< draft-ietf-sacm-coswid-19.txt   draft-ietf-sacm-coswid-20.txt >
SACM Working Group H. Birkholz SACM Working Group H. Birkholz
Internet-Draft Fraunhofer SIT Internet-Draft Fraunhofer SIT
Intended status: Standards Track J. Fitzgerald-McKay Intended status: Standards Track J. Fitzgerald-McKay
Expires: 23 April 2022 National Security Agency Expires: 30 July 2022 National Security Agency
C. Schmidt C. Schmidt
The MITRE Corporation The MITRE Corporation
D. Waltermire D. Waltermire
NIST NIST
20 October 2021 26 January 2022
Concise Software Identification Tags Concise Software Identification Tags
draft-ietf-sacm-coswid-19 draft-ietf-sacm-coswid-20
Abstract Abstract
ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an
extensible XML-based structure to identify and describe individual extensible XML-based structure to identify and describe individual
software components, patches, and installation bundles. SWID tag software components, patches, and installation bundles. SWID tag
representations can be too large for devices with network and storage representations can be too large for devices with network and storage
constraints. This document defines a concise representation of SWID constraints. This document defines a concise representation of SWID
tags: Concise SWID (CoSWID) tags. CoSWID supports a similar set of tags: Concise SWID (CoSWID) tags. CoSWID supports a similar set of
semantics and features as SWID tags, as well as new semantics that semantics and features as SWID tags, as well as new semantics that
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 23 April 2022. This Internet-Draft will expire on 30 July 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. The SWID and CoSWID Tag Lifecycle . . . . . . . . . . . . 5 1.1. The SWID and CoSWID Tag Lifecycle . . . . . . . . . . . . 5
1.2. Concise SWID Format . . . . . . . . . . . . . . . . . . . 8 1.2. Concise SWID Format . . . . . . . . . . . . . . . . . . . 8
1.3. Requirements Notation . . . . . . . . . . . . . . . . . . 8 1.3. Requirements Notation . . . . . . . . . . . . . . . . . . 8
2. Concise SWID Data Definition . . . . . . . . . . . . . . . . 8 2. Concise SWID Data Definition . . . . . . . . . . . . . . . . 8
2.1. Character Encoding . . . . . . . . . . . . . . . . . . . 10 2.1. Character Encoding . . . . . . . . . . . . . . . . . . . 10
2.2. Concise SWID Extensions . . . . . . . . . . . . . . . . . 10 2.2. Concise SWID Extensions . . . . . . . . . . . . . . . . . 10
skipping to change at page 2, line 40 skipping to change at page 2, line 40
2.9.1. The hash-entry Array . . . . . . . . . . . . . . . . 27 2.9.1. The hash-entry Array . . . . . . . . . . . . . . . . 27
2.9.2. The resource-collection Group . . . . . . . . . . . . 27 2.9.2. The resource-collection Group . . . . . . . . . . . . 27
2.9.3. The payload-entry Map . . . . . . . . . . . . . . . . 31 2.9.3. The payload-entry Map . . . . . . . . . . . . . . . . 31
2.9.4. The evidence-entry Map . . . . . . . . . . . . . . . 31 2.9.4. The evidence-entry Map . . . . . . . . . . . . . . . 31
2.10. Full CDDL Specification . . . . . . . . . . . . . . . . . 32 2.10. Full CDDL Specification . . . . . . . . . . . . . . . . . 32
3. Determining the Type of CoSWID . . . . . . . . . . . . . . . 38 3. Determining the Type of CoSWID . . . . . . . . . . . . . . . 38
4. CoSWID Indexed Label Values . . . . . . . . . . . . . . . . . 38 4. CoSWID Indexed Label Values . . . . . . . . . . . . . . . . . 38
4.1. Version Scheme . . . . . . . . . . . . . . . . . . . . . 39 4.1. Version Scheme . . . . . . . . . . . . . . . . . . . . . 39
4.2. Entity Role Values . . . . . . . . . . . . . . . . . . . 40 4.2. Entity Role Values . . . . . . . . . . . . . . . . . . . 40
4.3. Link Ownership Values . . . . . . . . . . . . . . . . . . 42 4.3. Link Ownership Values . . . . . . . . . . . . . . . . . . 42
4.4. Link Rel Values . . . . . . . . . . . . . . . . . . . . . 43 4.4. Link Rel Values . . . . . . . . . . . . . . . . . . . . . 42
4.5. Link Use Values . . . . . . . . . . . . . . . . . . . . . 45 4.5. Link Use Values . . . . . . . . . . . . . . . . . . . . . 44
5. URI Schemes . . . . . . . . . . . . . . . . . . . . . . . . . 45 5. URI Schemes . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.1. "swid" URI Scheme . . . . . . . . . . . . . . . . . . . . 46 5.1. "swid" URI Scheme . . . . . . . . . . . . . . . . . . . . 45
5.2. "swidpath" URI Scheme . . . . . . . . . . . . . . . . . . 46 5.2. "swidpath" URI Scheme . . . . . . . . . . . . . . . . . . 46
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46
6.1. CoSWID Items Registry . . . . . . . . . . . . . . . . . . 47 6.1. CoSWID Items Registry . . . . . . . . . . . . . . . . . . 47
6.2. Software Tag Values Registries . . . . . . . . . . . . . 50 6.2. Software Tag Values Registries . . . . . . . . . . . . . 50
6.2.1. Registration Procedures . . . . . . . . . . . . . . . 50 6.2.1. Registration Procedures . . . . . . . . . . . . . . . 50
6.2.2. Private Use of Index and Name Values . . . . . . . . 50 6.2.2. Private Use of Index and Name Values . . . . . . . . 50
6.2.3. Expert Review Guidelines . . . . . . . . . . . . . . 51 6.2.3. Expert Review Guidelines . . . . . . . . . . . . . . 51
6.2.4. Software Tag Version Scheme Values Registry . . . . . 52 6.2.4. Software Tag Version Scheme Values Registry . . . . . 51
6.2.5. Software Tag Entity Role Values Registry . . . . . . 53 6.2.5. Software Tag Entity Role Values Registry . . . . . . 53
6.2.6. Software Tag Link Ownership Values Registry . . . . . 55 6.2.6. Software Tag Link Ownership Values Registry . . . . . 54
6.2.7. Software Tag Link Relationship Values Registry . . . 56 6.2.7. Software Tag Link Relationship Values Registry . . . 55
6.2.8. Software Tag Link Use Values Registry . . . . . . . . 58 6.2.8. Software Tag Link Use Values Registry . . . . . . . . 58
6.3. swid+cbor Media Type Registration . . . . . . . . . . . . 59 6.3. swid+cbor Media Type Registration . . . . . . . . . . . . 59
6.4. CoAP Content-Format Registration . . . . . . . . . . . . 60 6.4. CoAP Content-Format Registration . . . . . . . . . . . . 60
6.5. CBOR Tag Registration . . . . . . . . . . . . . . . . . . 60 6.5. CBOR Tag Registration . . . . . . . . . . . . . . . . . . 60
6.6. URI Scheme Registrations . . . . . . . . . . . . . . . . 61 6.6. URI Scheme Registrations . . . . . . . . . . . . . . . . 60
6.6.1. URI-scheme swid . . . . . . . . . . . . . . . . . . . 61 6.6.1. URI-scheme swid . . . . . . . . . . . . . . . . . . . 61
6.6.2. URI-scheme swidpath . . . . . . . . . . . . . . . . . 61 6.6.2. URI-scheme swidpath . . . . . . . . . . . . . . . . . 61
6.7. CoSWID Model for use in SWIMA Registration . . . . . . . 62 6.7. CoSWID Model for use in SWIMA Registration . . . . . . . 62
7. Signed CoSWID Tags . . . . . . . . . . . . . . . . . . . . . 63 7. Signed CoSWID Tags . . . . . . . . . . . . . . . . . . . . . 62
8. Tagged CoSWID Tags . . . . . . . . . . . . . . . . . . . . . 65 8. Tagged CoSWID Tags . . . . . . . . . . . . . . . . . . . . . 65
9. Security Considerations . . . . . . . . . . . . . . . . . . . 65 9. Security Considerations . . . . . . . . . . . . . . . . . . . 65
10. Privacy Consideration . . . . . . . . . . . . . . . . . . . . 68 10. Privacy Consideration . . . . . . . . . . . . . . . . . . . . 68
11. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 68 11. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 69
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 73 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 74
12.1. Normative References . . . . . . . . . . . . . . . . . . 73 12.1. Normative References . . . . . . . . . . . . . . . . . . 74
12.2. Informative References . . . . . . . . . . . . . . . . . 77 12.2. Informative References . . . . . . . . . . . . . . . . . 77
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 78 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 78
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 78
1. Introduction 1. Introduction
SWID tags, as defined in ISO-19770-2:2015 [SWID], provide a SWID tags, as defined in ISO-19770-2:2015 [SWID], provide a
standardized XML-based record format that identifies and describes a standardized XML-based record format that identifies and describes a
specific release of software, a patch, or an installation bundle, specific release of software, a patch, or an installation bundle,
skipping to change at page 42, line 7 skipping to change at page 41, line 51
| | | the software component. This SHOULD | | | | the software component. This SHOULD |
| | | be used when the "maintainer" is a | | | | be used when the "maintainer" is a |
| | | different person or organization than | | | | different person or organization than |
| | | the original "softwareCreator". | | | | the original "softwareCreator". |
+-------+-----------------+----------------------------------------+ +-------+-----------------+----------------------------------------+
Table 4: Entity Role Values Table 4: Entity Role Values
The values above are registered in the IANA "Software Tag Entity Role The values above are registered in the IANA "Software Tag Entity Role
Values" registry defined in Section 6.2.5. Additional values will Values" registry defined in Section 6.2.5. Additional values will
likely be registered over time. Additionally, the index values 128 likely be registered over time.
through 255 and the name prefix "x_" have been reserved for private
use.
4.3. Link Ownership Values 4.3. Link Ownership Values
The following table indicates the index value to use for the link- The following table indicates the index value to use for the link-
entry group's ownership item (see Section 2.7). These values match entry group's ownership item (see Section 2.7). These values match
the link ownership values defined in the ISO/IEC 19770-2:2015 [SWID] the link ownership values defined in the ISO/IEC 19770-2:2015 [SWID]
specification. The "Index" value indicates the value to use as the specification. The "Index" value indicates the value to use as the
link-entry group ownership item's value. The "Ownership Type" link-entry group ownership item's value. The "Ownership Type"
provides human-readable text for the value. The "Definition" provides human-readable text for the value. The "Definition"
describes the semantic meaning of each entry. describes the semantic meaning of each entry.
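Review bot: dropping "Additionally, the index values 128 through 255 and the name prefix "x_" have been reserved for private use" from the end of Section 4.2 is the right fix, because that sentence contradicted the registry layout: Table 12 in Section 6.2.5 assigns 128-255 to Specification Required, and Section 6.2.1 reserves -1 to -256 for private use instead. One thing to check before this lands: the removed sentence was the only place in this part of the text that stated the "x_" prefix rule for private-use names, so confirm that Section 6.2.2 ("Private Use of Index and Name Values") still carries that rule if private-use names remain permitted.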
skipping to change at page 42, line 45 skipping to change at page 42, line 39
| 3 | shared | If the software component referenced by the | | 3 | shared | If the software component referenced by the |
| | | CoSWID tag is uninstalled, then the | | | | CoSWID tag is uninstalled, then the |
| | | referenced software SHOULD be uninstalled if | | | | referenced software SHOULD be uninstalled if |
| | | no other components sharing the software. | | | | no other components sharing the software. |
+-------+-----------+-----------------------------------------------+ +-------+-----------+-----------------------------------------------+
Table 5: Link Ownership Values Table 5: Link Ownership Values
The values above are registered in the IANA "Software Tag Link The values above are registered in the IANA "Software Tag Link
Ownership Values" registry defined in Section 6.2.6. Additional Ownership Values" registry defined in Section 6.2.6. Additional
values will likely be registered over time. Additionally, the index values will likely be registered over time.
values 128 through 255 and the name prefix "x_" have been reserved
for private use.
4.4. Link Rel Values 4.4. Link Rel Values
The following table indicates the index value to use for the link- The following table indicates the index value to use for the link-
entry group's rel item (see Section 2.7). These values match the entry group's rel item (see Section 2.7). These values match the
link rel values defined in the ISO/IEC 19770-2:2015 [SWID] link rel values defined in the ISO/IEC 19770-2:2015 [SWID]
specification. The "Index" value indicates the value to use as the specification. The "Index" value indicates the value to use as the
link-entry group ownership item's value. The "Relationship Type" link-entry group ownership item's value. The "Relationship Type"
provides human-readable text for the value. The "Definition" provides human-readable text for the value. The "Definition"
describes the semantic meaning of each entry. describes the semantic meaning of each entry.
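Review bot: the Section 4.4 introduction (text above Table 6) says "The "Index" value indicates the value to use as the link-entry group ownership item's value"; this is a copy-paste leftover from 4.3 and should read "link-entry group rel item's value", matching the "use item's value" wording in 4.5. The line is unchanged on both sides of the diff, so the error survives into -20.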
skipping to change at page 44, line 43 skipping to change at page 44, line 33
| | | tag that the referencing tag | | | | tag that the referencing tag |
| | | supplements. Used on | | | | supplements. Used on |
| | | supplemental tags (see | | | | supplemental tags (see |
| | | Section 1.1). | | | | Section 1.1). |
+-------+-------------------+---------------------------------------+ +-------+-------------------+---------------------------------------+
Table 6: Link Relationship Values Table 6: Link Relationship Values
The values above are registered in the IANA "Software Tag Link The values above are registered in the IANA "Software Tag Link
Relationship Values" registry defined in Section 6.2.7. Additional Relationship Values" registry defined in Section 6.2.7. Additional
values will likely be registered over time. Additionally, the index values will likely be registered over time.
values 32768 through 65535 and the name prefix "x_" have been
reserved for private use.
4.5. Link Use Values 4.5. Link Use Values
The following table indicates the index value to use for the link- The following table indicates the index value to use for the link-
entry group's use item (see Section 2.7). These values match the entry group's use item (see Section 2.7). These values match the
link use values defined in the ISO/IEC 19770-2:2015 [SWID] link use values defined in the ISO/IEC 19770-2:2015 [SWID]
specification. The "Index" value indicates the value to use as the specification. The "Index" value indicates the value to use as the
link-entry group use item's value. The "Use Type" provides human- link-entry group use item's value. The "Use Type" provides human-
readable text for the value. The "Definition" describes the semantic readable text for the value. The "Definition" describes the semantic
meaning of each entry. meaning of each entry.
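Review bot: removing "the index values 32768 through 65535 and the name prefix "x_" have been reserved for private use" after Table 6 resolves a direct conflict, since Table 16 in Section 6.2.7 assigns exactly that range, 32768-65535, to Specification Required; with the -1 to -256 reservation in Section 6.2.1 now the single statement of the private-use range, the two sections no longer disagree.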
skipping to change at page 45, line 35 skipping to change at page 45, line 25
+-------+-------------+----------------------------------------+ +-------+-------------+----------------------------------------+
| 3 | recommended | From [SWID], "Not absolutely required; | | 3 | recommended | From [SWID], "Not absolutely required; |
| | | the [Link]'d software is installed | | | | the [Link]'d software is installed |
| | | unless specified otherwise." | | | | unless specified otherwise." |
+-------+-------------+----------------------------------------+ +-------+-------------+----------------------------------------+
Table 7: Link Use Values Table 7: Link Use Values
The values above are registered in the IANA "Software Tag Link Use The values above are registered in the IANA "Software Tag Link Use
Values" registry defined in Section 6.2.8. Additional values will Values" registry defined in Section 6.2.8. Additional values will
likely be registered over time. Additionally, the index values 128 likely be registered over time.
through 255 and the name prefix "x_" have been reserved for private
use.
5. URI Schemes 5. URI Schemes
This specification defines the following URI schemes for use in This specification defines the following URI schemes for use in
CoSWID and to provide interoperability with schemes used in [SWID]. CoSWID and to provide interoperability with schemes used in [SWID].
Note: These URI schemes are used in [SWID] without an IANA Note: These URI schemes are used in [SWID] without an IANA
registration. The present specification ensures that these URI registration. The present specification ensures that these URI
schemes are properly defined going forward. schemes are properly defined going forward.
skipping to change at page 47, line 29 skipping to change at page 47, line 13
registry. New values for 5 other registries are also requested. registry. New values for 5 other registries are also requested.
6.1. CoSWID Items Registry 6.1. CoSWID Items Registry
This registry uses integer values as index values in CBOR maps. This registry uses integer values as index values in CBOR maps.
This document defines a new registry titled "CoSWID Items". Future This document defines a new registry titled "CoSWID Items". Future
registrations for this registry are to be made based on [RFC8126] as registrations for this registry are to be made based on [RFC8126] as
follows: follows:
+==================+=========================+ +==================+=====================================+
| Range | Registration Procedures | | Range | Registration Procedures |
+==================+=========================+ +==================+=====================================+
| 0-32767 | Standards Action | | 0-32767 | Standards Action with Expert Review |
+------------------+-------------------------+ +------------------+-------------------------------------+
| 32768-4294967295 | Specification Required | | 32768-4294967295 | Specification Required |
+------------------+-------------------------+ +------------------+-------------------------------------+
Table 8: CoSWID Items Registration Procedures Table 8: CoSWID Items Registration Procedures
All negative values are reserved for Private Use. All negative values are reserved for Private Use.
Initial registrations for the "CoSWID Items" registry are provided Initial registrations for the "CoSWID Items" registry are provided
below. Assignments consist of an integer index value, the item name, below. Assignments consist of an integer index value, the item name,
and a reference to the defining specification. and a reference to the defining specification.
+===============+===========================+===============+ +===============+===========================+===============+
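Review bot: Table 8 now reads "Standards Action with Expert Review" for 0-32767, but Section 6.1 gives no pointer to the review criteria; the "Expert Review Guidelines" in Section 6.2.3 sit under Section 6.2 (the Software Tag Values registries) in the table of contents, so either state in 6.1 that those guidelines also apply to the CoSWID Items registry or add equivalent guidance here. Also note that "All negative values are reserved for Private Use" makes the entire negative integer space private use for this registry, whereas the registries in Section 6.2.1 reserve only -1 to -256; if the difference is intentional, one sentence saying so would pre-empt the question.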
skipping to change at page 50, line 19 skipping to change at page 50, line 4
| 54 | revision | RFC-AAAA | | 54 | revision | RFC-AAAA |
+---------------+---------------------------+---------------+ +---------------+---------------------------+---------------+
| 55 | summary | RFC-AAAA | | 55 | summary | RFC-AAAA |
+---------------+---------------------------+---------------+ +---------------+---------------------------+---------------+
| 56 | unspsc-code | RFC-AAAA | | 56 | unspsc-code | RFC-AAAA |
+---------------+---------------------------+---------------+ +---------------+---------------------------+---------------+
| 57 | unspsc-version | RFC-AAAA | | 57 | unspsc-version | RFC-AAAA |
+---------------+---------------------------+---------------+ +---------------+---------------------------+---------------+
| 58-4294967295 | Unassigned | | | 58-4294967295 | Unassigned | |
+---------------+---------------------------+---------------+ +---------------+---------------------------+---------------+
Table 9: CoSWID Items Inital Registrations Table 9: CoSWID Items Inital Registrations
6.2. Software Tag Values Registries 6.2. Software Tag Values Registries
The following IANA registries provide a mechanism for new values to The following IANA registries provide a mechanism for new values to
be added over time to common enumerations used by SWID and CoSWID. be added over time to common enumerations used by SWID and CoSWID.
While neither the CoSWID nor SWID specification is subordinate to the
other and will evolve as their respective standards group chooses,
there is value in supporting alignment between the two standards.
Shared use of common code points, as spelled out in these registries,
will facilitate this alignment, hence the intent for shared use of
these registries and the decision to use "swid" (rather than
"coswid") in registry names.
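Review bot: in the paragraph added to Section 6.2, "While neither the CoSWID nor SWID specification is subordinate to the other and will evolve as their respective standards group chooses" pairs "neither ... is" with "and will evolve", which reads as though neither specification will evolve; suggest splitting it into "Neither the CoSWID nor the SWID specification is subordinate to the other, and each will evolve as its respective standards group chooses; nevertheless, there is value in keeping the two aligned." The explanation of why the registries are named "swid" rather than "coswid" is a useful addition and answers an obvious reviewer question. Separately, the Table 9 caption still reads "Inital Registrations" on both sides; "Initial".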
6.2.1. Registration Procedures 6.2.1. Registration Procedures
The following registries allow for the registration of index values The following registries allow for the registration of index values
and names. New registrations will be permitted through either the and names. New registrations will be permitted through either a
Standards Action policy or the Specification Required policy [BCP26]. Standards Action with Expert Review policy or a Specification
New index values will be provided on a First Come First Served as Required policy [BCP26]. New index values will be provided on a
defined by [BCP26]. First Come First Served as defined by [BCP26].
The following registries also reserve the integer-based index values The following registries also reserve the integer-based index values
in the range of -1 to -256 for private use as defined by [BCP26] in in the range of -1 to -256 for private use as defined by [BCP26] in
Section 4.1. This allows values -1 to -24 to be expressed as a Section 4.1. This allows values -1 to -24 to be expressed as a
single uint_8t in CBOR, and values -25 to -256 to be expressed using single uint_8t in CBOR, and values -25 to -256 to be expressed using
an additional uint_8t in CBOR. an additional uint_8t in CBOR.
6.2.2. Private Use of Index and Name Values 6.2.2. Private Use of Index and Name Values
The integer-based index values in the private use range (-1 to -256) The integer-based index values in the private use range (-1 to -256)
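Review bot: in Section 6.2.1, "New index values will be provided on a First Come First Served as defined by [BCP26]" is missing "basis", and it is unclear how a First Come First Served allocation relates to the two policies named in the preceding sentence (Standards Action with Expert Review, Specification Required); if the intent is that a registration is approved under one of those policies and the specific index number is then handed out sequentially, say so explicitly, because BCP 26 treats First Come First Served as a policy in its own right. Also "uint_8t" (twice, in the paragraph about -1 to -24 and -25 to -256) should be "uint8_t", or better plain prose such as "a single byte" and "one additional byte": the point being made is CBOR's encoding of negative integers (major type 1, with -1 to -24 carried in the initial byte and -25 to -256 needing one extra byte), not a C type.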
skipping to change at page 52, line 18 skipping to change at page 52, line 5
Scheme Values". This registry provides index values for use as Scheme Values". This registry provides index values for use as
version-scheme item values in this document and version scheme names version-scheme item values in this document and version scheme names
for use in [SWID]. for use in [SWID].
[TO BE REMOVED: This registration should take place at the following [TO BE REMOVED: This registration should take place at the following
location: https://www.iana.org/assignments/swid] location: https://www.iana.org/assignments/swid]
This registry uses the registration procedures defined in This registry uses the registration procedures defined in
Section 6.2.1 with the following associated ranges: Section 6.2.1 with the following associated ranges:
+=============+=========================+ +=============+=====================================+
| Range | Registration Procedures | | Range | Registration Procedures |
+=============+=========================+ +=============+=====================================+
| 0-16383 | Standards Action | | 0-16383 | Standards Action with Expert Review |
+-------------+-------------------------+ +-------------+-------------------------------------+
| 16384-65535 | Specification Required | | 16384-65535 | Specification Required |
+-------------+-------------------------+ +-------------+-------------------------------------+
Table 10: CoSWID Version Scheme Table 10: CoSWID Version Scheme Registration
Registration Procedures Procedures
Assignments MUST consist of an integer Index value, the Version Assignments MUST consist of an integer Index value, the Version
Scheme Name, and a reference to the defining specification. Scheme Name, and a reference to the defining specification.
Initial registrations for the "Software Tag Version Scheme Values" Initial registrations for the "Software Tag Version Scheme Values"
registry are provided below, which are derived from the textual registry are provided below, which are derived from the textual
version scheme names defined in [SWID]. version scheme names defined in [SWID].
+=============+=========================+=================+ +=============+=========================+=================+
| Index | Version Scheme Name | Specification | | Index | Version Scheme Name | Specification |
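Review bot: Section 6.2.4 says "Assignments MUST consist of an integer Index value, the Version Scheme Name, and a reference to the defining specification", while the parallel sentences in 6.2.5, 6.2.6 and 6.2.7 say "Assignments consist of ..." without the normative keyword; pick one form for all five registries under 6.2 (the non-normative "consist of" is the usual IANA-section phrasing, and the obligation on registrants is already carried by the registration procedure). Widening the caption so that "Registration Procedures" fits on one line (Table 10) is fine.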
skipping to change at page 54, line 5 skipping to change at page 53, line 25
Role Values". This registry provides index values for use as entity- Role Values". This registry provides index values for use as entity-
entry role item values in this document and entity role names for use entry role item values in this document and entity role names for use
in [SWID]. in [SWID].
[TO BE REMOVED: This registration should take place at the following [TO BE REMOVED: This registration should take place at the following
location: https://www.iana.org/assignments/swid] location: https://www.iana.org/assignments/swid]
This registry uses the registration procedures defined in This registry uses the registration procedures defined in
Section 6.2.1 with the following associated ranges: Section 6.2.1 with the following associated ranges:
+=========+=========================+ +=========+=====================================+
| Range | Registration Procedures | | Range | Registration Procedures |
+=========+=========================+ +=========+=====================================+
| 0-127 | Standards Action | | 0-127 | Standards Action with Expert Review |
+---------+-------------------------+ +---------+-------------------------------------+
| 128-255 | Specification Required | | 128-255 | Specification Required |
+---------+-------------------------+ +---------+-------------------------------------+
Table 12: CoSWID Entity Role Table 12: CoSWID Entity Role Registration
Registration Procedures Procedures
Assignments consist of an integer Index value, a Role Name, and a Assignments consist of an integer Index value, a Role Name, and a
reference to the defining specification. reference to the defining specification.
Initial registrations for the "Software Tag Entity Role Values" Initial registrations for the "Software Tag Entity Role Values"
registry are provided below, which are derived from the textual registry are provided below, which are derived from the textual
entity role names defined in [SWID]. entity role names defined in [SWID].
+=======+=================+=================+ +=======+=================+=================+
| Index | Role Name | Specification | | Index | Role Name | Specification |
skipping to change at page 55, line 18 skipping to change at page 55, line 5
Ownership Values". This registry provides index values for use as Ownership Values". This registry provides index values for use as
link-entry ownership item values in this document and link ownership link-entry ownership item values in this document and link ownership
names for use in [SWID]. names for use in [SWID].
[TO BE REMOVED: This registration should take place at the following [TO BE REMOVED: This registration should take place at the following
location: https://www.iana.org/assignments/swid] location: https://www.iana.org/assignments/swid]
This registry uses the registration procedures defined in This registry uses the registration procedures defined in
Section 6.2.1 with the following associated ranges: Section 6.2.1 with the following associated ranges:
+=========+=========================+ +=========+=====================================+
| Range | Registration Procedures | | Range | Registration Procedures |
+=========+=========================+ +=========+=====================================+
| 0-127 | Standards Action | | 0-127 | Standards Action with Expert Review |
+---------+-------------------------+ +---------+-------------------------------------+
| 128-255 | Specification Required | | 128-255 | Specification Required |
+---------+-------------------------+ +---------+-------------------------------------+
Table 14: CoSWID Link Ownership Table 14: CoSWID Link Ownership Registration
Registration Procedures Procedures
Assignments consist of an integer Index value, an Ownership Type Assignments consist of an integer Index value, an Ownership Type
Name, and a reference to the defining specification. Name, and a reference to the defining specification.
Initial registrations for the "Software Tag Link Ownership Values" Initial registrations for the "Software Tag Link Ownership Values"
registry are provided below, which are derived from the textual registry are provided below, which are derived from the textual
entity role names defined in [SWID]. entity role names defined in [SWID].
+=======+=====================+=================+ +=======+=====================+=================+
| Index | Ownership Type Name | Definition | | Index | Ownership Type Name | Definition |
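Review bot: in Section 6.2.6, "which are derived from the textual entity role names defined in [SWID]" is copied from 6.2.5 and should read "link ownership names" (the sentence just above says this registry holds Ownership Type Names); it is unchanged by the diff, so still wrong in -20. Also, the header of the initial-registrations table at the end of this hunk reads "| Index | Ownership Type Name | Definition |", whereas the corresponding tables in 6.2.4, 6.2.5 and 6.2.7 use "Specification" for the third column and the text says each assignment carries "a reference to the defining specification"; rename the column to match.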
skipping to change at page 56, line 17 skipping to change at page 56, line 4
6.2.7. Software Tag Link Relationship Values Registry 6.2.7. Software Tag Link Relationship Values Registry
This document establishes a new registry titled "Software Tag Link This document establishes a new registry titled "Software Tag Link
Relationship Values". This registry provides index values for use as Relationship Values". This registry provides index values for use as
link-entry rel item values in this document and link ownership names link-entry rel item values in this document and link ownership names
for use in [SWID]. for use in [SWID].
[TO BE REMOVED: This registration should take place at the following [TO BE REMOVED: This registration should take place at the following
location: https://www.iana.org/assignments/swid] location: https://www.iana.org/assignments/swid]
This registry uses the registration procedures defined in This registry uses the registration procedures defined in
Section 6.2.1 with the following associated ranges: Section 6.2.1 with the following associated ranges:
+=============+=========================+ +=============+=====================================+
| Range | Registration Procedures | | Range | Registration Procedures |
+=============+=========================+ +=============+=====================================+
| 0-32767 | Standards Action | | 0-32767 | Standards Action with Expert Review |
+-------------+-------------------------+ +-------------+-------------------------------------+
| 32768-65535 | Specification Required | | 32768-65535 | Specification Required |
+-------------+-------------------------+ +-------------+-------------------------------------+
Table 16: CoSWID Link Relationship Table 16: CoSWID Link Relationship Registration
Registration Procedures Procedures
Assignments consist of an integer Index value, the Relationship Type Assignments consist of an integer Index value, the Relationship Type
Name, and a reference to the defining specification. Name, and a reference to the defining specification.
Initial registrations for the "Software Tag Link Relationship Values" Initial registrations for the "Software Tag Link Relationship Values"
registry are provided below, which are derived from the link registry are provided below, which are derived from the link
relationship values defined in [SWID]. relationship values defined in [SWID].
+==========+========================+=================+ +==========+========================+=================+
| Index | Relationship Type Name | Specification | | Index | Relationship Type Name | Specification |
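Review bot: the registry description still says this registry provides "link ownership names for use in [SWID]" even though it is the "Software Tag Link Relationship Values" registry; that reads like a carry-over from the Link Ownership section and should be "link relationship names for use in [SWID]", which matches the "Relationship Type Name" wording in the assignment sentence and the column header of the initial-registrations table. The procedure change to "Standards Action with Expert Review" for 0-32767 mirrors Table 14 and has the same need for a pointer to the Section 6.2.3 expert review guidelines.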
skipping to change at page 58, line 18 skipping to change at page 58, line 18
Use Values". This registry provides index values for use as link- Use Values". This registry provides index values for use as link-
entry use item values in this document and link use names for use in entry use item values in this document and link use names for use in
[SWID]. [SWID].
[TO BE REMOVED: This registration should take place at the following [TO BE REMOVED: This registration should take place at the following
location: https://www.iana.org/assignments/swid] location: https://www.iana.org/assignments/swid]
This registry uses the registration procedures defined in This registry uses the registration procedures defined in
Section 6.2.1 with the following associated ranges: Section 6.2.1 with the following associated ranges:
+=========+=========================+ +=========+=====================================+
| Range | Registration Procedures | | Range | Registration Procedures |
+=========+=========================+ +=========+=====================================+
| 0-127 | Standards Action | | 0-127 | Standards Action with Expert Review |
+---------+-------------------------+ +---------+-------------------------------------+
| 128-255 | Specification Required | | 128-255 | Specification Required |
+---------+-------------------------+ +---------+-------------------------------------+
Table 18: CoSWID Link Use Table 18: CoSWID Link Use Registration Procedures
Registration Procedures
Assignments consist of an integer Index value, the Link Use Type Assignments consist of an integer Index value, the Link Use Type
Name, and a reference to the defining specification. Name, and a reference to the defining specification.
Initial registrations for the "Software Tag Link Use Values" registry Initial registrations for the "Software Tag Link Use Values" registry
are provided below, which are derived from the link relationship are provided below, which are derived from the link relationship
values defined in [SWID]. values defined in [SWID].
+=======+====================+=================+ +=======+====================+=================+
| Index | Link Use Type Name | Specification | | Index | Link Use Type Name | Specification |
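Review bot: the initial-registrations sentence says the values "are derived from the link relationship values defined in [SWID]", but this is the "Software Tag Link Use Values" registry; it should say "link use values defined in [SWID]", consistent with the "Link Use Type Name" column and with the parallel sentences in the Ownership ("entity role names") and Relationship ("link relationship values") sections.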
skipping to change at page 59, line 10 skipping to change at page 59, line 7
| 4-255 | Unassigned | | | 4-255 | Unassigned | |
+-------+--------------------+-----------------+ +-------+--------------------+-----------------+
Table 19: CoSWID Link Use Initial Registrations Table 19: CoSWID Link Use Initial Registrations
Registrations MUST conform to the expert review guidelines defined in Registrations MUST conform to the expert review guidelines defined in
Section 6.2.3. Section 6.2.3.
6.3. swid+cbor Media Type Registration 6.3. swid+cbor Media Type Registration
*_TODO: Per Section 5.1 of RFC6838, was a message sent to media-
types@iana.org for preliminary review? I didn't see it on that
mailing list (did I miss it?). Please kick that off._*
IANA is requested to add the following to the IANA "Media Types" IANA is requested to add the following to the IANA "Media Types"
registry [IANA.media-types]. registry [IANA.media-types].
Type name: application Type name: application
Subtype name: swid+cbor Subtype name: swid+cbor
Required parameters: none Required parameters: none
Optional parameters: none Optional parameters: none
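Review bot: the -20 text drops the TODO asking whether the application/swid+cbor registration was sent to media-types@iana.org for preliminary review per Section 5.1 of RFC 6838, but nothing in the remaining text records that the review took place; the outcome (and a pointer to the mailing-list thread) should be captured in the shepherd writeup or the document's change log so that removing the TODO is traceable.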
skipping to change at page 67, line 16 skipping to change at page 67, line 16
components and, as such, the contents of a CoSWID tag does not need components and, as such, the contents of a CoSWID tag does not need
to be protected against unintended disclosure on an endpoint. to be protected against unintended disclosure on an endpoint.
CoSWID tags are intended to be easily discoverable by authorized CoSWID tags are intended to be easily discoverable by authorized
applications and users on an endpoint in order to make it easy to applications and users on an endpoint in order to make it easy to
determine the tagged software load. Access to the collection of an determine the tagged software load. Access to the collection of an
endpoint's CoSWID tags needs to be appropriately controlled to endpoint's CoSWID tags needs to be appropriately controlled to
authorized applications and users using an appropriate access control authorized applications and users using an appropriate access control
mechanism. mechanism.
Since the tag-id of a CoSWID tag can be used as a global index value,
failure to ensure the tag-id's uniqueness can cause collisions or
ambiguity in CoSWID tags that are retrieved or processed using this
identifier. CoSWID is designed to not require a registry of
identifiers. As a result, CoSWID requires the tag creator employ a
method of generating a unique tag identifier. Specific methods of
generating a unique identifier are beyond the scope of this
specification. A collision in tag-ids may result in false positives/
negatives in software integrity checks or mis-identification of
installed software, undermining CoSWID use cases such as
vulnerability identification, software inventory, etc. If such a
collision is detected, then the tag consumer should contact the
maintainer of the CoSWID to have them issue a correction addressing
the collision.
CoSWID tags are designed to be easily added and removed from an CoSWID tags are designed to be easily added and removed from an
endpoint along with the installation or removal of software endpoint along with the installation or removal of software
components. On endpoints where addition or removal of software components. On endpoints where addition or removal of software
components is tightly controlled, the addition or removal of CoSWID components is tightly controlled, the addition or removal of CoSWID
tags can be similarly controlled. On more open systems, where many tags can be similarly controlled. On more open systems, where many
users can manage the software inventory, CoSWID tags can be easier to users can manage the software inventory, CoSWID tags can be easier to
add or remove. On such systems, it can be possible to add or remove add or remove. On such systems, it can be possible to add or remove
CoSWID tags in a way that does not reflect the actual presence or CoSWID tags in a way that does not reflect the actual presence or
absence of corresponding software components. Similarly, not all absence of corresponding software components. Similarly, not all
software products automatically install CoSWID tags, so products can software products automatically install CoSWID tags, so products can
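Review bot: in the new tag-id uniqueness paragraph, "If such a collision is detected, then the tag consumer should contact the maintainer of the CoSWID to have them issue a correction" is ambiguous, because a collision by definition involves two tags carrying the same tag-id, possibly from two different tag creators; say which maintainer is meant (the creators of both colliding tags, presumably) and what the correction consists of, for instance reissuing one of the tags with a fresh tag-id. Two wording fixes in the same paragraph: "CoSWID requires the tag creator employ a method" should read "requires that the tag creator employ a method", and "false positives/ negatives" and "mis-identification" are better written as "false positives or false negatives" and "misidentification".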
skipping to change at page 77, line 25 skipping to change at page 77, line 31
12.2. Informative References 12.2. Informative References
[CamelCase] [CamelCase]
"UpperCamelCase", 29 August 2014, "UpperCamelCase", 29 August 2014,
<http://wiki.c2.com/?CamelCase>. <http://wiki.c2.com/?CamelCase>.
[I-D.ietf-rats-architecture] [I-D.ietf-rats-architecture]
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote Attestation Procedures Architecture", Work W. Pan, "Remote Attestation Procedures Architecture", Work
in Progress, Internet-Draft, draft-ietf-rats-architecture- in Progress, Internet-Draft, draft-ietf-rats-architecture-
12, 23 April 2021, <https://www.ietf.org/archive/id/draft- 14, 9 December 2021, <https://www.ietf.org/archive/id/
ietf-rats-architecture-12.txt>. draft-ietf-rats-architecture-14.txt>.
[KebabCase] [KebabCase]
"KebabCase", 18 December 2014, "KebabCase", 18 December 2014,
<http://wiki.c2.com/?KebabCase>. <http://wiki.c2.com/?KebabCase>.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444, Information Models and Data Models", RFC 3444,
DOI 10.17487/RFC3444, January 2003, DOI 10.17487/RFC3444, January 2003,
<https://www.rfc-editor.org/info/rfc3444>. <https://www.rfc-editor.org/info/rfc3444>.
 End of changes. 36 change blocks. 
96 lines changed or deleted 103 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/