--- 1/draft-ietf-sacm-rolie-softwaredescriptor-06.txt 2019-06-28 13:13:34.037403747 -0700 +++ 2/draft-ietf-sacm-rolie-softwaredescriptor-07.txt 2019-06-28 13:13:34.073404656 -0700 @@ -1,49 +1,49 @@ SACM Working Group S. Banghart Internet-Draft D. Waltermire -Intended status: InformationalNational Institute of Standards and Techno -Expires: September 28, 2019 March 27, 2019 +Intended status: Informational NIST +Expires: December 27, 2019 June 25, 2019 Definition of the ROLIE Software Descriptor Extension - draft-ietf-sacm-rolie-softwaredescriptor-06 + draft-ietf-sacm-rolie-softwaredescriptor-07 Abstract This document uses the "information-type" extension point as defined in the Resource-Oriented Lightweight Information Exchange (ROLIE) [RFC8322] Section 7.1.2 to better support Software Record and Software Inventory use cases. This specification registers a new ROLIE information-type, "software-descriptor", that allows for the categorization of information relevant to software description activities and formats. In particular, the usage of the ISO - 19770-2:2015 (SWID Tag) and the Concise SWID (COSWID) formats in - ROLIE are standardized. Additionally, this document discusses - requirements and usage of other ROLIE elements in order to best - syndicate software description information. + 19770-2:2015 Software Identification Tag (SWID Tag) and the Concise + SWID (COSWID) formats in ROLIE are standardized. Additionally, this + document discusses requirements and usage of other ROLIE elements in + order to best syndicate software description information. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 28, 2019. + This Internet-Draft will expire on December 27, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -61,170 +61,171 @@ 4. The "software-descriptor" information type . . . . . . . . . 4 5. rolie:property Extensions . . . . . . . . . . . . . . . . . . 5 5.1. urn:ietf:params:rolie:property:swd:swname . . . . . . . . 5 5.2. urn:ietf:params:rolie:property:swd:swversion . . . . . . 6 5.3. urn:ietf:params:rolie:property:swd:swcreator . . . . . . 6 6. Data format requirements . . . . . . . . . . . . . . . . . . 6 6.1. The ISO SWID 2015 format . . . . . . . . . . . . . . . . 6 6.1.1. Description . . . . . . . . . . . . . . . . . . . . . 6 6.1.2. Requirements . . . . . . . . . . . . . . . . . . . . 7 6.2. The Concise SWID format . . . . . . . . . . . . . . . . . 7 - 6.2.1. Description . . . . . . . . . . . . . . . . . . . . . 8 + 6.2.1. Description . . . . . . . . . . . . . . . . . . . . . 7 6.2.2. Requirements . . . . . . . . . . . . . . . . . . . . 8 7. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 9 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 - 8.1. software-descriptor information-type . . . . . . . . . . 11 - 8.2. swd:swname property . . . . . . . . . . . . . . . . . . . 11 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 + 8.1. software-descriptor information-type . . . . . . . . . . 10 + 8.2. swd:swname property . . . . . . . . . . . . . . . . . . . 10 8.3. swd:swversion property . . . . . . . . . . . . . . . . . 11 - 8.4. swd:swcreator property . . . . . . . . . . . . . . . . . 12 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 + 8.4. swd:swcreator property . . . . . . . . . . . . . . . . . 11 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 11 10. Normative References . . . . . . . . . . . . . . . . . . . . 12 - Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 13 + Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 12 Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 13 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction This document defines an extension to the Resource-Oriented Lightweight Information Exchange (ROLIE) [RFC8322] to support the publication of software descriptor information. Software descriptor information is information that characterizes static software - components, packages, and installers; including identifying, - versioning, software creation and publication, and file artifact + components, packages, and installers; including identification, + version, software creation and publication, and file artifact information. Software descriptor information provides data about what might be installed, but doesn't describe a specific software installation's configuration or execution. This static approach to software - description is a smaller state space that covers the majority of - current use cases for software inventory and record keeping. + description is a tightly limited scope that still covers the majority + of current use cases for software inventory and record keeping. Some possible use cases for software descriptor information ROLIE - Feeds include: + Feeds (Section 6.1 of [RFC8322]) include: o Software providers can publish software descriptor information so that software researchers, enterprises, and users of software can understand the collection of software produced by that software provider. o Organizations can aggregate and syndicate collections of software descriptor information provided by multiple software providers to support software-related analysis processes (e.g., vulnerability - analysis) and value added information (e.g., software - configuration checklist repositories) using identification and - characterization information derived from software descriptor - information. + analysis) and to provide downsteam services (e.g., software + configuration checklist repositories). - o End user organizations can consume sources of software descriptor - information, and other related software vulnerability and - configuration information to provide the data needed to automate - software asset, patch, and configuration management practices. + o End user organizations can consume software descriptor information + along with related software vulnerability and configuration + information to provide the data needed to automate software asset, + patch, and configuration management practices. o Organizations can use software descriptors to support verification - of other entities, thru mechanisms such as RIM or other integrity - measurements. + of other entities through integrity measurement mechanisms. This document supports these use cases by describing the content requirements for Feeds and Entries of software descriptor information that are to be published to or retrieved from a ROLIE repository. 2. Terminology The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. + As an extension of [RFC8322], this document refers to many terms + defined in that document. In particular, the use of "Entry" and + "Feed" are aligned with the definitions presented in section TODO of + ROLIE. + Several places in this document refer to the "information-type" of a - Resource (Entry or Feed). This refers to the "value" attribute of an + Resource (Entry or Feed). This refers to the "term" attribute of an "atom:category" element whose scheme is "urn:ietf:params:rolie:category:information-type". For an Entry, this value can be inherited from it's containing Feed as per [RFC8322]. 3. Background In order to effectively protect and secure an endpoint, it is vital - to know what the software load of that endpoint is. This software - load, the combination of software, patches and installers on a - device, represents the majority of the endpoint's attack surface. - Unfortunately, without a reliable and secure package manager, or - otherwise a secured and managed operating system, tracking what - software is installed on an endpoint is currently not feasible - without undue effort. Even attempting to whitelist software is - difficult without a way of identifying software and its editions, - versions and hotfixes. + to know what the software load of that endpoint is. Software load, + the combination of software, patches and installers on a device, + represents a significant portion of the endpoint's attack surface. + Unfortunately, without a reliable and secure package manager, or a + secured and managed operating system with strict software + whitelisting, tracking what software is installed on an endpoint is + currently not feasible without undue effort. Even attempting to + whitelist software is difficult without a way of identifying software + and its editions, versions and hotfixes. Software descriptor information, such as that standardized in the ISO - 19770-2:2015 SWID Tag format, or expressed in proprietary enterprise - databases, attempts to provide as much data about this software as - possible. + 19770-2:2015 Software Identification Tag (SWID) format or expressed + in proprietary enterprise databases, attempts to provide as much data + about this software as possible. Once this information is expressed, it needs to be stored and shared to internal and external parties. ROLIE provides a mechanism to handle this sharing in an automation-friendly way. 4. The "software-descriptor" information type When an "atom:category" element has a "scheme" attribute equal to "urn:ietf:params:rolie:category:information-type", the "term" attribute defines the information type of the associated resource. A - new information type value: "software-descriptor", is described in - this section, and registered in Section 8.1. + new valid value for this "term": "software-descriptor", is described + in this section and registered in Section 8.1. When this value is + used, the resource in question is considered to have an information- + type of "software-descriptor" as per [RFC8322] Section 7.1.2. The "software-descriptor" information type represents any static information that describes a piece of software. This document uses the definition of software provided by [RFC4949]. Note that as per this definition, this information type pertains to static software, that is, code on the disc. The "software-descriptor" information type is intended to provide a category for information that does one or more of the following: - identifies and characterizes software: This software identification - and characterization information can be provided by a large - variety of data, but always describes software in a pre-installed - state. + identifies and characterizes software: information that provides + quantative and qualitative data describing software. This + information identifies and charaterizes a given instance of + software. - provides software installer metadata: This represents information - about software used to install other software. This metadata - identifies, and characterizes a software installation package or - media. + provides software installer metadata: information about software + used to install other software. This metadata identifies, and + characterizes a software installation package or media. - describes stateless installation metadata: Information that + describes stateless installation metadata: information that describes the software post-deployment, such as files that may be deployed during an installation. It is expected that this metadata is produced generally for a given installation, and may not exactly match the actual installed files on a given endpoint. Provided below is a non-exhaustive list of information that may be considered to be of a software-descriptor information type. o Naming information: IDs and names that aid in the identification of a piece of software o Version and patching information: Version numbers, patch - identifiers, or other information that + identifiers, or other information that relates to software updates + and patches. o Vendor and source information: Includes where the software was - developed or distributed from, as well as where the software + developed or distributed, as well as where the software installation media may be located. o Payload and file information: information that describes or enumerates the files and folders that make up the piece of software, and information about those files. o Descriptive information and data: Any information that otherwise characterizes a piece of software, such as libraries, runtime - environments, target OSes, intended purpose or audience, etc. - - Note again that this list is not exhaustive, any information that in - is the abstract realm of an incident should be classified under this - information-type. + environments, target operating systems, intended purpose or + audience, etc. It is important to note that software descriptor information is static for a given piece of software. That is, the information expressed is the data that doesn't change from the publication of the software to its final install. Information about the current status (e.g. install location, memory usage, CPU usage, launch parameters, job progress, etc.), is out of scope of this information type. 5. rolie:property Extensions @@ -293,52 +294,53 @@ For an Entry to be considered as a "SWID Tag Entry", it MUST fulfill the following conditions: o The information-type of the Entry is "software-descriptor". For a typical Entry, this is derived from the information type of the Feed it is contained in. For a standalone Entry, this is provided by an "atom:category" element. o The document linked to by the "href" attribute of the - "atom:content" element is a 2015 SWID Tag as per ISO/IEC + "atom:content" element is a 2015 SWID Tag per ISO/IEC 19770-2:2015. A "SWID Tag Entry" MUST conform to the following requirements: o The value of the "type" attribute of the "atom:content" element MUST be "application/xml". o There MUST be one "rolie:property" with the "name" attribute equal to "urn:ietf:params:rolie:property:content-id" and the "value" attribute exactly equal to the "" element in the attached - SWID Tag. This allows for ROLIE consumers to more easily search - for SWID tags without needing to download the tag itself. + SWID Tag. This allows ROLIE consumers to more easily search for + SWID tags without needing to download the tag itself. o There MUST be one "rolie:property" with the "name" attribute equal to "urn:ietf:params:rolie:property:swd:swname", and the "value" attribute equal to the value of the "" element in the - attached SWID Tag. As above, this field aids ROLIE consumers in - search and filtering Entries. + attached SWID Tag. As above, this helps ROLIE consumers search and + filter Entries. o There MAY be a property element with the "name" attribute equal to "urn:ietf:params:rolie:property:swd:swversion". When this - property appears, it's value MUST be equal to the value of the + property appears, its value MUST be equal to the value of the "version" element in the attached SWID Tag. 6.2. The Concise SWID format + 6.2.1. Description The Concise SWID (COSWID) format is an alternative representation of the SWID Tag format using a Concise Binary Object Representation - (CBOR) encoding. This provides the format with a reduced size that - is more suitable for constrained devices. It provides the same + (CBOR) encoding. CBOR provides the format with a reduced size that + is more suitable for constrained devices. COSWID provides the same features and attributes as are specified in ISO 19770-2:2015, plus: o a straight forward method to sign and encrypt using COSE, and o additional attributes that provide an improved structure to include file hashes intended to be used as Reference Integrity Measurements (RIM). For more information and the complete specification, refer to the COSWID internet draft [I-D.ietf-sacm-coswid]. @@ -347,97 +349,100 @@ For an Entry to be considered as a "COSWID Tag Entry", it MUST fulfill the following conditions: o The information-type of the Entry is "software-descriptor". For a typical Entry, this is derived from the information-type of the Feed it is contained in. For a standalone Entry, this is provided by an "atom:category" element. o The document linked to by the "href" attribute of the - "atom:content" element is a COSWID Tag as per - [I-D.ietf-sacm-coswid] + "atom:content" element is a COSWID Tag per [I-D.ietf-sacm-coswid] A "COSWID Tag Entry" MUST conform to the following requirements: o The value of the "type" attribute of the atom:content element MUST be "application/coswid+cbor". o There MUST be one "rolie:property" with the "name" attribute equal to "urn:ietf:params:rolie:property:content-id" and the "value" attribute exactly equal to the "tag-id" element in the attached - COSWID Tag (mapped to integer 0). This allows for ROLIE consumers - to more easily search for COSWID tags without needing to download - the tag itself. + COSWID Tag (mapped to integer 0). This allows ROLIE consumers to + more easily search for COSWID tags without needing to download the + tag itself. o There MUST be one "rolie:property" with the "name" attribute equal to "urn:ietf:params:rolie:property:swd:swname", and the "value" attribute equal to the value of the "swid-name" element in the attached COSWID Tag (mapped to the integer 1). As above, this - field aids ROLIE consumers in searching and filtering Entries. + helps ROLIE consumers search and filter Entries. o There MAY be a property element with the "name" attribute equal to "urn:ietf:params:rolie:property:swd:swversion". When this property appears, it's value MUST be equal to the value of the tag-version element in the attached COSWID Tag (mapped to the integer 12). 