rfcdiff of draft-ietf-sacm-rolie-softwaredescriptor-03.txt against draft-ietf-sacm-rolie-softwaredescriptor-04.txt. Text common to both revisions is shown once; where the revisions differ, the -03 and -04 readings are given on separate lines with those prefixes.

SACM Working Group                                            S. Banghart
Internet-Draft                                              D. Waltermire
Intended status: Informational   National Institute of Standards and Technology
-03: Expires: January 16, 2019                              July 15, 2018
-04: Expires: September 27, 2019                            March 26, 2019

Definition of the ROLIE Software Descriptor Extension
-03: draft-ietf-sacm-rolie-softwaredescriptor-03
-04: draft-ietf-sacm-rolie-softwaredescriptor-04

Abstract

This document uses the "information-type" extension point as defined in the Resource-Oriented Lightweight Information Exchange (ROLIE) [RFC8322] Section 7.1.2 to better support Software Record and Software Inventory use cases. This specification registers a new ROLIE information-type, "software-descriptor", that allows for the categorization of information relevant to software description activities and formats. In particular, the usage of the ISO

[rfcdiff: skipping to change at page 1, line 40]

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

-03: This Internet-Draft will expire on January 16, 2019.
-04: This Internet-Draft will expire on September 27, 2019.

Copyright Notice

-03: Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
-04: Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as

[rfcdiff: skipping to change at page 2, line 30]

Table of Contents (common to both revisions)

   5.3.  urn:ietf:params:rolie:property:swd:swcreator ............  6
   6.  Data format requirements ...................................  6
     6.1.  The ISO SWID 2015 format ...............................  6
       6.1.1.  Description ........................................  6
       6.1.2.  Requirements .......................................  7
     6.2.  The Concise SWID format ................................  7
       6.2.1.  Description ........................................  8
       6.2.2.  Requirements .......................................  8
   7.  atom:link Extensions .......................................  9
   8.  IANA Considerations ........................................ 11

Table of Contents, remainder in -03:

     8.1.  Media Type Registrations ............................... 11
       8.1.1.  ISO SWID ........................................... 11
     8.2.  software-descriptor information-type ................... 12
     8.3.  swd:swname property .................................... 12
     8.4.  swd:swversion property ................................. 12
     8.5.  swd:swcreator property ................................. 13
   9.  Security Considerations .................................... 13
   10. Normative References ....................................... 13
   Appendix A.  Schema ............................................ 14
   Appendix B.  Examples of Use ................................... 14
   Authors' Addresses ............................................. 15

Table of Contents, remainder in -04:

     8.1.  software-descriptor information-type ................... 11
     8.2.  swd:swname property .................................... 11
     8.3.  swd:swversion property ................................. 11
     8.4.  swd:swcreator property ................................. 12
   9.  Security Considerations .................................... 12
   10. Normative References ....................................... 12
   Appendix A.  Schema ............................................ 13
   Appendix B.  Examples of Use ................................... 13
   Authors' Addresses ............................................. 14
1. Introduction

This document defines an extension to the Resource-Oriented Lightweight Information Exchange (ROLIE) [RFC8322] to support the publication of software descriptor information. Software descriptor information is information that characterizes static software components, packages, and installers, including identifying, versioning, software creation and publication, and file artifact information.
[rfcdiff: skipping to change at page 4, line 33]

Once this information is expressed, it needs to be stored and shared with internal and external parties. ROLIE provides a mechanism to handle this sharing in an automation-friendly way.

4. The "software-descriptor" information type

When an "atom:category" element has the scheme "urn:ietf:params:rolie:category:information-type", the value is considered to be the information type of the associated resource. The new information type value "software-descriptor" is described in this section and registered in Section 8.2 (-03) / Section 8.1 (-04).

The "software-descriptor" information type represents any static information that describes a piece of software. This document uses the definition of software provided by [RFC4949]. Note that as per this definition, this information type pertains to static software, that is, code on the disc. The "software-descriptor" information type is intended to provide a category for information that does one or more of the following:

identifies and characterizes software: This software identification
[rfcdiff: skipping to change at page 11, line 7]

   +----------------------+--------------------------------------------+
   | hasVulnerability     | Links to a vulnerability description       |
   |                      | object that details a vulnerability that   |
   |                      | this software has.                         |
   +----------------------+--------------------------------------------+

Table 1: Link Relations for Resource-Oriented Lightweight Indicator Exchange
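The following is an added example, not code from the draft or from any ROLIE implementation. It reads one ROLIE Atom entry and applies the rules stated above: the information type is the term of an atom:category whose scheme is urn:ietf:params:rolie:category:information-type (Section 4), and a link whose relation is hasVulnerability points at a vulnerability description (Table 1; the bare relation name is taken from the table as written). It assumes that the swd:swname, swd:swversion and swd:swcreator values are carried in the rolie:property element of RFC 8322 Section 7.4, under its namespace urn:ietf:params:xml:ns:rolie-1.0. The entry, its identifiers, names and URLs are all constructed for this example.

```python
# Added example (not part of the draft): reading a ROLIE software-descriptor entry.
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
# Assumption: rolie:property and its namespace as defined in RFC 8322, Section 7.4.
ROLIE = "{urn:ietf:params:xml:ns:rolie-1.0}"
INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
SOFTWARE_DESCRIPTOR = "software-descriptor"

# Property IRIs registered by the draft (Sections 8.2-8.4 in -04 numbering),
# mapped to short names used in the result.
SWD_PROPERTIES = {
    "urn:ietf:params:rolie:property:swd:swname": "swname",
    "urn:ietf:params:rolie:property:swd:swversion": "swversion",
    "urn:ietf:params:rolie:property:swd:swcreator": "swcreator",
}

# Constructed sample entry; the id, product name, vendor and URLs are placeholders.
SAMPLE_ENTRY = """<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <id>urn:uuid:00000000-0000-4000-8000-000000000001</id>
  <title>Constructed software-descriptor entry</title>
  <updated>2019-03-26T00:00:00Z</updated>
  <category scheme="urn:ietf:params:rolie:category:information-type"
            term="software-descriptor"/>
  <rolie:property name="urn:ietf:params:rolie:property:swd:swname"
                  value="ExampleApp"/>
  <rolie:property name="urn:ietf:params:rolie:property:swd:swversion"
                  value="1.2.3"/>
  <rolie:property name="urn:ietf:params:rolie:property:swd:swcreator"
                  value="Example Vendor"/>
  <link rel="hasVulnerability"
        href="https://rolie.example.invalid/vuln/EXAMPLE-0001"/>
  <link rel="alternate" type="application/xml"
        href="https://rolie.example.invalid/swid/exampleapp-1.2.3.swidtag"/>
</entry>
"""


def information_types(entry):
    """Terms of every category that uses the information-type scheme.

    A category with the right term under a different scheme is ignored:
    per Section 4 the scheme is what makes the term an information type."""
    return [c.get("term") for c in entry.findall(ATOM + "category")
            if c.get("scheme") == INFO_TYPE_SCHEME]


def swd_properties(entry):
    """Map the registered swd:* property IRIs present in the entry to their values."""
    found = {}
    for prop in entry.findall(ROLIE + "property"):
        short = SWD_PROPERTIES.get(prop.get("name"))
        if short is not None:
            found[short] = prop.get("value")
    return found


def vulnerability_links(entry):
    """hrefs of links that use the hasVulnerability relation from Table 1."""
    return [link.get("href") for link in entry.findall(ATOM + "link")
            if link.get("rel") == "hasVulnerability"]


def is_software_descriptor(entry_xml):
    """True when the entry carries the software-descriptor information type."""
    return SOFTWARE_DESCRIPTOR in information_types(ET.fromstring(entry_xml))


def describe(entry_xml):
    """Parse one entry; reject it unless it is categorized as a software descriptor."""
    entry = ET.fromstring(entry_xml)
    types = information_types(entry)
    if SOFTWARE_DESCRIPTOR not in types:
        raise ValueError("not a software-descriptor entry; information types: %r" % types)
    return {
        "properties": swd_properties(entry),
        "vulnerabilities": vulnerability_links(entry),
    }


if __name__ == "__main__":
    print(describe(SAMPLE_ENTRY))
```

When the feed comes from an external publisher, parse it with a hardened XML parser (for example defusedxml) rather than the stock one, and treat the swversion string as opaque unless the publisher's version scheme is known; the latter is the point Section 9 makes about low-fault-tolerance comparisons.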
8. IANA Considerations

-03: 8.1. Media Type Registrations
-04: 8.1. software-descriptor information-type

The following subsection and the separate "8.2. software-descriptor information-type" heading appear only in -03; -04 drops the media type registration and renumbers the remaining subsections.

-03 only:

8.1.1. ISO SWID

This document registers a MIME Type for the SWID Tag format. The registration is as follows:

MIME media type name: application

MIME subtype name: swid2015+xml

Mandatory parameters: None.

Optional parameters: "charset": This parameter has semantics identical to the charset parameter of the "application/xml" media type as specified in [RFC3023].

Encoding considerations: Identical to those of "application/xml" as described in [RFC3023], Section 3.2.

Security considerations: As defined in this specification, and in [RFC8322]. In addition, as this media type uses the "+xml" convention, it shares the same security considerations as described in [RFC3023], Section 10.

Interoperability considerations: There are no known interoperability issues.

Published specification: This specification.

Applications that use this media type: No known applications currently use this media type.

Additional information:

   Magic number(s): As specified for "application/xml" in [RFC3023], Section 3.2.

   File extension: .swidtag

   Fragment identifiers: As specified for "application/xml" in [RFC3023], Section 5.

   Base URI: As specified in [RFC3023], Section 6.

   Macintosh File Type code: TEXT

Person and email address to contact for further information: Stephen Banghart <stephen.banghart@nist.gov>

Intended usage: COMMON

Author/Change controller: IESG

8.2. software-descriptor information-type

(end of -03-only text)
IANA has added an entry to the "ROLIE Security Resource Information Type Sub-Registry" registry located at <https://www.iana.org/assignments/rolie/category/information-type>. The entry is as follows:

   name: software-descriptor
   index: TBD
   reference: This document, Section 4

-03: 8.3. swd:swname property
-04: 8.2. swd:swname property

IANA has added an entry to the "ROLIE URN Parameters" registry located in <https://www.iana.org/assignments/rolie/>. The entry is as follows:

   name: property:swd:swname
   Extension IRI: urn:ietf:params:rolie:property:swd:swname
   Reference: This document, Section 5.1
   Subregistry: None

-03: 8.4. swd:swversion property
-04: 8.3. swd:swversion property

IANA has added an entry to the "ROLIE URN Parameters" registry located in <https://www.iana.org/assignments/rolie/>. The entry is as follows:

   name: property:swd:swversion
   Extension IRI: urn:ietf:params:rolie:property:swd:swversion

[rfcdiff: skipping to change at page 13, line 4 (-03) / page 11, line 48 (-04)]

IANA has added an entry to the "ROLIE URN Parameters" registry located in <https://www.iana.org/assignments/rolie/>. The entry is as follows:

   name: property:swd:swversion
   Extension IRI: urn:ietf:params:rolie:property:swd:swversion
   Reference: This document, Section 5.1
   Subregistry: None

-03: 8.5. swd:swcreator property
-04: 8.4. swd:swcreator property

IANA has added an entry to the "ROLIE URN Parameters" registry located in <https://www.iana.org/assignments/rolie/>. The entry is as follows:

   name: property:swd:swcreator
   Extension IRI: urn:ietf:params:rolie:property:swd:swcreator

[rfcdiff: skipping to change at page 13, line 49 (-03) / page 12, line 48 (-04)]
manufacturers and even across product releases. If using software version information for low fault tolerance comparisons and searches, care should be taken that the correct version scheme is being utilized.

10. Normative References

[I-D.ietf-sacm-coswid]
   Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. Waltermire, "Concise Software Identifiers",
   -03: draft-ietf-sacm-coswid-06 (work in progress), July 2018.
   -04: draft-ietf-sacm-coswid-08 (work in progress), November 2018.

[NISTIR8060]
   Waltermire, D., Cheikes, B., Feldman, L., and G. Witte, "Guidelines for the Creation of Interoperable Software Identification (SWID) Tags", NISTIR 8060, April 2016, <https://doi.org/10.6028/NIST.IR.8060>.

[RFC2119]
   Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,

End of changes. 12 change blocks. 74 lines changed or deleted; 20 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/