Re: [Suit] Ripple20

Dick Brooks, Tue, 16 June 2020 17:12 UTC

From: "Dick Brooks" <>
To: "'Eliot Lear'" <>, "'Russ Housley'" <>
Cc: "'suit'" <>
Date: Tue, 16 Jun 2020 13:12:00 -0400
Organization: Reliable Energy Analytics
Message-ID: <44c701d64401$415e3f40$c41abdc0$>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_44C8_01D643DF.BA4FAC80"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQG+wxrzAypCg1McIomWLtn0vlY2pAG9USWcqPyO9YA=
Content-Language: en-us
Subject: Re: [Suit] Ripple20
List-Id: Software Updates for Internet of Things <>



I want to thank you for pointing me to the NTIA SBOM work. I
spoke with Allan Friedman of NTIA this morning. I explained the importance
of having SBOM metadata aligned with CVE database vendors to enable
automated CVE searches that should produce a better signal/noise ratio as
part of a risk assessment supporting NERC CIP-010-3 R1, Part 1.6 (software
verification). Today's CVE search results produce a significant number of
false positives, rendering them nearly useless.


FYI:  I've offered to assist NTIA within the energy industry, hopefully
starting with a communication to DOE regarding the 5/1 emergency Executive
Order on cybersecurity and the potential benefits of an SBOM.





Dick Brooks

Never trust software, always verify and report!



Tel: +1 978-696-1788
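
The signal/noise point in the message above, shown in code. This is an added example, not code from the thread, from NTIA, or from any CVE database vendor: a keyword search on component names is placed beside an exact match on CPE 2.3 vendor and product fields followed by a version-range check, so that the false positives the keyword search produces can be counted. The components, advisories and CVE identifiers are constructed for the illustration (the CVE numbers are deliberately not real entries), and the SBOM is assumed to carry a CPE 2.3 string per component, which is the alignment being argued for.

```python
"""
Constructed SBOM-to-advisory matching example (not from the SUIT thread).

Compares a keyword search on component names with an exact match on the
vendor/product fields of a CPE 2.3 identifier plus a version-range check.
Every component, advisory and CVE ID below is made up for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str       # component name as written in the SBOM
    version: str    # version as written in the SBOM
    cpe: str        # CPE 2.3 string supplied with the SBOM entry (assumed present)


@dataclass(frozen=True)
class Advisory:
    cve_id: str                             # constructed identifier, not a real CVE
    cpe: str                                # affected product; version field left as '*'
    version_end_including: Optional[str]    # None means every version is affected


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields.

    CPE 2.3 escapes a literal colon inside a field as a backslash followed
    by a colon, so split only on colons that are not preceded by a backslash.
    """
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    names = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(names, fields[2:]))


def version_key(version: str) -> tuple:
    """Tokenise a version so 1.1.1g > 1.1.1f and 7.70.0 < 7.71.0 under tuple comparison."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def normalise(name: str) -> str:
    """Lower-case and drop punctuation so 'openssl-gui' and 'openssl_gui' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def match_by_name(components, advisories) -> set:
    """Keyword-style search: the component name occurs in the advisory's product name."""
    hits = set()
    for comp in components:
        needle = normalise(comp.name)
        for adv in advisories:
            if needle and needle in normalise(parse_cpe(adv.cpe)["product"]):
                hits.add((comp.name, adv.cve_id))
    return hits


def match_by_cpe(components, advisories) -> set:
    """Exact vendor and product match on CPE fields, then a version-range check."""
    hits = set()
    for comp in components:
        c = parse_cpe(comp.cpe)
        for adv in advisories:
            a = parse_cpe(adv.cpe)
            if (c["vendor"], c["product"]) != (a["vendor"], a["product"]):
                continue
            if (adv.version_end_including is not None
                    and version_key(comp.version) > version_key(adv.version_end_including)):
                continue  # the shipped version is newer than the last affected one
            hits.add((comp.name, adv.cve_id))
    return hits


def false_positives(components, advisories) -> set:
    """Pairs the keyword search reports that the aligned match does not."""
    return match_by_name(components, advisories) - match_by_cpe(components, advisories)


# Constructed SBOM entries (not a real product's bill of materials).
COMPONENTS = [
    Component("openssl", "1.1.1g", "cpe:2.3:a:openssl:openssl:1.1.1g:*:*:*:*:*:*:*"),
    Component("net", "3.4.0", "cpe:2.3:a:examplecorp:net:3.4.0:*:*:*:*:*:*:*"),
    Component("curl", "7.70.0", "cpe:2.3:a:haxx:curl:7.70.0:*:*:*:*:*:*:*"),
]

# Constructed advisories; the CVE numbers are placeholders, not real records.
ADVISORIES = [
    Advisory("CVE-0000-00001", "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "1.1.1f"),     # fixed before our build
    Advisory("CVE-0000-00002", "cpe:2.3:a:othervendor:netstack:*:*:*:*:*:*:*:*", None),   # unrelated product
    Advisory("CVE-0000-00003", "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "7.71.0"),          # genuinely affected
    Advisory("CVE-0000-00004", "cpe:2.3:a:acme:openssl_gui:*:*:*:*:*:*:*:*", None),       # shares a keyword only
]

if __name__ == "__main__":
    print("keyword search:", sorted(match_by_name(COMPONENTS, ADVISORIES)))
    print("CPE-aligned:   ", sorted(match_by_cpe(COMPONENTS, ADVISORIES)))
    print("false positives:", sorted(false_positives(COMPONENTS, ADVISORIES)))
```

On this constructed input the keyword search returns four pairs and the CPE-aligned match returns one, the curl entry; the other three are the patched OpenSSL version, a different vendor's "netstack", and an unrelated product that merely contains the word "openssl". The version check relies on the SBOM recording the exact shipped version; if it records only a major version the aligned match degrades toward the keyword result.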


From: Suit <> On Behalf Of Eliot Lear
Sent: Tuesday, June 16, 2020 12:39 PM
To: Russ Housley <>
Cc: suit <>
Subject: Re: [Suit] Ripple20


Thanks for passing that along, Russ.  This is also an interesting test case
for the discussion that we just had re SBOM.  The focus of that work has
largely been on OSS.  Well.



On 16 Jun 2020, at 18:22, Russ Housley wrote:


Just in case anyone forgot why SUIT is so important to the IoT ecosystem...





Suit mailing list <>