Re: [Uri-review] swid and swidpath URI scheme registration request

Ted Hardie <ted.ietf@gmail.com> Wed, 13 October 2021 10:21 UTC

From: Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 13 Oct 2021 11:20:36 +0100
Message-ID: <CA+9kkMBawk1FX7xbFY9P-qioOxU+_hWD2JJFJ=jnd__g7Gv8zA@mail.gmail.com>
To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
Cc: "iana@iana.org" <iana@iana.org>, "uri-review@ietf.org" <uri-review@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uri-review/-QTjyzTHRu3wg6Kt8V58ddhQpY8>

Hi Dave,

Thanks for the reply and sorry for the delay in my response.

First, I believe the specification would benefit from additional text
laying out these rules.

Second, I believe it is legal according to what you describe for someone to
construct a free-form text id that looks like a UUID (not bright,
obviously, but legal).  Since the format doesn't have a flag to indicate
which of the forms is in use, I believe that means you also need a security
consideration to note that the URL taking the form of a UUID does not
guarantee the same statistical likelihood of uniqueness that you would
expect in a GUID.

Lastly, I believe it would be valuable to call out explicitly that you are
expecting percent encoding for IDN domain names and what to do if you
encounter a domain name that uses the ASCII-compatible encoding (so, xn--
etc.).  It's fine to say "nothing", that this is also acceptable, but
otherwise some implementations might attempt to convert it back to Unicode
and then percent encode it before comparison.

best regards,

Ted Hardie



On Fri, Oct 8, 2021 at 8:01 PM Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:

> Ted,
>
> These schemes will be used in the link structure of a coswid (see section
> 2.7). In a link the href is represented as text. The structure of the text
> would not need to be parsed, so a textual comparison I believe is
> appropriate.
>
> The text string form would be percent encoded as you indicated. The UUID
> form would follow the "UUID" BNF defined in RFC4122 in section 3 and would
> also be represented as text.
>
> If the text string contains Unicode characters, the codepoint would need
> to be converted to a byte sequence in UTF-8 and then each byte would be
> encoded per RFC3986 section 2.5.
>
> Regards,
>
> Dave
>
> From: Ted Hardie <ted.ietf@gmail.com>
> Sent: Friday, October 8, 2021 11:29 AM
> To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>
> Cc: iana@iana.org; uri-review@ietf.org; sacm@ietf.org
> Subject: Re: [Uri-review] swid and swidpath URI scheme registration request
>
> Hi David,
>
> My apologies, but I think I'm missing part of the scheme definition.  In
> Section 5.1, I see:
>
>
>    For URIs that use the "swid" scheme, the scheme specific part MUST
>    consist of a referenced software tag's tag-id.  This tag-id MUST be
>    URI encoded according to [RFC3986] Section 2.1.
>
>    The following expression is a valid example:
>
>    swid:2df9de35-0aff-4a86-ace6-f7dddd1ade4c
>
> I would have typically expected an ABNF production for the tag-id.
> Instead, I see the following:
>
>    tag-id (index 0): A 16 byte binary string or textual identifier
>       uniquely referencing a software component.  The tag identifier
>       MUST be globally unique.  If represented as a 16 byte binary
>       string, the identifier MUST be a valid universally unique
>       identifier as defined by [RFC4122].  There are no strict
>       guidelines on how this identifier is structured, but examples
>       include a 16 byte GUID (e.g. class 4 UUID) [RFC4122], or a text
>       string appended to a DNS domain name to ensure uniqueness across
>       organizations.
>
>
> Given the free-form nature of the text alternative, do I understand
> correctly you intend to percent encode any reserved character?  Is this
> still the case if the DNS domain name is an IDN?
>
> Since the text format subsumes the UUID format, is there a presumption
> that the equivalence rules for text are always preferred to the arithmetic
> equivalence rules that UUIDs may use?
>
> regards,
>
> Ted Hardie
>
> On Fri, Oct 8, 2021 at 3:18 PM Waltermire, David A. (Fed)
> <david.waltermire=40nist.gov@dmarc.ietf.org> wrote:
>
> This request is for the registrations of the "swid" and "swidpath" schemes
> defined in sections 6.6.1 and 6.6.2 of
> https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/18/ .
>
> Please let us know if there are any questions or concerns.
>
> Regards,
>
> Dave Waltermire
>
> _______________________________________________
> Uri-review mailing list
> Uri-review@ietf.org
> https://www.ietf.org/mailman/listinfo/uri-review
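The rules Dave lays out in the quoted reply (UUID text form per RFC 4122 section 3, UTF-8 then percent-encoding per RFC 3986 for the textual form, plain textual comparison of the href) and the three points Ted raises, worked through as an added example. This code is not part of the CoSWID draft or of this thread; the function names, the constructed sample tag-ids and the behaviour of `idn_normalized` (one guess at what an implementation might do when the spec is silent on xn-- labels) are this example's own assumptions. The UUID value is the one the draft's own example uses.

```python
"""Added example (not from the CoSWID draft or this thread): build swid: URIs
from a tag-id and compare them under the rules discussed in the thread.
All function names are this example's own, not the draft's."""
import re
import uuid
from urllib.parse import quote, unquote

# RFC 3986 section 2.3: unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~".
# urllib.parse.quote never encodes ALPHA/DIGIT; everything else is encoded,
# so reserved characters such as "/" and ":" become %XX as Ted asked.
UNRESERVED_PUNCT = "-._~"

# RFC 4122 section 3 text form: 8-4-4-4-12 hex digits, hyphen separated.
UUID_TEXT = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def encode_tag_id(tag_id) -> str:
    """Scheme-specific part of a swid: URI for one tag-id.

    bytes (the 16-byte binary form) must be an RFC 4122 UUID and is rendered
    in the RFC 4122 section 3 text form. str (the textual form) is UTF-8
    encoded and every byte outside the unreserved set is percent-encoded,
    which is what Dave describes for Unicode and reserved characters.
    """
    if isinstance(tag_id, bytes):
        if len(tag_id) != 16:
            raise ValueError("binary tag-id must be exactly 16 bytes")
        return str(uuid.UUID(bytes=tag_id))  # lowercase hex, hyphenated
    if isinstance(tag_id, str):
        return quote(tag_id, safe=UNRESERVED_PUNCT, encoding="utf-8")
    raise TypeError("tag-id must be bytes (binary form) or str (text form)")


def swid_uri(tag_id) -> str:
    return "swid:" + encode_tag_id(tag_id)


def scheme_specific_part(uri: str) -> str:
    scheme, sep, ssp = uri.partition(":")
    if sep != ":" or scheme.lower() != "swid":
        raise ValueError("not a swid: URI")
    return ssp


def looks_like_uuid(uri: str) -> bool:
    """True when the scheme-specific part has UUID syntax. The URI carries no
    flag distinguishing the binary form from free text, so this cannot tell
    whether a UUID-shaped tag-id was actually generated as one (Ted's second
    point): a hand-typed text id with this shape is indistinguishable."""
    return UUID_TEXT.match(scheme_specific_part(uri)) is not None


def textual_equal(a: str, b: str) -> bool:
    """The comparison Dave proposes: plain string comparison of the href."""
    return a == b


def uuid_equal(a: str, b: str) -> bool:
    """The arithmetic comparison Ted asks about: parse both scheme-specific
    parts as UUIDs and compare the 128-bit values (hex case is ignored).
    Falls back to textual comparison when either side is not UUID-shaped."""
    if looks_like_uuid(a) and looks_like_uuid(b):
        return uuid.UUID(scheme_specific_part(a)) == uuid.UUID(scheme_specific_part(b))
    return textual_equal(a, b)


def idn_normalized(uri: str) -> str:
    """Assumed behaviour of an implementation that is NOT told 'leave xn--
    labels alone': decode the percent-encoding, turn ACE (xn--) labels back
    into Unicode, and re-encode. Ted's third point is that such a peer will
    disagree with a purely textual comparer about two spellings of one id."""
    text = unquote(scheme_specific_part(uri), encoding="utf-8")
    labels = []
    for label in text.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # not valid punycode; keep the label exactly as written
        labels.append(label)
    return "swid:" + quote(".".join(labels), safe=UNRESERVED_PUNCT, encoding="utf-8")


# Constructed sample inputs for this example (only the UUID value is the draft's).
SAMPLE_UUID = uuid.UUID("2df9de35-0aff-4a86-ace6-f7dddd1ade4c")
TEXT_THAT_LOOKS_LIKE_A_UUID = "2df9de35-0aff-4a86-ace6-f7dddd1ade4c"  # free text, never generated as a UUID
UNICODE_DOMAIN_ID = "acme.例え.jp/product-1"  # text id appended to an IDN, Unicode spelling
ACE_DOMAIN_ID = "acme.例え.jp".encode("idna").decode("ascii") + "/product-1"  # same IDN, xn-- spelling


if __name__ == "__main__":
    print(swid_uri(SAMPLE_UUID.bytes))
    print(swid_uri(TEXT_THAT_LOOKS_LIKE_A_UUID))
    print(swid_uri(UNICODE_DOMAIN_ID))
    print(swid_uri(ACE_DOMAIN_ID))
    print(idn_normalized(swid_uri(ACE_DOMAIN_ID)))
```

Running it shows that a free-form text id spelled like a UUID yields exactly the same URI as the binary form of that UUID (hex digits and hyphens are unreserved, so nothing is percent-encoded and no marker survives to tell the two apart); that textual and UUID-arithmetic comparison disagree as soon as one side uses uppercase hex; and that the percent-encoded Unicode domain and its xn-- form compare unequal as text but equal once an implementation decides to map ACE labels back to Unicode before comparing, which is the divergence Ted asks the draft to rule in or out. Python's idna codec implements IDNA 2003; the mismatch illustrated does not depend on the IDNA version.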