draft-ietf-sacm-rolie-softwaredescriptor-00.txt | draft-ietf-sacm-rolie-softwaredescriptor-01.txt | |||
---|---|---|---|---|
SACM Working Group D. Waltermire | SACM Working Group D. Waltermire | |||
Internet-Draft S. Banghart | Internet-Draft S. Banghart | |||
Intended status: Informational National Institute of Standards and Technology | Intended status: Informational National Institute of Standards and Technology | |||
Expires: April 29, 2018 October 26, 2017 | Expires: September 6, 2018 March 5, 2018 | |||
Definition of the ROLIE Software Descriptor Extension | Definition of the ROLIE Software Descriptor Extension | |||
draft-ietf-sacm-rolie-softwaredescriptor-00 | draft-ietf-sacm-rolie-softwaredescriptor-01 | |||
Abstract | Abstract | |||
This document extends the Resource-Oriented Lightweight Information | This document extends the Resource-Oriented Lightweight Information | |||
Exchange (ROLIE) core to add the information type category and | Exchange (ROLIE) core to add the information type category and | |||
related requirements needed to support Software Record and Software | related requirements needed to support Software Record and Software | |||
Inventory use cases. The 'software-descriptor' information type is | Inventory use cases. The 'software-descriptor' information type is | |||
defined as a ROLIE extension. Additional supporting requirements are | defined as a ROLIE extension. Additional supporting requirements are | |||
also defined that describe the use of specific formats and link | also defined that describe the use of specific formats and link | |||
relations pertaining to the new information type. | relations pertaining to the new information type. | |||
skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on April 29, 2018. | This Internet-Draft will expire on September 6, 2018. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 29 ¶ | |||
6.1. urn:ietf:params:rolie:property:swd:id . . . . . . . . . . 6 | 6.1. urn:ietf:params:rolie:property:swd:id . . . . . . . . . . 6 | |||
6.2. urn:ietf:params:rolie:property:swd:swname . . . . . . . . 6 | 6.2. urn:ietf:params:rolie:property:swd:swname . . . . . . . . 6 | |||
7. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 6 | 7. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 6 | |||
8. Other Registered Extensions . . . . . . . . . . . . . . . . . 7 | 8. Other Registered Extensions . . . . . . . . . . . . . . . . . 7 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
9.1. software-descriptor information-type . . . . . . . . . . 7 | 9.1. software-descriptor information-type . . . . . . . . . . 7 | |||
9.2. swd:id property . . . . . . . . . . . . . . . . . . . . . 8 | 9.2. swd:id property . . . . . . . . . . . . . . . . . . . . . 8 | |||
9.3. swd:swname property . . . . . . . . . . . . . . . . . . . 8 | 9.3. swd:swname property . . . . . . . . . . . . . . . . . . . 8 | |||
10. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 | 11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
12. Normative References . . . . . . . . . . . . . . . . . . . . 9 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
12.1. Normative References . . . . . . . . . . . . . . . . . . 9 | ||||
12.2. Informative References . . . . . . . . . . . . . . . . . 9 | ||||
Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 9 | Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 9 | Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 9 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
1. Introduction | 1. Introduction | |||
This document defines an extension to the Resource-Oriented | This document defines an extension to the Resource-Oriented | |||
Lightweight Information Exchange (ROLIE) protocol to support the | Lightweight Information Exchange (ROLIE) [RFC8322] protocol to | |||
publication of software descriptor information. Software descriptor | support the publication of software descriptor information. Software | |||
information is information that characterizes: | descriptor information is information that characterizes: | |||
an installable software package, or | an installable software package, or | |||
information about static software components that may be installed | information about static software components that may be installed | |||
by a software package or patch. | by a software package or patch. | |||
Software descriptor information includes identifying, versioning, | Software descriptor information includes identifying, versioning, | |||
software creation and publication, and file artifact information. | software creation and publication, and file artifact information. | |||
Software descriptor information provides data about what might be | Software descriptor information provides data about what might be | |||
installed, but doesn't describe where or how a specific software | installed, but doesn't describe where or how a specific software | |||
skipping to change at page 5, line 38 ¶ | skipping to change at page 5, line 38 ¶ | |||
5.2.1. The ISO SWID 2016 format | 5.2.1. The ISO SWID 2016 format | |||
The ISO SWID Tag 2016 format is a software descriptor and software | The ISO SWID Tag 2016 format is a software descriptor and software | |||
record data format. It provides several tags: primary, which | record data format. It provides several tags: primary, which | |||
provides descriptive and naming information about software, patch, | provides descriptive and naming information about software, patch, | |||
which describes non-standalone software meant to patch existing | which describes non-standalone software meant to patch existing | |||
software, and corpus, which describes the software installation media | software, and corpus, which describes the software installation media | |||
that installs a given piece of software. | that installs a given piece of software. | |||
For a more complete overview as well as normative requirements, refer | For a more complete overview as well as normative requirements, refer | |||
to TODO(ref?):ISO/IEC 19770-2 | to ISO/IEC 19770-2 [SWID]. | |||
5.2.2. The Concise SWID format | 5.2.2. The Concise SWID format | |||
The Consise SWID format is an alternative representation of the ISO | The Concise SWID (COSWID) format is an alternative representation of | |||
SWID Tag 2016 format using a CBOR encoding defined by a CDDL | the ISO SWID Tag 2016 format using a CBOR encoding defined by a CDDL | |||
specification. It provides the same features and attributes as are | specification. It provides the same features and attributes as are | |||
specified in ISO 19770-2, plus: | specified in ISO 19770-2, plus: | |||
o a straight forward method to sign and encrypt SWID Tags using | o a straight forward method to sign and encrypt SWID Tags using | |||
COSE, and | COSE, and | |||
o additional attributes that provide an improved structure to | o additional attributes that provide an improved structure to | |||
include file hashes intended to be used as Reference Integrity | include file hashes intended to be used as Reference Integrity | |||
Measurements (RIM). | Measurements (RIM). | |||
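As an added illustration of the Reference Integrity Measurement use mentioned above (example code written for this page, not taken from the draft, from ISO 19770-2 or from the COSWID specification): the descriptor below is a constructed, simplified dict standing in for the file-hash payload a SWID or COSWID tag can carry, and the file names, file contents and function names are assumptions. The code builds the reference measurements from known-good files (the publisher's side), verifies an installation against them (the consumer's side), and then shows a same-length tamper that only the digest catches alongside a removed file.

```python
"""Reference Integrity Measurement (RIM) check against a software descriptor.

Added example, not code from the ROLIE draft or the SWID/COSWID specifications.
The descriptor is a constructed stand-in for a tag's file-hash payload: a dict
keyed by relative path with the expected size and SHA-256 digest. Real tags
carry this in their own schema (XML for ISO SWID, CBOR for COSWID); the
checking logic is the same.
"""
import hashlib
import os
import tempfile

# Constructed sample payload: two files the package is expected to install.
SAMPLE_FILES = {
    "bin/acme-agent": b"#!/bin/sh\necho acme agent 2.1.0\n",
    "etc/acme/agent.conf": b"listen = 127.0.0.1:9000\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_descriptor(files: dict) -> dict:
    """Publisher side: derive the RIM payload from known-good file contents."""
    return {
        path: {"size": len(content), "sha256": sha256_hex(content)}
        for path, content in files.items()
    }


def measure_file(path: str) -> dict:
    """Hash a file in chunks so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": h.hexdigest()}


def verify_installation(root: str, descriptor: dict) -> dict:
    """Consumer side: compare each installed file with its reference measurement.

    Returns {"ok": [...], "missing": [...], "modified": [...]}. A file is
    "modified" when its size or digest differs from the reference; the size is
    compared first because it is cheap, but a size match alone never counts as
    success, since a same-length edit leaves the size unchanged.
    """
    result = {"ok": [], "missing": [], "modified": []}
    for rel, ref in descriptor.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            result["missing"].append(rel)
            continue
        actual = measure_file(full)
        if actual["size"] != ref["size"] or actual["sha256"] != ref["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> tuple:
    """Install the sample files, verify, then tamper and re-verify."""
    descriptor = build_descriptor(SAMPLE_FILES)
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        clean = verify_installation(root, descriptor)
        # Same-length tamper ("echo" -> "exec"): size still matches, digest does not.
        with open(os.path.join(root, "bin", "acme-agent"), "wb") as f:
            f.write(SAMPLE_FILES["bin/acme-agent"].replace(b"echo", b"exec"))
        os.remove(os.path.join(root, "etc", "acme", "agent.conf"))
        tampered = verify_installation(root, descriptor)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The hashes are only as trustworthy as the descriptor that carries them: a consumer has to verify the tag's own signature (the COSE signing that COSWID adds) before using its digests as reference values, otherwise whoever can alter the tag can also alter what "correct" looks like.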
skipping to change at page 9, line 17 ¶ | skipping to change at page 9, line 17 ¶ | |||
information for low fault tolerance comparisons and searches, care | information for low fault tolerance comparisons and searches, care | |||
should be taken that the correct version scheme is being utilized. | should be taken that the correct version scheme is being utilized. | |||
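The version-scheme point above, as an added example that is not part of the draft: three small comparators whose scheme names follow the versionScheme vocabulary of ISO SWID tags, but whose parsing rules, function names (`compare`, `is_affected`) and sample version strings are this example's own assumptions. It shows that the same two strings order differently depending on the scheme, which is exactly the failure mode when a fixed-version check for vulnerability matching runs under the wrong one.

```python
"""Comparing software versions under an explicit version scheme.

Added example, not code from the draft. The scheme names follow the
versionScheme vocabulary of ISO SWID tags ("multipartnumeric",
"alphanumeric", "semver"); the parsing rules are a simplification written
for this example and the sample versions are constructed.
"""
import re


def key_multipartnumeric(v: str) -> tuple:
    """Dotted integers compared numerically; trailing zeros are insignificant
    so that 1.2 and 1.2.0 compare equal."""
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a multipartnumeric version: {v!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def key_alphanumeric(v: str) -> tuple:
    """Plain lexical comparison: right for some vendor schemes, wrong for
    dotted numerics, where "1.10" sorts before "1.9"."""
    return (v,)


_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def _semver_ident(p: str) -> tuple:
    # Numeric pre-release identifiers compare numerically and sort before
    # alphanumeric ones; build metadata after '+' is ignored entirely.
    return (0, int(p)) if p.isdigit() else (1, p)


def key_semver(v: str) -> tuple:
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    major, minor, patch, pre = m.groups()
    # A release sorts after every pre-release of the same core version.
    pre_key = (1,) if pre is None else (
        0, tuple(_semver_ident(p) for p in pre.split(".")))
    return (int(major), int(minor), int(patch), pre_key)


SCHEMES = {
    "multipartnumeric": key_multipartnumeric,
    "alphanumeric": key_alphanumeric,
    "semver": key_semver,
}


def compare(a: str, b: str, scheme: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under the named scheme."""
    key = SCHEMES[scheme]
    ka, kb = key(a), key(b)
    return (ka > kb) - (ka < kb)


def is_affected(installed: str, fixed_in: str, scheme: str) -> bool:
    """Vulnerability-matching style check: the installed version predates the fix."""
    return compare(installed, fixed_in, scheme) < 0


def demo() -> dict:
    """Same strings, different answers depending on the scheme."""
    return {
        "1.10.0 vs 1.9.0 multipartnumeric": compare("1.10.0", "1.9.0", "multipartnumeric"),
        "1.10.0 vs 1.9.0 alphanumeric": compare("1.10.0", "1.9.0", "alphanumeric"),
        "1.2 vs 1.2.0 multipartnumeric": compare("1.2", "1.2.0", "multipartnumeric"),
        "2.0.0-rc.1 vs 2.0.0 semver": compare("2.0.0-rc.1", "2.0.0", "semver"),
        "2.0.0-rc.2 vs 2.0.0-rc.10 semver": compare("2.0.0-rc.2", "2.0.0-rc.10", "semver"),
        # Under the wrong scheme 1.10.0 looks vulnerable although it carries the fix.
        "affected? wrong scheme": is_affected("1.10.0", "1.9.3", "alphanumeric"),
        "affected? right scheme": is_affected("1.10.0", "1.9.3", "multipartnumeric"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical rule is to take the scheme from the descriptor rather than guessing it from the string, and to treat a parse failure under the declared scheme as an error to surface, not as a reason to fall back to lexical comparison.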
11. Privacy Considerations | 11. Privacy Considerations | |||
This extension does not introduce any privacy considerations above or | This extension does not introduce any privacy considerations above or | |||
beyond that of the core ROLIE document. Any implementations using | beyond that of the core ROLIE document. Any implementations using | |||
this extension should understand the privacy considerations of ROLIE | this extension should understand the privacy considerations of ROLIE | |||
and the Atom Publishing Protocol. | and the Atom Publishing Protocol. | |||
12. Normative References | 12. References | |||
12.1. Normative References | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | |||
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | |||
<https://www.rfc-editor.org/info/rfc4949>. | <https://www.rfc-editor.org/info/rfc4949>. | |||
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident | [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident | |||
Object Description Exchange Format", RFC 5070, | Object Description Exchange Format", RFC 5070, | |||
DOI 10.17487/RFC5070, December 2007, | DOI 10.17487/RFC5070, December 2007, | |||
<https://www.rfc-editor.org/info/rfc5070>. | <https://www.rfc-editor.org/info/rfc5070>. | |||
[RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource- | ||||
Oriented Lightweight Information Exchange (ROLIE)", | ||||
RFC 8322, DOI 10.17487/RFC8322, February 2018, | ||||
<https://www.rfc-editor.org/info/rfc8322>. | ||||
12.2. Informative References | ||||
[SWID] ISO, "ISO/IEC 19770-2:2015". | ||||
Appendix A. Schema | Appendix A. Schema | |||
This document does not require any schema extensions. | This document does not require any schema extensions. | |||
Appendix B. Examples of Use | Appendix B. Examples of Use | |||
Use of this extension in a ROLIE repository will not typically change | Use of this extension in a ROLIE repository will not typically change | |||
that repository's operation. As such, the general examples provided | that repository's operation. As such, the general examples provided | |||
by the ROLIE core document would serve as examples. Provided below | by the ROLIE core document would serve as examples. Provided below | |||
is a sample SWD ROLIE entry: | is a sample SWD ROLIE entry: | |||
End of changes. 10 change blocks. | ||||
12 lines changed or deleted | 25 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |