IETF Logo Mail Archive

Re: [urn] Namespace Identifier: Requested of IANA - cdx

worley@ariadne.com Wed, 05 January 2022 23:52 UTC

Return-Path: <worley@alum.mit.edu>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 910C83A0C6C for <urn@ietfa.amsl.com>; Wed, 5 Jan 2022 15:52:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.017
X-Spam-Level:
X-Spam-Status: No, score=0.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, PP_MIME_FAKE_ASCII_TEXT=1, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcastmailservice.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVTbW0BKtsbq for <urn@ietfa.amsl.com>; Wed, 5 Jan 2022 15:52:51 -0800 (PST)
Received: from resdmta-c1p-023854.sys.comcast.net (resdmta-c1p-023854.sys.comcast.net [IPv6:2001:558:fd00:56::d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AEF23A0C6B for <urn@ietf.org>; Wed, 5 Jan 2022 15:52:51 -0800 (PST)
Received: from resomta-c1p-023412.sys.comcast.net ([96.102.18.229]) by resdmta-c1p-023854.sys.comcast.net with ESMTP id 5CcgnLEapkmQ05G5Hn2ary; Wed, 05 Jan 2022 23:52:47 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcastmailservice.net; s=20211018a; t=1641426767; bh=V1WqCrOtoNiqKXfmUWz/8N2PjGhAvBnRFy5SHS/7piQ=; h=Received:Received:Received:Received:From:To:Subject:Date: Message-ID; b=KOrp4hKreq8rbRNTrFRffH3erf5D4pYmpoYQ+rk0qYcSQmEV/zJ/8Tlj1eL2HZCYi HDf3t/bXndKiu6Gg5Hy3UjKOqVd8Zbo4lfdzttB88mClR6YCJacyMAJneujlm1Bj/i fFvWRo6B+EdNy5oSO7aCaaMsThv+k7gwvV8A1+9G7MmdX11NW18KVjI4jduUi8iXCs g/EoTE/0XiT55REFhqQDAwY/RBvCf8lP7e1TNIee+y6btookBjLA/muHLp4/mEnGsw IJjYE2sozrtfyKBm7a5/4wftS6YysGVXo6zXM/YBOtOYBPuYRaFi31orH3LNAslqxL spfn4oDqVZGMA==
Received: from hobgoblin.ariadne.com ([IPv6:2601:192:4a00:430::6324]) by resomta-c1p-023412.sys.comcast.net with ESMTPA id 5G5GnnjnSoda05G5GncZnj; Wed, 05 Jan 2022 23:52:47 +0000
X-Xfinity-VMeta: sc=-100.00;st=legit
Received: from hobgoblin.ariadne.com (localhost [127.0.0.1]) by hobgoblin.ariadne.com (8.16.1/8.16.1) with ESMTPS id 205NqjKa516908 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Wed, 5 Jan 2022 18:52:46 -0500
Received: (from worley@localhost) by hobgoblin.ariadne.com (8.16.1/8.16.1/Submit) id 205Nqj8o516905; Wed, 5 Jan 2022 18:52:45 -0500
X-Authentication-Warning: hobgoblin.ariadne.com: worley set sender to worley@alum.mit.edu using -f
From: worley@ariadne.com
To: Patrick Dwyer <patrick.dwyer@owasp.org>
Cc: urn@ietf.org
In-Reply-To: <d3762641-86d3-8ac0-587d-8fb0c702c26e@owasp.org> (patrick.dwyer@owasp.org)
Sender: worley@ariadne.com
Date: Wed, 05 Jan 2022 18:52:45 -0500
Message-ID: <87ee5leo4y.fsf@hobgoblin.ariadne.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/3ARx5cyIPL-K9KhhlJqAMQAmOVo>
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 23:52:56 -0000

I've got a number of editorial nits, and one technical question:  Should
it revise the syntax of bom-version based on its underlying semantics?

----------

There are some places where the sentence structure is rough, so you
probably want someone to copy-edit the text.

    Patrick Dwyer, on behalf of OWASP CycloneDX

You probably want to say "on behalf of OWASP", as CycloneDX isn't an
organization.  Alternatively, you may want to conceptualize "the
CycloneDX project" apart from OWASP, in which case you'd say "on
behalf of the CycloneDX project".

    CycloneDX is an open source software bill of materials OWASP
    standard.

