Re: [urn] Namespace Identifier: Requested of IANA - cdx

Peter Saint-Andre <stpeter@stpeter.im> Sat, 19 March 2022 21:37 UTC

Message-ID: <ebd5107b-d2bd-e5b0-6452-5e0f8a2e258d@stpeter.im>
Date: Sat, 19 Mar 2022 15:36:54 -0600
To: Patrick Dwyer <patrick.dwyer@owasp.org>, urn@ietf.org
References: <CACjy5ZfuG8yARFdboBOq0QrVhEWtGL+2UAuypjeP9xhUjXNEyA@mail.gmail.com> <87tudxg6ju.fsf@hobgoblin.ariadne.com> <CACjy5ZdU=OpwNoLDmNh5jtZi2zJJHPHNHCBmEFStouRKpM8t0Q@mail.gmail.com> <HE1PR07MB31961709C292E18F3D3D703FFA269@HE1PR07MB3196.eurprd07.prod.outlook.com> <CACjy5ZfN2cSHwtDT_E8DLhPSbrycGKEHK_L2GpXJ6=5eHn9apg@mail.gmail.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <CACjy5ZfN2cSHwtDT_E8DLhPSbrycGKEHK_L2GpXJ6=5eHn9apg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/h2CBqYMh4iWy1L0Tuprc9IkuuhE>
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>

Hi Pat,

Your latest iteration looks good to me (and Dale and Juha), so I think 
we're ready to proceed. I will follow up with IANA and report back.

Peter

On 3/19/22 7:26 AM, Patrick Dwyer wrote:
> Hi all,
> 
> Is there anything else I need to do to register this URN namespace?
> 
> Regards,
> Pat
> 
> On Tue, Feb 1, 2022 at 9:29 PM Hakala, Juha E <juha.hakala@helsinki.fi> wrote:
>>
>> Hello Patrick,
>>
>> this looks fine; I approve the request.
>>
>> All the best,
>>
>> Juha
>>
>> -----Original Message-----
>> From: urn <urn-bounces@ietf.org> On Behalf Of Patrick Dwyer
>> Sent: Tuesday, 1 February 2022 4:28
>> To: urn@ietf.org
>> Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
>>
>> Juha, thanks for more great feedback.
>>
>> Apologies for taking so long to get this revision back to the group.
>>
>> New version:
>>
>> Namespace Identifier:  Requested of IANA - cdx
>>
>> Version: 1
>>
>> Date: 2022-01-01
>>
>> Registrant: Patrick Dwyer, on behalf of the OWASP CycloneDX project.
>> Email: patrick.dwyer@owasp.org
>> Address:
>> The OWASP Foundation Inc.
>> 401 Edgewater Place, Suite 600
>> Wakefield, MA 01880
>>
>> Purpose:
>>
>> CycloneDX is a software bill of materials OWASP standard. CycloneDX bill of materials documents (BOMs) are intended to be exchanged between different parties of the software supply chain.
>>
>> URNs in the "cdx" namespace are used as a means of persistently identifying CycloneDX BOMs.
>>
>> When creating a BOM, a CycloneDX URN can be used to reference an upstream BOM for a component rather than embedding it inline. This may be a consideration for performance reasons, especially in resource-constrained environments such as embedded devices. It can also be used when a software supplier does not have authority to share upstream BOM content directly.
>>
>> CycloneDX also supports "BOM refs". A BOM ref is a reference to a particular element within a BOM. A "cdx" URN with an f-component is a BOM ref, with the f-component specifying the location of the element within the BOM identified by the URN.
>>
>> Syntax:
>>
>> The syntax for a CycloneDX URN namestring is defined using the Augmented Backus-Naur Form (ABNF) below. It uses "UUID" as defined in [RFC4122] and "f-component" as defined in [RFC3986].
>>
>>    namestring        = assigned-name [ "#" f-component ]
>>    assigned-name     = "urn:cdx:" NSS
>>    NSS               = bom-serial-number "/" bom-version
>>    bom-serial-number = UUID
>>    bom-version       = nonzero-digit *DIGIT ; an integer >= 1
>>    nonzero-digit     = %x31-39 ; 1-9
>>
>> Assignment:
>>
>> CycloneDX URNs are assigned in a decentralised way, using the BOM serial number. BOM serial numbers are version 4 UUIDs as defined in [RFC4122]. Once assigned, BOM serial numbers are unique and persistent.
>>
>> Security and Privacy:
>>
>> As CycloneDX URNs are based on UUIDs they have the same security considerations as UUID URNs as per [RFC4122].
>>
>> Additionally, there are no specification limitations beyond [RFC3986] on what can be included in an f-component. Given that f-components may be published in CycloneDX URNs, producers of BOMs should avoid using any value on which there are sharing restrictions. For producers of BOMs who have high confidentiality requirements, it is recommended to use UUIDs for f-components.
>>
>> Interoperability:
>>
>> Although CycloneDX BOMs may use a UUID URN to identify a BOM via its BOM serial number, the serial number isn’t sufficient when referencing a BOM because a particular BOM may be revised over time. Even in the case of legacy software that is not conceptualized as changing, mistakes and omissions can be corrected over time causing changes in the BOM. This is allowed for by successive "cdx" URNs in which the BOM serial number is static and the version is incremented.
>>
>>
>> On Fri, Jan 21, 2022 at 12:35 PM Dale R. Worley <worley@ariadne.com> wrote:
>>>
>>> Patrick Dwyer <patrick.dwyer@owasp.org> writes:
>>>> Thanks for the great feedback Dale.
>>>>
>>>> Revised below:
>>>>
>>>> Namespace Identifier:  Requested of IANA - cdx
>>>>
>>>> Version:  1
>>>>
>>>> Date:  2022-01-01
>>> [...]
>>>
>>> That covers everything I thought was an issue.  It looks good to me.
>>>
>>> Dale
>>
>> _______________________________________________
>> urn mailing list
>> urn@ietf.org
>> https://www.ietf.org/mailman/listinfo/urn
> 
> _______________________________________________
> urn mailing list
> urn@ietf.org
> https://www.ietf.org/mailman/listinfo/urn
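The registration text quoted above gives the "cdx" syntax as ABNF, the assignment rule (BOM serial numbers are RFC 4122 version 4 UUIDs), the interoperability rule (a revised BOM keeps its serial number and increments the version) and the security caveat that an f-component is published with the URN, so an opaque UUID is the safe choice. The following Python validator is an added example for this thread, not code from the registration request or from the CycloneDX project; it ties those four points together so a BOM consumer can reject malformed or non-v4 references before resolving them. The sample UUIDs and bom-ref values in it are constructed for illustration.

```python
"""Validator for CycloneDX "cdx" URN namestrings.

Added example for this thread; not code from the registration request or
from the CycloneDX project. Implements the ABNF quoted in the thread
(urn:cdx:<bom-serial-number>/<bom-version> with an optional "#" f-component)
plus the Assignment rule (serial number is an RFC 4122 v4 UUID) and the
Interoperability rule (same serial number, higher version = revision).
All sample values are constructed for illustration.
"""
import re
import uuid
from dataclasses import dataclass
from typing import Optional

_UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# assigned-name = "urn:cdx:" NSS ; NSS = bom-serial-number "/" bom-version
# bom-version   = nonzero-digit *DIGIT  (an integer >= 1: rejects "0" and "01")
# ABNF string literals and the URN scheme/NID are case-insensitive
# (RFC 5234, RFC 8141), hence re.IGNORECASE; digits are unaffected by it.
_ASSIGNED_NAME_RE = re.compile(
    rf"^urn:cdx:(?P<serial>{_UUID})/(?P<version>[1-9][0-9]*)$", re.IGNORECASE
)
# f-component = fragment = *( pchar / "/" / "?" )   (RFC 3986)
_F_COMPONENT_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")
_UUID_RE = re.compile(rf"^{_UUID}$")


@dataclass(frozen=True)
class CdxUrn:
    serial_number: uuid.UUID    # identifies the BOM series; stable across revisions
    version: int                # revision of that BOM, >= 1
    f_component: Optional[str]  # present => this namestring is a BOM ref

    def canonical(self) -> str:
        """Lowercase hex and no leading zeros, suitable as a lookup key."""
        s = f"urn:cdx:{self.serial_number}/{self.version}"
        return s if self.f_component is None else f"{s}#{self.f_component}"

    def is_revision_of(self, earlier: "CdxUrn") -> bool:
        """Same BOM serial number with a strictly higher version."""
        return self.serial_number == earlier.serial_number and self.version > earlier.version


def parse_cdx_urn(namestring: str, require_v4: bool = True) -> CdxUrn:
    """Parse a cdx namestring; raise ValueError on any syntax or assignment violation."""
    assigned_name, sep, fragment = namestring.partition("#")
    m = _ASSIGNED_NAME_RE.match(assigned_name)
    if not m:
        raise ValueError(f"not a cdx assigned-name: {assigned_name!r}")
    serial = uuid.UUID(m.group("serial"))
    # uuid.UUID.version is None unless the variant is the RFC 4122 one, so this
    # rejects the nil UUID and NCS/Microsoft-variant values as well as v1/v3/v5.
    if require_v4 and serial.version != 4:
        raise ValueError(f"BOM serial number must be a version 4 UUID, got {serial.version}")
    f_component = None
    if sep:
        if not _F_COMPONENT_RE.match(fragment):
            raise ValueError(f"f-component is not a valid RFC 3986 fragment: {fragment!r}")
        f_component = fragment
    return CdxUrn(serial, int(m.group("version")), f_component)


def is_valid_cdx_urn(namestring: str) -> bool:
    """Boolean form of parse_cdx_urn for filtering untrusted input."""
    try:
        parse_cdx_urn(namestring)
        return True
    except ValueError:
        return False


def f_component_is_uuid(urn: CdxUrn) -> bool:
    """True when the BOM ref target is an opaque UUID rather than a descriptive name."""
    return urn.f_component is not None and _UUID_RE.match(urn.f_component) is not None


if __name__ == "__main__":
    series = "3e671687-395b-41f5-a30f-a58921a69b79"  # constructed v4 UUID
    v1 = parse_cdx_urn(f"urn:cdx:{series}/1")
    v2 = parse_cdx_urn(f"URN:CDX:{series.upper()}/2#pkg:maven/org.example/lib@1.0")
    print(v2.canonical(), v2.is_revision_of(v1), f_component_is_uuid(v2))
    for bad in (f"urn:cdx:{series}/0", f"urn:cdx:{series}/01",
                "urn:cdx:00000000-0000-0000-0000-000000000000/1",
                f"urn:cdx:{series}/1#a b"):
        print(bad, is_valid_cdx_urn(bad))
```

`f_component_is_uuid` is a policy hook rather than a validity check: a descriptive bom-ref such as a package URL is legal, but a consumer that republishes references (for example into a public vulnerability feed) can use it to flag BOM refs that leak naming from the producer's BOM.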