draft-ietf-sacm-rolie-softwaredescriptor-01.txt   draft-ietf-sacm-rolie-softwaredescriptor-02.txt 
SACM Working Group D. Waltermire SACM Working Group D. Waltermire
Internet-Draft S. Banghart Internet-Draft S. Banghart
Intended status: InformationalNational Institute of Standards and Techno Intended status: InformationalNational Institute of Standards and Techno
Expires: September 6, 2018 March 5, 2018 Expires: September 22, 2018 March 21, 2018
Definition of the ROLIE Software Descriptor Extension Definition of the ROLIE Software Descriptor Extension
draft-ietf-sacm-rolie-softwaredescriptor-01 draft-ietf-sacm-rolie-softwaredescriptor-02
Abstract Abstract
This document extends the Resource-Oriented Lightweight Information This document extends the Resource-Oriented Lightweight Information
Exchange (ROLIE) core to add the information type category and Exchange (ROLIE) core to add the information type category and
related requirements needed to support Software Record and Software related requirements needed to support Software Record and Software
Inventory use cases. The 'software-descriptor' information type is Inventory use cases. The 'software-descriptor' information type is
defined as a ROLIE extension. Additional supporting requirements are defined as a ROLIE extension. Additional supporting requirements are
also defined that describe the use of specific formats and link also defined that describe the use of specific formats and link
relations pertaining to the new information type. relations pertaining to the new information type.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2018. This Internet-Draft will expire on September 22, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Additional Requirements for the Atom Publishing Protocol . . 3 3. Information-type Extensions . . . . . . . . . . . . . . . . . 3
4. Additonal Requirements for the Atom Syndication Format . . . 4 3.1. The "software-descriptor" information type . . . . . . . 4
5. Information-type Extensions . . . . . . . . . . . . . . . . . 4 4. rolie:property Extensions . . . . . . . . . . . . . . . . . . 5
5.1. The "software-descriptor" information type . . . . . . . 4 4.1. urn:ietf:params:rolie:property:swd:id . . . . . . . . . . 5
5.2. Use of the rolie:format element . . . . . . . . . . . . . 5 4.2. urn:ietf:params:rolie:property:swd:swname . . . . . . . . 5
5.2.1. The ISO SWID 2016 format . . . . . . . . . . . . . . 5 5. Use of the rolie:format element . . . . . . . . . . . . . . . 5
5.2.2. The Concise SWID format . . . . . . . . . . . . . . . 5 5.1. The ISO SWID 2015 format . . . . . . . . . . . . . . . . 5
6. rolie:property Extensions . . . . . . . . . . . . . . . . . . 6 5.1.1. Description . . . . . . . . . . . . . . . . . . . . . 5
6.1. urn:ietf:params:rolie:property:swd:id . . . . . . . . . . 6 5.1.2. Requirements . . . . . . . . . . . . . . . . . . . . 6
6.2. urn:ietf:params:rolie:property:swd:swname . . . . . . . . 6 5.2. The Concise SWID format . . . . . . . . . . . . . . . . . 6
7. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 6 5.2.1. Description . . . . . . . . . . . . . . . . . . . . . 7
8. Other Registered Extensions . . . . . . . . . . . . . . . . . 7 5.2.2. Requirements . . . . . . . . . . . . . . . . . . . . 7
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. atom:link Extensions . . . . . . . . . . . . . . . . . . . . 8
9.1. software-descriptor information-type . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
9.2. swd:id property . . . . . . . . . . . . . . . . . . . . . 8 7.1. Media Type Registrations . . . . . . . . . . . . . . . . 8
9.3. swd:swname property . . . . . . . . . . . . . . . . . . . 8 7.1.1. ISO SWID . . . . . . . . . . . . . . . . . . . . . . 8
10. Security Considerations . . . . . . . . . . . . . . . . . . . 8 7.2. software-descriptor information-type . . . . . . . . . . 9
11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 7.3. swd:id property . . . . . . . . . . . . . . . . . . . . . 10
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.4. swd:swname property . . . . . . . . . . . . . . . . . . . 10
12.1. Normative References . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10
12.2. Informative References . . . . . . . . . . . . . . . . . 9 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11
Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 9 10. Normative References . . . . . . . . . . . . . . . . . . . . 11
Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 9 Appendix A. Schema . . . . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Appendix B. Examples of Use . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
This document defines an extension to the Resource-Oriented This document defines an extension to the Resource-Oriented
Lightweight Information Exchange (ROLIE) [RFC8322] protocol to Lightweight Information Exchange (ROLIE) [RFC8322] protocol to
support the publication of software descriptor information. Software support the publication of software descriptor information. Software
descriptor information is information that characterizes: descriptor information is information that characterizes:
an installable software package, or an installable software package, or
skipping to change at page 3, line 31 skipping to change at page 3, line 31
o End user organizations can consume sources of software descriptor o End user organizations can consume sources of software descriptor
information, and other related software vulnerability and information, and other related software vulnerability and
configuration information to provide the data needed to automate configuration information to provide the data needed to automate
software asset, patch, and configuration management practices. software asset, patch, and configuration management practices.
o Organizations can use software descriptors to support verification o Organizations can use software descriptors to support verification
of other entities, thru mechanisms such as RIM or other integrity of other entities, thru mechanisms such as RIM or other integrity
measurements. measurements.
This document supports these use cases by describing the content This document supports these use cases by describing the content
requirements for Collections of software descriptor information that requirements for Collections and Entries of software descriptor
are to be published to or retrieved from a ROLIE repository. This information that are to be published to or retrieved from a ROLIE
document also discusses requirements around the use of link repository. This document also discusses requirements around the use
relationships and describing the data model formats used in a ROLIE of atom:link and rolie:format.
Entry describing a software descriptor information resource.
2. Terminology 2. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Definitions for some of the common computer security-related Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of terminology used in this document can be found in Section 2 of
[RFC5070]. [RFC5070].
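Review bot: The BCP 14 boilerplate in Section 2 cites only [RFC2119]; since RFC 8174 (May 2017) the expected text also cites [RFC8174] and limits the key words to their all-capitals form. This draft mixes capitalized key words with lowercase ones that may or may not be normative ("this property should be considered informative" in 4.2, "care should be taken" in Section 8), so adopting the RFC 8174 boilerplate would settle which of those are requirements. Suggest replacing the paragraph with the current BCP 14 text and adding RFC 8174 to the normative references.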
3. Additional Requirements for the Atom Publishing Protocol 3. Information-type Extensions
This document does not specify any additional requirements for use of
the Atom Publishing Protocol.
4. Additonal Requirements for the Atom Syndication Format
This document does not specify any additional requirements on the
Atom Syndication Format.
5. Information-type Extensions
This document defines the following information type[s]: This document defines the following information type[s]:
5.1. The "software-descriptor" information type 3.1. The "software-descriptor" information type
The "software-descriptor" information type represents any information The "software-descriptor" information type represents any information
that describes a piece of software. This document uses the that describes a piece of software. This document uses the
definition of software provided by [RFC4949]. Note that as per this definition of software provided by [RFC4949]. Note that as per this
definition, this information type pertains to static software, that definition, this information type pertains to static software, that
is, code on the disc. The software-descriptor information type is is, code on the disc. The software-descriptor information type is
intended to provide a category for information that does one or more intended to provide a category for information that does one or more
of the following: of the following:
identifies and characterizes software This software identification identifies and characterizes software: This software identification
and characterization information can be provided by a large and characterization information can be provided by a large
variety of data, but always describes software in a pre-installed variety of data, but always describes software in a pre-installed
state. state.
provides software installer metadata This represents information provides software installer metadata: This represents information
about software used to install other software. This metadata about software used to install other software. This metadata
identifies, and characterizes a software installation package or identifies, and characterizes a software installation package or
media. media.
describes stateless installation metadata Information that describes describes stateless installation metadata: Information that
the software post-deployment, such as files that may be deployed describes the software post-deployment, such as files that may be
during an installation. It is expected that this metadata is deployed during an installation. It is expected that this
produced generally for a given installation, and may not exactly metadata is produced generally for a given installation, and may
match the actual installed files on a given endpoint. not exactly match the actual installed files on a given endpoint.
Provided below is a non-exhaustive list of information that may be Provided below is a non-exhaustive list of information that may be
considered to be of a software-descriptor information type. considered to be of a software-descriptor information type.
o Naming information: IDs and names that aid in the identification o Naming information: IDs and names that aid in the identification
of a piece of software of a piece of software
o Version and patching information: Version numbers, patch o Version and patching information: Version numbers, patch
identifiers, or other information that identifiers, or other information that
skipping to change at page 5, line 21 skipping to change at page 5, line 13
environments, target OSes, intended purpose or audience, etc. environments, target OSes, intended purpose or audience, etc.
Note again that this list is not exhaustive, any information that in Note again that this list is not exhaustive, any information that in
is the abstract realm of an incident should be classified under this is the abstract realm of an incident should be classified under this
information-type. information-type.
This information type does not include descriptions of running This information type does not include descriptions of running
software, or state and configuration information that is associated software, or state and configuration information that is associated
with a software installation. with a software installation.
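Review bot: The sentence closing the non-exhaustive list in 3.1, "any information that in is the abstract realm of an incident should be classified under this information-type", is carried over unchanged from the previous revision and names the wrong subject: this document defines software descriptors, not incidents, and the word order is garbled. Suggest: "Note again that this list is not exhaustive; any information that falls within the abstract notion of a software descriptor should be classified under this information type." In the same section, "code on the disc" reads better as "code on disk".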
5.2. Use of the rolie:format element 4. rolie:property Extensions
This document does not contain any additional requirements for the This document registers new valid rolie:property names as follows:
rolie:format element, the formats that follow are provided as
examples of formats that describe the software descriptor information
type.
5.2.1. The ISO SWID 2016 format 4.1. urn:ietf:params:rolie:property:swd:id
The ISO SWID Tag 2016 format is a software descriptor and software This property provides an exposure point for an identification field
record data format. It provides several tags: primary, which from the associated software descriptor. The value of this property
provides descriptive and naming information about software, patch, SHOULD be uniquely identifying information generated from the
which describes non-standalone software meant to patch existing software descriptor linked to by the entry's atom:content element.
software, and corpus, which describes the software installation media swd:id property values SHOULD have a one-to-one mapping to individual
that installs a given piece of software. pieces of SWD content.
4.2. urn:ietf:params:rolie:property:swd:swname
This property provides an exposure point for the plain text name of
the software being described. Due to the great variance in naming
schemes, this property should be considered informative.
5. Use of the rolie:format element
This section defines usage guidance and additional requirements on
the rolie:format element above and beyond those specified in RFC8322.
The following formats are expected to be commonly used to express
software descriptor information. For this reason, this document
specifies additional requirements to ensure interoperability.
5.1. The ISO SWID 2015 format
5.1.1. Description
ISO/IEC 19770-2:2015 defines a software record data format refered to
as a "SWID Tag". It provides several tag types:
o primary: provides descriptive and naming information about
software,
o patch: describes non-standalone software meant to patch existing
software,
o corpus:describes the software installation media that installs a
given piece of software,
o supplemental: provides additional metadata to be deployed
alongside a tag.
For a more complete overview as well as normative requirements, refer For a more complete overview as well as normative requirements, refer
to :ISO/IEC 19770-2 [SWID] to ISO/IEC 19770-2:2015 [SWID].
5.2.2. The Concise SWID format For additional requirements and guidance around creation of SWID
Tags, consult NIST Internal Report 8060 [NISTIR8060].
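Review bot: Typos in 5.1.1: "refered" should be "referred", and "corpus:describes" is missing the space after the colon that the other three bullets have. The heading calls the format "ISO SWID 2015" while the body, the TOC entry for 7.1.1 and the media type registration say "SWID Tag" and "ISO/IEC 19770-2:2015"; pick one name and use it consistently, since the requirements in 5.1.2 key off the term "SWID Tag Entry".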
5.1.2. Requirements
For an Entry to be considered as a "SWID Tag Entry", it MUST fulfill
the following conditions:
o The information type of the Entry is "software-descriptor". For a
typical Entry, this is derived from the information type of the
Feed it is contained in. For a standalone Entry, this is provided
by an atom:category element.
o The document linked to by the "href" attribute of the atom:content
element is a SWID Tag as per ISO/IEC 19770-2:2015.
A "SWID Tag Entry" MUST conform to the following requirements:
o The value of the "type" attribute of the atom:content element MUST
be "application/swid2015+xml".
o There MUST be one rolie:property with the "name" attribute equal
to "urn:ietf:params:rolie:property:swd:id" and the "value"
attribute exactly equal to the "<tagid>" element in the attached
SWID Tag. This allows for ROLIE consumers to more easily search
for SWID tags without needing to download the tag itself.
o There MUST be one rolie:property with the "name" attribute equal
to "urn:ietf:params:rolie:property:swd:swname", and the "value"
attribute equal to the value of the "<name>" element in the
attached SWID Tag. As above, this field aids ROLIE consumers in
search and filtering Entries.
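Review bot: The second and third bullets in 5.1.2 refer to a "<tagid>" element and a "<name>" element in the attached SWID Tag, but in ISO/IEC 19770-2:2015 both are attributes of the SoftwareIdentity root element (tagId and name), not child elements, so a validator written from this text would look in the wrong place. Suggest: 'the "value" attribute exactly equal to the value of the "tagId" attribute of the SoftwareIdentity element in the attached SWID Tag', and likewise 'the "name" attribute of the SoftwareIdentity element'. Also, "There MUST be one rolie:property" leaves open whether additional swd:id properties may be present; if a single value per Entry is intended, as the one-to-one mapping in 4.1 suggests, say "exactly one".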
5.2. The Concise SWID format
5.2.1. Description
The Concise SWID (COSWID) format is an alternative representation of The Concise SWID (COSWID) format is an alternative representation of
the ISO SWID Tag 2016 format using a CBOR encoding defined by a CDDL the SWID Tag format using a Concise Binary Object Representation
specification. It provides the same features and attributes as are (CBOR) encoding. This provides the format with a reduced size that
specified in ISO 19770-2, plus: is more sutiable for constrained devices. It provides the same
features and attributes as are specified in ISO 19770-2:2015, plus:
o a straight forward method to sign and encrypt SWID Tags using o a straight forward method to sign and encrypt using COSE, and
COSE, and
o additional attributes that provide an improved structure to o additional attributes that provide an improved structure to
include file hashes intended to be used as Reference Integrity include file hashes intended to be used as Reference Integrity
Measurements (RIM). Measurements (RIM).
6. rolie:property Extensions For more information and the complete specification, refer to the
COSWID internet draft [I-D.ietf-sacm-coswid].
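Review bot: Typos in 5.2.1: "sutiable" should be "suitable" and "straight forward" should be "straightforward". The first bullet dropped the object that the previous revision had ("sign and encrypt SWID Tags using COSE"), so it no longer parses; restore it as "a straightforward method to sign and encrypt tags using COSE". "ISO 19770-2:2015" should be written "ISO/IEC 19770-2:2015" to match 5.1.1 and the [SWID] reference entry.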
This document registers new valid rolie:property names as follows: 5.2.2. Requirements
6.1. urn:ietf:params:rolie:property:swd:id For an Entry to be considered as a "COSWID Tag Entry", it MUST
fulfill the following conditions:
This property provides an exposure point for an identification field o The information type of the Entry is "software-descriptor". For a
from the associated software descriptor. The value of this property typical Entry, this is derived from the information type of the
SHOULD be uniquely identifying information generated from the Feed it is contained in. For a standalone Entry, this is provided
software descriptor linked to by the entry's atom:content element. by an atom:category element.
swd:id property values SHOULD have a one-to-one mapping to individual
pieces of SWD content.
6.2. urn:ietf:params:rolie:property:swd:swname o The document linked to by the "href" attribute of the atom:content
element is a COSWID Tag as per [I-D.ietf-sacm-coswid]
This property provides an exposure point for the plain text name of A "COSWID Tag Entry" MUST conform to the following requirements:
the software being described. Due to the great variance in naming
schemes, this property should be considered informative.
7. atom:link Extensions o The value of the "type" attribute of the atom:content element MUST
be "application/coswid+cbor".
This section defines the requirements around the implementation of o There MUST be one rolie:property with the "name" attribute equal
link relationships in the atom:link element in Entries. Each to "urn:ietf:params:rolie:property:swd:id" and the "value"
relationship is named, described, and given a requirement level. attribute exactly equal to the "tag-id" element in the attached
COSWID Tag. This allows for ROLIE consumers to more easily search
for COSWID tags without needing to download the tag itself.
+--------------------+--------------------------------+-------------+ o There MUST be one rolie:property with the "name" attribute equal
| Name | Description | Conformance | to "urn:ietf:params:rolie:property:swd:swname", and the "value"
+--------------------+--------------------------------+-------------+ attribute equal to the value of the "swid-name" element in the
| ancestor | Links to a software descriptor | MAY | attached COSWID Tag. As above, this field aids ROLIE consumers in
| | resource that defines an | | searching and filtering Entries.
| | ancestor of the software being | |
| | described by this Entry. | | 6. atom:link Extensions
| patches | Links to a software descriptor | MAY |
| | resource that defines the | | This section defines additonal link relationships that
| | software being patched by this | | implementations MUST support. These relationships are not registed
| | software | | in the Link Relation IANA table as their use case is too narrow.
| requires | Links to a software descriptor | MAY | Each relationship is named and described.
| | resource that defines a piece | |
| | of software required for this | | +--------------------+----------------------------------------------+
| | software to function properly. | | | Name | Description |
| installs | Links to a software descriptor | MAY | +--------------------+----------------------------------------------+
| | resource that defines the | | | ancestor | Links to a software descriptor resource that |
| | software being installed by | | | | defines an ancestor of the software being |
| | this software. | | | | described by this Entry. This is usually a |
| installationrecord | Provides a link to a resource | MAY | | | previous version of the software. |
| | that describes an installation | | | patches | Links to a software descriptor resource that |
| | of this software. | | | | defines the software being patched by this |
+--------------------+--------------------------------+-------------+ | | software |
| requires | Links to a software descriptor resource that |
| | defines a piece of software required for |
| | this software to function properly, i.e., a |
| | dependencecy. |
| installs | Links to a software descriptor resource that |
| | defines the software that is installed by |
| | this software. |
| installationrecord | Links to a software descriptor resource that |
| | defines the software package that installs |
| | this software. |
+--------------------+----------------------------------------------+
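Review bot: 5.2.2 requires the atom:content "type" to be "application/coswid+cbor", but this document's IANA section registers only application/swid2015+xml and the text does not say where coswid+cbor is registered. Cite the media type registration in [I-D.ietf-sacm-coswid] for that value and confirm the subtype name matches what that draft actually registers; a mismatch would make it impossible to produce a conforming "COSWID Tag Entry". Minor: in a CBOR map, "tag-id" and "swid-name" are map items (keys), not "elements"; use the COSWID draft's own terminology and names so the requirement can be checked against its CDDL.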
Table 1: Link Relations for Resource-Oriented Lightweight Indicator Table 1: Link Relations for Resource-Oriented Lightweight Indicator
Exchange Exchange
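Review bot: Section 6 now says implementations MUST support these link relations while stating that they are deliberately not registered. RFC 4287 Section 4.2.7.2 allows a "rel" value to be either a registered relation name or an IRI, and RFC 8288 Section 2.1.2 likewise requires unregistered extension relation types to be URIs, so bare tokens such as "ancestor" or "patches" do not conform unless they are registered. Either register them (the use case is no narrower than other registered relations) or define each as a URI. Two further points in the table: the new definition of "installationrecord" ("the software package that installs this software") is simply the inverse of "installs" and no longer describes an installation record as the previous revision's text did; and "MUST support" should say whether an Entry MUST include these links or only that a consumer MUST recognize them (the old Conformance column said MAY). Typos: "additonal", "registed", "dependencecy"; and the caption "Lightweight Indicator Exchange" should be "Lightweight Information Exchange" per the document title.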
8. Other Registered Extensions 7. IANA Considerations
There are no additional extensions to define. 7.1. Media Type Registrations
9. IANA Considerations 7.1.1. ISO SWID
9.1. software-descriptor information-type This document registers a MIME Type for the SWID Tag format. The
registration is as follows
MIME media type name: application
MIME subtype name: swid2015+xml
Mandatory parameters: None.
Optional parameters: "charset": This parameter has semantics
identical to the charset parameter of the "application/xml" media
type as specified in [RFC3023].
Encoding considerations: Identical to those of "application/xml" as
described in [RFC3023], Section 3.2.
Security considerations: As defined in this specification, and in
[RFC8322]. In addition, as this media type uses the "+xml"
convention, it shares the same security considerations as described
in [RFC3023], Section 10.
Interoperability considerations: There are no known interoperability
issues.
Published specification: This specification.
Applications that use this media type: No known applications
currently use this media type.
Additional information:
Magic number(s): As specified for "application/xml" in [RFC3023],
Section 3.2.
File extension: .swidtag
Fragment identifiers: As specified for "application/xml" in
[RFC3023], Section 5.
Base URI: As specified in [RFC3023], Section 6.
Macintosh File Type code: TEXT
Person and email address to contact for further information: Stephen
Banghart <stephen.banghart@nist.gov>
Intended usage: COMMON
Author/Change controller: IESG
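Review bot: The application/swid2015+xml registration in 7.1.1 cites [RFC3023] six times, but RFC 3023 does not appear in the reference list, and it was obsoleted by RFC 7303 in 2014; point the charset, encoding, magic number, fragment identifier, base URI and "+xml" security citations at the corresponding sections of RFC 7303 and add it to the normative references. Also add the missing colon after "The registration is as follows", and, since Section 8 of this document says nothing about XML-specific issues, have the "Security considerations" field rely on the RFC 7303 text rather than "this specification" alone.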
7.2. software-descriptor information-type
IANA has added an entry to the "ROLIE Security Resource Information IANA has added an entry to the "ROLIE Security Resource Information
Type Sub-Registry" registry located at Type Sub-Registry" registry located at
<https://www.iana.org/assignments/rolie/category/information-type> . <https://www.iana.org/assignments/rolie/category/information-type> .
The entry is as follows: The entry is as follows:
name: software-descriptor name: software-descriptor
index: TBD index: TBD
reference: This document, Section 5.1 reference: This document, Section 3.1
9.2. swd:id property 7.3. swd:id property
IANA has added an entry to the "ROLIE URN Parameters" registry IANA has added an entry to the "ROLIE URN Parameters" registry
located in <https://www.iana.org/assignments/rolie/>. located in <https://www.iana.org/assignments/rolie/>.
The entry is as follows: The entry is as follows:
name: property:swd:id name: property:swd:id
Extension IRI: urn:ietf:params:rolie:property:swd:id Extension IRI: urn:ietf:params:rolie:property:swd:id
Reference: This document, Section 6.1 Reference: This document, Section 4.1
Subregistry: None Subregistry: None
9.3. swd:swname property 7.4. swd:swname property
IANA has added an entry to the "ROLIE URN Parameters" registry IANA has added an entry to the "ROLIE URN Parameters" registry
located in <https://www.iana.org/assignments/rolie/>. located in <https://www.iana.org/assignments/rolie/>.
The entry is as follows: The entry is as follows:
name: property:swd:swname name: property:swd:swname
Extension IRI: urn:ietf:params:rolie:property:swd:swname Extension IRI: urn:ietf:params:rolie:property:swd:swname
Reference: This document, Section 6.2 Reference: This document, Section 4.2
Subregistry: None Subregistry: None
10. Security Considerations 8. Security Considerations
Use of this extension implies dealing with the security implications Use of this extension implies dealing with the security implications
of both ROLIE and of software descriptors in general. As with any of both ROLIE and of software descriptors in general. As with any
SWD information, care should be taken to verify the trustworthiness SWD information, care should be taken to verify the trustworthiness
and veracity of the descriptor information to the fullest extent and veracity of the descriptor information to the fullest extent
possible. possible.
Ideally, software descriptors should have been signed by the software Ideally, software descriptors should have been signed by the software
manufacturer, or signed by whichever agent processed the source code. manufacturer, or signed by whichever agent processed the source code.
SWD documents from these sources are more likely to be accurate than SWD documents from these sources are more likely to be accurate than
skipping to change at page 9, line 10 skipping to change at page 11, line 15
These "authoritative" sources of SWD content should consider These "authoritative" sources of SWD content should consider
additional security for their ROLIE repository beyond the typical additional security for their ROLIE repository beyond the typical
recommendations, as the central importance of the repository is recommendations, as the central importance of the repository is
likely to make it a target. likely to make it a target.
Version information is often represented differently across Version information is often represented differently across
manufacturers and even across product releases. If using SWD version manufacturers and even across product releases. If using SWD version
information for low fault tolerance comparisons and searches, care information for low fault tolerance comparisons and searches, care
should be taken that the correct version scheme is being utilized. should be taken that the correct version scheme is being utilized.
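Review bot: Section 8 should cover the rolie:property values this extension introduces. 5.1.2 and 5.2.2 exist so that consumers can search on swd:id and swd:swname "without needing to download the tag itself", but those properties are Entry metadata written by the repository, not part of the tag, and are not covered by any signature on the tag (such as the COSE signing 5.2.1 mentions for COSWID). Suggest stating that the properties are for discovery and filtering only, and that a consumer which acts on a descriptor MUST retrieve the linked tag, verify its signature where one is present, and check that the tag's own identifier equals the swd:id value, treating a mismatch as an error. Also, "low fault tolerance comparisons" is unclear; "exact-match comparisons" appears to be the intent.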
11. Privacy Considerations 9. Privacy Considerations
This extension does not introduce any privacy considerations above or This extension does not introduce any privacy considerations above or
beyond that of the core ROLIE document. Any implementations using beyond that of the core ROLIE document. Any implementations using
this extension should understand the privacy considerations of ROLIE this extension should understand the privacy considerations of ROLIE
and the Atom Publishing Protocol. and the Atom Publishing Protocol.
12. References 10. Normative References
12.1. Normative References [I-D.ietf-sacm-coswid]
Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
Waltermire, "Concise Software Identifiers", draft-ietf-
sacm-coswid-05 (work in progress), March 2018.
[NISTIR8060]
Waltermire, D., Cheikes, B., Feldman, L., and G. Witte,
"Guidelines for the Creation of Interoperable Software
Identification (SWID) Tags", NISTIR 8060, April 2016,
<https://doi.org/10.6028/NIST.IR.8060>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>. <https://www.rfc-editor.org/info/rfc4949>.
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
Object Description Exchange Format", RFC 5070, Object Description Exchange Format", RFC 5070,
DOI 10.17487/RFC5070, December 2007, DOI 10.17487/RFC5070, December 2007,
<https://www.rfc-editor.org/info/rfc5070>. <https://www.rfc-editor.org/info/rfc5070>.
[RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource- [RFC8322] Field, J., Banghart, S., and D. Waltermire, "Resource-
Oriented Lightweight Information Exchange (ROLIE)", Oriented Lightweight Information Exchange (ROLIE)",
RFC 8322, DOI 10.17487/RFC8322, February 2018, RFC 8322, DOI 10.17487/RFC8322, February 2018,
<https://www.rfc-editor.org/info/rfc8322>. <https://www.rfc-editor.org/info/rfc8322>.
12.2. Informative References [SWID] "Information technology - Software asset management - Part
2: Software identification tag", ISO/IEC 19770-2:2015,
[SWID] ISO, "ISO/IEC 19770-2:2015". October 2015.
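Review bot: This revision drops the Informative References subsection, so every citation now sits under Normative References. [RFC5070], cited in Section 2 only for terminology, was obsoleted by RFC 7970 in 2016 and should be updated or moved to an informative list; [NISTIR8060], which 5.1.1 cites for "additional requirements and guidance" without imposing any, likewise reads as informative. RFC 3023, cited throughout 7.1.1, is missing from the list altogether.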
Appendix A. Schema Appendix A. Schema
This document does not require any schema extensions. This document does not require any schema extensions.
Appendix B. Examples of Use Appendix B. Examples of Use
Use of this extension in a ROLIE repository will not typically change Use of this extension in a ROLIE repository will not typically change
that repository's operation. As such, the general examples provided that repository's operation. As such, the general examples provided
by the ROLIE core document would serve as examples. Provided below by the ROLIE core document would serve as examples. Provided below