draft-ietf-sacm-coswid-13.txt   draft-ietf-sacm-coswid-14.txt 
SACM Working Group H. Birkholz SACM Working Group H. Birkholz
Internet-Draft Fraunhofer SIT Internet-Draft Fraunhofer SIT
Intended status: Standards Track J. Fitzgerald-McKay Intended status: Standards Track J. Fitzgerald-McKay
Expires: May 20, 2020 Department of Defense Expires: November 1, 2020 Department of Defense
C. Schmidt C. Schmidt
The MITRE Corporation The MITRE Corporation
D. Waltermire D. Waltermire
NIST NIST
November 17, 2019 April 30, 2020
Concise Software Identification Tags Concise Software Identification Tags
draft-ietf-sacm-coswid-13 draft-ietf-sacm-coswid-14
Abstract Abstract
ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an
extensible XML-based structure to identify and describe individual extensible XML-based structure to identify and describe individual
software components, patches, and installation bundles. SWID tag software components, patches, and installation bundles. SWID tag
representations can be too large for devices with network and storage representations can be too large for devices with network and storage
constraints. This document defines a concise representation of SWID constraints. This document defines a concise representation of SWID
tags: Concise SWID (CoSWID) tags. CoSWID supports the same features tags: Concise SWID (CoSWID) tags. CoSWID supports the same features
as SWID tags, as well as additional semantics that allow CoSWIDs to as SWID tags, as well as additional semantics that allow CoSWIDs to
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 20, 2020. This Internet-Draft will expire on November 1, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 24 skipping to change at page 2, line 24
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. The SWID and CoSWID Tag Lifecycle . . . . . . . . . . . . 4 1.1. The SWID and CoSWID Tag Lifecycle . . . . . . . . . . . . 4
1.2. Concise SWID Format . . . . . . . . . . . . . . . . . . . 7 1.2. Concise SWID Format . . . . . . . . . . . . . . . . . . . 7
1.3. Requirements Notation . . . . . . . . . . . . . . . . . . 7 1.3. Requirements Notation . . . . . . . . . . . . . . . . . . 7
2. Concise SWID Data Definition . . . . . . . . . . . . . . . . 7 2. Concise SWID Data Definition . . . . . . . . . . . . . . . . 7
2.1. Character Encoding . . . . . . . . . . . . . . . . . . . 8 2.1. Character Encoding . . . . . . . . . . . . . . . . . . . 8
2.2. Concise SWID Extensions . . . . . . . . . . . . . . . . . 9 2.2. Concise SWID Extensions . . . . . . . . . . . . . . . . . 9
2.3. The concise-swid-tag Group . . . . . . . . . . . . . . . 11 2.3. The concise-swid-tag Map . . . . . . . . . . . . . . . . 11
2.4. concise-swid-tag Co-constraints . . . . . . . . . . . . . 15 2.4. concise-swid-tag Co-constraints . . . . . . . . . . . . . 15
2.5. The global-attributes Group . . . . . . . . . . . . . . . 16 2.5. The global-attributes Group . . . . . . . . . . . . . . . 16
2.6. The entity-entry Group . . . . . . . . . . . . . . . . . 17 2.6. The entity-entry Map . . . . . . . . . . . . . . . . . . 17
2.7. The link-entry Map . . . . . . . . . . . . . . . . . . . 18 2.7. The link-entry Map . . . . . . . . . . . . . . . . . . . 18
2.8. The software-meta-entry Map . . . . . . . . . . . . . . . 22 2.8. The software-meta-entry Map . . . . . . . . . . . . . . . 22
2.9. The Resource Collection Definition . . . . . . . . . . . 26 2.9. The Resource Collection Definition . . . . . . . . . . . 26
2.9.1. The hash-entry Array . . . . . . . . . . . . . . . . 26 2.9.1. The hash-entry Array . . . . . . . . . . . . . . . . 26
2.9.2. The resource-collection Group . . . . . . . . . . . . 26 2.9.2. The resource-collection Group . . . . . . . . . . . . 26
2.9.3. The payload-entry Group . . . . . . . . . . . . . . . 29 2.9.3. The payload-entry Map . . . . . . . . . . . . . . . . 29
2.9.4. The evidence-entry Group . . . . . . . . . . . . . . 30 2.9.4. The evidence-entry Map . . . . . . . . . . . . . . . 30
2.10. Full CDDL Definition . . . . . . . . . . . . . . . . . . 30 2.10. Full CDDL Definition . . . . . . . . . . . . . . . . . . 30
3. Determining the Type of CoSWID . . . . . . . . . . . . . . . 36 3. Determining the Type of CoSWID . . . . . . . . . . . . . . . 36
4. CoSWID Indexed Label Values . . . . . . . . . . . . . . . . . 37 4. CoSWID Indexed Label Values . . . . . . . . . . . . . . . . . 37
4.1. Version Scheme . . . . . . . . . . . . . . . . . . . . . 37 4.1. Version Scheme . . . . . . . . . . . . . . . . . . . . . 37
4.2. Entity Role Values . . . . . . . . . . . . . . . . . . . 38 4.2. Entity Role Values . . . . . . . . . . . . . . . . . . . 38
4.3. Link Ownership Values . . . . . . . . . . . . . . . . . . 39 4.3. Link Ownership Values . . . . . . . . . . . . . . . . . . 39
4.4. Link Rel Values . . . . . . . . . . . . . . . . . . . . . 40 4.4. Link Rel Values . . . . . . . . . . . . . . . . . . . . . 40
4.5. Link Use Values . . . . . . . . . . . . . . . . . . . . . 42 4.5. Link Use Values . . . . . . . . . . . . . . . . . . . . . 42
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
5.1. CoSWID Items Registry . . . . . . . . . . . . . . . . . . 43 5.1. CoSWID Items Registry . . . . . . . . . . . . . . . . . . 43
skipping to change at page 3, line 15 skipping to change at page 3, line 15
5.3. swid+cbor Media Type Registration . . . . . . . . . . . . 54 5.3. swid+cbor Media Type Registration . . . . . . . . . . . . 54
5.4. CoAP Content-Format Registration . . . . . . . . . . . . 55 5.4. CoAP Content-Format Registration . . . . . . . . . . . . 55
5.5. CBOR Tag Registration . . . . . . . . . . . . . . . . . . 55 5.5. CBOR Tag Registration . . . . . . . . . . . . . . . . . . 55
5.6. URI Scheme Registrations . . . . . . . . . . . . . . . . 55 5.6. URI Scheme Registrations . . . . . . . . . . . . . . . . 55
5.6.1. "swid" URI Scheme Registration . . . . . . . . . . . 56 5.6.1. "swid" URI Scheme Registration . . . . . . . . . . . 56
5.6.2. "swidpath" URI Scheme Registration . . . . . . . . . 56 5.6.2. "swidpath" URI Scheme Registration . . . . . . . . . 56
5.7. CoSWID Model for use in SWIMA Registration . . . . . . . 57 5.7. CoSWID Model for use in SWIMA Registration . . . . . . . 57
6. Security Considerations . . . . . . . . . . . . . . . . . . . 58 6. Security Considerations . . . . . . . . . . . . . . . . . . . 58
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 59 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 59
8. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 60 8. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 60
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 64 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 65
9.1. Normative References . . . . . . . . . . . . . . . . . . 64 9.1. Normative References . . . . . . . . . . . . . . . . . . 65
9.2. Informative References . . . . . . . . . . . . . . . . . 66 9.2. Informative References . . . . . . . . . . . . . . . . . 67
Appendix A. Signed Concise SWID Tags using COSE . . . . . . . . 67 Appendix A. Signed Concise SWID Tags using COSE . . . . . . . . 68
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69
1. Introduction 1. Introduction
SWID tags, as defined in ISO-19770-2:2015 [SWID], provide a SWID tags, as defined in ISO-19770-2:2015 [SWID], provide a
standardized XML-based record format that identifies and describes a standardized XML-based record format that identifies and describes a
specific release of software, a patch, or an installation bundle, specific release of software, a patch, or an installation bundle,
which are referred to as software components in this document. which are referred to as software components in this document.
Different software components, and even different releases of a Different software components, and even different releases of a
particular software component, each have a different SWID tag record particular software component, each have a different SWID tag record
associated with them. SWID tags are meant to be flexible and able to associated with them. SWID tags are meant to be flexible and able to
skipping to change at page 7, line 21 skipping to change at page 7, line 21
Concise Data Definition Language (CDDL) [RFC8610]. The resulting Concise Data Definition Language (CDDL) [RFC8610]. The resulting
CoSWID data definition is aligned to the information able to be CoSWID data definition is aligned to the information able to be
expressed with the XML schema definition of ISO-19770-2:2015 [SWID]. expressed with the XML schema definition of ISO-19770-2:2015 [SWID].
This alignment allows both SWID and CoSWID tags to represent a common This alignment allows both SWID and CoSWID tags to represent a common
set of software component information and allows CoSWID tags to set of software component information and allows CoSWID tags to
support the same uses as a SWID tag. To achieve this end, the CDDL support the same uses as a SWID tag. To achieve this end, the CDDL
representation includes every SWID tag field and attribute. representation includes every SWID tag field and attribute.
The vocabulary, i.e., the CDDL names of the types and members used in The vocabulary, i.e., the CDDL names of the types and members used in
the CoSWID data definition, are mapped to more concise labels the CoSWID data definition, are mapped to more concise labels
represented as small integer values. The names used in the CDDL data represented as small integer values (indices). The names used in the
definition and the mapping to the CBOR representation using integer CDDL data definition and the mapping to the CBOR representation using
labels is based on the vocabulary of the XML attribute and element integer indices is based on the vocabulary of the XML attribute and
names defined in ISO/IEC 19770-2:2015. element names defined in ISO/IEC 19770-2:2015.
1.3. Requirements Notation 1.3. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Concise SWID Data Definition 2. Concise SWID Data Definition
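Review bot: the switch from "labels" to "indices" in the Section 1.2 paragraph is only partially carried through the document. Section 2.1 still speaks of "text labels" mapped to "integer indices", and the any-attribute bullet later in this diff reads 'label/index ("key") value pairs', which stacks three names on one concept. Settle on one term for the integer map keys (the Section 5.1 registry already calls them index values), define it once here, e.g. "are mapped to small integer indices that serve as the CBOR map keys", and reserve "label" for the CDDL names.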
skipping to change at page 8, line 26 skipping to change at page 8, line 26
The 57 human-readable text labels of the CDDL-based CoSWID vocabulary The 57 human-readable text labels of the CDDL-based CoSWID vocabulary
are mapped to integer indices via a block of rules at the bottom of are mapped to integer indices via a block of rules at the bottom of
the definition. This allows a more concise integer-based form to be the definition. This allows a more concise integer-based form to be
stored or transported, as compared to the less efficient text-based stored or transported, as compared to the less efficient text-based
form of the original vocabulary. form of the original vocabulary.
In CBOR, an array is encoded using bytes that identify the array, and In CBOR, an array is encoded using bytes that identify the array, and
the array's length or stop point (see [RFC7049]). To make items that the array's length or stop point (see [RFC7049]). To make items that
support 1 or more values, the following CDDL notion is used. support 1 or more values, the following CDDL notion is used.
_name_ = (_label_: _data_ / [ 2* _data_ ]) _name_ = (_label_ => _data_ / [ 2* _data_ ])
The CDDL rule above allows either a single data item or an array of 2 The CDDL rule above allows either a single data item or an array of 2
or more data values to be provided. When a singleton data value is or more data values to be provided. When a singleton data value is
provided, the CBOR markers for the array, array length, and stop provided, the CBOR markers for the array, array length, and stop
point are not needed, saving bytes. When two or more data values are point are not needed, saving bytes. When two or more data values are
provided, these values are encoded as an array. This modeling provided, these values are encoded as an array. This modeling
pattern is used frequently in the CoSWID CDDL data definition to pattern is used frequently in the CoSWID CDDL data definition to
allow for more efficient encoding of singleton values. allow for more efficient encoding of singleton values.
The following subsections describe the different parts of the CoSWID The following subsections describe the different parts of the CoSWID
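Review bot: the change from "_label_: _data_" to "_label_ => _data_" in the pattern rule is a correctness fix, not a cosmetic one, and the text should say why. Under RFC 8610 Section 3.5.1 a bareword followed by a colon denotes the text string key "_label_", whereas "=>" makes the key's type the rule _label_, which in CoSWID resolves to an integer index; the -13 form therefore described text-keyed maps and contradicted the integer-keyed encoding this section promises. Suggest one sentence after the rule stating that "=>" is required so that the key is the integer index rather than the literal name, and fix "the following CDDL notion is used" to "notation", a typo present in both versions.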
skipping to change at page 10, line 5 skipping to change at page 10, line 5
sockets allow for well-formed extensions to be defined in sockets allow for well-formed extensions to be defined in
supplementary CDDL descriptions that support additional uses of supplementary CDDL descriptions that support additional uses of
CoSWID tags that go beyond the original scope of ISO-19770-2:2015 CoSWID tags that go beyond the original scope of ISO-19770-2:2015
tags. This extension mechanism can also be used to update the tags. This extension mechanism can also be used to update the
CoSWID format as revisions to ISO-19770-2 are published. CoSWID format as revisions to ISO-19770-2 are published.
The following CDDL sockets (extension points) are defined in this The following CDDL sockets (extension points) are defined in this
document, which allow the addition of new information structures to document, which allow the addition of new information structures to
their respective CDDL groups. their respective CDDL groups.
+---------------------+-----------------------+---------------+ +---------------------+---------------------------+---------------+
| Map Name | CDDL Socket | Defined in | | Map Name | CDDL Socket | Defined in |
+---------------------+-----------------------+---------------+ +---------------------+---------------------------+---------------+
| concise-swid-tag | $$coswid-extension | Section 2.3 | | concise-swid-tag | $$coswid-extension | Section 2.3 |
| | | | | | | |
| entity-entry | $$entity-extension | Section 2.6 | | entity-entry | $$entity-extension | Section 2.6 |
| | | | | | | |
| link-entry | $$link-extension | Section 2.7 | | link-entry | $$link-extension | Section 2.7 |
| | | | | | | |
| software-meta-entry | $$meta-extension | Section 2.8 | | software-meta-entry | $$software-meta-extension | Section 2.8 |
| | | | | | | |
| file-entry | $$file-extension | Section 2.9.2 | | file-entry | $$file-extension | Section 2.9.2 |
| | | | | | | |
| directory-entry | $$directory-extension | Section 2.9.2 | | directory-entry | $$directory-extension | Section 2.9.2 |
| | | | | | | |
| process-entry | $$process-extension | Section 2.9.2 | | process-entry | $$process-extension | Section 2.9.2 |
| | | | | | | |
| resource-entry | $$resource-extension | Section 2.9.2 | | resource-entry | $$resource-extension | Section 2.9.2 |
| | | | | | | |
| payload-entry | $$payload-extension | Section 2.9.3 | | payload-entry | $$payload-extension | Section 2.9.3 |
| | | | | | | |
| evidence-entry | $$evidence-extension | Section 2.9.4 | | evidence-entry | $$evidence-extension | Section 2.9.4 |
+---------------------+-----------------------+---------------+ +---------------------+---------------------------+---------------+
Table 1: CoSWID CDDL Group Extension Points Table 1: CoSWID CDDL Group Extension Points
The CoSWID Items Registry defined in Section 5.1 provides a The CoSWID Items Registry defined in Section 5.1 provides a
registration mechanism allowing new items, and their associated index registration mechanism allowing new items, and their associated index
values, to be added to the CoSWID model through the use of the CDDL values, to be added to the CoSWID model through the use of the CDDL
sockets described in the table above. This registration mechanism sockets described in the table above. This registration mechanism
provides for well-known index values for data items in CoSWID provides for well-known index values for data items in CoSWID
extensions, allowing these index values to be recognized by extensions, allowing these index values to be recognized by
implementations supporting a given extension. implementations supporting a given extension.
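Review bot: Table 1 is out of sync with the CDDL in two places. First, the rename to "$$software-meta-extension" is applied here and in the software-meta-entry CDDL, but the bullet describing that socket at the end of Section 2.8 (visible at the start of the "page 26, line 11" hunk below) still reads "$$meta-extension". Second, the new "$$resource-collection-extension" socket added to the resource-collection group in Section 2.9.2 is missing from the table, so the statement that the CoSWID Items Registry in Section 5.1 registers items "through the use of the CDDL sockets described in the table above" would not cover it; add a row "resource-collection | $$resource-collection-extension | Section 2.9.2". Also, after the Group-to-Map renames the caption "CoSWID CDDL Group Extension Points" and the column heading "Map Name" now disagree with each other; since resource-collection is a parenthesized group and the others are maps, "Rule Name" would be accurate for the column.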
skipping to change at page 11, line 31 skipping to change at page 11, line 31
A number of SWID/CoSWID value registries are also defined in A number of SWID/CoSWID value registries are also defined in
Section 5.2 that allow new values to be registered with IANA for the Section 5.2 that allow new values to be registered with IANA for the
enumerations above. This registration mechanism supports the enumerations above. This registration mechanism supports the
definition of new well-known index values and names for new definition of new well-known index values and names for new
enumeration values used by both SWID and CoSWID. This registration enumeration values used by both SWID and CoSWID. This registration
mechanism allows new standardized enumerated values to be shared mechanism allows new standardized enumerated values to be shared
between both specifications (and implementations) over time, and between both specifications (and implementations) over time, and
references to the IANA registries will be added to the next revision references to the IANA registries will be added to the next revision
of [SWID]. of [SWID].
2.3. The concise-swid-tag Group 2.3. The concise-swid-tag Map
The CDDL data definition for the root concise-swid-tag map is as The CDDL data definition for the root concise-swid-tag map is as
follows and this rule and its constraints MUST be followed when follows and this rule and its constraints MUST be followed when
creating or validating a CoSWID tag: creating or validating a CoSWID tag:
concise-swid-tag = { concise-swid-tag = {
global-attributes, global-attributes,
tag-id => text / bstr .size 16, tag-id => text / bstr .size 16,
tag-version => integer, tag-version => integer,
? corpus => bool, ? corpus => bool,
? patch => bool, ? patch => bool,
? supplemental => bool, ? supplemental => bool,
software-name => text, software-name => text,
? software-version => text, ? software-version => text,
? version-scheme => $version-scheme, ? version-scheme => $version-scheme,
? media => text, ? media => text,
? software-meta => software-meta-entry / [ 2* software-meta-entry ], ? software-meta => software-meta-entry / [ 2* software-meta-entry ],
entity => entity-entry / [ 2* entity-entry ], entity => entity-entry / [ 2* entity-entry ],
? link => link-entry / [ 2* link-entry ], ? link => link-entry / [ 2* link-entry ],
? (( payload => payload-entry ) // ( evidence => evidence-entry )), ? (( payload => payload-entry ) // ( evidence => evidence-entry )),
* $$coswid-extension * $$coswid-extension,
} }
tag-id = 0 tag-id = 0
software-name = 1 software-name = 1
entity = 2 entity = 2
evidence = 3 evidence = 3
link = 4 link = 4
software-meta = 5 software-meta = 5
payload = 6 payload = 6
corpus = 8 corpus = 8
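Review bot: the visible part of the concise-swid-tag index block skips 7 (tag-id = 0 through payload = 6, then corpus = 8). This revision's Section 2.9.1 states that the hash member takes index 7, so if "hash = 7" is not assigned elsewhere in this block, add it here, or at least a cross-reference, so the top-level index assignments are complete in one place and a reader does not take the gap for an unassigned value. The trailing comma added after "* $$coswid-extension," is fine; the RFC 8610 grammar permits an optional comma before the closing brace.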
skipping to change at page 16, line 49 skipping to change at page 16, line 49
o lang (index 15): A textual language tag that conforms with IANA o lang (index 15): A textual language tag that conforms with IANA
"Language Subtag Registry" [RFC5646]. The context of the "Language Subtag Registry" [RFC5646]. The context of the
specified language applies to all sibling and descendant textual specified language applies to all sibling and descendant textual
values, unless a descendant object has defined a different values, unless a descendant object has defined a different
language tag. Thus, a new context is established when a language tag. Thus, a new context is established when a
descendant object redefines a new language tag. All textual descendant object redefines a new language tag. All textual
values within a given context MUST be considered expressed in the values within a given context MUST be considered expressed in the
specified language. specified language.
o any-attribute: This sub-group provides a means to include o any-attribute: This sub-group provides a means to include
arbitrary information via label ("key") value pairs. Labels can arbitrary information via label/index ("key") value pairs. Labels
be either a single integer or text string. Values can be a single can be either a single integer or text string. Values can be a
integer, a text string, or an array of integers or text strings. single integer, a text string, or an array of integers or text
strings.
2.6. The entity-entry Group 2.6. The entity-entry Map
The CDDL for the entity-entry group follows: The CDDL for the entity-entry map follows:
entity-entry = { entity-entry = {
global-attributes, global-attributes,
entity-name => text, entity-name => text,
? reg-id => any-uri, ? reg-id => any-uri,
role => $role / [ 2* $role ], role => $role / [ 2* $role ],
? thumbprint => hash-entry, ? thumbprint => hash-entry,
* $$entity-extension, * $$entity-extension,
} }
entity-name = 31 entity-name = 31
reg-id = 32 reg-id = 32
role = 33 role = 33
thumbprint = 34 thumbprint = 34
$role /= tag-creator $role /= tag-creator
$role /= software-creator $role /= software-creator
$role /= aggregator $role /= aggregator
$role /= distributor $role /= distributor
$role /= licensor $role /= licensor
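Review bot: the any-attribute bullet now says 'label/index ("key") value pairs', which is harder to read than the -13 wording; say "integer or text map keys" and keep the value constraint as the single sentence that follows. In the lang bullet, "Thus, a new context is established when a descendant object redefines a new language tag" restates the preceding sentence and can be dropped. The entity-entry rename from Group to Map matches the braces in the rule, and the CDDL itself is unchanged, so nothing further here.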
skipping to change at page 23, line 22 skipping to change at page 23, line 22
? entitlement-data-required => bool, ? entitlement-data-required => bool,
? entitlement-key => text, ? entitlement-key => text,
? generator => text, ? generator => text,
? persistent-id => text, ? persistent-id => text,
? product => text, ? product => text,
? product-family => text, ? product-family => text,
? revision => text, ? revision => text,
? summary => text, ? summary => text,
? unspsc-code => text, ? unspsc-code => text,
? unspsc-version => text, ? unspsc-version => text,
* $$meta-extension, * $$software-meta-extension,
} }
activation-status = 43 activation-status = 43
channel-type = 44 channel-type = 44
colloquial-version = 45 colloquial-version = 45
description = 46 description = 46
edition = 47 edition = 47
entitlement-data-required = 48 entitlement-data-required = 48
entitlement-key = 49 entitlement-key = 49
generator = 50 generator = 50
persistent-id = 51 persistent-id = 51
product = 52 product = 52
skipping to change at page 26, line 11 skipping to change at page 26, line 11
o $$meta-extension: This CDDL socket can be used to extend the o $$meta-extension: This CDDL socket can be used to extend the
software-meta-entry group model. See Section 2.2. software-meta-entry group model. See Section 2.2.
2.9. The Resource Collection Definition 2.9. The Resource Collection Definition
2.9.1. The hash-entry Array 2.9.1. The hash-entry Array
CoSWID adds explicit support for the representation of hash entries CoSWID adds explicit support for the representation of hash entries
using algorithms that are registered in the IANA "Named Information using algorithms that are registered in the IANA "Named Information
Hash Algorithm Registry" using the hash-entry member (label 58). Hash Algorithm Registry" using the hash member (index 7) and the
corresponding hash-entry type.
hash-entry = [ hash-alg-id: int, hash-value: bytes ] hash-entry = [
hash-alg-id: int,
hash-value: bytes,
]
The number used as a value for hash-alg-id MUST refer an ID in the The number used as a value for hash-alg-id MUST refer an ID in the
"Named Information Hash Algorithm Registry" (see "Named Information Hash Algorithm Registry" (see
https://www.iana.org/assignments/named-information/named- https://www.iana.org/assignments/named-information/named-
information.xhtml); other hash algorithms MUST NOT be used. The information.xhtml); other hash algorithms MUST NOT be used. The
hash-value MUST represent the raw hash value of the hashed resource hash-value MUST represent the raw hash value of the hashed resource
generated using the hash algorithm indicated by the hash-alg-id. generated using the hash algorithm indicated by the hash-alg-id.
2.9.2. The resource-collection Group 2.9.2. The resource-collection Group
A list of items both used in evidence (created by a software A list of items both used in evidence (created by a software
discovery process) and payload (installed in an endpoint) content of discovery process) and payload (installed in an endpoint) content of
a CoSWID tag document to structure and differentiate the content of a CoSWID tag document to structure and differentiate the content of
specific CoSWID tag types. Potential content includes directories, specific CoSWID tag types. Potential content includes directories,
files, processes, or resources. files, processes, or resources.
The CDDL for the resource-collection group follows: The CDDL for the resource-collection group follows:
resource-collection = ( path-elements-group = ( ? directory => directory-entry / [ 2* directory-entry ],
? directory => directory-entry, ? file => file-entry / [ 2* file-entry ],
? file => file-entry, )
? process => process-entry,
? resource => resource-entry,
)
filesystem-item = ( esource-collection = (
global-attributes, path-elements-group,
? key => bool, ? process => process-entry / [ 2* process-entry ],
? location => text, ? resource => resource-entry / [ 2* resource-entry ],
fs-name => text, * $$resource-collection-extension,
? root => text, )
)
path-elements-entry = [ [ * file-entry ], filesystem-item = (
[ * directory-entry ], global-attributes,
] ? key => bool,
? location => text,
fs-name => text,
? root => text,
file-entry = { )
filesystem-item,
? size => integer,
? file-version => text,
? hash => hash-entry,
* $$file-extension
}
directory-entry = { file-entry = {
filesystem-item, filesystem-item,
path-elements => path-elements-entry, ? size => integer,
* $$directory-extension ? file-version => text,
} ? hash => hash-entry,
* $$file-extension,
}
process-entry = { directory-entry = {
global-attributes, filesystem-item,
process-name => text, path-elements => { path-elements-group },
? pid => integer, * $$directory-extension,
* $$process-extension }
}
resource-entry = { process-entry = {
global-attributes, global-attributes,
type => text, process-name => text,
* $$resource-extension ? pid => integer,
} * $$process-extension,
}
directory = 16 resource-entry = {
file = 17 global-attributes,
process = 18 type => text,
resource = 19 * $$resource-extension,
size = 20 }
file-version = 21
key = 22 directory = 16
location = 23 file = 17
fs-name = 24 process = 18
root = 25 resource = 19
path-elements = 26 size = 20
process-name = 27 file-version = 21
pid = 28 key = 22
type = 29 location = 23
fs-name = 24
root = 25
path-elements = 26
process-name = 27
pid = 28
type = 29
The following describes each member of the groups and maps The following describes each member of the groups and maps
illustrated above. illustrated above.
o filesystem-item: A list of common items used for representing the o filesystem-item: A list of common items used for representing the
filesystem root, relative location, name, and significance of a filesystem root, relative location, name, and significance of a
file or directory item. file or directory item.
o global-attributes: The global-attributes group described in o global-attributes: The global-attributes group described in
Section 2.5. Section 2.5.
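Review bot: the reworked resource-collection CDDL does not validate as written: the rule is spelled "esource-collection = (", so "resource-collection", which payload-entry and evidence-entry reference, is undefined in -14. Beyond the typo: (1) "$$resource-collection-extension" is introduced here but appears neither in Table 1 nor in the member descriptions that follow, so it has no registry path; (2) the "$$meta-extension" bullet at the top of this hunk is stale now that the Section 2.8 CDDL in the previous hunk and Table 1 both use "$$software-meta-extension"; (3) both members of path-elements-group carry "?", so "path-elements => { path-elements-group }" admits an empty map, and since path-elements is itself mandatory in directory-entry the text should say whether an empty map is meaningful or require at least one of directory or file; (4) "MUST refer an ID" should read "MUST refer to an ID". The change from "label 58" to "hash member (index 7)" in 2.9.1 is consistent with index 7 being unused in the concise-swid-tag index block shown earlier in this diff.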
skipping to change at page 29, line 34 skipping to change at page 29, line 38
o $$file-extension: This CDDL socket can be used to extend the file- o $$file-extension: This CDDL socket can be used to extend the file-
entry group model. See Section 2.2. entry group model. See Section 2.2.
o $$directory-extension: This CDDL socket can be used to extend the o $$directory-extension: This CDDL socket can be used to extend the
directory-entry group model. See Section 2.2. directory-entry group model. See Section 2.2.
o $$process-extension: This CDDL socket can be used to extend the o $$process-extension: This CDDL socket can be used to extend the
process-entry group model. See Section 2.2. process-entry group model. See Section 2.2.
o $$resource-extension: This CDDL socket can be used to extend the o $$resource-extension: This CDDL socket can be used to extend the
group model. See Section 2.2. resource-entry group model. See Section 2.2.
o $$-extension: This CDDL socket can be used to extend the resource-
entry group model. See Section 2.2.
2.9.3. The payload-entry Group 2.9.3. The payload-entry Map
The CDDL for the payload-entry group follows: The CDDL for the payload-entry map follows:
payload-entry = { payload-entry = {
global-attributes, global-attributes,
resource-collection, resource-collection,
* $$payload-extension * $$payload-extension,
} }
The following describes each child item of this group. The following describes each child item of this group.
o global-attributes: The global-attributes group described in o global-attributes: The global-attributes group described in
Section 2.5. Section 2.5.
o resource-collection: The resource-collection group described in o resource-collection: The resource-collection group described in
Section 2.9.2. Section 2.9.2.
o $$payload-extension: This CDDL socket can be used to extend the o $$payload-extension: This CDDL socket can be used to extend the
payload-entry group model. See Section 2.2. payload-entry group model. See Section 2.2.
2.9.4. The evidence-entry Group 2.9.4. The evidence-entry Map
The CDDL for the evidence-entry group follows: The CDDL for the evidence-entry map follows:
evidence-entry = { evidence-entry = {
global-attributes, global-attributes,
resource-collection, resource-collection,
? date => time, ? date => time,
? device-id => text, ? device-id => text,
* $$evidence-extension * $$evidence-extension,
} }
date = 35 date = 35
device-id = 36 device-id = 36
The following describes each child item of this group. The following describes each child item of this group.
o global-attributes: The global-attributes group described in o global-attributes: The global-attributes group described in
Section 2.5. Section 2.5.
o resource-collection: The resource-collection group described in o resource-collection: The resource-collection group described in
Section 2.9.2. Section 2.9.2.
skipping to change at page 30, line 51 skipping to change at page 30, line 52
o $$evidence-extension: This CDDL socket can be used to extend the o $$evidence-extension: This CDDL socket can be used to extend the
evidence-entry group model. See Section 2.2. evidence-entry group model. See Section 2.2.
2.10. Full CDDL Definition 2.10. Full CDDL Definition
In order to create a valid CoSWID document the structure of the In order to create a valid CoSWID document the structure of the
corresponding CBOR message MUST adhere to the following CDDL data corresponding CBOR message MUST adhere to the following CDDL data
definition. definition.
concise-swid-tag = { concise-swid-tag = {
global-attributes, global-attributes,
tag-id => text / bstr .size 16, tag-id => text / bstr .size 16,
tag-version => integer, tag-version => integer,
? corpus => bool, ? corpus => bool,
? patch => bool, ? patch => bool,
? supplemental => bool, ? supplemental => bool,
software-name => text, software-name => text,
? software-version => text, ? software-version => text,
? version-scheme => $version-scheme, ? version-scheme => $version-scheme,
? media => text, ? media => text,
? software-meta => software-meta-entry / [ 2* software-meta-entry ], ? software-meta => software-meta-entry / [ 2* software-meta-entry ],
entity => entity-entry / [ 2* entity-entry ], entity => entity-entry / [ 2* entity-entry ],
? link => link-entry / [ 2* link-entry ], ? link => link-entry / [ 2* link-entry ],
? (( payload => payload-entry ) // ( evidence => evidence-entry )), ? (( payload => payload-entry ) // ( evidence => evidence-entry )),
* $$coswid-extension * $$coswid-extension,
} }
any-uri = text any-uri = text
label = text / int label = text / int
$version-scheme /= multipartnumeric $version-scheme /= multipartnumeric
$version-scheme /= multipartnumeric-suffix $version-scheme /= multipartnumeric-suffix
$version-scheme /= alphanumeric $version-scheme /= alphanumeric
$version-scheme /= decimal $version-scheme /= decimal
$version-scheme /= semver $version-scheme /= semver
$version-scheme /= uint / text $version-scheme /= uint / text
any-attribute = ( any-attribute = (
label => text / int / [ 2* text ] / [ 2* int ] label => text / int / [ 2* text ] / [ 2* int ]
) )
global-attributes = ( global-attributes = (
? lang => text, ? lang => text,
* any-attribute, * any-attribute,
) )
draft-ietf-sacm-coswid-13:

   hash-entry = [ hash-alg-id: int,
                  hash-value: bytes ]

   entity-entry = {
     global-attributes,
     entity-name => text,
     ? reg-id => any-uri,
     role => $role / [ 2* $role ],
     ? thumbprint => hash-entry,
     * $$entity-extension,
   }

   $role /= tag-creator
   $role /= software-creator
   $role /= aggregator
   $role /= distributor
   $role /= licensor
   $role /= uint / text

   link-entry = {
     global-attributes,
     ? artifact => text,
     href => any-uri,
     ? media => text,
     ? ownership => $ownership,
     rel => $rel,
     ? media-type => text,
     ? use => $use,
     * $$link-extension
   }

   $ownership /= shared
   $ownership /= private
   $ownership /= abandon
   $ownership /= uint / text

   $rel /= ancestor
   $rel /= component
   $rel /= feature
   $rel /= installationmedia
   $rel /= packageinstaller
   $rel /= parent
   $rel /= patches
   $rel /= requires
   $rel /= see-also
   $rel /= supersedes
   $rel /= supplemental
   $rel /= uint / text

   $use /= optional
   $use /= required
   $use /= recommended
   $use /= uint / text

   software-meta-entry = {
     global-attributes,
     ? activation-status => text,
     ? channel-type => text,
     ? colloquial-version => text,
     ? description => text,
     ? edition => text,
     ? entitlement-data-required => bool,
     ? entitlement-key => text,
     ? generator => text,
     ? persistent-id => text,
     ? product => text,
     ? product-family => text,
     ? revision => text,
     ? summary => text,
     ? unspsc-code => text,
     ? unspsc-version => text,
     * $$meta-extension,
   }

   resource-collection = (
     ? directory => directory-entry,
     ? file => file-entry,
     ? process => process-entry,
     ? resource => resource-entry,
     * $$resource-collection-extension
   )

   file-entry = {
     filesystem-item,
     ? size => integer,
     ? file-version => text,
     ? hash => hash-entry,
     * $$file-extension
   }

   path-elements-entry = [ [ * file-entry ],
                           [ * directory-entry ],
                         ]

   directory-entry = {
     filesystem-item,
     path-elements => path-elements-entry,
     * $$directory-extension
   }

   process-entry = {
     global-attributes,
     process-name => text,
     ? pid => integer,
     * $$process-extension
   }

   resource-entry = {
     global-attributes,
     type => text,
     * $$resource-extension
   }

draft-ietf-sacm-coswid-14:

   hash-entry = [
     hash-alg-id: int,
     hash-value: bytes,
   ]

   entity-entry = {
     global-attributes,
     entity-name => text,
     ? reg-id => any-uri,
     role => $role / [ 2* $role ],
     ? thumbprint => hash-entry,
     * $$entity-extension,
   }

   $role /= tag-creator
   $role /= software-creator
   $role /= aggregator
   $role /= distributor
   $role /= licensor
   $role /= uint / text

   link-entry = {
     global-attributes,
     ? artifact => text,
     href => any-uri,
     ? media => text,
     ? ownership => $ownership,
     rel => $rel,
     ? media-type => text,
     ? use => $use,
     * $$link-extension
   }

   $ownership /= shared
   $ownership /= private
   $ownership /= abandon
   $ownership /= uint / text

   $rel /= ancestor
   $rel /= component
   $rel /= feature
   $rel /= installationmedia
   $rel /= packageinstaller
   $rel /= parent
   $rel /= patches
   $rel /= requires
   $rel /= see-also
   $rel /= supersedes
   $rel /= supplemental
   $rel /= uint / text

   $use /= optional
   $use /= required
   $use /= recommended
   $use /= uint / text

   software-meta-entry = {
     global-attributes,
     ? activation-status => text,
     ? channel-type => text,
     ? colloquial-version => text,
     ? description => text,
     ? edition => text,
     ? entitlement-data-required => bool,
     ? entitlement-key => text,
     ? generator => text,
     ? persistent-id => text,
     ? product => text,
     ? product-family => text,
     ? revision => text,
     ? summary => text,
     ? unspsc-code => text,
     ? unspsc-version => text,
     * $$software-meta-extension,
   }

   path-elements-group = (
     ? directory => directory-entry / [ 2* directory-entry ],
     ? file => file-entry / [ 2* file-entry ],
   )

   resource-collection = (
     path-elements-group,
     ? process => process-entry / [ 2* process-entry ],
     ? resource => resource-entry / [ 2* resource-entry ],
     * $$resource-collection-extension,
   )

   file-entry = {
     filesystem-item,
     ? size => uint,
     ? file-version => text,
     ? hash => hash-entry,
     * $$file-extension,
   }

   directory-entry = {
     filesystem-item,
     ? path-elements => { path-elements-group },
     * $$directory-extension,
   }

   process-entry = {
     global-attributes,
     process-name => text,
     ? pid => integer,
     * $$process-extension,
   }

   resource-entry = {
     global-attributes,
     type => text,
     * $$resource-extension,
   }
filesystem-item = ( filesystem-item = (
global-attributes, global-attributes,
? key => bool, ? key => bool,
? location => text, ? location => text,
fs-name => text, fs-name => text,
? root => text, ? root => text,
) )
payload-entry = { payload-entry = {
global-attributes, global-attributes,
resource-collection, resource-collection,
* $$payload-extension * $$payload-extension,
} }
evidence-entry = { evidence-entry = {
global-attributes, global-attributes,
resource-collection, resource-collection,
? date => time, ? date => time,
? device-id => text, ? device-id => text,
* $$evidence-extension * $$evidence-extension,
} }
; "global map member" integer indexes ; "global map member" integer indexes
tag-id = 0 tag-id = 0
software-name = 1 software-name = 1
entity = 2 entity = 2
evidence = 3 evidence = 3
link = 4 link = 4
software-meta = 5 software-meta = 5
payload = 6 payload = 6
hash = 7 hash = 7
corpus = 8 corpus = 8
patch = 9 patch = 9
media = 10 media = 10
supplemental = 11 supplemental = 11
tag-version = 12 tag-version = 12
software-version = 13 software-version = 13
version-scheme = 14 version-scheme = 14
lang = 15 lang = 15
directory = 16 directory = 16
file = 17 file = 17
process = 18 process = 18
resource = 19 resource = 19
size = 20 size = 20
file-version = 21 file-version = 21
key = 22 key = 22
location = 23 location = 23
fs-name = 24 fs-name = 24
root = 25 root = 25
path-elements = 26 path-elements = 26
process-name = 27 process-name = 27
pid = 28 pid = 28
type = 29 type = 29
entity-name = 31 entity-name = 31
reg-id = 32 reg-id = 32
role = 33 role = 33
thumbprint = 34 thumbprint = 34
date = 35 date = 35
device-id = 36 device-id = 36
artifact = 37 artifact = 37
href = 38 href = 38
ownership = 39 ownership = 39
rel = 40 rel = 40
media-type = 41 media-type = 41
use = 42 use = 42
activation-status = 43 activation-status = 43
channel-type = 44 channel-type = 44
colloquial-version = 45 colloquial-version = 45
description = 46 description = 46
edition = 47 edition = 47
entitlement-data-required = 48 entitlement-data-required = 48
entitlement-key = 49 entitlement-key = 49
generator = 50 generator = 50
persistent-id = 51 persistent-id = 51
product = 52 product = 52
product-family = 53 product-family = 53
revision = 54 revision = 54
summary = 55 summary = 55
unspsc-code = 56 unspsc-code = 56
unspsc-version = 57 unspsc-version = 57
; "version-scheme" integer indexes ; "version-scheme" integer indexes
multipartnumeric = 1 multipartnumeric = 1
multipartnumeric-suffix = 2 multipartnumeric-suffix = 2
alphanumeric = 3 alphanumeric = 3
decimal = 4 decimal = 4
semver = 16384 semver = 16384
; "role" integer indexes ; "role" integer indexes
tag-creator=1 tag-creator=1
software-creator=2 software-creator=2
aggregator=3 aggregator=3
distributor=4 distributor=4
licensor=5 licensor=5
; ownership integer indexes ; "ownership" integer indexes
shared=1 shared=1
private=2 private=2
abandon=3 abandon=3
; "rel" integer indexes ; "rel" integer indexes
ancestor=1 ancestor=1
component=2 component=2
feature=3 feature=3
installationmedia=4 installationmedia=4
packageinstaller=5 packageinstaller=5
parent=6 parent=6
patches=7 patches=7
requires=8 requires=8
see-also=9 see-also=9
supersedes=10 supersedes=10
; supplemental=11 ; this is already defined earlier
; "use" integer indexes ; "use" integer indexes
optional=1 optional=1
required=2 required=2
recommended=3 recommended=3
3. Determining the Type of CoSWID 3. Determining the Type of CoSWID
The operational model for SWID and CoSWID tags was introduced in The operational model for SWID and CoSWID tags was introduced in
Section 1.1, which described four different CoSWID tag types. The Section 1.1, which described four different CoSWID tag types. The
following additional rules apply to the use of CoSWID tags to ensure following additional rules apply to the use of CoSWID tags to ensure
that created tags properly identify the tag type. that created tags properly identify the tag type.
The first matching rule MUST determine the type of the CoSWID tag. The first matching rule MUST determine the type of the CoSWID tag.
skipping to change at page 60, line 9 skipping to change at page 60, line 9
This document draws heavily on the concepts defined in the ISO/IEC This document draws heavily on the concepts defined in the ISO/IEC
19770-2:2015 specification. The authors of this document are 19770-2:2015 specification. The authors of this document are
grateful for the prior work of the 19770-2 contributors. grateful for the prior work of the 19770-2 contributors.
We are also grateful to the careful reviews provided by ... We are also grateful to the careful reviews provided by ...
8. Change Log 8. Change Log
[THIS SECTION TO BE REMOVED BY THE RFC EDITOR.] [THIS SECTION TO BE REMOVED BY THE RFC EDITOR.]
Changes from version 12 to version 14:
o Moved key identifier to protected COSE header
o Fixed index reference for hash
o Removed indirection of CDDL type definition for filesystem-item
o Fixed quantity of resource and process
o Updated resource-collection
o Renamed socket name in software-meta to be consistent in naming
o Aligned excerpt examples in I-D text with full CDDL
o Fixed titles where title was referring to group instead of map
o Added missing date in SEMVER
o Fixed root cardinality for file and directory, etc.
o Transformed path-elements-entry from map to group for re-usability
o Scrubbed IANA section
o Removed redundant supplemental rule
o Aligned discrepancy with ISO spec.
o Addressed comments on typos.
o Fixed kramdown nits and BCP reference.
o Addressed comments from WGLC reviewers.
Changes in version 12: Changes in version 12:
o Addressed a bunch of minor editorial issues based on WGLC o Addressed a bunch of minor editorial issues based on WGLC
feedback. feedback.
o Added text about the use of UTF-8 in CoSWID. o Added text about the use of UTF-8 in CoSWID.
o Adjusted tag-id to allow for a UUID to be provided as a bstr. o Adjusted tag-id to allow for a UUID to be provided as a bstr.
o Cleaned up descriptions of index ranges throughout the document, o Cleaned up descriptions of index ranges throughout the document,
skipping to change at page 66, line 15 skipping to change at page 66, line 43
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
Definition Language (CDDL): A Notational Convention to Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and Express Concise Binary Object Representation (CBOR) and
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
June 2019, <https://www.rfc-editor.org/info/rfc8610>. June 2019, <https://www.rfc-editor.org/info/rfc8610>.
[SAM] "Information technology - Software asset management - Part [SAM] "Information technology - Software asset management - Part
5: Overview and vocabulary", ISO/IEC 19770-5:2015, 5: Overview and vocabulary", ISO/IEC 19770-5:2015,
November 2013. November 2013.
[SEMVER] Preston-Werner, T., "Semantic Versioning 2.0.0", n.d., [SEMVER] Preston-Werner, T., "Semantic Versioning 2.0.0",
<https://semver.org/spec/v2.0.0.html>. <https://semver.org/spec/v2.0.0.html>.
[SWID] "Information technology - Software asset management - Part [SWID] "Information technology - Software asset management - Part
2: Software identification tag", ISO/IEC 19770-2:2015, 2: Software identification tag", ISO/IEC 19770-2:2015,
October 2015. October 2015.
[W3C.REC-css3-mediaqueries-20120619] [W3C.REC-css3-mediaqueries-20120619]
Rivoal, F., "Media Queries", World Wide Web Consortium Rivoal, F., "Media Queries", World Wide Web Consortium
Recommendation REC-css3-mediaqueries-20120619, June 2012, Recommendation REC-css3-mediaqueries-20120619, June 2012,
<http://www.w3.org/TR/2012/REC-css3-mediaqueries- <http://www.w3.org/TR/2012/REC-css3-mediaqueries-
skipping to change at page 67, line 8 skipping to change at page 67, line 36
9.2. Informative References 9.2. Informative References
[CamelCase] [CamelCase]
"UpperCamelCase", August 2014, "UpperCamelCase", August 2014,
<http://wiki.c2.com/?CamelCase>. <http://wiki.c2.com/?CamelCase>.
[I-D.birkholz-rats-tuda] [I-D.birkholz-rats-tuda]
Fuchs, A., Birkholz, H., McDonald, I., and C. Bormann, Fuchs, A., Birkholz, H., McDonald, I., and C. Bormann,
"Time-Based Uni-Directional Attestation", draft-birkholz- "Time-Based Uni-Directional Attestation", draft-birkholz-
rats-tuda-01 (work in progress), September 2019. rats-tuda-02 (work in progress), March 2020.
[KebabCase] [KebabCase]
"KebabCase", December 2014, "KebabCase", December 2014,
<http://wiki.c2.com/?KebabCase>. <http://wiki.c2.com/?KebabCase>.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005, DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>. <https://www.rfc-editor.org/info/rfc4122>.
skipping to change at page 68, line 16 skipping to change at page 69, line 14
<CODE BEGINS> <CODE BEGINS>
signed-coswid = #6.18(COSE-Sign1-coswid) signed-coswid = #6.18(COSE-Sign1-coswid)
cose-label = int / tstr cose-label = int / tstr
cose-values = any cose-values = any
protected-signed-coswid-header = { protected-signed-coswid-header = {
1 => int, ; algorithm identifier 1 => int, ; algorithm identifier
3 => "application/swid+cbor", 3 => "application/swid+cbor",
4 => bstr, ; key identifier
* cose-label => cose-values, * cose-label => cose-values,
} }
unprotected-signed-coswid-header = { unprotected-signed-coswid-header = {
4 => bstr, ; key identifier
* cose-label => cose-values, * cose-label => cose-values,
} }
COSE-Sign1-coswid = [ COSE-Sign1-coswid = [
protected: bstr .cbor protected-signed-coswid-header, protected: bstr .cbor protected-signed-coswid-header,
unprotected: unprotected-signed-coswid-header, unprotected: unprotected-signed-coswid-header,
payload: bstr .cbor concise-swid-tag, payload: bstr .cbor concise-swid-tag,
signature: bstr, signature: bstr,
] ]
<CODE ENDS> <CODE ENDS>
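The following is an added example and is not code from the draft or its authors. It ties together two passages above: the full CDDL of Section 2.10 (integer map keys, the hash-entry array, the `payload // evidence` choice) and the signed-coswid COSE_Sign1 layout in the appendix, where draft -14 moves the key identifier (label 4) into the protected header so that it is covered by the signature. It uses only the Python standard library, with a small deterministic CBOR encoder written here for that purpose. Assumptions not on this page: hash-alg-id 1 is sha-256 in the IANA Named Information Hash Algorithm registry the draft cites for that field; COSE alg -7 is ES256; the `sign` callable is a stand-in for a real COSE signature primitive; all tag contents are constructed.

```python
"""Added example (not from the draft or its authors): build a minimal CoSWID
tag as a CBOR map keyed by the integer indexes of the Section 2.10 CDDL,
check the structural rules that CDDL expresses, and wrap the encoded tag in
the COSE_Sign1 layout of the signed-coswid appendix, with the key identifier
(label 4) in the protected header where the signature covers it.
Assumptions not on this page: hash-alg-id 1 is sha-256 (IANA Named
Information registry); COSE alg -7 is ES256; `sign` is a stand-in for a real
COSE signature primitive; all tag contents are constructed."""
import hashlib

# "global map member" integer indexes, copied from Section 2.10.
TAG_ID, SOFTWARE_NAME, ENTITY, EVIDENCE, PAYLOAD, HASH = 0, 1, 2, 3, 6, 7
TAG_VERSION, FILE, SIZE, FS_NAME, ENTITY_NAME, ROLE = 12, 17, 20, 24, 31, 33
ROLE_TAG_CREATOR, ROLE_SOFTWARE_CREATOR = 1, 2      # "role" integer indexes
SHA_256 = 1          # assumption: Named Information hash-alg-id for sha-256
SWID_CBOR = "application/swid+cbor"


def _head(major, n):
    """CBOR initial byte (major type + argument) for a count or value n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def encode(v):
    """Minimal deterministic CBOR encoder for the types the CoSWID CDDL uses
    (bool, int, bstr, tstr, array, map); map entries sorted by encoded key."""
    if v is True or v is False:
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        u = v.encode("utf-8")
        return _head(3, len(u)) + u
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(encode(x) for x in v)
    if isinstance(v, dict):
        items = sorted((encode(k), encode(x)) for k, x in v.items())
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported type {type(v).__name__}")


def hash_entry(data):
    """hash-entry = [ hash-alg-id: int, hash-value: bytes ]"""
    return [SHA_256, hashlib.sha256(data).digest()]


def build_tag(file_name, file_bytes):
    """A primary tag (no corpus/patch/supplemental flag) with one payload file."""
    return {
        TAG_ID: "example-tag-id", TAG_VERSION: 0,          # constructed values
        SOFTWARE_NAME: "Example Software",
        ENTITY: {ENTITY_NAME: "Example Corp",
                 ROLE: [ROLE_TAG_CREATOR, ROLE_SOFTWARE_CREATOR]},
        PAYLOAD: {FILE: {FS_NAME: file_name, SIZE: len(file_bytes),
                         HASH: hash_entry(file_bytes)}},
    }


def validate(tag):
    """Return the concise-swid-tag constraints that `tag` violates."""
    errs = []
    tid = tag.get(TAG_ID)
    if not (isinstance(tid, str) or (isinstance(tid, bytes) and len(tid) == 16)):
        errs.append("tag-id must be text or a 16-byte bstr")
    if type(tag.get(TAG_VERSION)) is not int:
        errs.append("tag-version must be an integer")
    if not isinstance(tag.get(SOFTWARE_NAME), str):
        errs.append("software-name must be text")
    ent = tag.get(ENTITY)
    ents = ent if isinstance(ent, list) else [ent]
    if (isinstance(ent, list) and len(ent) < 2) or not all(
            isinstance(e, dict) and isinstance(e.get(ENTITY_NAME), str) and ROLE in e
            for e in ents):
        errs.append("entity: one entry or 2+ entries, each with entity-name and role")
    if PAYLOAD in tag and EVIDENCE in tag:       # ( payload ) // ( evidence )
        errs.append("payload and evidence are mutually exclusive")
    for coll in (tag.get(PAYLOAD), tag.get(EVIDENCE)):
        files = (coll or {}).get(FILE)
        for f in (files if isinstance(files, list) else [files] if files else []):
            h = f.get(HASH)
            if h is not None and not (isinstance(h, list) and len(h) == 2
                                      and type(h[0]) is int and isinstance(h[1], bytes)):
                errs.append("hash must be [ hash-alg-id: int, hash-value: bytes ]")
    return errs


def protected_header(alg, kid):
    """protected-signed-coswid-header: alg (1), content type (3) and, per
    draft -14, the key identifier (4), all covered by the signature."""
    return encode({1: alg, 3: SWID_CBOR, 4: kid})


def sig_structure(protected, payload, external_aad=b""):
    """COSE Sig_structure (RFC 8152, Section 4.4): the bytes actually signed.
    The unprotected header is absent, so a kid placed there is unauthenticated."""
    return encode(["Signature1", protected, external_aad, payload])


def signed_coswid(tag, alg, kid, sign):
    """signed-coswid = #6.18(COSE-Sign1-coswid): CBOR tag 18 (0xd2) over
    [protected, unprotected, payload, signature]."""
    protected, payload = protected_header(alg, kid), encode(tag)
    return b"\xd2" + encode([protected, {}, payload, sign(sig_structure(protected, payload))])
```

Typical use is `tag = build_tag("bin/example", data)`, `validate(tag)` (an empty list means the tag meets the checked CDDL constraints), then `signed_coswid(tag, -7, kid, sign)` with a real signing routine in place of the stand-in. Because `sig_structure` covers only the protected header bytes, a verifier that selects its key from the kid must read it from the protected header; the same label in the unprotected header can be rewritten by anyone holding the tag without disturbing the signature.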