Re: [sacm] [sacmwg/draft-ietf-sacm-coswid] tasks assigned to Henk and Charles (#45)
Henk Birkholz <notifications@github.com> Mon, 18 October 2021 14:12 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/zChRiP9kR5CdRAn5KrS6zYSVHt4>
@henkbirkholz commented on this pull request.
> @@ -1641,28 +1639,30 @@ A signed CoSWID tag (see {{coswid-cose}}) whose signature has been validated can
When an authoritative tag is signed, the originator of the signature can be verified. A trustworthy association between the signature and the originator of the signature can be established via trust anchors. A certification path between a trust anchor and a certificate including a public key enabling the validation of a tag signature can realize the assessment of trustworthiness of an authoritative tag. Verifying that the software provider is the signer is a different matter. This requires an association between the signature and the tag's entity item associated corresponding to the software provider. No mechanism is defined in this draft to make this association; therefore, this association will need to be handled by local policy.
+Loss of control of signing credentials used to sign CoSWID tags would create doubt about the authenticity and integrity of any CoSWID tags signed using the compromised keys. In such cases, the legitimate tag signer (namely, the software provider for an authoritative CoSWID tag) can simply employ uncompromised signing credentials to create a new signature on the original tag. The tag version number would not be incremented since the tag itself was not modified. Consumers of CoSWID tags would need to validate the tag using the new credentials and would also need to revoke certificates associated with the compromised credentials to avoid validating tags signed with them. The process for doing this is beyond the scope of this specification.
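Review bot: the fourth sentence of the added paragraph says consumers "would also need to revoke certificates associated with the compromised credentials", but revocation is performed by the certificate's issuer at the request of the key holder; a consumer can only check revocation status or remove the affected certificates from its own trust store. Suggest rewording along the lines of "would need to stop accepting signatures made with the compromised credentials, for example by checking certificate revocation status". Because the text also states that the tag version number is not incremented, the re-signed tag and any copy signed with the compromised key carry the same payload, so it is worth saying explicitly that only the signature distinguishes them. The word "simply" in the second sentence can be dropped.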
ack
> @@ -1692,6 +1692,10 @@ providers are unlikely to do this, CoSWID tags can be created by any party and t
collected from an endpoint could contain a mixture of vendor and non-vendor created tags. For this
reason, a CoSWID tag might contain potentially malicious content. Input sanitization, loop detection, and signature verification are ways that implementations can address this concern.
+# Privacy Consideration
+
+As noted in {{sec-sec}}, collected information about an endpoint's software load, such as might be represented by an endpoints CoSWID tag collection, could be used to identify vulnerable software for attack. Collections of endpoint software information also can have privacy implications for users. The set of application a user installs can give clues to personal matters such as political affiliation, banking and investments, gender, sexual orientation, medical concerns, etc. While the collection of CoSWID tags on an endpoint wouldn't increase the privacy risk (since a party able to view those tags could also view the applications themselves), if those CoSWID tags are gathered and stored in a repository somewhere, visibility into the repository now also gives visibility into a user's application collection. For this reason, repositories of collected CoSWID tags not only need to be protected against collection by malicious parties, but even authorized parties will need to be vetted and made aware of privacy responsibilities associated with having access to this information. Likewise, users should be made aware that their software inventories are being collected from endpoints.
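Review bot: the new heading "# Privacy Consideration" should be plural, "Privacy Considerations", which is the usual title for this section in RFCs. Wording nits in the paragraph: "an endpoints CoSWID tag collection" needs the possessive "endpoint's", and "The set of application a user installs" should read "applications". The closing requirements ("will need to be vetted and made aware", "users should be made aware") are in the passive and do not say who is responsible; naming the party that operates the repository or performs the collection would make them actionable.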
ack
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/sacmwg/draft-ietf-sacm-coswid/pull/45#discussion_r730964575