--- 1/draft-ietf-sacm-rolie-softwaredescriptor-01.txt 2018-03-22 03:13:08.610752408 -0700 +++ 2/draft-ietf-sacm-rolie-softwaredescriptor-02.txt 2018-03-22 03:13:08.638753081 -0700 @@ -1,18 +1,18 @@ SACM Working Group D. Waltermire Internet-Draft S. Banghart Intended status: InformationalNational Institute of Standards and Techno -Expires: September 6, 2018 March 5, 2018 +Expires: September 22, 2018 March 21, 2018 Definition of the ROLIE Software Descriptor Extension - draft-ietf-sacm-rolie-softwaredescriptor-01 + draft-ietf-sacm-rolie-softwaredescriptor-02 Abstract This document extends the Resource-Oriented Lightweight Information Exchange (ROLIE) core to add the information type category and related requirements needed to support Software Record and Software Inventory use cases. The 'software-descriptor' information type is defined as a ROLIE extension. Additional supporting requirements are also defined that describe the use of specific formats and link relations pertaining to the new information type. @@ -25,65 +25,66 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 6, 2018. + This Internet-Draft will expire on September 22, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3. Additional Requirements for the Atom Publishing Protocol . . 3 - 4. Additonal Requirements for the Atom Syndication Format . . . 4 - 5. Information-type Extensions . . . . . . . . . . . . . . . . . 4 - 5.1. The "software-descriptor" information type . . . . . . . 4 - 5.2. Use of the rolie:format element . . . . . . . . . . . . . 5 - 5.2.1. The ISO SWID 2016 format . . . . . . . . . . . . . . 5 - 5.2.2. The Concise SWID format . . . . . . . . . . . . . . . 5 - 6. rolie:property Extensions . . . . . . . . . . . . . . . . . . 6 - 6.1. urn:ietf:params:rolie:property:swd:id . . . . . . . . . . 6 - 6.2. urn:ietf:params:rolie:property:swd:swname . . . . . . . . 6 - 7. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 6 - 8. Other Registered Extensions . . . . . . . . . . . . . . . . . 7 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 - 9.1. software-descriptor information-type . . . . . . . . . . 7 - 9.2. swd:id property . . . . . . . . . . . . . . . . . . . . . 8 - 9.3. swd:swname property . . . . . . . . . . . . . . . . . . . 8 - 10. Security Considerations . . . . . . . . . . . . . . . . . . . 8 - 11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 - 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 12.1. Normative References . . . . . . . . . . . . . . . . . . 9 - 12.2. Informative References . . . . . . . . . . . . . . . . . 9 - Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 9 - Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 9 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 + 3. Information-type Extensions . . . . . . . . . . . . . . . . . 3 + 3.1. The "software-descriptor" information type . . . . . . . 4 + 4. rolie:property Extensions . . . . . . . . . . . . . . . . . . 5 + 4.1. urn:ietf:params:rolie:property:swd:id . . . . . . . . . . 5 + 4.2. urn:ietf:params:rolie:property:swd:swname . . . . . . . . 5 + 5. Use of the rolie:format element . . . . . . . . . . . . . . . 5 + 5.1. The ISO SWID 2015 format . . . . . . . . . . . . . . . . 5 + 5.1.1. Description . . . . . . . . . . . . . . . . . . . . . 5 + 5.1.2. Requirements . . . . . . . . . . . . . . . . . . . . 6 + 5.2. The Concise SWID format . . . . . . . . . . . . . . . . . 6 + 5.2.1. Description . . . . . . . . . . . . . . . . . . . . . 7 + 5.2.2. Requirements . . . . . . . . . . . . . . . . . . . . 7 + 6. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 8 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 + 7.1. Media Type Registrations . . . . . . . . . . . . . . . . 8 + 7.1.1. ISO SWID . . . . . . . . . . . . . . . . . . . . . . 8 + 7.2. software-descriptor information-type . . . . . . . . . . 9 + 7.3. swd:id property . . . . . . . . . . . . . . . . . . . . . 10 + 7.4. swd:swname property . . . . . . . . . . . . . . . . . . . 10 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 + 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11 + 10. Normative References . . . . . . . . . . . . . . . . . . . . 11 + Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 12 + Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 12 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction This document defines an extension to the Resource-Oriented Lightweight Information Exchange (ROLIE) [RFC8322] protocol to support the publication of software descriptor information. Software descriptor information is information that characterizes: an installable software package, or @@ -113,75 +114,64 @@ o End user organizations can consume sources of software descriptor information, and other related software vulnerability and configuration information to provide the data needed to automate software asset, patch, and configuration management practices. o Organizations can use software descriptors to support verification of other entities, thru mechanisms such as RIM or other integrity measurements. This document supports these use cases by describing the content - requirements for Collections of software descriptor information that - are to be published to or retrieved from a ROLIE repository. This - document also discusses requirements around the use of link - relationships and describing the data model formats used in a ROLIE - Entry describing a software descriptor information resource. + requirements for Collections and Entries of software descriptor + information that are to be published to or retrieved from a ROLIE + repository. This document also discusses requirements around the use + of atom:link and rolie:format. 