IETF Logo Mail Archive

Re: [urn] Namespace Identifier: Requested of IANA - cdx

Peter Saint-Andre <stpeter@stpeter.im> Tue, 04 January 2022 21:53 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 994FC3A0D0B for <urn@ietfa.amsl.com>; Tue, 4 Jan 2022 13:53:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=h77ciljL; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=bqe+hITK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7XsrgH4AppDw for <urn@ietfa.amsl.com>; Tue, 4 Jan 2022 13:52:56 -0800 (PST)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CF523A0CD0 for <urn@ietf.org>; Tue, 4 Jan 2022 13:52:56 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id ACA4C3200993; Tue, 4 Jan 2022 16:52:54 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Tue, 04 Jan 2022 16:52:55 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h= message-id:date:mime-version:subject:to:cc:references:from :in-reply-to:content-type:content-transfer-encoding; s=fm1; bh=E I5xFE/IDgCf2aRn0yy3iRuntbCrPl3Pc6eNcNBhixc=; b=h77ciljLU7h1g1u7f pm/Kr67JvE12hIQQmcJn/IZNeKvv3wBhthoG4fsgpjdApQuVcOr/9m6+ZD/TgRxc XERskjhLjzQvPa55GenbVCwqiDP4GdHacMLqxLZF6wclYWMFVjT1cdWLrcc6oSpT 3JgGL6cwin6QsYpHxGaUOKOUy9lXhkpdz8d/2qGRrWDq/4vV+pazs27bTBPt09NB dpIiXmNRgJu0okfHnh35ZhU526HWsmSrB0ct82M+WeovGfJ5TlHoQA2Gday3ObLc WsBT0x8/oNK40513pa1Jl5BFToQkeok8L44a1S4xiHvovT9sqKwhmNOQ93MuyrLU 8L56w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=EI5xFE/IDgCf2aRn0yy3iRuntbCrPl3Pc6eNcNBhi xc=; b=bqe+hITK7ZBtUksRsO7ZQn4J9zeAZxry/POmAK/vZNJEeLE1qVPwC/aLm gNj4bKBnIqhrJm/GrbhoN5LoIcTtOLtuXzPNPOIOf/vNPw2Bg3vCsFhGTQiQ+7Yo z2uwg0TxTHcYZ/GN6PRqtIxdlLwHexgiNBhrF7gUNyUPlZlIbzLnlA3+yLiQAErO EN96xtI2fSA4Epg8Im62qnFYqDqE9SqfgiEq1DSYYHEukums5OqeyZHEKddAQkg9 n5UJl1sSct4Fpa8zxCBKJykc1JiFgy8Npn//78X0nSa6jgcwrZxYTOJo1GAJQEn7 PmaRpsBiAUGbg9xec7Skf+1z4qwFQ==
X-ME-Sender: <xms:tcHUYTIq4XSopvFDCkYIOiwBRTO2Nk_nEJsV89pmgSXI8kK82u-4_g> <xme:tcHUYXL_1Zk8AiiLH5X-xrdBlOHMBlX43xrUH9nnoQScgtTLWjcZCGTddjiPjLpz2 ADnz3GqDypzy9o88w>
X-ME-Received: <xmr:tcHUYbuHFhQC8SkowB4NxXYoZMc88cjeoz0ADn7TsqV68b30ASJgIrRI1Fp6ohGYhXyAsa6E0n_TDVyvniCXLmksrq136H4iSQ9oIsg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrudeffedgudehgecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enfghrlhcuvffnffculddqiedmnecujfgurhepkfffgggfuffvfhfhjggtgfesthekredt tdefjeenucfhrhhomheprfgvthgvrhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvg hrsehsthhpvghtvghrrdhimheqnecuggftrfgrthhtvghrnhepleetteeliefgudeuhedu ieejvdegheeufeefkeffleetveeftedvueduffeigfeinecuffhomhgrihhnpegthigtlh honhgvugigrdhorhhgpdhnthhirgdrghhovhdpihgvthhfrdhorhhgnecuvehluhhsthgv rhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepshhtphgvthgvrhesshhtph gvthgvrhdrihhm
X-ME-Proxy: <xmx:tcHUYcY40Vpsq8cH0yZw_bDx95wzDbuSI6-opqEc2oz9FUig11SCFA> <xmx:tcHUYabU4upy3zaesZqEdvHWoUa3LxxV0_ZPP58NAQ4fSRP5lPElGw> <xmx:tcHUYQBLkEs2TosCHsm8qTFfNFjLt5X6Bjd9uAlQy0GzFXWM9BiGlA> <xmx:tsHUYdxWMPHWEMXmkx1Pr8POrCSdAxTH-qELC36XXpwBjemHgXbbng>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 4 Jan 2022 16:52:53 -0500 (EST)
Message-ID: <527b6c9f-3b80-848e-c479-55848c3dec6a@stpeter.im>
Date: Tue, 04 Jan 2022 14:52:48 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Content-Language: en-US
To: Patrick Dwyer <patrick.dwyer@owasp.org>
Cc: urn@ietf.org
References: <d3762641-86d3-8ac0-587d-8fb0c702c26e@owasp.org> <30b772a4-e339-613d-7cc3-fba9e6995f1b@stpeter.im> <CACjy5Zc=-5-0ufcP8O8xUDFSmq+DQcftf9fJ=fg90L=9=sDkaA@mail.gmail.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <CACjy5Zc=-5-0ufcP8O8xUDFSmq+DQcftf9fJ=fg90L=9=sDkaA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/HkALiHVpk_IQTxTcoleWH4cyXOs>
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 21:53:00 -0000

Ah, that makes sense. Thus you don't need to embed that information in a 
single f-component, which is good.

As far as I'm concerned, this registration can be accepted. Let's see 
what the other members of the review team have to say.

Peter

On 1/4/22 2:43 PM, Patrick Dwyer wrote:
> Hi Peter,
> 
> Excellent consideration. That is possible. Each component has an
> independent "BOM ref". So whether a component is within a bundled
> assembly, or part of a complex dependency graph, it can be directly
> referenced.
> 
> Regards,
> Pat
> 
> On Wed, Jan 5, 2022 at 7:18 AM Peter Saint-Andre <stpeter@stpeter.im> wrote:
>>
>> Hi Patrick,
>>
>> Thanks for posting this. In general it looks good to me.
>>
>> Out of curiosity, I have one question: do you have or need a way to
>> identify components of components? Would the f-component syntax limit
>> this ability?
>>
>> Peter
>>
>> On 12/31/21 11:39 PM, Patrick Dwyer wrote:
>>> Hi folks,
>>>
>>> Seeking your review on this URN namespace registration.
>>>
>>> Regards,
>>> Pat
>>>
>>> Namespace Identifier:  Requested of IANA - cdx
>>>
>>> Version:  1
>>>
>>> Date:  2022-01-01
>>>
>>> Registrant:
>>>
>>> Patrick Dwyer, on behalf of OWASP CycloneDX
>>> Email: patrick.dwyer@owasp.org
>>> Address:
>>> The OWASP Foundation Inc.
>>> 401 Edgewater Place, Suite 600
>>> Wakefield, MA 01880
>>>
>>> Purpose:
>>>
>>> CycloneDX is an open source software bill of materials OWASP standard.
>>> CycloneDX bill of materials documents (BOMs) are intended to be
>>> exchanged between different parties of the software supply chain.
>>>
>>> The “cdx” namespace is to be used as a means of persistently identifying
>>> CycloneDX BOMs.
>>>
>>> When creating a BOM that describes multiple components, a CycloneDX URN
>>> can be used to reference an upstream BOM for a component rather than
>>> embedding it inline. This may be a consideration for performance
>>> reasons. Especially in resource constrained environments such as
>>> embedded devices. But can also be used when a software supplier does not
>>> have authority to share upstream BOM content directly.
>>>
>>> CycloneDX also supports “BOM refs”. BOM refs are unique BOM scoped
>>> references to a particular element. A URN with an optional BOM ref
>>> f-component can be used to reference an element within another BOM.
>>>
>>> Referencing a specific element in a BOM is particularly relevant for use
>>> cases like describing known vulnerabilities in a component in the
>>> context of a particular assembled piece of software or embedded device.
>>>
>>> Syntax:
>>>
>>> The syntax for a CycloneDX URN namestring is defined using the Augmented
>>> Backus-Naur Form (ABNF) below. And uses “UUID” as defined in [RFC4122]
>>> and “fragment” as defined in [RFC3986].
>>>
>>>       namestring             = assigned-name [ "#" f-component ]
>>>       assigned-name          = "urn:cdx:" NSS
>>>       NSS                    = bom-serial-number-uuid "/" bom-version
>>>       bom-serial-number-uuid = UUID
>>>       bom-version            = 1*digit
>>>       f-component            = fragment
>>>
>>> Assignment:
>>>
>>> CycloneDX URNs are assigned in a decentralised way, using the BOM serial
>>> number. CycloneDX BOM serial numbers are unique to a specific BOM. And
>>> are version 4 UUID URNs as defined in [RFC4122].
>>>
>>> Security and Privacy:
>>>
>>> As CycloneDX URNs are based on UUIDs they have the same security
>>> considerations as UUID URNs as per [RFC4122].
>>>
>>> Additionally, there are no specification limitations on what information
>>> can be included in a “BOM ref”. When using BOM refs for f-components,
>>> consideration must be given to any restrictions imposed on sharing of
>>> information within a BOM. And what information may “leak” by including a
>>> BOM ref as an f-component in a CycloneDX URN.
>>>
>>> For producers of BOMs who have high confidentiality requirements it is
>>> recommended to use UUIDs for BOM refs.
>>>
>>> Interoperability:
>>>
>>> Although CycloneDX BOMs already use a UUID URN to identify a BOM this
>>> information isn’t sufficient when referencing a BOM.
>>>
>>> A particular BOM may be revised over time. Especially in the case of
>>> legacy software as mistakes and omissions are corrected. In this
>>> scenario the BOM serial number remains static and the version is
>>> incremented.
>>>
>>> It also isn’t sufficient for use cases that require referencing a
>>> specific component within a BOM.
>>>
>>> Resolution:
>>>
>>> No prescriptive resolution mechanisms are envisioned.
>>>
>>> Resolution mechanisms will be determined between parties in the software
>>> supply chain, or by organizations using CycloneDX BOMs internally.
>>>
>>> Documentation:
>>>
>>> Please note, this URL will be updated to reference the URN registration.
>>>
>>> https://cyclonedx.org/capabilities/rfc-tbd/
>>>
>>> Additional Information:
>>>
>>> More information about CycloneDX can be found on the project homepage at
>>> https://cyclonedx.org
>>>
>>> More general information about software bill of materials can be found
>>> at https://www.ntia.gov/sbom
>>>
>>>
>>> _______________________________________________
>>> urn mailing list
>>> urn@ietf.org
>>> https://www.ietf.org/mailman/listinfo/urn
>>

v2.23.0 | Report a Bug | By Email