draft-ietf-sacm-rolie-softwaredescriptor-03.txt | draft-ietf-sacm-rolie-softwaredescriptor-04.txt | |||
---|---|---|---|---|
SACM Working Group S. Banghart | SACM Working Group S. Banghart | |||
Internet-Draft D. Waltermire | Internet-Draft D. Waltermire | |||
Intended status: InformationalNational Institute of Standards and Techno | Intended status: InformationalNational Institute of Standards and Techno | |||
Expires: January 16, 2019 July 15, 2018 | Expires: September 27, 2019 March 26, 2019 | |||
Definition of the ROLIE Software Descriptor Extension | Definition of the ROLIE Software Descriptor Extension | |||
draft-ietf-sacm-rolie-softwaredescriptor-03 | draft-ietf-sacm-rolie-softwaredescriptor-04 | |||
Abstract | Abstract | |||
This document uses the "information-type" extension point as defined | This document uses the "information-type" extension point as defined | |||
in the Resource-Oriented Lightweight Information Exchange (ROLIE) | in the Resource-Oriented Lightweight Information Exchange (ROLIE) | |||
[RFC8322] Section 7.1.2 to better support Software Record and | [RFC8322] Section 7.1.2 to better support Software Record and | |||
Software Inventory use cases. This specification registers a new | Software Inventory use cases. This specification registers a new | |||
ROLIE information-type, "software-descriptor", that allows for the | ROLIE information-type, "software-descriptor", that allows for the | |||
categorization of information relevant to software description | categorization of information relevant to software description | |||
activities and formats. In particular, the usage of the ISO | activities and formats. In particular, the usage of the ISO | |||
skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 40 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on January 16, 2019. | This Internet-Draft will expire on September 27, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
skipping to change at page 2, line 30 ¶ | skipping to change at page 2, line 30 ¶ | |||
5.3. urn:ietf:params:rolie:property:swd:swcreator . . . . . . 6 | 5.3. urn:ietf:params:rolie:property:swd:swcreator . . . . . . 6 | |||
6. Data format requirements . . . . . . . . . . . . . . . . . . 6 | 6. Data format requirements . . . . . . . . . . . . . . . . . . 6 | |||
6.1. The ISO SWID 2015 format . . . . . . . . . . . . . . . . 6 | 6.1. The ISO SWID 2015 format . . . . . . . . . . . . . . . . 6 | |||
6.1.1. Description . . . . . . . . . . . . . . . . . . . . . 6 | 6.1.1. Description . . . . . . . . . . . . . . . . . . . . . 6 | |||
6.1.2. Requirements . . . . . . . . . . . . . . . . . . . . 7 | 6.1.2. Requirements . . . . . . . . . . . . . . . . . . . . 7 | |||
6.2. The Concise SWID format . . . . . . . . . . . . . . . . . 7 | 6.2. The Concise SWID format . . . . . . . . . . . . . . . . . 7 | |||
6.2.1. Description . . . . . . . . . . . . . . . . . . . . . 8 | 6.2.1. Description . . . . . . . . . . . . . . . . . . . . . 8 | |||
6.2.2. Requirements . . . . . . . . . . . . . . . . . . . . 8 | 6.2.2. Requirements . . . . . . . . . . . . . . . . . . . . 8 | |||
7. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 9 | 7. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 9 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
8.1. Media Type Registrations . . . . . . . . . . . . . . . . 11 | 8.1. software-descriptor information-type . . . . . . . . . . 11 | |||
8.1.1. ISO SWID . . . . . . . . . . . . . . . . . . . . . . 11 | 8.2. swd:swname property . . . . . . . . . . . . . . . . . . . 11 | |||
8.2. software-descriptor information-type . . . . . . . . . . 12 | 8.3. swd:swversion property . . . . . . . . . . . . . . . . . 11 | |||
8.3. swd:swname property . . . . . . . . . . . . . . . . . . . 12 | 8.4. swd:swcreator property . . . . . . . . . . . . . . . . . 12 | |||
8.4. swd:swversion property . . . . . . . . . . . . . . . . . 12 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
8.5. swd:swcreator property . . . . . . . . . . . . . . . . . 13 | 10. Normative References . . . . . . . . . . . . . . . . . . . . 12 | |||
9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
10. Normative References . . . . . . . . . . . . . . . . . . . . 13 | Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 13 | |||
Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 14 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | ||||
1. Introduction | 1. Introduction | |||
This document defines an extension to the Resource-Oriented | This document defines an extension to the Resource-Oriented | |||
Lightweight Information Exchange (ROLIE) [RFC8322] to support the | Lightweight Information Exchange (ROLIE) [RFC8322] to support the | |||
publication of software descriptor information. Software descriptor | publication of software descriptor information. Software descriptor | |||
information is information that characterizes static software | information is information that characterizes static software | |||
components, packages, and installers; including identifying, | components, packages, and installers; including identifying, | |||
versioning, software creation and publication, and file artifact | versioning, software creation and publication, and file artifact | |||
information. | information. | |||
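Review bot: with "8.1. Media Type Registrations" and "8.1.1. ISO SWID" dropped from the -04 table of contents, the ISO SWID 2015 material in 6.1, 6.1.1 and 6.1.2 (still listed at pages 6-7) has no registered media type left in this document to identify ISO SWID entry content; confirm that 6.1.2 no longer requires application/swid2015+xml or refers to Section 8.1.1, or cite the external registration that replaces the removed one. The renumbering of 8.2-8.5 to 8.1-8.4 is otherwise consistent with the updated Section 4 cross-reference.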
skipping to change at page 4, line 33 ¶ | skipping to change at page 4, line 33 ¶ | |||
Once this information is expressed, it needs to be stored and shared | Once this information is expressed, it needs to be stored and shared | |||
to internal and external parties. ROLIE provides a mechanism to | to internal and external parties. ROLIE provides a mechanism to | |||
handle this sharing in an automation-friendly way. | handle this sharing in an automation-friendly way. | |||
4. The "software-descriptor" information type | 4. The "software-descriptor" information type | |||
When an "atom:category" element has the scheme | When an "atom:category" element has the scheme | |||
"urn:ietf:params:rolie:category:information-type", the value is | "urn:ietf:params:rolie:category:information-type", the value is | |||
considered to be the information type of the associated resource. | considered to be the information type of the associated resource. | |||
The new information type value "software-descriptor", is described in | The new information type value "software-descriptor", is described in | |||
this section, and registered in Section 8.2. | this section, and registered in Section 8.1. | |||
The "software-descriptor" information type represents any static | The "software-descriptor" information type represents any static | |||
information that describes a piece of software. This document uses | information that describes a piece of software. This document uses | |||
the definition of software provided by [RFC4949]. Note that as per | the definition of software provided by [RFC4949]. Note that as per | |||
this definition, this information type pertains to static software, | this definition, this information type pertains to static software, | |||
that is, code on the disc. The "software-descriptor" information | that is, code on the disc. The "software-descriptor" information | |||
type is intended to provide a category for information that does one | type is intended to provide a category for information that does one | |||
or more of the following: | or more of the following: | |||
identifies and characterizes software: This software identification | identifies and characterizes software: This software identification | |||
skipping to change at page 11, line 7 ¶ | skipping to change at page 11, line 7 ¶ | |||
| hasVulnerability | Links to a vulnerability description | | | hasVulnerability | Links to a vulnerability description | | |||
| | object that details a vulnerability that | | | | object that details a vulnerability that | | |||
| | this software has. | | | | this software has. | | |||
+----------------------+--------------------------------------------+ | +----------------------+--------------------------------------------+ | |||
Table 1: Link Relations for Resource-Oriented Lightweight Indicator | Table 1: Link Relations for Resource-Oriented Lightweight Indicator | |||
Exchange | Exchange | |||
8. IANA Considerations | 8. IANA Considerations | |||
8.1. Media Type Registrations | 8.1. software-descriptor information-type | |||
8.1.1. ISO SWID | ||||
This document registers a MIME Type for the SWID Tag format. The | ||||
registration is as follows | ||||
MIME media type name: application | ||||
MIME subtype name: swid2015+xml | ||||
Mandatory parameters: None. | ||||
Optional parameters: "charset": This parameter has semantics | ||||
identical to the charset parameter of the "application/xml" media | ||||
type as specified in [RFC3023]. | ||||
Encoding considerations: Identical to those of "application/xml" as | ||||
described in [RFC3023], Section 3.2. | ||||
Security considerations: As defined in this specification, and in | ||||
[RFC8322]. In addition, as this media type uses the "+xml" | ||||
convention, it shares the same security considerations as described | ||||
in [RFC3023], Section 10. | ||||
Interoperability considerations: There are no known interoperability | ||||
issues. | ||||
Published specification: This specification. | ||||
Applications that use this media type: No known applications | ||||
currently use this media type. | ||||
Additional information: | ||||
Magic number(s): As specified for "application/xml" in [RFC3023], | ||||
Section 3.2. | ||||
File extension: .swidtag | ||||
Fragment identifiers: As specified for "application/xml" in | ||||
[RFC3023], Section 5. | ||||
Base URI: As specified in [RFC3023], Section 6. | ||||
Macintosh File Type code: TEXT | ||||
Person and email address to contact for further information: Stephen | ||||
Banghart <stephen.banghart@nist.gov> | ||||
Intended usage: COMMON | ||||
Author/Change controller: IESG | ||||
8.2. software-descriptor information-type | ||||
IANA has added an entry to the "ROLIE Security Resource Information | IANA has added an entry to the "ROLIE Security Resource Information | |||
Type Sub-Registry" registry located at | Type Sub-Registry" registry located at | |||
<https://www.iana.org/assignments/rolie/category/information-type> . | <https://www.iana.org/assignments/rolie/category/information-type> . | |||
The entry is as follows: | The entry is as follows: | |||
name: software-descriptor | name: software-descriptor | |||
index: TBD | index: TBD | |||
reference: This document, Section 4 | reference: This document, Section 4 | |||
8.3. swd:swname property | 8.2. swd:swname property | |||
IANA has added an entry to the "ROLIE URN Parameters" registry | IANA has added an entry to the "ROLIE URN Parameters" registry | |||
located in <https://www.iana.org/assignments/rolie/>. | located in <https://www.iana.org/assignments/rolie/>. | |||
The entry is as follows: | The entry is as follows: | |||
name: property:swd:swname | name: property:swd:swname | |||
Extension IRI: urn:ietf:params:rolie:property:swd:swname | Extension IRI: urn:ietf:params:rolie:property:swd:swname | |||
Reference: This document, Section 5.1 | Reference: This document, Section 5.1 | |||
Subregistry: None | Subregistry: None | |||
8.4. swd:swversion property | 8.3. swd:swversion property | |||
IANA has added an entry to the "ROLIE URN Parameters" registry | IANA has added an entry to the "ROLIE URN Parameters" registry | |||
located in <https://www.iana.org/assignments/rolie/>. | located in <https://www.iana.org/assignments/rolie/>. | |||
The entry is as follows: | The entry is as follows: | |||
name: property:swd:swversion | name: property:swd:swversion | |||
Extension IRI: urn:ietf:params:rolie:property:swd:swversion | Extension IRI: urn:ietf:params:rolie:property:swd:swversion | |||
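Review bot: the registration text in 8.1 through 8.3 (-04 numbering) states "IANA has added an entry" while giving "index: TBD"; for a draft that has not yet been through IANA review this should be phrased as a request ("IANA is requested to add ...") with the index left for IANA to assign, and switched to the past tense only at publication. Separately, the Table 1 caption expands the acronym as "Resource-Oriented Lightweight Indicator Exchange", whereas the abstract and Section 1 expand ROLIE as "Resource-Oriented Lightweight Information Exchange" per [RFC8322]; the caption should match.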
skipping to change at page 13, line 4 ¶ | skipping to change at page 11, line 48 ¶ | |||
IANA has added an entry to the "ROLIE URN Parameters" registry | IANA has added an entry to the "ROLIE URN Parameters" registry | |||
located in <https://www.iana.org/assignments/rolie/>. | located in <https://www.iana.org/assignments/rolie/>. | |||
The entry is as follows: | The entry is as follows: | |||
name: property:swd:swversion | name: property:swd:swversion | |||
Extension IRI: urn:ietf:params:rolie:property:swd:swversion | Extension IRI: urn:ietf:params:rolie:property:swd:swversion | |||
Reference: This document, Section 5.1 | Reference: This document, Section 5.1 | |||
Subregistry: None | Subregistry: None | |||
8.5. swd:swcreator property | 8.4. swd:swcreator property | |||
IANA has added an entry to the "ROLIE URN Parameters" registry | IANA has added an entry to the "ROLIE URN Parameters" registry | |||
located in <https://www.iana.org/assignments/rolie/>. | located in <https://www.iana.org/assignments/rolie/>. | |||
The entry is as follows: | The entry is as follows: | |||
name: property:swd:swcreator | name: property:swd:swcreator | |||
Extension IRI: urn:ietf:params:rolie:property:swd:swcreator | Extension IRI: urn:ietf:params:rolie:property:swd:swcreator | |||
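Review bot: the block at the start of this region registers property:swd:swversion a second time (the same entry already appears under 8.3 in -04 / 8.4 in -03 immediately above) and cites "Section 5.1", which according to the table of contents and the swd:swname registration is the swname section; swversion is Section 5.2. Remove the duplicate block and make the surviving swversion entry reference Section 5.2. The duplication is present in both -03 and -04, so it was not introduced by this revision but survived it.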
skipping to change at page 13, line 49 ¶ | skipping to change at page 12, line 48 ¶ | |||
manufacturers and even across product releases. If using software | manufacturers and even across product releases. If using software | |||
version information for low fault tolerance comparisons and searches, | version information for low fault tolerance comparisons and searches, | |||
care should be taken that the correct version scheme is being | care should be taken that the correct version scheme is being | |||
utilized. | utilized. | |||
10. Normative References | 10. Normative References | |||
[I-D.ietf-sacm-coswid] | [I-D.ietf-sacm-coswid] | |||
Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. | Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. | |||
Waltermire, "Concise Software Identifiers", draft-ietf- | Waltermire, "Concise Software Identifiers", draft-ietf- | |||
sacm-coswid-06 (work in progress), July 2018. | sacm-coswid-08 (work in progress), November 2018. | |||
[NISTIR8060] | [NISTIR8060] | |||
Waltermire, D., Cheikes, B., Feldman, L., and G. Witte, | Waltermire, D., Cheikes, B., Feldman, L., and G. Witte, | |||
"Guidelines for the Creation of Interoperable Software | "Guidelines for the Creation of Interoperable Software | |||
Identification (SWID) Tags", NISTIR 8060, April 2016, | Identification (SWID) Tags", NISTIR 8060, April 2016, | |||
<https://doi.org/10.6028/NIST.IR.8060>. | <https://doi.org/10.6028/NIST.IR.8060>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
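Review bot: the -03 media type registration (8.1.1) was the section citing [RFC3023] for charset, encoding, magic number, fragment identifier and security considerations; with that section removed in -04, check whether [RFC3023] is still cited anywhere in the body and, if not, drop it from the Normative References. The update of the CoSWID reference from draft-ietf-sacm-coswid-06 to -08 is appropriate for a work-in-progress citation.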
End of changes. 12 change blocks. | ||||
74 lines changed or deleted | 20 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |