Re: [urn] Namespace Identifier: Requested of IANA - cdx
Peter Saint-Andre <stpeter@stpeter.im> Tue, 04 January 2022 21:53 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 994FC3A0D0B for <urn@ietfa.amsl.com>; Tue, 4 Jan 2022 13:53:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=h77ciljL; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=bqe+hITK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7XsrgH4AppDw for <urn@ietfa.amsl.com>; Tue, 4 Jan 2022 13:52:56 -0800 (PST)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CF523A0CD0 for <urn@ietf.org>; Tue, 4 Jan 2022 13:52:56 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id ACA4C3200993; Tue, 4 Jan 2022 16:52:54 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Tue, 04 Jan 2022 16:52:55 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h= message-id:date:mime-version:subject:to:cc:references:from :in-reply-to:content-type:content-transfer-encoding; s=fm1; bh=E I5xFE/IDgCf2aRn0yy3iRuntbCrPl3Pc6eNcNBhixc=; b=h77ciljLU7h1g1u7f pm/Kr67JvE12hIQQmcJn/IZNeKvv3wBhthoG4fsgpjdApQuVcOr/9m6+ZD/TgRxc XERskjhLjzQvPa55GenbVCwqiDP4GdHacMLqxLZF6wclYWMFVjT1cdWLrcc6oSpT 3JgGL6cwin6QsYpHxGaUOKOUy9lXhkpdz8d/2qGRrWDq/4vV+pazs27bTBPt09NB dpIiXmNRgJu0okfHnh35ZhU526HWsmSrB0ct82M+WeovGfJ5TlHoQA2Gday3ObLc WsBT0x8/oNK40513pa1Jl5BFToQkeok8L44a1S4xiHvovT9sqKwhmNOQ93MuyrLU 8L56w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=EI5xFE/IDgCf2aRn0yy3iRuntbCrPl3Pc6eNcNBhi xc=; b=bqe+hITK7ZBtUksRsO7ZQn4J9zeAZxry/POmAK/vZNJEeLE1qVPwC/aLm gNj4bKBnIqhrJm/GrbhoN5LoIcTtOLtuXzPNPOIOf/vNPw2Bg3vCsFhGTQiQ+7Yo z2uwg0TxTHcYZ/GN6PRqtIxdlLwHexgiNBhrF7gUNyUPlZlIbzLnlA3+yLiQAErO EN96xtI2fSA4Epg8Im62qnFYqDqE9SqfgiEq1DSYYHEukums5OqeyZHEKddAQkg9 n5UJl1sSct4Fpa8zxCBKJykc1JiFgy8Npn//78X0nSa6jgcwrZxYTOJo1GAJQEn7 PmaRpsBiAUGbg9xec7Skf+1z4qwFQ==
X-ME-Sender: <xms:tcHUYTIq4XSopvFDCkYIOiwBRTO2Nk_nEJsV89pmgSXI8kK82u-4_g> <xme:tcHUYXL_1Zk8AiiLH5X-xrdBlOHMBlX43xrUH9nnoQScgtTLWjcZCGTddjiPjLpz2 ADnz3GqDypzy9o88w>
X-ME-Received: <xmr:tcHUYbuHFhQC8SkowB4NxXYoZMc88cjeoz0ADn7TsqV68b30ASJgIrRI1Fp6ohGYhXyAsa6E0n_TDVyvniCXLmksrq136H4iSQ9oIsg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrudeffedgudehgecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enfghrlhcuvffnffculddqiedmnecujfgurhepkfffgggfuffvfhfhjggtgfesthekredt tdefjeenucfhrhhomheprfgvthgvrhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvg hrsehsthhpvghtvghrrdhimheqnecuggftrfgrthhtvghrnhepleetteeliefgudeuhedu ieejvdegheeufeefkeffleetveeftedvueduffeigfeinecuffhomhgrihhnpegthigtlh honhgvugigrdhorhhgpdhnthhirgdrghhovhdpihgvthhfrdhorhhgnecuvehluhhsthgv rhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepshhtphgvthgvrhesshhtph gvthgvrhdrihhm
X-ME-Proxy: <xmx:tcHUYcY40Vpsq8cH0yZw_bDx95wzDbuSI6-opqEc2oz9FUig11SCFA> <xmx:tcHUYabU4upy3zaesZqEdvHWoUa3LxxV0_ZPP58NAQ4fSRP5lPElGw> <xmx:tcHUYQBLkEs2TosCHsm8qTFfNFjLt5X6Bjd9uAlQy0GzFXWM9BiGlA> <xmx:tsHUYdxWMPHWEMXmkx1Pr8POrCSdAxTH-qELC36XXpwBjemHgXbbng>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 4 Jan 2022 16:52:53 -0500 (EST)
Message-ID: <527b6c9f-3b80-848e-c479-55848c3dec6a@stpeter.im>
Date: Tue, 04 Jan 2022 14:52:48 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Content-Language: en-US
To: Patrick Dwyer <patrick.dwyer@owasp.org>
Cc: urn@ietf.org
References: <d3762641-86d3-8ac0-587d-8fb0c702c26e@owasp.org> <30b772a4-e339-613d-7cc3-fba9e6995f1b@stpeter.im> <CACjy5Zc=-5-0ufcP8O8xUDFSmq+DQcftf9fJ=fg90L=9=sDkaA@mail.gmail.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <CACjy5Zc=-5-0ufcP8O8xUDFSmq+DQcftf9fJ=fg90L=9=sDkaA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/HkALiHVpk_IQTxTcoleWH4cyXOs>
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 21:53:00 -0000
Ah, that makes sense. Thus you don't need to embed that information in a single f-component, which is good. As far as I'm concerned, this registration can be accepted. Let's see what the other members of the review team have to say. Peter On 1/4/22 2:43 PM, Patrick Dwyer wrote: > Hi Peter, > > Excellent consideration. That is possible. Each component has an > independent "BOM ref". So whether a component is within a bundled > assembly, or part of a complex dependency graph, it can be directly > referenced. > > Regards, > Pat > > On Wed, Jan 5, 2022 at 7:18 AM Peter Saint-Andre <stpeter@stpeter.im> wrote: >> >> Hi Patrick, >> >> Thanks for posting this. In general it looks good to me. >> >> Out of curiosity, I have one question: do you have or need a way to >> identify components of components? Would the f-component syntax limit >> this ability? >> >> Peter >> >> On 12/31/21 11:39 PM, Patrick Dwyer wrote: >>> Hi folks, >>> >>> Seeking your review on this URN namespace registration. >>> >>> Regards, >>> Pat >>> >>> Namespace Identifier: Requested of IANA - cdx >>> >>> Version: 1 >>> >>> Date: 2022-01-01 >>> >>> Registrant: >>> >>> Patrick Dwyer, on behalf of OWASP CycloneDX >>> Email: patrick.dwyer@owasp.org >>> Address: >>> The OWASP Foundation Inc. >>> 401 Edgewater Place, Suite 600 >>> Wakefield, MA 01880 >>> >>> Purpose: >>> >>> CycloneDX is an open source software bill of materials OWASP standard. >>> CycloneDX bill of materials documents (BOMs) are intended to be >>> exchanged between different parties of the software supply chain. >>> >>> The “cdx” namespace is to be used as a means of persistently identifying >>> CycloneDX BOMs. >>> >>> When creating a BOM that describes multiple components, a CycloneDX URN >>> can be used to reference an upstream BOM for a component rather than >>> embedding it inline. This may be a consideration for performance >>> reasons. Especially in resource constrained environments such as >>> embedded devices. But can also be used when a software supplier does not >>> have authority to share upstream BOM content directly. >>> >>> CycloneDX also supports “BOM refs”. BOM refs are unique BOM scoped >>> references to a particular element. A URN with an optional BOM ref >>> f-component can be used to reference an element within another BOM. >>> >>> Referencing a specific element in a BOM is particularly relevant for use >>> cases like describing known vulnerabilities in a component in the >>> context of a particular assembled piece of software or embedded device. >>> >>> Syntax: >>> >>> The syntax for a CycloneDX URN namestring is defined using the Augmented >>> Backus-Naur Form (ABNF) below. And uses “UUID” as defined in [RFC4122] >>> and “fragment” as defined in [RFC3986]. >>> >>> namestring = assigned-name [ "#" f-component ] >>> assigned-name = "urn:cdx:" NSS >>> NSS = bom-serial-number-uuid "/" bom-version >>> bom-serial-number-uuid = UUID >>> bom-version = 1*digit >>> f-component = fragment >>> >>> Assignment: >>> >>> CycloneDX URNs are assigned in a decentralised way, using the BOM serial >>> number. CycloneDX BOM serial numbers are unique to a specific BOM. And >>> are version 4 UUID URNs as defined in [RFC4122]. >>> >>> Security and Privacy: >>> >>> As CycloneDX URNs are based on UUIDs they have the same security >>> considerations as UUID URNs as per [RFC4122]. >>> >>> Additionally, there are no specification limitations on what information >>> can be included in a “BOM ref”. When using BOM refs for f-components, >>> consideration must be given to any restrictions imposed on sharing of >>> information within a BOM. And what information may “leak” by including a >>> BOM ref as an f-component in a CycloneDX URN. >>> >>> For producers of BOMs who have high confidentiality requirements it is >>> recommended to use UUIDs for BOM refs. >>> >>> Interoperability: >>> >>> Although CycloneDX BOMs already use a UUID URN to identify a BOM this >>> information isn’t sufficient when referencing a BOM. >>> >>> A particular BOM may be revised over time. Especially in the case of >>> legacy software as mistakes and omissions are corrected. In this >>> scenario the BOM serial number remains static and the version is >>> incremented. >>> >>> It also isn’t sufficient for use cases that require referencing a >>> specific component within a BOM. >>> >>> Resolution: >>> >>> No prescriptive resolution mechanisms are envisioned. >>> >>> Resolution mechanisms will be determined between parties in the software >>> supply chain, or by organizations using CycloneDX BOMs internally. >>> >>> Documentation: >>> >>> Please note, this URL will be updated to reference the URN registration. >>> >>> https://cyclonedx.org/capabilities/rfc-tbd/ >>> >>> Additional Information: >>> >>> More information about CycloneDX can be found on the project homepage at >>> https://cyclonedx.org >>> >>> More general information about software bill of materials can be found >>> at https://www.ntia.gov/sbom >>> >>> >>> _______________________________________________ >>> urn mailing list >>> urn@ietf.org >>> https://www.ietf.org/mailman/listinfo/urn >>
- [urn] Namespace Identifier: Requested of IANA - c… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Peter Saint-Andre
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Peter Saint-Andre
- Re: [urn] Namespace Identifier: Requested of IANA… worley
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Hakala, Juha E
- Re: [urn] Namespace Identifier: Requested of IANA… worley
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Hakala, Juha E
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer
- Re: [urn] Namespace Identifier: Requested of IANA… Peter Saint-Andre
- Re: [urn] Namespace Identifier: Requested of IANA… Peter Saint-Andre
- Re: [urn] Namespace Identifier: Requested of IANA… Patrick Dwyer