Re: [Suit] How are firmware and firmware versions expressed in manifest?

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 09 June 2020 07:21 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Eliot Lear <lear@cisco.com>
CC: Michael Richardson <mcr@sandelman.ca>, Dick Brooks <dick@reliableenergyanalytics.com>, "suit@ietf.org" <suit@ietf.org>
Date: Tue, 9 Jun 2020 07:21:43 +0000
Message-ID: <AM0PR08MB37169FEF72412DE604B7CD09FA820@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM0PR08MB371631B7C1E6B50DCA29049AFA880@AM0PR08MB3716.eurprd08.prod.outlook.com> <8b6d01d639d0$62614150$2723c3f0$@reliableenergyanalytics.com> <AM0PR08MB37166AD36B5AA36EA7D7CA9BFA890@AM0PR08MB3716.eurprd08.prod.outlook.com> <20437.1591317129@localhost> <1076601d63b3a$d53f5d90$7fbe18b0$@reliableenergyanalytics.com> <BF5D5E46-4A7C-44A7-8554-5DE1E03A3F21@cisco.com> <AM0PR08MB3716C555048993639B14D76FFA860@AM0PR08MB3716.eurprd08.prod.outlook.com> <5820.1591393073@localhost> <AM0PR08MB3716939E832E5483CB8575EBFA870@AM0PR08MB3716.eurprd08.prod.outlook.com> <04B8CB97-9BB2-49CC-A3EB-875596C1B134@cisco.com> <AM0PR08MB371644959A30C6390D4EE480FA870@AM0PR08MB3716.eurprd08.prod.outlook.com> <4dfd0498-85fb-fe94-11d5-66f1375126e8@sit.fraunhofer.de>
In-Reply-To: <4dfd0498-85fb-fe94-11d5-66f1375126e8@sit.fraunhofer.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/nEPns1Y9ZjjBlmmSGmZeUM8rfmQ>
List-Id: Software Updates for Internet of Things <suit.ietf.org>

Thanks, Henk, for sharing your views on this subject.

In the manifest we currently allow various pieces of information to be conveyed. Those are placed in severable fields, i.e. fields that can be removed from the manifest prior to forwarding it to the IoT device (without impacting the security wrapper).

We have extension points in the manifest (in the envelope to be more precise) to get other "encodings" / "formats" added in the future.

It sounds to me that this entire idea of describing software on a device is still a work in progress and further work is needed. Luckily, there is nothing in the manifest that depends on the progress of this work. It would still be good, maybe in a separate document, to explain how this COSWID & co is supposed to provide extra value.

Ciao
Hannes

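The severable fields Hannes refers to above are the part of the SUIT design that lets supplementary descriptions (the text section, or a CoSWID/SBOM-style member) be dropped before forwarding without breaking the security wrapper: the signed manifest carries only a digest of each severable member, and the member itself rides alongside in the envelope. The following Python is an added illustration of that mechanism, not code from the thread or from the SUIT reference implementation. It uses JSON with sorted keys in place of CBOR, an HMAC in place of the COSE signature, and the member names "text" and "coswid" plus all sample values are constructed for the demo.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed demo key. A real SUIT envelope carries a COSE signature in the
# authentication wrapper; an HMAC is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(obj):
    """Deterministic serialisation (stand-in for the CBOR bytes a real manifest digests)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj):
    """SHA-256 over the canonical form, playing the role of SUIT_Digest."""
    return hashlib.sha256(canonical(obj)).hexdigest()


def wrapper_mac(manifest):
    """Authentication wrapper over the manifest only (stand-in for COSE_Sign1)."""
    return hmac.new(DEMO_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def build_envelope(manifest_core, severable):
    """Build an envelope whose signed manifest holds only digests of severable members.

    Because the wrapper covers the manifest alone, a distributor can later remove
    any severable member without invalidating the signature; the device still
    checks each member it does receive against the digest inside the manifest.
    """
    manifest = deepcopy(manifest_core)
    manifest["severable-digests"] = {name: digest(body) for name, body in severable.items()}
    return {"authentication-wrapper": wrapper_mac(manifest), "manifest": manifest, **severable}


def sever(envelope, *names):
    """Drop the named severable members, e.g. before forwarding to a constrained device."""
    return {k: v for k, v in envelope.items() if k not in names}


def verify(envelope):
    """Return (wrapper_ok, {member: digest_ok}) for the members actually present."""
    manifest = envelope["manifest"]
    wrapper_ok = hmac.compare_digest(wrapper_mac(manifest), envelope["authentication-wrapper"])
    members = {}
    for name, expected in manifest["severable-digests"].items():
        if name in envelope:  # severed members are simply absent, not a failure
            members[name] = digest(envelope[name]) == expected
    return wrapper_ok, members


def demo():
    """Worked run on constructed data; returns the verification outcome of three variants."""
    manifest_core = {"manifest-version": 1, "sequence-number": 7, "components": [["firmware"]]}
    severable = {
        "text": {"firmware": {"description": "constructed sample text section"}},
        "coswid": {"software-name": "libcurl", "software-version": "1.0.2"},  # constructed
    }
    full = build_envelope(manifest_core, severable)
    trimmed = sever(full, "text", "coswid")          # signature must survive severing
    tampered = deepcopy(full)
    tampered["coswid"]["software-version"] = "1.0.3"  # edit outside the signed manifest
    return {"full": verify(full), "severed": verify(trimmed), "tampered": verify(tampered)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The tampered case is the point worth noticing: the wrapper still verifies because the edited member is outside the signed manifest, so a recipient that trusts a CoSWID/SBOM member must check it against the manifest's digest rather than rely on the wrapper alone.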

-----Original Message-----
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Sent: Saturday, June 6, 2020 7:00 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Eliot Lear <lear@cisco.com>
Cc: Michael Richardson <mcr@sandelman.ca>; Dick Brooks <dick@reliableenergyanalytics.com>; suit@ietf.org
Subject: Re: [Suit] How are firmware and firmware versions expressed in manifest?

Hi all,

My preliminary comment about this (as my previous comment seems to have been gobbled up by something) is basically this:

Yes. In summary (my previous, gobbled up comment was more elaborate):

* SBOM seems to be a sub-set of CoSWID, and
* a co-author of CoSWID is a member of the NTIA SBOM group.

Effectively, as I tried to post previously, I am looking at this:

> Performing program introspection for risks...
> *************** PROPERTIES *******************
> ----> Manufacturer : Microsoft
> ----> ProductCode : {B6B7DDDB-1FF6-47F6-AB32-457052610E19}
> ----> ProductName : PowerToys (Preview) ProductVersion : 0.15.2
> *************** FILES AND COMPONENTS *******************
> ----> Executable; FileName:  ruguzy_l.exe|PowerToys.exe  in module:
> powertoys_exe
> ----> Executable; FileName:  h-ey7k2x.exe|PowerToysSettings.exe  in module:
> settings_exe
> ----> Executable; FileName:  syxida6a.dll|Notifications.dll  in module:
> notifications_dll

I am rather sure that CoSWID can represent exactly this sub-set of application context. In general, CoSWID is more on the semantic inter-operational side of things (in contrast to SBOM). In essence, CoSWID can express this SBOM context. The question here is (I think) whether SBOM efforts intend to go down into this lane of representation context.

We can talk more about this. But while CoSWID in fact incorporates the SBOM context, I wonder if the strict prescriptions of CoSWID are in fact appropriate for the rather loose context of expressiveness of SBOM.

If your target of SBOM is - effectually - resilient and reliable post-processing, then CoSWID seems to be a viable candidate.

If your goal is to convey a rather unspecified set of software components via a loose set of attributes (which I think SBOM is all about today), CoSWID seems to be way too specific due to the corresponding goal of semantic interoperability. Please correct me if I am wrong here.

Best regards,

Henk




On 06.06.20 12:03, Hannes Tschofenig wrote:
> Thanks, Eliot. This is very useful background on the terminology. I
> have heard about this NTIA effort but didn't follow it.
>
> I am not surprised that you already wrote a draft about it. Thanks for
> the pointer.
>
> Ciao
>
> Hannes
>
> PS: I am still wondering how COSWID fits into all of this now.
>
> *From:* Eliot Lear <lear@cisco.com>
> *Sent:* Saturday, June 6, 2020 11:04 AM
> *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> *Cc:* Michael Richardson <mcr@sandelman.ca>; Dick Brooks
> <dick@reliableenergyanalytics.com>; suit@ietf.org; Henk Birkholz
> <henk.birkholz@sit.fraunhofer.de>
> *Subject:* Re: [Suit] How are firmware and firmware versions expressed
> in manifest?
>
> The NTIA is conducting an effort related to this known as SBOM
> (Software Bill of Materials).  They are in trials with healthcare
> delivery organizations (HDOs), medical device manufacturers (MDMs) and
> software providers, including people from the Linux Foundation.  There
> are several different formats discussed, including Software ID Tags
> (SWID) (ISO-19770) and Software Package Data Exchange (SPDX) which
> looks very much like what you showed, Dick.  NTIA takes no position on
> what formats are used.  NIST is planning to move toward SWID as they
> transition away from the structure used in the National Vulnerability
> Database (NVD).  I take no position on which of these formats is
> better, so long as a downstream consumer can easily determine which
> format is being presented ;-)
>
> The goal of SBOM is to provide transparency throughout the supply
> chain as to what is running on an IoT device.  SBOMs at a minimum are
> intended to provide a manifest, and then optionally some additional
> stuff like a dependency graph, licensing information, and maybe some
> additional security attributes such as access requirements, and links
> assertions about whether a particular component has a vulnerability or
> has been patched.
>
> The US FDA is planning to require SBOMs as a part of pre-sales
> qualification.
>
> There are great many open issues with regard to SBOMs, some of which
> this group and the TEEP folk may wish to pursue.  The biggest issue is
> around naming.  When referring to Java, is that com.sun.java or
> com.oracle.java or does it matter?  When referring to a supplier, is
> that IBM or Red Hat (or if it’s REALLY old software, Cygnus)?
>
> A similar issue arises with versioning.  Is that openssl 1.0.1 version
> patched or unpatched and how does one know?
>
> Another issue is how an SBOM is retrieved.  What is its well known
> location?  Does the BOM reside on the device, and is there an
> interface to retrieve it?  If not, where else is it?  Is it even retrievable?
> Does it require permissions to do so if it resides at a vendor
> locale, and if so, how is versioning managed?
>
> This is the basis for draft-lear-opsawg-mud-sbom-00.txt that Scott
> Rose from NIST and I put together, and would like to present at
> opsawg.  The goal of that draft is simply a means of discovery to
> determine how to retrieve an SBOM.  An example of how one would use
> this extension for an on-the-box approach in its simplest form would
> be that the manufacturer advertises a RESTful interface at
> /.well-known/sbom and returns its favorite format (let’s say SPDX).
> The back end interface could be as simple as 'cat
> /var/lib/dpkg/installed' or perhaps a bit more complex using a more
> secure interface to retrieve a signed manifest.
>
> Anyway, I provide this information mostly without fully understanding
> the context here, but it seems relevant, given the line of discussion.
> NTIA project information can be found at
> https://www.ntia.doc.gov/SoftwareTransparency.
>
> Eliot
>
>
>
>     On 6 Jun 2020, at 10:19, Hannes Tschofenig
>     <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote:
>
>     I think the BOM terminology is misleading because hardware is not
>     software. The bill of material to produce an IoT product typically
>     does not change (unless you desolder parts) while the software and
>     configuration will regularly change.
>
>     Leaving that aside, I believe someone active in COSWID needs to
>     clarify what COSWID does. My understanding was that it documents the
>     software libraries on devices. Whether it would be " libcurl 1.0.2"
>     alone or all the libraries that are used to build "libcurl 1.0.2" is
>     a granularity question that the COSWID specs should / could also
>     answer. That's why I thought it would be useful to have it included
>     in the manifest (as supplementary information; as a severable field).
>
>     If COSWID does not do this then someone needs to explain to me what
>     purpose it serves.
>
>     Ciao
>     Hannes
>
>     -----Original Message-----
>     From: Michael Richardson <mcr@sandelman.ca <mailto:mcr@sandelman.ca>>
>     Sent: Friday, June 5, 2020 11:38 PM
>     To: Hannes Tschofenig <Hannes.Tschofenig@arm.com
>     <mailto:Hannes.Tschofenig@arm.com>>
>     Cc: Eliot Lear <lear@cisco.com <mailto:lear@cisco.com>>; Dick Brooks
>     <dick@reliableenergyanalytics.com
>     <mailto:dick@reliableenergyanalytics.com>>; suit@ietf.org
>     <mailto:suit@ietf.org>; Saad EL JAOUHARI <saadeljaou@gmail.com
>     <mailto:saadeljaou@gmail.com>>; Henk Birkholz
>     <henk.birkholz@sit.fraunhofer.de
>     <mailto:henk.birkholz@sit.fraunhofer.de>>
>     Subject: Re: [Suit] How are firmware and firmware versions expressed
>     in manifest?
>
>
>     Hannes Tschofenig <Hannes.Tschofenig@arm.com
>     <mailto:Hannes.Tschofenig@arm.com>> wrote:
>
>         FWIW I thought that COSWID would provide information about the
>         software
>         libraries on a device.
>
>
>     No, AFAIK, it just identifies the materials. (i.e. "libcurl 1.0.2")
>
>     Assembling them into a BOM requires another process:
>       "curl 1.0.2" contains "libcurl 1.0.2", "curl-main",
>                             "libssl 1.1.1f", "glibc 2.19", "pcre 1.0.2"
>
>     I could misunderstand though.
>
>     --
>     ]               Never tell me the odds!                 | ipv6 mesh
>     networks [
>     ]   Michael Richardson, Sandelman Software Works        |    IoT
>     architect   [
>     ] mcr@sandelman.ca <mailto:mcr@sandelman.ca>
>     http://www.sandelman.ca/        |   ruby on rails    [
>
>     IMPORTANT NOTICE: The contents of this email and any attachments are
>     confidential and may also be privileged. If you are not the intended
>     recipient, please notify the sender immediately and do not disclose
>     the contents to any other person, use it for any purpose, or store
>     or copy the information in any medium. Thank you.