Re: [urn] Namespace Identifier: Requested of IANA - cdx

Peter Saint-Andre <stpeter@stpeter.im> Mon, 28 March 2022 21:30 UTC

Message-ID: <b07c9130-a489-68d6-c64d-fd124cdf6cdf@stpeter.im>
Date: Mon, 28 Mar 2022 15:30:19 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Patrick Dwyer <patrick.dwyer@owasp.org>, urn@ietf.org
References: <CACjy5ZfuG8yARFdboBOq0QrVhEWtGL+2UAuypjeP9xhUjXNEyA@mail.gmail.com> <87tudxg6ju.fsf@hobgoblin.ariadne.com> <CACjy5ZdU=OpwNoLDmNh5jtZi2zJJHPHNHCBmEFStouRKpM8t0Q@mail.gmail.com> <HE1PR07MB31961709C292E18F3D3D703FFA269@HE1PR07MB3196.eurprd07.prod.outlook.com> <CACjy5ZfN2cSHwtDT_E8DLhPSbrycGKEHK_L2GpXJ6=5eHn9apg@mail.gmail.com> <ebd5107b-d2bd-e5b0-6452-5e0f8a2e258d@stpeter.im>
In-Reply-To: <ebd5107b-d2bd-e5b0-6452-5e0f8a2e258d@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/4X5H85y09_cyo0VyQVxGBmvol94>
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx

Hi everyone,

This namespace has now been registered:

https://www.iana.org/assignments/urn-formal/cdx

Peter

On 3/19/22 3:36 PM, Peter Saint-Andre wrote:
> Hi Pat,
> 
> Your latest iteration looks good to me (and Dale and Juha), so I think 
> we're ready to proceed. I will follow up with IANA and report back.
> 
> Peter
> 
> On 3/19/22 7:26 AM, Patrick Dwyer wrote:
>> Hi all,
>>
>> Is there anything else I need to do to register this URN namespace?
>>
>> Regards,
>> Pat
>>
>> On Tue, Feb 1, 2022 at 9:29 PM Hakala, Juha E 
>> <juha.hakala@helsinki.fi> wrote:
>>>
>>> Hello Patrick,
>>>
>>> this looks fine; I approve the request.
>>>
>>> All the best,
>>>
>>> Juha
>>>
>>> -----Original Message-----
>>> From: urn <urn-bounces@ietf.org> On Behalf Of Patrick Dwyer
>>> Sent: Tuesday, 1 February 2022 4:28
>>> To: urn@ietf.org
>>> Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
>>>
>>> Juha, thanks for more great feedback.
>>>
>>> Apologies for taking so long to get this revision back to the group.
>>>
>>> New version:
>>>
>>> Namespace Identifier:  Requested of IANA - cdx
>>>
>>> Version: 1
>>>
>>> Date: 2022-01-01
>>>
>>> Registrant: Patrick Dwyer, on behalf of the OWASP CycloneDX project.
>>> Email: patrick.dwyer@owasp.org
>>> Address:
>>> The OWASP Foundation Inc.
>>> 401 Edgewater Place, Suite 600
>>> Wakefield, MA 01880
>>>
>>> Purpose:
>>>
>>> CycloneDX is a software bill of materials OWASP standard. CycloneDX 
>>> bill of materials documents (BOMs) are intended to be exchanged 
>>> between different parties of the software supply chain.
>>>
>>> URNs in the "cdx" namespace are used as a means of persistently 
>>> identifying CycloneDX BOMs.
>>>
>>> When creating a BOM, a CycloneDX URN can be used to reference an 
>>> upstream BOM for a component rather than embedding it inline. This 
>>> may be a consideration for performance reasons. Especially in 
>>> resource constrained environments such as embedded devices. It can 
>>> also be used when a software supplier does not have authority to 
>>> share upstream BOM content directly.
>>>
>>> CycloneDX also supports "BOM refs". A BOM ref is a reference to a 
>>> particular element within a BOM. A "cdx" URN with an f-component is a 
>>> BOM ref, with the f-component specifying the location of the element 
>>> within the BOM identified by the URN.
>>>
>>> Syntax:
>>>
>>> The syntax for a CycloneDX URN namestring is defined using the 
>>> Augmented Backus-Naur Form (ABNF) below. It uses "UUID" as defined in 
>>> [RFC4122] and "f-component" as defined in [RFC3986].
>>>
>>>    namestring        = assigned-name [ "#" f-component ]
>>>    assigned-name     = "urn:cdx:" NSS
>>>    NSS               = bom-serial-number "/" bom-version
>>>    bom-serial-number = UUID
>>>    bom-version       = nonzero-digit *DIGIT ; an integer >= 1, no leading zero
>>>    nonzero-digit     = %x31-39 ; 1-9
>>>
>>> Assignment:
>>>
>>> CycloneDX URNs are assigned in a decentralised way, using the BOM 
>>> serial number. BOM serial numbers are version 4 UUIDs as defined in 
>>> [RFC4122]. Once assigned, BOM serial numbers are unique and persistent.
>>>
>>> Security and Privacy:
>>>
>>> As CycloneDX URNs are based on UUIDs they have the same security 
>>> considerations as UUID URNs as per [RFC4122].
>>>
>>> Additionally, there are no specification limitations beyond [RFC3986] 
>>> on what can be included in an f-component. Given that f-components 
>>> may be published in CycloneDX URNs, producers of BOMs should avoid 
>>> using any value on which there are sharing restrictions. For 
>>> producers of BOMs who have high confidentiality requirements, it is 
>>> recommended to use UUIDs for f-components.
>>>
>>> Interoperability:
>>>
>>> Although CycloneDX BOMs may use a UUID URN to identify a BOM via its 
>>> BOM serial number, the serial number isn’t sufficient when 
>>> referencing a BOM because a particular BOM may be revised over time. 
>>> Even in the case of legacy software that is not conceptualized as 
>>> changing, mistakes and omissions can be corrected over time causing 
>>> changes in the BOM. This is allowed for by successive "cdx" URNs in 
>>> which the BOM serial number is static and the version is incremented.
>>>
>>>
>>> On Fri, Jan 21, 2022 at 12:35 PM Dale R. Worley <worley@ariadne.com> 
>>> wrote:
>>>>
>>>> Patrick Dwyer <patrick.dwyer@owasp.org> writes:
>>>>> Thanks for the great feedback Dale.
>>>>>
>>>>> Revised below:
>>>>>
>>>>> Namespace Identifier:  Requested of IANA - cdx
>>>>>
>>>>> Version:  1
>>>>>
>>>>> Date:  2022-01-01
>>>> [...]
>>>>
>>>> That covers everything I thought was an issue.  It looks good to me.
>>>>
>>>> Dale
>>>
>>> _______________________________________________
>>> urn mailing list
>>> urn@ietf.org
>>> https://www.ietf.org/mailman/listinfo/urn
>>
>> _______________________________________________
>> urn mailing list
>> urn@ietf.org
>> https://www.ietf.org/mailman/listinfo/urn
>
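The registration text above gives the ABNF for "cdx" namestrings, says BOM serial numbers are version 4 UUIDs, and recommends UUID-valued f-components for producers with confidentiality concerns. The following parser is an added example written for this page; it is not code from the CycloneDX project or from anyone in the thread. It reads the ABNF's serial-number rule as `bom-serial-number = UUID`, treats the f-component as an RFC 3986 `fragment` (`*( pchar / "/" / "?" )`), and assumes the `urn:cdx:` prefix is case-insensitive as quoted strings in ABNF are. The sample URNs in it are constructed for illustration.

```python
"""Parse and validate CycloneDX "cdx" URNs against the ABNF in the registration."""
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# RFC 3986: fragment = *( pchar / "/" / "?" )
#           pchar    = unreserved / pct-encoded / sub-delims / ":" / "@"
_FRAGMENT_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")

# assigned-name = "urn:cdx:" bom-serial-number "/" bom-version
# bom-version   = nonzero-digit *DIGIT   -> integer >= 1 with no leading zero
_NAME_RE = re.compile(
    r"^urn:cdx:(?P<serial>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/(?P<version>[1-9][0-9]*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class CdxUrn:
    serial_number: uuid.UUID   # the BOM serial number (must be a version 4 UUID)
    version: int               # the BOM version, >= 1
    f_component: Optional[str] # present only for a BOM ref

    @property
    def is_bom_ref(self) -> bool:
        """A "cdx" URN with an f-component is a BOM ref (points into the BOM)."""
        return self.f_component is not None

    @property
    def f_component_is_uuid(self) -> bool:
        """True when the f-component is itself a UUID, the registration's
        recommendation for producers with high confidentiality requirements."""
        if self.f_component is None:
            return False
        try:
            uuid.UUID(self.f_component)
            return True
        except ValueError:
            return False

    def revised(self) -> "CdxUrn":
        """Successor URN: same serial number, version incremented, no f-component.
        This is the revision scheme described under Interoperability."""
        return CdxUrn(self.serial_number, self.version + 1, None)

    def to_namestring(self) -> str:
        base = f"urn:cdx:{self.serial_number}/{self.version}"
        return base if self.f_component is None else f"{base}#{self.f_component}"


def parse_cdx_urn(namestring: str) -> CdxUrn:
    """Parse a namestring, raising ValueError on any deviation from the ABNF
    or from the assignment rule (version 4 UUID serial numbers)."""
    # The ABNF allows a single optional "#" f-component after the assigned-name.
    assigned_name, sep, f_component = namestring.partition("#")
    m = _NAME_RE.fullmatch(assigned_name)
    if m is None:
        raise ValueError(f"not a valid cdx assigned-name: {assigned_name!r}")
    serial = uuid.UUID(m.group("serial"))
    # uuid.UUID.version is None for non-RFC-4122 variants, so this also
    # rejects UUIDs that merely look like one.
    if serial.version != 4:
        raise ValueError(f"BOM serial number must be a version 4 UUID: {serial}")
    if sep and not _FRAGMENT_RE.fullmatch(f_component):
        raise ValueError(f"f-component is not an RFC 3986 fragment: {f_component!r}")
    return CdxUrn(serial, int(m.group("version")), f_component if sep else None)


def is_valid_cdx_urn(namestring: str) -> bool:
    """Boolean form of parse_cdx_urn for use in input validation."""
    try:
        parse_cdx_urn(namestring)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; f47ac10b-... is a well-formed version 4 UUID.
    bom = parse_cdx_urn("urn:cdx:f47ac10b-58cc-4372-a567-0e02b2c3d479/1")
    ref = parse_cdx_urn("urn:cdx:f47ac10b-58cc-4372-a567-0e02b2c3d479/1#component-a")
    print(bom, bom.revised().to_namestring())
    print(ref.is_bom_ref, ref.f_component_is_uuid)
```

A consumer that accepts BOM references from other parties in the supply chain can run `is_valid_cdx_urn` at the trust boundary and reject anything else before resolving it; the `f_component_is_uuid` check lets a producer's own tooling flag f-components that might carry internal names the registration text warns about publishing.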