I'm not sure of the significance of "open source" here.  Is CycloneDX
only applicable to open-source software?  Or is the standard somehow
open-source?

    The “cdx” namespace is used ...

Better, 'URNs in the "cdx" namespace are used ...'.

    CycloneDX also supports “BOM refs”. BOM refs are unique BOM scoped 
    references to a particular element. A URN with an optional BOM ref 
    f-component can be used to reference an element within another BOM.

    Referencing a specific element in a BOM is particularly relevant for use 
    cases like describing known vulnerabilities in a component in the 
    context of a particular assembled piece of software or embedded device.

This text is interesting, but it seems to me that you'd need quite a
bit more description to enable the reader to understand the import of
BOM refs.  So I think you should trim it back to provide just enough
context for why the grammar specifies f-components.  Say:

    CycloneDX also supports “BOM refs”. A BOM ref is a reference to a
    particular element within a BOM.  A "cdx" URN with an f-component is
    a BOM ref, with the fragment identifier specifying the element
    within the BOM identified by the URN.

That makes the purpose clear without even getting into the details of
what an "element of a BOM" is.

    bom-version            = 1*digit

There are a bunch of interesting questions here!  As written,
bom-version is a string of digits, and "00", "000", "1", and "0001"
are all different.  Is bom-version intended to denote an integer?  If
so, what range does the integer have; specifically, does it include
zero?  If it is intended to be an integer, you should adjust the
syntax to permit only the canonical way of writing those integers.

    CycloneDX URNs are assigned in a decentralised way, using the BOM serial 
    number. CycloneDX BOM serial numbers are unique to a specific BOM. And 
    are version 4 UUID URNs as defined in [RFC4122].

In the first sentence, it would be preferable to say
"bom-serial-number-uuid" rather than "BOM serial number", as that is
what the grammar says -- unless CycloneDX uses the term "BOM serial
number" a lot, in which case I'd change "bom-serial-number-uuid" to
"bom-serial-number" in the grammar.

In the second sentence, I'd clarify the correspondence between serial
numbers and BOMs by making both parts of the sentence singular, "A
CycloneDX BOM serial number is unique to a specific BOM."

I would clarify the third sentence by saying "A CycloneDX BOM serial
number is a version 4 UUID as defined in [RFC4122]."  (A BOM serial
number *itself* isn't a URN, as it is a UUID [RFC4122] and does not
start with "urn:".)

    Additionally, there are no specification limitations on what information 
    can be included in a “BOM ref”. When using BOM refs for f-components, 
    consideration must be given to any restrictions imposed on sharing of 
    information within a BOM. And what information may “leak” by including a 
    BOM ref as an f-component in a CycloneDX URN.

    For producers of BOMs who have high confidentiality requirements it is 
    recommended to use UUIDs for BOM refs.

I'm not clear what exactly counts as a "BOM ref" -- Is it the
URN-with-f-component, or is it just the f-component?  Or is it the
abstract concept and we also use the term vaguely to mean both the
URN-with-f-component and f-component?  It might be better to limit
this paragraph to talking about f-components to avoid any
complications:

    Additionally, there are no specification limitations beyond
    [RFC3986] on what can be included the f-component.  Given that
    f-components may be published in CyclineDX URNs, producers of BOMs
    should avoid using any value on which there are sharing
    restrictions.  For producers of BOMs who have high confidentiality
    requirements, it is recommended to use UUIDs for f-components.

--

    Although CycloneDX BOMs already use a UUID URN to identify a BOM this 
    information isn’t sufficient when referencing a BOM.

    A particular BOM may be revised over time. Especially in the case of 
    legacy software as mistakes and omissions are corrected. In this 
    scenario the BOM serial number remains static and the version is 
    incremented.

    It also isn’t sufficient for use cases that require referencing a 
    specific component within a BOM.

I think this can be clarified considerably:

    Although CycloneDX BOMs may use a UUID URN to identify a BOM via
    its BOM serial number, the serial number isn’t sufficient when
    referencing a BOM because a particular BOM may be revised over
    time.  Even in the case of legacy software that is not
    conceptualized as changing, mistakes and omissions can be
    corrected over time causing changes in the BOM.  This is allowed
    for by successive "cdx" URNs in which the BOM serial number
    remains static and the version is incremented.

Dale

v2.23.0 | Report a Bug | By Email