2. Terminology The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [RFC5070]. -3. Additional Requirements for the Atom Publishing Protocol - - This document does not specify any additional requirements for use of - the Atom Publishing Protocol. - -4. Additonal Requirements for the Atom Syndication Format - - This document does not specify any additional requirements on the - Atom Syndication Format. - -5. Information-type Extensions +3. Information-type Extensions This document defines the following information type[s]: -5.1. The "software-descriptor" information type +3.1. The "software-descriptor" information type The "software-descriptor" information type represents any information that describes a piece of software. This document uses the definition of software provided by [RFC4949]. Note that as per this definition, this information type pertains to static software, that is, code on the disc. The software-descriptor information type is intended to provide a category for information that does one or more of the following: - identifies and characterizes software This software identification + identifies and characterizes software: This software identification and characterization information can be provided by a large variety of data, but always describes software in a pre-installed state. - provides software installer metadata This represents information + provides software installer metadata: This represents information about software used to install other software. This metadata identifies, and characterizes a software installation package or media. - describes stateless installation metadata Information that describes - the software post-deployment, such as files that may be deployed - during an installation. It is expected that this metadata is - produced generally for a given installation, and may not exactly - match the actual installed files on a given endpoint. + describes stateless installation metadata: Information that + describes the software post-deployment, such as files that may be + deployed during an installation. It is expected that this + metadata is produced generally for a given installation, and may + not exactly match the actual installed files on a given endpoint. Provided below is a non-exhaustive list of information that may be considered to be of a software-descriptor information type. o Naming information: IDs and names that aid in the identification of a piece of software o Version and patching information: Version numbers, patch identifiers, or other information that @@ -198,156 +188,283 @@ environments, target OSes, intended purpose or audience, etc. Note again that this list is not exhaustive, any information that in is the abstract realm of an incident should be classified under this information-type. This information type does not include descriptions of running software, or state and configuration information that is associated with a software installation. -5.2. Use of the rolie:format element +4. rolie:property Extensions - This document does not contain any additional requirements for the - rolie:format element, the formats that follow are provided as - examples of formats that describe the software descriptor information - type. + This document registers new valid rolie:property names as follows: -5.2.1. The ISO SWID 2016 format +4.1. urn:ietf:params:rolie:property:swd:id - The ISO SWID Tag 2016 format is a software descriptor and software - record data format. It provides several tags: primary, which - provides descriptive and naming information about software, patch, - which describes non-standalone software meant to patch existing - software, and corpus, which describes the software installation media - that installs a given piece of software. + This property provides an exposure point for an identification field + from the associated software descriptor. The value of this property + SHOULD be uniquely identifying information generated from the + software descriptor linked to by the entry's atom:content element. + swd:id property values SHOULD have a one-to-one mapping to individual + pieces of SWD content. + +4.2. urn:ietf:params:rolie:property:swd:swname + + This property provides an exposure point for the plain text name of + the software being described. Due to the great variance in naming + schemes, this property should be considered informative. + +5. Use of the rolie:format element + + This section defines usage guidance and additional requirements on + the rolie:format element above and beyond those specified in RFC8322. + The following formats are expected to be commonly used to express + software descriptor information. For this reason, this document + specifies additional requirements to ensure interoperability. + +5.1. The ISO SWID 2015 format + +5.1.1. Description + + ISO/IEC 19770-2:2015 defines a software record data format refered to + as a "SWID Tag". It provides several tag types: + + o primary: provides descriptive and naming information about + software, + + o patch: describes non-standalone software meant to patch existing + software, + + o corpus:describes the software installation media that installs a + given piece of software, + + o supplemental: provides additional metadata to be deployed + alongside a tag. For a more complete overview as well as normative requirements, refer - to :ISO/IEC 19770-2 [SWID] + to ISO/IEC 19770-2:2015 [SWID]. -5.2.2. The Concise SWID format + For additional requirements and guidance around creation of SWID + Tags, consult NIST Internal Report 8060 [NISTIR8060]. + +5.1.2. Requirements + + For an Entry to be considered as a "SWID Tag Entry", it MUST fulfill + the following conditions: + + o The information type of the Entry is "software-descriptor". For a + typical Entry, this is derived from the information type of the + Feed it is contained in. For a standalone Entry, this is provided + by an atom:category element. + + o The document linked to by the "href" attribute of the atom:content + element is a SWID Tag as per ISO/IEC 19770-2:2015. + + A "SWID Tag Entry" MUST conform to the following requirements: + + o The value of the "type" attribute of the atom:content element MUST + be "application/swid2015+xml". + + o There MUST be one rolie:property with the "name" attribute equal + to "urn:ietf:params:rolie:property:swd:id" and the "value" + attribute exactly equal to the "" element in the attached + SWID Tag. This allows for ROLIE consumers to more easily search + for SWID tags without needing to download the tag itself. + + o There MUST be one rolie:property with the "name" attribute equal + to "urn:ietf:params:rolie:property:swd:swname", and the "value" + attribute equal to the value of the "" element in the + attached SWID Tag. As above, this field aids ROLIE consumers in + search and filtering Entries. + +5.2. The Concise SWID format +5.2.1. Description The Concise SWID (COSWID) format is an alternative representation of - the ISO SWID Tag 2016 format using a CBOR encoding defined by a CDDL - specification. It provides the same features and attributes as are - specified in ISO 19770-2, plus: + the SWID Tag format using a Concise Binary Object Representation + (CBOR) encoding. This provides the format with a reduced size that + is more sutiable for constrained devices. It provides the same + features and attributes as are specified in ISO 19770-2:2015, plus: - o a straight forward method to sign and encrypt SWID Tags using - COSE, and + o a straight forward method to sign and encrypt using COSE, and o additional attributes that provide an improved structure to include file hashes intended to be used as Reference Integrity Measurements (RIM). -6. rolie:property Extensions + For more information and the complete specification, refer to the + COSWID internet draft [I-D.ietf-sacm-coswid]. - This document registers new valid rolie:property names as follows: +5.2.2. Requirements -6.1. urn:ietf:params:rolie:property:swd:id + For an Entry to be considered as a "COSWID Tag Entry", it MUST + fulfill the following conditions: - This property provides an exposure point for an identification field - from the associated software descriptor. The value of this property - SHOULD be uniquely identifying information generated from the - software descriptor linked to by the entry's atom:content element. - swd:id property values SHOULD have a one-to-one mapping to individual - pieces of SWD content. + o The information type of the Entry is "software-descriptor". For a + typical Entry, this is derived from the information type of the + Feed it is contained in. For a standalone Entry, this is provided + by an atom:category element. -6.2. urn:ietf:params:rolie:property:swd:swname + o The document linked to by the "href" attribute of the atom:content + element is a COSWID Tag as per [I-D.ietf-sacm-coswid] - This property provides an exposure point for the plain text name of - the software being described. Due to the great variance in naming - schemes, this property should be considered informative. + A "COSWID Tag Entry" MUST conform to the following requirements: -7. atom:link Extensions + o The value of the "type" attribute of the atom:content element MUST + be "application/coswid+cbor". - This section defines the requirements around the implementation of - link relationships in the atom:link element in Entries. Each - relationship is named, described, and given a requirement level. + o There MUST be one rolie:property with the "name" attribute equal + to "urn:ietf:params:rolie:property:swd:id" and the "value" + attribute exactly equal to the "tag-id" element in the attached + COSWID Tag. This allows for ROLIE consumers to more easily search + for COSWID tags without needing to download the tag itself. - +--------------------+--------------------------------+-------------+ - | Name | Description | Conformance | - +--------------------+--------------------------------+-------------+ - | ancestor | Links to a software descriptor | MAY | - | | resource that defines an | | - | | ancestor of the software being | | - | | described by this Entry. | | - | patches | Links to a software descriptor | MAY | - | | resource that defines the | | - | | software being patched by this | | - | | software | | - | requires | Links to a software descriptor | MAY | - | | resource that defines a piece | | - | | of software required for this | | - | | software to function properly. | | - | installs | Links to a software descriptor | MAY | - | | resource that defines the | | - | | software being installed by | | - | | this software. | | - | installationrecord | Provides a link to a resource | MAY | - | | that describes an installation | | - | | of this software. | | - +--------------------+--------------------------------+-------------+ + o There MUST be one rolie:property with the "name" attribute equal + to "urn:ietf:params:rolie:property:swd:swname", and the "value" + attribute equal to the value of the "swid-name" element in the + attached COSWID Tag. As above, this field aids ROLIE consumers in + searching and filtering Entries. + +6. atom:link Extensions + + This section defines additonal link relationships that + implementations MUST support. These relationships are not registed + in the Link Relation IANA table as their use case is too narrow. + Each relationship is named and described. + + +--------------------+----------------------------------------------+ + | Name | Description | + +--------------------+----------------------------------------------+ + | ancestor | Links to a software descriptor resource that | + | | defines an ancestor of the software being | + | | described by this Entry. This is usually a | + | | previous version of the software. | + | patches | Links to a software descriptor resource that | + | | defines the software