject: [sacm] [sacmwg/draft-ietf-sacm-coswid] addressed comments from Roman Danyliw (#44)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 13:20:05 -0000
Addressed the following comments: > ** [-15] Section 2.3 Are there any considerations that would need to > be made for versioning CoSWID beyond the native support provided with CBOR? [Per IETF 110] Add text on the order of native CDDL approach for handling version is used. If a future version of SWID is published which alters the semantics of exists fields, a future version of CoSWID SHOULD (MUST?) use a different tag to represent it. [daw: A new paragraph was added to section 2 detailing how index values are used to support revisions and extensions.] > ** [-15] Section 4.1 and 5.2.4. [SEMVER] doesn't meet the threshold > for a normative requirement and a "specification required" - it's just > a website. If this is used in SWID then that would be compelling argument to waiver it. > However, that should be explicitly stated here. If it isn't, we > should discuss it a bit more. > > [-16: Can the ISO spec please be used as the basis for this reference > (even it just points to the same website?)] [Per IETF 110] see -16. Use ISO SWID reference for the IANA registry and if desired, used [SEMVER] as an informal reference in the text [daw: This has been done in section 4.1.] > ** [17] Section 6.*. Various "FIXME" markers need to be populated. [daw: The FIXME markers have been replaced with actual text.] > > ** [-15] Section 6. What are the normative requirements, if any, on > signing the CoSWID? > > [-17] Is there something in SWID preventing normative guidance that > says SHOULD or MUST sign? [daw: Section 7 now details the construction of a signed CoSWID. A SHOULD sign requirement was also added to section 7.] [Per IETF 110] We discussed adding language on the order of "This document specifies a data format and an associated integrity mechanism agnostic of a deployment. Application which choose to use CoSWID will need to specify explicit guidance which security properties are needed and under which circumstances." > ** [-15] Section 6. Per "When an authoritative tag is signed, the software > provider can be authenticated as the originator of the signature", > what is the binding between the software provider and the key used to > provide the signature? Put in another way, how do I know the > signature on the CoSWID really belongs to the software provider? Same for a supplementary tag? [daw: Authenticating the signer is the software provider will require a match between a CoSWID entity and the signer. We are working out a means to do this.] > > [-16] Thanks for the new text. Unless more detailed will be provided, > please add that provisioning and validation logic of these tags will > be done via local policy and is outside the scope of this document] 2 [daw: Not sure which tags this applies to? Signing? All of section 2?] > > [-17] Section 9. Per "A trustworthy association between the signature > and the originator of the signature can be established via trust > anchors. A certification path between a trust anchor and a certificate > including a pub-key enabling the validation of a tag signature can > realize the assessment of trustworthiness of an authoritative tag.", > this is true. Additionally, there is also the problem of how to > associate the right key with the software provider or party permitted > to add tags. This significant complexity does not need to be solved > here, but please acknowledge that it is someone that needs to be addressed by the users, and is out of scope here. [daw: done.] > > ** [-15] Section 6. Per "Having a signed authoritative SWID/CoSWID > tag can be useful when the information in the tag needs to be trusted > such as when the tag is being used to convey reference integrity > measurements for software components ", when would this tag not need > to be trusted? Perhaps I misunderstood, but I thought the whole > premise of using SWIDs/CoSWIDs in the SACM context was to support > asset inventory (i.e., reference integrity measurement of software > components). I'm not clear on the use case for unsigned tags - that > said, I recognize that the SWID spec doesn't specify that either. [daw: This confusing text has been removed.] > [-17] Please add caution that without an integrity scheme, any user or > process that has write-access to the CoSWID tag can alter it. As > such, any consuming application need to treat this data with caution. [daw: done.] > ** [-17] Section 9. Per "Thus, authoritative CoSWID tags can be > trusted to represent authoritative information about the software > component", this seems too strong of a statement and dependent on the > custody of that tag. If it isn't signed, little, if anything, > extracted from CoSWID tag should be considered authoritative. [daw: We added a note about this.] > > ** [-17] Section 9. Nit. s/pub-key/public key/ [daw: Done.] > ** [-17] Section 9. Per "Input sanitization and loop detection are > two ways that implementations can address this concern", and the use > of signed tags whose signature is verified on use too. [daw: Added signature validation as a way.] Regards, Roman > Regards, > Roman You can view, comment on, or merge this pull request online at: https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/44 -- Commit Summary -- * addressed comments from Roman Danyliw -- File Changes -- M draft-ietf-sacm-coswid.md (26) -- Patch Links -- https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/44.patch https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/44.diff -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/44
- [sacm] [sacmwg/draft-ietf-sacm-coswid] addressed … David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] addres… David Waltermire
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] addres… Henk Birkholz
- Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] addres… Henk Birkholz