Re: [sacm] ROLIE Software Descriptor Review

"Banghart, Stephen A. (Fed)", Thu, 28 March 2019 14:33 UTC


Thanks for the great review, I've gone through and addressed your concerns. I'll wait for the rest of the reviews and publish the new version.

I don't think there are any changes in particular you would need to respond to, but I've provided a brief description of each below:

- The authors' place of work could be listed as "NIST" (as it is in other I-Ds and RFCs) to avoid the current craziness in the header information

> Fixed.

Section 1
- The sentence "Software descriptor information is information that characterizes static software components, packages, and installers; including identifying, versioning, software creation and publication, and file artifact information." doesn't flow well, in my opinion. I would revise to "Software descriptor information is information that characterizes static software components, packages, and installers; including identification, version, software creation and publication, and file artifact information."

> Updated

- What does "smaller state space" mean?

> Fair enough, it's pretty vague. I've changed it to "tightly limited scope".

- "ROLIE Feeds" is used before it is defined. I wonder if these are use cases for ROLIE Software Descriptor Information, and "ROLIE Feeds" is unnecessary here.

>ROLIE Feeds are defined in section 6.1 of the ROLIE core. I've added a reference out to that.

- "Value added information" sounds like a marketing term. Maybe you can just say checklists or assessment requirements?

> I've updated this to "...and to provide downstream services
>            (e.g., software configuration checklist repositories)."
>I've also removed the rest of that sentence (Past the quoted section above), because on a re-read I found it way too long.

- The bulleted section that begins "End user organizations" has a misplaced comma. I think you were trying to separate multiple "and" statements. Perhaps the first "and" should become "as well as" to make this section more clear.

> Agreed. Updated to: "End user organizations can consume software
>           descriptor information along with related software..."

- The bulleted section that begins "Organizations can use" has an unnecessary comma, "thru" should be "through", and expand RIM.

>Fixed. On investigation I can't even find what RIM is supposed to stand for. I seem to remember Henk suggesting its addition. I'll ask him to define it.

Section 2

- I think it is worth pointing to definitions of words like "Entry" or "Feed" in whichever RFC they are defined.

>Entry and Feed are both defined in the ROLIE Core RFC8322, I'll add an explicit statement for that.

Section 3

- Drop "This" at the beginning of the second sentence


- While I agree with your second sentence, I wonder if we can back it up. Is there a source for this information?

>I'm struggling to find a source. I've changed it to "significant portion", which is closer to a truism.

- In the third sentence, I think that a device can have a secure and managed OS and still not have good representation of the other software on the device.

> I've added "with strict software whitelisting" to the secure and managed OS. My idea was to refer to secure OSes where software is infrequently, if ever, installed beyond the original deployment.

- Expand SWID on first use (which is actually in the Abstract, I just noticed it when I got to Section 3. I think you could make the argument that you don't want to make the abstract longer than necessary, and so choose to expand it here, though)

- drop comma in first sentence, second paragraph, between "format" and "expressed"

> Done

Section 4

- last sentence first paragraph requires no commas

- in the list of things software-descriptor information can do, the first two items in the list begin with full sentences. The remaining item, as well as all the items in the non-exhaustive list below it, start with a sentence fragment. I personally prefer the style that begins with the sentence fragments, and suggest editing items one and two to match that style

- bullet that begins "Version and patching information" is incomplete

- bullet that begins "Vendor or source information" -drop the word "from"

- bullet that begins "descriptive information and data"- expand the acronym OSs

>Fixed all the above

- The two paragraphs after the non-exhaustive list both start out asking the reader to note something. Maybe more appropriate for the first of these paragraph than the second.

>I've simply removed the first of the two paragraphs, since we already mention that the list is non-exhaustive.

Section 5.1

- I can't be sure, but I think there's an extra space between "As such" and the following comma

>At least in my editor there is no space. I'll keep an eye on it.

Section 6.1.1

- spacing is inconsistent within the bulleted list

Section 6.1.2

- second bullet drop "as" in "as per"

- in the SWID Tag Entry requirements list, second bullet, drop "for" in "This allows for"

>Fixed the above

- in the SWID Tag Entry requirements third bullet, "this field aids ROLIE consumers in search and filtering Entries" doesn't flow well. Maybe "This helps ROLIE consumers search and filter entries"

>Yeah that sounds better, updated

- in the SWID Tag Entry requirements fourth bullet, "it's" -> "its"

Section 6.2.1

- second sentence, "This provides" -> "CBOR provides"

- third sentence, "It provides" -> "COSWID provides"

Section 6.2.2

- second bullet, "as per" -> "per"

- in the COSWID Tag Entry requirements list, second bullet, drop "for" in "This allows for"

- in the COSWID Tag Entry requirements third bullet, edit to "This helps ROLIE consumers search and filter entries"

>Fixed all the above

Section 7

- Why are these relationships required if they are only used in edge cases? Alternatively, why not create registries for all required elements of the format?

>They are niche in the context of the link relation IANA table, which covers the entire internet. Additionally "supporting" these link relations in your implementation shouldn't actually take any work at all (barring some extremely strict implementation, thus the requirement)

- Maybe I do not fully understand what you mean, but the sentence "These relations come in related pairs" seems odd. I think "related" is unnecessary, and I cannot tell if "relations" should be "relationships".

>This entire sentence is actually pretty confusing and I'm not convinced it actually says anything that matters. I'm just going to remove it.

- the chart would be easier to read with more whitespace between the descriptions, as well as an ascii indicator of which pairs go together (I know, it is obvious, but readability is a thing)

>I'll take a look at this

- in description of "patches vulnerability", "are describing" -> "describes"

Section 9

- second paragraph, "should have been" -> "should be"

- fourth paragraph, "utilized" -> "used"

Section 10

- why no link in SWID tag reference?

>Fixed the above

Stephen Banghart

From: sacm on behalf of Jessica Fitzgerald-McKay
Sent: Wednesday, March 27, 2019 11:12 AM
Subject: [sacm] ROLIE Software Descriptor Review

I reviewed version -06 of this ID. It looked very good to me. What follows is mostly a long list of nits, in which I quibble over Stephen's use of commas.
I'm happy to discuss any of these suggestions. Once these revisions are made, I think this document is ready for WGLC.

[snip, replicated above]