[SCITT] Question regarding changes to the Vendor Response File format (now IETF property)

Dick Brooks <dick@reliableenergyanalytics.com> Sun, 14 April 2024 11:59 UTC

Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: scitt@ietf.org
Date: Sun, 14 Apr 2024 07:58:57 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <1792a01da8e63$24605350$6d20f9f0$@reliableenergyanalytics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/XDeZdxUsf2gCPfc2fNVgLv0ocqs>

Hello Everyone,

I will be presenting to a US Government Agency tomorrow showing how a
software supplier can satisfy the new US Government secure software
attestation requirements using CISA's RSAA repository and the "Secure
Software Attestation Form". The process I will demonstrate includes the
uploading of the attestation form along with other artifacts, including
SBOMs, VDRs, and a Vendor Response File, like the one we demo'd in SF at
IETF 117.

I will share my slides after the presentation on 4/15; if anyone is
interested, please email me directly - I will not post the slides on the
IETF list.

One item that appears to be missing from the VRF, under the "Product"
section (see XML schema for VRF structure), is a "DescriptionURL", which
contains a link to a product description.

Would there be any objection to adding a "DescriptionURL" to the VRF Schema
within the Product structure?

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!
https://reliableenergyanalytics.com/products

http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788
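Added example, not part of Dick Brooks's message and not code from the VRF project: a Python check for the proposed DescriptionURL element. The VRF XML schema is not reproduced on this page, so the element names VendorResponseFile, Product, Name and DescriptionURL, the optional-element assumption and the sample file below are all constructed for this example. The point it makes is that a URL published inside an attestation artifact is untrusted input that downstream consumers will follow, so a consumer should restrict it to https with a real host and reject embedded credentials, odd schemes and control characters before using it.

```python
"""Check a DescriptionURL inside the Product section of a Vendor Response File.

Assumption: the element names (VendorResponseFile, Product, Name,
DescriptionURL) are hypothetical; the real VRF schema is not reproduced here.
DescriptionURL is assumed optional, so a Product without one is acceptable.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample file, not a real vendor's VRF. Three products: a clean
# https link, an http link carrying credentials, and one with no link at all.
SAMPLE_VRF = """\
<VendorResponseFile>
  <Product>
    <Name>GoodWidget</Name>
    <DescriptionURL>https://vendor.example/products/goodwidget</DescriptionURL>
  </Product>
  <Product>
    <Name>OddWidget</Name>
    <DescriptionURL>http://user:pass@vendor.example/odd</DescriptionURL>
  </Product>
  <Product>
    <Name>QuietWidget</Name>
  </Product>
</VendorResponseFile>
"""

# Only https is accepted: the link will be followed by people and tooling
# that trust the artifact, so plain http, file:, javascript: etc. are refused.
ALLOWED_SCHEMES = {"https"}
_CONTROL_OR_SPACE = re.compile(r"[\s\x00-\x1f\x7f]")


def check_description_url(url):
    """Return a list of problems with a DescriptionURL; an empty list means acceptable."""
    problems = []
    if _CONTROL_OR_SPACE.search(url):
        problems.append("contains whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allowed (expected https)")
    if not parts.hostname:
        problems.append("missing host")
    if parts.username is not None or parts.password is not None:
        problems.append("embedded credentials in authority")
    return problems


def description_urls(xml_text):
    """Map each Product/Name to (DescriptionURL or None, list of problems).

    The stdlib parser is fine for this constructed sample; for a VRF received
    from an untrusted party, parse with defusedxml to block entity-expansion
    attacks.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for product in root.findall("Product"):
        name = product.findtext("Name", default="<unnamed>")
        url = product.findtext("DescriptionURL")
        if url is None:
            result[name] = (None, [])  # optional element absent: acceptable
        else:
            url = url.strip()
            result[name] = (url, check_description_url(url))
    return result


if __name__ == "__main__":
    for name, (url, problems) in description_urls(SAMPLE_VRF).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name}: {url!r} -> {status}")
```

Run as a script it reports GoodWidget as ok, QuietWidget as ok with no URL, and flags OddWidget for both its http scheme and the embedded credentials. Whatever name the element ends up with in the schema, the consumer-side check is the part worth keeping.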