Re: [urn] Namespace Identifier: Requested of IANA - cdx

Patrick Dwyer <patrick.dwyer@owasp.org> Tue, 01 February 2022 02:28 UTC

From: Patrick Dwyer <patrick.dwyer@owasp.org>
Date: Tue, 01 Feb 2022 12:27:42 +1000
Message-ID: <CACjy5ZdU=OpwNoLDmNh5jtZi2zJJHPHNHCBmEFStouRKpM8t0Q@mail.gmail.com>
To: urn@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/rUmAjRHZGygdeKUCYMz19WOafqk>
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx

Juha, thanks for more great feedback.

Apologies for taking so long to get this revision back to the group.

New version:

Namespace Identifier:  Requested of IANA - cdx

Version: 1

Date: 2022-01-01

Registrant: Patrick Dwyer, on behalf of the OWASP CycloneDX project.
Email: patrick.dwyer@owasp.org
Address:
The OWASP Foundation Inc.
401 Edgewater Place, Suite 600
Wakefield, MA 01880

Purpose:

CycloneDX is an OWASP standard for software bills of materials.
CycloneDX bill of materials documents (BOMs) are intended to be
exchanged between different parties in the software supply chain.

URNs in the "cdx" namespace are used as a means of persistently
identifying CycloneDX BOMs.

When creating a BOM, a CycloneDX URN can be used to reference an
upstream BOM for a component rather than embedding it inline. This may
be a consideration for performance reasons, especially in
resource-constrained environments such as embedded devices. It can also
be used when a software supplier does not have the authority to share
upstream BOM content directly.

CycloneDX also supports "BOM refs". A BOM ref is a reference to a
particular element within a BOM. A "cdx" URN with an f-component is a
BOM ref, with the f-component specifying the location of the element
within the BOM identified by the URN.

Syntax:

The syntax for a CycloneDX URN namestring is defined using the
Augmented Backus-Naur Form (ABNF) below. It uses "UUID" as defined in
[RFC4122] and "f-component" as defined in [RFC3986].

  namestring        = assigned-name [ "#" f-component ]
  assigned-name     = "urn:cdx:" NSS
  NSS               = bom-serial-number "/" bom-version
  bom-serial-number = UUID
  bom-version       = nonzero-digit *DIGIT ; an integer >= 1, no leading zeros
  nonzero-digit     = %x31-39 ; 1-9

Assignment:

CycloneDX URNs are assigned in a decentralised way, using the BOM
serial number. BOM serial numbers are version 4 UUIDs as defined in
[RFC4122]. Once assigned, BOM serial numbers are unique and
persistent.

Security and Privacy:

As CycloneDX URNs are based on UUIDs they have the same security
considerations as UUID URNs as per [RFC4122].

Additionally, there are no specification limitations beyond [RFC3986]
on what can be included in an f-component. Given that f-components may
be published in CycloneDX URNs, producers of BOMs should avoid using
any value on which there are sharing restrictions. For producers of
BOMs who have high confidentiality requirements, it is recommended to
use UUIDs for f-components.

Interoperability:

Although CycloneDX BOMs may use a UUID URN to identify a BOM via its
BOM serial number, the serial number isn’t sufficient when referencing
a BOM because a particular BOM may be revised over time. Even in the
case of legacy software that is not conceptualized as changing,
mistakes and omissions can be corrected over time causing changes in
the BOM. This is allowed for by successive "cdx" URNs in which the BOM
serial number is static and the version is incremented.


On Fri, Jan 21, 2022 at 12:35 PM Dale R. Worley <worley@ariadne.com> wrote:
>
> Patrick Dwyer <patrick.dwyer@owasp.org> writes:
> > Thanks for the great feedback Dale.
> >
> > Revised below:
> >
> > Namespace Identifier:  Requested of IANA - cdx
> >
> > Version:  1
> >
> > Date:  2022-01-01
> [...]
>
> That covers everything I thought was an issue.  It looks good to me.
>
> Dale
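As an added illustration, not part of the registration text or of the CycloneDX project's own code: a Python validator for the ABNF in the Syntax section above, enforcing the version 4 UUID rule from the Assignment section and flagging f-components that are not themselves UUIDs, as the Security and Privacy section recommends for confidential producers. The regex renderings of the RFC 4122 UUID and RFC 3986 fragment grammars and the sample URN values are my own construction.

```python
import re
import uuid

# Constructed regex forms of the grammars the registration relies on.
# bom-version = nonzero-digit *DIGIT  (so "01" and "0" are rejected)
_VERSION = r"[1-9][0-9]*"
# UUID text form per RFC 4122: 8-4-4-4-12 hexadecimal digits
_HEX = "[0-9A-Fa-f]"
_UUID = rf"{_HEX}{{8}}-{_HEX}{{4}}-{_HEX}{{4}}-{_HEX}{{4}}-{_HEX}{{12}}"
# fragment = *( pchar / "/" / "?" ) per RFC 3986, pchar including pct-encoded
_FRAGMENT = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*"

# namestring = "urn:cdx:" bom-serial-number "/" bom-version [ "#" f-component ]
# Scheme and NID are case-insensitive, hence re.IGNORECASE.
_CDX_URN = re.compile(
    rf"^urn:cdx:(?P<serial>{_UUID})/(?P<version>{_VERSION})"
    rf"(?:#(?P<fragment>{_FRAGMENT}))?$",
    re.IGNORECASE,
)


def parse_cdx_urn(namestring):
    """Return (serial_uuid, version, f_component) or raise ValueError.

    f_component is None when the namestring carries no "#" part.
    """
    m = _CDX_URN.match(namestring)
    if m is None:
        raise ValueError(f"not a well-formed cdx URN: {namestring!r}")
    serial = uuid.UUID(m.group("serial"))
    # Assignment section: BOM serial numbers are version 4 UUIDs.
    # uuid.UUID.version is None for non-RFC 4122 variants (e.g. the nil UUID).
    if serial.version != 4:
        raise ValueError(
            f"BOM serial number must be a version 4 UUID, got {serial.version}")
    return serial, int(m.group("version")), m.group("fragment")


def is_bom_ref(namestring):
    """A cdx URN with a non-empty f-component is a BOM ref."""
    return bool(parse_cdx_urn(namestring)[2])


def f_component_is_opaque(f_component):
    """True if the f-component is itself a UUID, i.e. reveals nothing about
    the referenced element (the recommendation for confidential producers)."""
    try:
        uuid.UUID(f_component)
    except (ValueError, TypeError):
        return False
    return True
```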