Re: [urn] Namespace Identifier: Requested of IANA - cdx

"Hakala, Juha E" <juha.hakala@helsinki.fi> Tue, 01 February 2022 11:29 UTC

From: "Hakala, Juha E" <juha.hakala@helsinki.fi>
To: Patrick Dwyer <patrick.dwyer@owasp.org>, "urn@ietf.org" <urn@ietf.org>
Date: Tue, 01 Feb 2022 11:29:10 +0000
Message-ID: <HE1PR07MB31961709C292E18F3D3D703FFA269@HE1PR07MB3196.eurprd07.prod.outlook.com>
References: <CACjy5ZfuG8yARFdboBOq0QrVhEWtGL+2UAuypjeP9xhUjXNEyA@mail.gmail.com> <87tudxg6ju.fsf@hobgoblin.ariadne.com> <CACjy5ZdU=OpwNoLDmNh5jtZi2zJJHPHNHCBmEFStouRKpM8t0Q@mail.gmail.com>
In-Reply-To: <CACjy5ZdU=OpwNoLDmNh5jtZi2zJJHPHNHCBmEFStouRKpM8t0Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/9IQdIvrRX4Xat_rDQO-hvcAb528>

Hello Patrick, 

this looks fine; I approve the request. 

All the best, 

Juha

-----Original Message-----
From: urn <urn-bounces@ietf.org> On Behalf Of Patrick Dwyer
Sent: Tuesday, 1 February 2022 4:28
To: urn@ietf.org
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx

Juha, thanks for more great feedback.

Apologies for taking so long to get this revision back to the group.

New version:

Namespace Identifier:  Requested of IANA - cdx

Version: 1

Date: 2022-01-01

Registrant: Patrick Dwyer, on behalf of the OWASP CycloneDX project.
Email: patrick.dwyer@owasp.org
Address:
The OWASP Foundation Inc.
401 Edgewater Place, Suite 600
Wakefield, MA 01880

Purpose:

CycloneDX is a software bill of materials OWASP standard. CycloneDX bill of materials documents (BOMs) are intended to be exchanged between different parties of the software supply chain.

URNs in the "cdx" namespace are used as a means of persistently identifying CycloneDX BOMs.

When creating a BOM, a CycloneDX URN can be used to reference an upstream BOM for a component rather than embedding it inline. This may be a consideration for performance reasons, especially in resource-constrained environments such as embedded devices. It can also be used when a software supplier does not have authority to share upstream BOM content directly.

CycloneDX also supports "BOM refs". A BOM ref is a reference to a particular element within a BOM. A "cdx" URN with an f-component is a BOM ref, with the f-component specifying the location of the element within the BOM identified by the URN.

Syntax:

The syntax for a CycloneDX URN namestring is defined using the Augmented Backus-Naur Form (ABNF) below. It uses "UUID" as defined in [RFC4122] and "f-component" as defined in [RFC3986].

  namestring        = assigned-name [ "#" f-component ]
  assigned-name     = "urn:cdx:" NSS
  NSS               = bom-serial-number "/" bom-version
  bom-serial-number = UUID
  bom-version       = nonzero-digit *DIGIT ; an integer >= 1
  nonzero-digit     = %x31-39 ; 1-9

Assignment:

CycloneDX URNs are assigned in a decentralised way, using the BOM serial number. BOM serial numbers are version 4 UUIDs as defined in [RFC4122]. Once assigned, BOM serial numbers are unique and persistent.

Security and Privacy:

As CycloneDX URNs are based on UUIDs they have the same security considerations as UUID URNs as per [RFC4122].

Additionally, there are no specification limitations beyond [RFC3986] on what can be included in an f-component. Given that f-components may be published in CycloneDX URNs, producers of BOMs should avoid using any value on which there are sharing restrictions. For producers of BOMs who have high confidentiality requirements, it is recommended to use UUIDs for f-components.

Interoperability:

Although CycloneDX BOMs may use a UUID URN to identify a BOM via its BOM serial number, the serial number isn’t sufficient when referencing a BOM because a particular BOM may be revised over time. Even in the case of legacy software that is not conceptualized as changing, mistakes and omissions can be corrected over time causing changes in the BOM. This is allowed for by successive "cdx" URNs in which the BOM serial number is static and the version is incremented.


On Fri, Jan 21, 2022 at 12:35 PM Dale R. Worley <worley@ariadne.com> wrote:
>
> Patrick Dwyer <patrick.dwyer@owasp.org> writes:
> > Thanks for the great feedback Dale.
> >
> > Revised below:
> >
> > Namespace Identifier:  Requested of IANA - cdx
> >
> > Version:  1
> >
> > Date:  2022-01-01
> [...]
>
> That covers everything I thought was an issue.  It looks good to me.
>
> Dale

_______________________________________________
urn mailing list
urn@ietf.org
https://www.ietf.org/mailman/listinfo/urn
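To make the "cdx" ABNF in the registration above concrete, here is an added validator written for this page (my own example, not code from the CycloneDX project or any poster). It parses a namestring into serial number, version and optional f-component, enforces the version 4 UUID rule from the Assignment section and RFC 3986 fragment syntax, and exposes the same-serial/higher-version revision check from the Interoperability section and the UUID-as-f-component recommendation from the Security and Privacy section. The fragment regex is my transcription of the RFC 3986 grammar; all sample UUIDs and element names are constructed.

```python
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# RFC 3986 fragment = *( pchar / "/" / "?" ), spelled out as a regex (my transcription).
_FRAGMENT = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_VERSION = re.compile(r"^[1-9][0-9]*$")  # nonzero-digit *DIGIT: rejects "0" and "01"


@dataclass(frozen=True)
class CdxUrn:
    serial: uuid.UUID            # BOM serial number (version 4 UUID)
    version: int                 # BOM version, an integer >= 1
    f_component: Optional[str]   # present only when the URN is a BOM ref

    def is_bom_ref(self) -> bool:
        return self.f_component is not None


def parse_cdx_urn(namestring: str) -> CdxUrn:
    """Parse urn:cdx:<UUID>/<version>[#<f-component>]; raise ValueError otherwise."""
    assigned, hash_sign, fragment = namestring.partition("#")
    if not assigned.lower().startswith("urn:cdx:"):  # scheme and NID are case-insensitive
        raise ValueError("not a cdx URN")
    serial_txt, slash, version_txt = assigned[len("urn:cdx:"):].partition("/")
    if not slash or not _UUID.match(serial_txt) or not _VERSION.match(version_txt):
        raise ValueError("NSS must be <UUID>/<version>")
    serial = uuid.UUID(serial_txt)
    if serial.version != 4:  # Assignment section: serial numbers are version 4 UUIDs
        raise ValueError("BOM serial number is not a version 4 UUID")
    if hash_sign and not _FRAGMENT.match(fragment):
        raise ValueError("f-component is not a valid RFC 3986 fragment")
    return CdxUrn(serial, int(version_txt), fragment if hash_sign else None)


def is_valid_cdx_urn(namestring: str) -> bool:
    try:
        parse_cdx_urn(namestring)
        return True
    except ValueError:
        return False


def is_later_revision(older: CdxUrn, newer: CdxUrn) -> bool:
    """Interoperability rule: same serial number, incremented version."""
    return older.serial == newer.serial and newer.version > older.version


def f_component_is_opaque(urn: CdxUrn) -> bool:
    """Privacy recommendation: a UUID f-component reveals nothing about element names."""
    return urn.f_component is not None and _UUID.match(urn.f_component) is not None
```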