7. atom:link Extensions This section defines additional link relationships that implementations MUST support. These relationships are not registered in the Link Relation IANA table as their use case is too narrow. Each relationship is named and described. - These relations come in related pairs. The first of each pair is - expected to be more common, as they can be determined at the time - that the Entry is created. The second of each pair will often need - to be added retroactively to an Entry. - +----------------------+--------------------------------------------+ | Name | Description | +----------------------+--------------------------------------------+ | ancestor | Links to a software descriptor resource | | | that defines an ancestor of the software | | | being described by this Entry. This is | | | usually a previous version of the | | | software. | + +----------------------+--------------------------------------------+ | descendent | Links to a software descriptor resource | | | that defines an descendent of the software | | | being described by this Entry. This is | | | usually a more recent version or edition | | | of the software. | + +----------------------+--------------------------------------------+ | patches | Links to a software descriptor resource | | | that defines the software being patched by | | | this software | + +----------------------+--------------------------------------------+ | patchedby | Links to a software descriptor resource | | | that defines the patch or update itself | | | that can be or has been applied to this | | | software. | + +----------------------+--------------------------------------------+ | requires | Links to a software descriptor resource | | | that defines a piece of software required | | | for this software to function properly, | | | i.e., a dependency. | + +----------------------+--------------------------------------------+ | requiredBy | Links to a software descriptor resource | | | that defines a piece of software that | | | requires this software to function | | | properly. | + +----------------------+--------------------------------------------+ | installs | Links to a software descriptor resource | | | that defines the software that is | | | installed by this software. | + +----------------------+--------------------------------------------+ | installedBy | Links to a software descriptor resource | | | that defines the software package that | | | installs this software. | + +----------------------+--------------------------------------------+ | patchesVulnerability | Links to a vulnerability that this | | | software update fixes. Used for software | - | | descriptors that are describing software | - | | patches or updates. | + | | descriptors that describe software patches | + | | or updates. | + +----------------------+--------------------------------------------+ | hasVulnerability | Links to a vulnerability description | | | object that details a vulnerability that | | | this software has. | +----------------------+--------------------------------------------+ Table 1: Link Relations for Resource-Oriented Lightweight Indicator Exchange 8. IANA Considerations @@ -500,42 +505,41 @@ Subregistry: None 9. Security Considerations Use of this extension implies dealing with the security implications of both ROLIE and of software descriptors in general. As with any data, care should be taken to verify the trustworthiness and veracity of the descriptor information to the fullest extent possible. - Ideally, software descriptors should have been signed by the software + Ideally, software descriptors should be signed by the software manufacturer, or signed by whichever agent processed the source code. Software descriptor documents from these sources are more likely to be accurate than those generated by scraping installed software. These "authoritative" sources of software descriptor content should consider additional security for their ROLIE repository beyond the typical recommendations, as the central importance of the repository is likely to make it a target. Version information is often represented differently across manufacturers and even across product releases. If using software version information for low fault tolerance comparisons and searches, - care should be taken that the correct version scheme is being - utilized. + care should be taken that the correct version scheme is being used. 10. Normative References [I-D.ietf-sacm-coswid] Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. - Waltermire, "Concise Software Identifiers", draft-ietf- - sacm-coswid-08 (work in progress), November 2018. + Waltermire, "Concise Software Identification Tags", draft- + ietf-sacm-coswid-10 (work in progress), June 2019. [NISTIR8060] Waltermire, D., Cheikes, B., Feldman, L., and G. Witte, "Guidelines for the Creation of Interoperable Software Identification (SWID) Tags", NISTIR 8060, April 2016, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, @@ -550,21 +554,21 @@ DOI 10.17487/RFC5070, December 2007, . [RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource- Oriented Lightweight Information Exchange (ROLIE)", RFC 8322, DOI 10.17487/RFC8322, February 2018, . [SWID] "Information technology - Software asset management - Part 2: Software identification tag", ISO/IEC 19770-2:2015, - October 2015. + October 2015, . Appendix A. Schema This document does not require any schema extensions. Appendix B. Examples of Use Use of this extension in a ROLIE repository will not typically change that repository's operation. As such, the general examples provided by the ROLIE core document would serve as examples. Provided below @@ -589,24 +593,24 @@ term="software-descriptor"/> Authors' Addresses Stephen Banghart - National Institute of Standards and Technology + NIST 100 Bureau Drive Gaithersburg, Maryland 20877 USA Email: stephen.banghart@nist.gov David Waltermire - National Institute of Standards and Technology + NIST 100 Bureau Drive Gaithersburg, Maryland 20877 USA Email: david.waltermire@nist.gov