being patched by this | + | | software | + | requires | Links to a software descriptor resource that | + | | defines a piece of software required for | + | | this software to function properly, i.e., a | + | | dependencecy. | + | installs | Links to a software descriptor resource that | + | | defines the software that is installed by | + | | this software. | + | installationrecord | Links to a software descriptor resource that | + | | defines the software package that installs | + | | this software. | + +--------------------+----------------------------------------------+ Table 1: Link Relations for Resource-Oriented Lightweight Indicator Exchange -8. Other Registered Extensions +7. IANA Considerations - There are no additional extensions to define. +7.1. Media Type Registrations -9. IANA Considerations +7.1.1. ISO SWID -9.1. software-descriptor information-type + This document registers a MIME Type for the SWID Tag format. The + registration is as follows + + MIME media type name: application + + MIME subtype name: swid2015+xml + + Mandatory parameters: None. + + Optional parameters: "charset": This parameter has semantics + identical to the charset parameter of the "application/xml" media + type as specified in [RFC3023]. + + Encoding considerations: Identical to those of "application/xml" as + described in [RFC3023], Section 3.2. + + Security considerations: As defined in this specification, and in + [RFC8322]. In addition, as this media type uses the "+xml" + convention, it shares the same security considerations as described + in [RFC3023], Section 10. + + Interoperability considerations: There are no known interoperability + issues. + + Published specification: This specification. + + Applications that use this media type: No known applications + currently use this media type. + + Additional information: + + Magic number(s): As specified for "application/xml" in [RFC3023], + Section 3.2. + + File extension: .swidtag + + Fragment identifiers: As specified for "application/xml" in + [RFC3023], Section 5. + + Base URI: As specified in [RFC3023], Section 6. + + Macintosh File Type code: TEXT + + Person and email address to contact for further information: Stephen + Banghart + + Intended usage: COMMON + + Author/Change controller: IESG + +7.2. software-descriptor information-type IANA has added an entry to the "ROLIE Security Resource Information Type Sub-Registry" registry located at . The entry is as follows: name: software-descriptor index: TBD - reference: This document, Section 5.1 + reference: This document, Section 3.1 -9.2. swd:id property +7.3. swd:id property IANA has added an entry to the "ROLIE URN Parameters" registry located in . The entry is as follows: name: property:swd:id Extension IRI: urn:ietf:params:rolie:property:swd:id - Reference: This document, Section 6.1 + Reference: This document, Section 4.1 Subregistry: None -9.3. swd:swname property +7.4. swd:swname property IANA has added an entry to the "ROLIE URN Parameters" registry located in . The entry is as follows: name: property:swd:swname Extension IRI: urn:ietf:params:rolie:property:swd:swname - Reference: This document, Section 6.2 + Reference: This document, Section 4.2 Subregistry: None -10. Security Considerations +8. Security Considerations Use of this extension implies dealing with the security implications of both ROLIE and of software descriptors in general. As with any SWD information, care should be taken to verify the trustworthiness and veracity of the descriptor information to the fullest extent possible. Ideally, software descriptors should have been signed by the software manufacturer, or signed by whichever agent processed the source code. SWD documents from these sources are more likely to be accurate than @@ -356,53 +473,62 @@ These "authoritative" sources of SWD content should consider additional security for their ROLIE repository beyond the typical recommendations, as the central importance of the repository is likely to make it a target. Version information is often represented differently across manufacturers and even across product releases. If using SWD version information for low fault tolerance comparisons and searches, care should be taken that the correct version scheme is being utilized. -11. Privacy Considerations +9. Privacy Considerations This extension does not introduce any privacy considerations above or beyond that of the core ROLIE document. Any implementations using this extension should understand the privacy considerations of ROLIE and the Atom Publishing Protocol. -12. References +10. Normative References -12.1. Normative References + [I-D.ietf-sacm-coswid] + Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. + Waltermire, "Concise Software Identifiers", draft-ietf- + sacm-coswid-05 (work in progress), March 2018. + + [NISTIR8060] + Waltermire, D., Cheikes, B., Feldman, L., and G. Witte, + "Guidelines for the Creation of Interoperable Software + Identification (SWID) Tags", NISTIR 8060, April 2016, + . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident Object Description Exchange Format", RFC 5070, DOI 10.17487/RFC5070, December 2007, . [RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource- Oriented Lightweight Information Exchange (ROLIE)", RFC 8322, DOI 10.17487/RFC8322, February 2018, . -12.2. Informative References - - [SWID] ISO, "ISO/IEC 19770-2:2015". + [SWID] "Information technology - Software asset management - Part + 2: Software identification tag", ISO/IEC 19770-2:2015, + October 2015. Appendix A. Schema This document does not require any schema extensions. Appendix B. Examples of Use Use of this extension in a ROLIE repository will not typically change that repository's operation. As such, the general examples provided by the ROLIE core document would serve as examples. Provided below