Re: [urn] Namespace Identifier: Requested of IANA - cdx

Patrick Dwyer <patrick.dwyer@owasp.org> Sat, 19 March 2022 13:26 UTC


Hi all,

Is there anything else I need to do to register this URN namespace?

Regards,
Pat

On Tue, Feb 1, 2022 at 9:29 PM Hakala, Juha E <juha.hakala@helsinki.fi> wrote:
>
> Hello Patrick,
>
> this looks fine; I approve the request.
>
> All the best,
>
> Juha
>
> -----Original message-----
> From: urn <urn-bounces@ietf.org> On behalf of Patrick Dwyer
> Sent: Tuesday 1 February 2022 4.28
> To: urn@ietf.org
> Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
>
> Juha, thanks for more great feedback.
>
> Apologies for taking so long to get this revision back to the group.
>
> New version:
>
> Namespace Identifier:  Requested of IANA - cdx
>
> Version: 1
>
> Date: 2022-01-01
>
> Registrant: Patrick Dwyer, on behalf of the OWASP CycloneDX project.
> Email: patrick.dwyer@owasp.org
> Address:
> The OWASP Foundation Inc.
> 401 Edgewater Place, Suite 600
> Wakefield, MA 01880
>
> Purpose:
>
> CycloneDX is a software bill of materials OWASP standard. CycloneDX bill of materials documents (BOMs) are intended to be exchanged between different parties of the software supply chain.
>
> URNs in the "cdx" namespace are used as a means of persistently identifying CycloneDX BOMs.
>
> When creating a BOM, a CycloneDX URN can be used to reference an upstream BOM for a component rather than embedding it inline. This may be a consideration for performance reasons, especially in resource-constrained environments such as embedded devices. It can also be used when a software supplier does not have authority to share upstream BOM content directly.
>
> CycloneDX also supports "BOM refs". A BOM ref is a reference to a particular element within a BOM. A "cdx" URN with an f-component is a BOM ref, with the f-component specifying the location of the element within the BOM identified by the URN.
>
> Syntax:
>
> The syntax for a CycloneDX URN namestring is defined using the Augmented Backus-Naur Form (ABNF) below. It uses "UUID" as defined in [RFC4122] and "f-component" as defined in [RFC3986].
>
>   namestring             = assigned-name [ "#" f-component ]
>   assigned-name          = "urn:cdx:" NSS
>   NSS                    = bom-serial-number "/" bom-version
>   bom-serial-number      = UUID
>   bom-version            = nonzero-digit *digit ; an integer >= 1
>   nonzero-digit          = %x31-39 ; 1-9
>
> Assignment:
>
> CycloneDX URNs are assigned in a decentralised way, using the BOM serial number. BOM serial numbers are version 4 UUIDs as defined in [RFC4122]. Once assigned, BOM serial numbers are unique and persistent.
>
> Security and Privacy:
>
> As CycloneDX URNs are based on UUIDs they have the same security considerations as UUID URNs as per [RFC4122].
>
> Additionally, there are no specification limitations beyond [RFC3986] on what can be included in an f-component. Given that f-components may be published in CycloneDX URNs, producers of BOMs should avoid using any value on which there are sharing restrictions. For producers of BOMs who have high confidentiality requirements, it is recommended to use UUIDs for f-components.
>
> Interoperability:
>
> Although CycloneDX BOMs may use a UUID URN to identify a BOM via its BOM serial number, the serial number isn’t sufficient when referencing a BOM because a particular BOM may be revised over time. Even in the case of legacy software that is not conceptualized as changing, mistakes and omissions can be corrected over time causing changes in the BOM. This is allowed for by successive "cdx" URNs in which the BOM serial number is static and the version is incremented.
>
>
> On Fri, Jan 21, 2022 at 12:35 PM Dale R. Worley <worley@ariadne.com> wrote:
> >
> > Patrick Dwyer <patrick.dwyer@owasp.org> writes:
> > > Thanks for the great feedback Dale.
> > >
> > > Revised below:
> > >
> > > Namespace Identifier:  Requested of IANA - cdx
> > >
> > > Version:  1
> > >
> > > Date:  2022-01-01
> > [...]
> >
> > That covers everything I thought was an issue.  It looks good to me.
> >
> > Dale
>
> _______________________________________________
> urn mailing list
> urn@ietf.org
> https://www.ietf.org/mailman/listinfo/urn
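Added example (not part of the thread or of the CycloneDX project's own code): a Python parser that validates a "cdx" namestring against the ABNF quoted above, applies the Assignment rule that the serial number is a version 4 UUID, builds the successive revision described under Interoperability, and flags whether a BOM ref's f-component is an opaque UUID as the Security and Privacy section recommends. The serial numbers and element names used here are constructed sample values; `next_revision` and `fragment_is_uuid` are hypothetical helpers, not registration terms.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3986 fragment = *( pchar / "/" / "?" ); pchar covers unreserved,
# pct-encoded, sub-delims, ":" and "@".
_FRAGMENT = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*"
_HEX = "[0-9A-Fa-f]"
_UUID = rf"{_HEX}{{8}}-{_HEX}{{4}}-{_HEX}{{4}}-{_HEX}{{4}}-{_HEX}{{12}}"
# namestring = "urn:cdx:" bom-serial-number "/" bom-version [ "#" f-component ]
_NAMESTRING = re.compile(
    rf"urn:cdx:(?P<serial>{_UUID})/(?P<version>[1-9][0-9]*)"
    rf"(?:#(?P<fragment>{_FRAGMENT}))?"
)


@dataclass(frozen=True)
class CdxUrn:
    serial: str               # BOM serial number (UUID, normalised to lower case)
    version: int              # BOM version, an integer >= 1
    fragment: Optional[str]   # f-component; present only for a BOM ref

    @property
    def is_bom_ref(self) -> bool:
        return self.fragment is not None


def parse_cdx_urn(text: str) -> CdxUrn:
    """Validate against the ABNF and the Assignment rule (version 4 UUID)."""
    m = _NAMESTRING.fullmatch(text)
    if not m:
        raise ValueError(f"not a valid urn:cdx namestring: {text!r}")
    serial = m.group("serial").lower()
    # RFC 4122: the version nibble is the first hex digit of the third group,
    # the variant bits (10xx) are the first hex digit of the fourth group.
    if serial[14] != "4" or serial[19] not in "89ab":
        raise ValueError(f"BOM serial number is not a version 4 UUID: {serial}")
    return CdxUrn(serial, int(m.group("version")), m.group("fragment"))


def next_revision(urn: CdxUrn) -> CdxUrn:
    """Successive revision of the same BOM: serial stays static, version increments."""
    return CdxUrn(urn.serial, urn.version + 1, None)


def fragment_is_uuid(urn: CdxUrn) -> bool:
    """True when a BOM ref uses an opaque UUID as its f-component, as the
    registration recommends for producers with confidentiality requirements."""
    return urn.fragment is not None and re.fullmatch(_UUID, urn.fragment) is not None
```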