Re: [sacm] WGLC for draft-ietf-sacm-coswid

"Nelson, Alexander J. (Fed)" <alexander.nelson@nist.gov> Wed, 03 July 2019 17:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/wUODRbOnHuxFvEekKbyYGKGNE-U>

Hello all,

I am a colleague of Dave's, and am working at NIST to assist with SWID adoption.  I have reviewed this draft for CoSWID, and found a few helpful notes for my own implementation efforts, so I am glad to have been asked for input.

I find this draft to be nearly ready for publication.  There are a few minor editorial issues that should be resolved before publication, listed at the end of this message.  I also found I had a few questions and possible discrepancy identifications, listed first.


Questions:

* Before I started reading the document, I thought that CoSWID would be a losslessly-translatable representation of SWID data, between XML and CBOR.  From Section 2's third paragraph, this is stated to not be a goal feature.  (In case it isn't clear, I don't object to this.)  Is it at least possible to translate from one format to the other, not necessarily bilaterally, and perhaps under certain conditions like "if there are no extension elements or attributes, SWID XML can be mechanically translated to CoSWID"?  From my reading, it looks like that example statement I just wrote would hold.

* Section 2.2, the "software-name (index 1)" text describes what I think is the first potential spot for non-ASCII text to be entered into CoSWID data, in the case of vendors that produce non-English data.  I didn't see in this document any requirements imposed for character encodings.  SWID imposes UTF-8 as an encoding (per NISTIR 8060, Section 4.3).  Could this document include a reminder statement on character encodings being required to be UTF-8?
  - This might also apply in Section 5.2.1, the penultimate bullet describing registered names' syntax requirements.

* Section 6's 2nd paragraph describes a requirement of authoritative tags being signed by the software provider that is also the originator.  Forgive me if I'm misremembering, but I did not think that signing was a requirement for defining a tag to be authoritative.  NISTIR 8060, Section 3.2, quotes the SWID specification's Section 6.1.10 to say that "Signatures are not a mandatory part of the software identification standard...".  Further, NISTIR 8060, Section 4.2, provides a scoped-to-that-document definition of "authoritative tag creator" that does not describe signing.  So, it looks to me like Section 6 imposes a stronger requirement for an "authoritative" CoSWID tag than an XML-based SWID tag.


Editorial issues:

* Section 1 makes reference to "CBOR," but the first instance of the acronym expansion and citation is in the first sentence of Section 1.2.  It may be better to move that expansion and citation to Section 1.

* Figure 1's "x" annotations aren't directly explained, and could be interpreted to mean removal of the tag at that stage.  From the following bulleted narrative, it instead appears to mean the tag can be removed or replaced.  A sentence in the figure's caption would help to prevent this conclusion.  Though, if the reader is assumed to have the patience to wait for a page, then there's no problem.

* Suggested grammar fix, section 2:

    s/and stop point are not needed saving bytes/and stop point are not needed, saving bytes/

* Request for grammar adjustment, Section 2.1:  """... that are typically stored in the "any attribute" of an ISO-19770-2:2015 in XML representation."""  Does this need the following substitution?

    s/2015 in XML/2015 element in XML/

* Section 2.2, I'm curious - what happened to the mapping of 7?  No editorial action needed, the skip just caught my eye.

* Section 2.2, typo: "The value of an version-scheme ..."

* Section 2.2, typesetting error: The three bullets following "The value of an version-scheme item MUST be one of the following" appear to be set at an incorrect bullet level.  Elsewhere in the document, these sub-lists use asterisks as bullets instead of empty circles.  It appears these three bullets should be asterisks, not empty circles.

* Section 2.3, bullet 2 ("""If the patch item is set to "true", the tag SHOULD..."""): Would it be beneficial here to note the associated schemes for link hrefs?  This could be a forward reference to Section 2.6.

* Section 2.7, bullet "description (index 46)": Is it permitted to have a description be multiple lines?  I don't know if CBOR supports this.

* Section 2.7, typo: "For examplem, this ..."

* Section 2.7, bullet "unspsc-code":  Non-blocking issue, a matter of web reference hygiene.  May this URL be provided with the "https" protocol instead of the "http" protocol?  (Bibliography entries refer to web resources with the "https" protocol.)

* Section 2.8.8, bullet "path-elements (index 26)", typo: "a heirarchy".

* Table 3, typo: "e.g.,1.2.3, ..." (missing space character)

* Section 5.2.1, typo: "a new a new"

* Section 6, paragraph 2: It may be beneficial to provide a reference to RFC 8152 near the mention of signing CoSWID tags.


--Alex
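The two encoding questions raised above (non-ASCII software-name text in Section 2.2 and a multi-line description in Section 2.7) come down to how CBOR carries text: a text string (major type 3) is defined as UTF-8 and may contain any code point, newlines included. The following hand-rolled encoder/decoder is an added example, not code from the draft or from the reviewer; it uses only the two map indices the review cites (1 and 46), and the sample tag contents and the invalid Latin-1 byte in the comments are constructed for illustration.

```python
# Minimal CBOR (RFC 8949) encoder/decoder for the three item types a small
# CoSWID map needs: unsigned integer keys (major type 0), text strings
# (major type 3) and maps (major type 5).  Indices 1 and 46 are the draft's.
SOFTWARE_NAME, DESCRIPTION = 1, 46  # map indices cited in the review above

def _head(major, n):
    # Initial byte plus the shortest argument encoding for n (n < 256 here)
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    raise ValueError("argument too large for this minimal encoder")

def encode(value):
    if isinstance(value, int):
        return _head(0, value)
    if isinstance(value, str):
        data = value.encode("utf-8")  # a CBOR tstr payload is UTF-8 by definition
        return _head(3, len(data)) + data
    if isinstance(value, dict):
        body = b"".join(encode(k) + encode(v) for k, v in value.items())
        return _head(5, len(value)) + body
    raise TypeError(f"unsupported type {type(value).__name__}")

def _decode(buf, pos):
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info >= 28:
        raise ValueError("indefinite-length items not supported")
    if info >= 24:  # argument follows in 1, 2, 4 or 8 bytes
        width = 1 << (info - 24)
        info, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    if major == 0:
        return info, pos
    if major == 3:  # strict: invalid UTF-8 in a tstr raises UnicodeDecodeError
        return buf[pos:pos + info].decode("utf-8"), pos + info
    if major == 5:
        out = {}
        for _ in range(info):
            key, pos = _decode(buf, pos)
            out[key], pos = _decode(buf, pos)
        return out, pos
    raise ValueError(f"major type {major} not handled here")
def decode(buf):
    return _decode(buf, 0)[0]
def text_is_utf8(buf):
    # True when every tstr in the item is valid UTF-8 (the decoder is strict)
    try:
        decode(buf)
    except UnicodeDecodeError:
        return False
    return True
```

A strict decoder like this one is the practical enforcement point for the UTF-8 requirement: a tag whose text strings carry bytes from another encoding fails to decode rather than being silently mis-rendered.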


On Jun 27, 2019, at 4:36 PM, Karen O'Donoghue <odonoghue@isoc.org> wrote:

Folks,

As discussed at our virtual interim on Tuesday, this begins a three week working group last call for:

Concise Software Identification Tags
https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/

Please reply to this email thread with an indication that you have read the document, any comments you may have, and your assessment of whether or not it is ready to proceed to publication.

DEADLINE: Please reply by Friday 19 July 2019.

Thanks!
Karen and Chris