Re: [urn] Namespace Identifier: Requested of IANA - cdx
worley@ariadne.com Wed, 05 January 2022 23:52 UTC
Return-Path: <worley@alum.mit.edu>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 910C83A0C6C for <urn@ietfa.amsl.com>; Wed, 5 Jan 2022 15:52:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.017
X-Spam-Level:
X-Spam-Status: No, score=0.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, PP_MIME_FAKE_ASCII_TEXT=1, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcastmailservice.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVTbW0BKtsbq for <urn@ietfa.amsl.com>; Wed, 5 Jan 2022 15:52:51 -0800 (PST)
Received: from resdmta-c1p-023854.sys.comcast.net (resdmta-c1p-023854.sys.comcast.net [IPv6:2001:558:fd00:56::d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AEF23A0C6B for <urn@ietf.org>; Wed, 5 Jan 2022 15:52:51 -0800 (PST)
Received: from resomta-c1p-023412.sys.comcast.net ([96.102.18.229]) by resdmta-c1p-023854.sys.comcast.net with ESMTP id 5CcgnLEapkmQ05G5Hn2ary; Wed, 05 Jan 2022 23:52:47 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcastmailservice.net; s=20211018a; t=1641426767; bh=V1WqCrOtoNiqKXfmUWz/8N2PjGhAvBnRFy5SHS/7piQ=; h=Received:Received:Received:Received:From:To:Subject:Date: Message-ID; b=KOrp4hKreq8rbRNTrFRffH3erf5D4pYmpoYQ+rk0qYcSQmEV/zJ/8Tlj1eL2HZCYi HDf3t/bXndKiu6Gg5Hy3UjKOqVd8Zbo4lfdzttB88mClR6YCJacyMAJneujlm1Bj/i fFvWRo6B+EdNy5oSO7aCaaMsThv+k7gwvV8A1+9G7MmdX11NW18KVjI4jduUi8iXCs g/EoTE/0XiT55REFhqQDAwY/RBvCf8lP7e1TNIee+y6btookBjLA/muHLp4/mEnGsw IJjYE2sozrtfyKBm7a5/4wftS6YysGVXo6zXM/YBOtOYBPuYRaFi31orH3LNAslqxL spfn4oDqVZGMA==
Received: from hobgoblin.ariadne.com ([IPv6:2601:192:4a00:430::6324]) by resomta-c1p-023412.sys.comcast.net with ESMTPA id 5G5GnnjnSoda05G5GncZnj; Wed, 05 Jan 2022 23:52:47 +0000
X-Xfinity-VMeta: sc=-100.00;st=legit
Received: from hobgoblin.ariadne.com (localhost [127.0.0.1]) by hobgoblin.ariadne.com (8.16.1/8.16.1) with ESMTPS id 205NqjKa516908 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Wed, 5 Jan 2022 18:52:46 -0500
Received: (from worley@localhost) by hobgoblin.ariadne.com (8.16.1/8.16.1/Submit) id 205Nqj8o516905; Wed, 5 Jan 2022 18:52:45 -0500
X-Authentication-Warning: hobgoblin.ariadne.com: worley set sender to worley@alum.mit.edu using -f
From: worley@ariadne.com
To: Patrick Dwyer <patrick.dwyer@owasp.org>
Cc: urn@ietf.org
In-Reply-To: <d3762641-86d3-8ac0-587d-8fb0c702c26e@owasp.org> (patrick.dwyer@owasp.org)
Sender: worley@ariadne.com
Date: Wed, 05 Jan 2022 18:52:45 -0500
Message-ID: <87ee5leo4y.fsf@hobgoblin.ariadne.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/3ARx5cyIPL-K9KhhlJqAMQAmOVo>
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 23:52:56 -0000
I've got a number of editorial nits, and one technical question: Should it revise the syntax of bom-version based on its underlying semantics? ---------- There are some places where the sentence structure is rough, so you probably want someone to copy-edit the text. Patrick Dwyer, on behalf of OWASP CycloneDX You probably want to say "on behalf of OWASP", as CycloneDX isn't an organization. Alternatively, you may want to conceptualize "the CycloneDX project" apart from OWASP, in which case you'd say "on behalf of the CycloneDX project". CycloneDX is an open source software bill of materials OWASP standard. I'm not sure of the significance of "open source" here. Is CycloneDX only applicable to open-source software? Or is the standard somehow open-source? The âcdxâ namespace is used ... Better, 'URNs in the "cdx" namespace are used ...'. CycloneDX also supports âBOM refsâ. BOM refs are unique BOM scoped references to a particular element. A URN with an optional BOM ref f-component can be used to reference an element within another BOM. Referencing a specific element in a BOM is particularly relevant for use cases like describing known vulnerabilities in a component in the context of a particular assembled piece of software or embedded device. This text is interesting, but it seems to me that you'd need quite a bit more description to enable the reader to understand the import of BOM refs. So I think you should trim it back to provide just enough context for why the grammar specifies f-components. Say: CycloneDX also supports âBOM refsâ. A BOM ref is a reference to a particular element within a BOM. A "cdx" URN with an f-component is a BOM ref, with the fragment identifier specifying the element within the BOM identified by the URN. That makes the purpose clear without even getting into the details of what an "element of a BOM" is. bom-version = 1*digit There are a bunch of interesting questions here! As written, bom-version is a string of digits, and "00", "000", "1", and "0001" are all different. Is bom-version intended to denote an integer? If so, what range does the integer have; specifically, does it include zero? If it is intended to be an integer, you should adjust the syntax to permit only the canonical way of writing those integers. CycloneDX URNs are assigned in a decentralised way, using the BOM serial number. CycloneDX BOM serial numbers are unique to a specific BOM. And are version 4 UUID URNs as defined in [RFC4122]. In the first sentence, it would be preferable to say "bom-serial-number-uuid" rather than "BOM serial number", as that is what the grammar says -- unless CycloneDX uses the term "BOM serial number" a lot, in which case I'd change "bom-serial-number-uuid" to "bom-serial-number" in the grammar. In the second sentence, I'd clarify the correspondence between serial numbers and BOMs by making both parts of the sentence singular, "A CycloneDX BOM serial number is unique to a specific BOM." I would clarify the third sentence by saying "A CycloneDX BOM serial number is a version 4 UUID as defined in [RFC4122]." (A BOM serial number *itself* isn't a URN, as it is a UUID [RFC4122] and does not start with "urn:".) Additionally, there are no specification limitations on what information can be included in a âBOM refâ. When using BOM refs for f-components, consideration must be given to any restrictions imposed on sharing of information within a BOM. And what information may âleakâ by including a BOM ref as an f-component in a CycloneDX URN. For producers of BOMs who have high confidentiality requirements it is recommended to use UUIDs for BOM refs. I'm not clear what exactly counts as a "BOM ref" -- Is it the URN-with-f-component, or is it just the f-component? Or is it the abstract concept and we also use the term vaguely to mean both the URN-with-f-component and f-component? It might be better to limit this paragraph to talking about f-components to avoid any complications: Additionally, there are no specification limitations beyond [RFC3986] on what can be included the f-component. Given that f-components may be published in CyclineDX URNs, producers of BOMs should avoid using any value on which there are sharing restrictions. For producers of BOMs who have high confidentiality requirements, it is recommended to use UUIDs for f-components. -- Although CycloneDX BOMs already use a UUID URN to identify a BOM this information isnât sufficient when referencing a BOM. A particular BOM may be revised over time. Especially in the case of legacy software as mistakes and omissions are corrected. In this scenario the BOM serial number remains static and the version is incremented. It also isnât sufficient for use cases that require referencing a specific component within a BOM. I think this can be clarified considerably: Although CycloneDX BOMs may use a UUID URN to identify a BOM via its BOM serial number, the serial number isnât sufficient when referencing a BOM because a particular BOM may be revised over time. Even in the case of legacy software that is not conceptualized as changing, mistakes and omissions can be corrected over time causing changes in the BOM. This is allowed for by successive "cdx" URNs in which the BOM serial number remains static and the version is incremented. Dale
- [urn] Namespace Identifier: Requested of IANA - c… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Peter Saint-Andre
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Peter Saint-Andre
- Re: [urn] Namespace Identifier: Requested of IANA… worley
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Hakala, Juha E
- Re: [urn] Namespace Identifier: Requested of IANA… worley
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Hakala, Juha E
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Peter Saint-Andre
- Re: [urn] Namespace Identifier: Requested of IANA… Peter Saint-Andre
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer