draft-ietf-sacm-rolie-softwaredescriptor-02.txt vs. draft-ietf-sacm-rolie-softwaredescriptor-03.txt

Text common to both drafts is shown once; where the drafts differ, the
two versions are labelled [draft-02] and [draft-03].

[draft-02]
SACM Working Group                                          D. Waltermire
Internet-Draft                                                S. Banghart
Intended status: Informational  National Institute of Standards and Technology
Expires: September 22, 2018                                March 21, 2018

[draft-03]
SACM Working Group                                            S. Banghart
Internet-Draft                                              D. Waltermire
Intended status: Informational  National Institute of Standards and Technology
Expires: January 16, 2019                                   July 15, 2018

Definition of the ROLIE Software Descriptor Extension
draft-ietf-sacm-rolie-softwaredescriptor-02 / draft-ietf-sacm-rolie-softwaredescriptor-03
Abstract

[draft-02]
This document extends the Resource-Oriented Lightweight Information
Exchange (ROLIE) core to add the information type category and
related requirements needed to support Software Record and Software
Inventory use cases. The 'software-descriptor' information type is
defined as a ROLIE extension. Additional supporting requirements are
also defined that describe the use of specific formats and link
relations pertaining to the new information type.

[draft-03]
This document uses the "information-type" extension point as defined
in the Resource-Oriented Lightweight Information Exchange (ROLIE)
[RFC8322] Section 7.1.2 to better support Software Record and
Software Inventory use cases. This specification registers a new
ROLIE information-type, "software-descriptor", that allows for the
categorization of information relevant to software description
activities and formats. In particular, the usage of the ISO
19770-2:2015 (SWID Tag) and the Concise SWID (COSWID) formats in
ROLIE is standardized. Additionally, this document discusses
requirements and usage of other ROLIE elements in order to best
syndicate software description information.
Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 22, 2018 [draft-02] /
January 16, 2019 [draft-03].

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents

[draft-02]
1. Introduction  2
2. Terminology  3
3. Information-type Extensions  3
3.1. The "software-descriptor" information type  4
4. rolie:property Extensions  5
4.1. urn:ietf:params:rolie:property:swd:id  5
4.2. urn:ietf:params:rolie:property:swd:swname  5
5. Use of the rolie:format element  5
5.1. The ISO SWID 2015 format  5
5.1.1. Description  5
5.1.2. Requirements  6
5.2. The Concise SWID format  6
5.2.1. Description  7
5.2.2. Requirements  7
6. atom:link Extensions  8
7. IANA Considerations  8
7.1. Media Type Registrations  8
7.1.1. ISO SWID  8
7.2. software-descriptor information-type  9
7.3. swd:id property  10
7.4. swd:swname property  10
8. Security Considerations  10
9. Privacy Considerations  11
10. Normative References  11
Appendix A. Schema  12
Appendix B. Examples of Use  12
Authors' Addresses  12

[draft-03]
1. Introduction  2
2. Terminology  3
3. Background  4
4. The "software-descriptor" information type  4
5. rolie:property Extensions  5
5.1. urn:ietf:params:rolie:property:swd:swname  5
5.2. urn:ietf:params:rolie:property:swd:swversion  6
5.3. urn:ietf:params:rolie:property:swd:swcreator  6
6. Data format requirements  6
6.1. The ISO SWID 2015 format  6
6.1.1. Description  6
6.1.2. Requirements  7
6.2. The Concise SWID format  7
6.2.1. Description  8
6.2.2. Requirements  8
7. atom:link Extensions  9
8. IANA Considerations  11
8.1. Media Type Registrations  11
8.1.1. ISO SWID  11
8.2. software-descriptor information-type  12
8.3. swd:swname property  12
8.4. swd:swversion property  12
8.5. swd:swcreator property  13
9. Security Considerations  13
10. Normative References  13
Appendix A. Schema  14
Appendix B. Examples of Use  14
Authors' Addresses  15
1. Introduction

[draft-02]
This document defines an extension to the Resource-Oriented
Lightweight Information Exchange (ROLIE) [RFC8322] protocol to
support the publication of software descriptor information. Software
descriptor information is information that characterizes:

   an installable software package, or

   information about static software components that may be installed
   by a software package or patch.

Software descriptor information includes identifying, versioning,
software creation and publication, and file artifact information.

Software descriptor information provides data about what might be
installed, but doesn't describe where or how a specific software
installation is installed, configured, or executed.

[draft-03]
This document defines an extension to the Resource-Oriented
Lightweight Information Exchange (ROLIE) [RFC8322] to support the
publication of software descriptor information. Software descriptor
information is information that characterizes static software
components, packages, and installers, including identifying,
versioning, software creation and publication, and file artifact
information.

Software descriptor information provides data about what might be
installed, but doesn't describe a specific software installation's
configuration or execution. This static approach to software
description is a smaller state space that covers the majority of
current use cases for software inventory and record keeping.

[draft-02]
Some possible use cases for software descriptor information include:

o  Software providers can publish software descriptor information so
   that software researchers and users of software can understand the
   collection of software produced by that software provider.

[draft-03]
Some possible use cases for software descriptor information ROLIE
Feeds include:

o  Software providers can publish software descriptor information so
   that software researchers, enterprises, and users of software can
   understand the collection of software produced by that software
   provider.

[both drafts]
o  Organizations can aggregate and syndicate collections of software
   descriptor information provided by multiple software providers to
   support software-related analysis processes (e.g., vulnerability
   analysis) and value added information (e.g., software
   configuration checklist repositories) using identification and
   characterization information derived from software descriptor
   information.

o  End user organizations can consume sources of software descriptor
   information, and other related software vulnerability and
   configuration information, to provide the data needed to automate
   software asset, patch, and configuration management practices.

o  Organizations can use software descriptors to support verification
   of other entities, through mechanisms such as RIM or other
   integrity measurements.

[draft-02]
This document supports these use cases by describing the content
requirements for Collections and Entries of software descriptor
information that are to be published to or retrieved from a ROLIE
repository. This document also discusses requirements around the use
of atom:link and rolie:format.

[draft-03]
This document supports these use cases by describing the content
requirements for Feeds and Entries of software descriptor information
that are to be published to or retrieved from a ROLIE repository.

2. Terminology

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

[draft-02]
Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of
[RFC5070].

[draft-03]
Several places in this document refer to the "information-type" of a
Resource (Entry or Feed). This refers to the "value" attribute of an
"atom:category" element whose scheme is
"urn:ietf:params:rolie:category:information-type". For an Entry,
this value can be inherited from its containing Feed as per
[RFC8322].
[draft-02]
3. Information-type Extensions

This document defines the following information type[s]:

3.1. The "software-descriptor" information type

The "software-descriptor" information type represents any information
that describes a piece of software. This document uses the
definition of software provided by [RFC4949]. Note that as per this
definition, this information type pertains to static software, that
is, code on the disc. The software-descriptor information type is
intended to provide a category for information that does one or more
of the following:

[draft-03]
3. Background

In order to effectively protect and secure an endpoint, it is vital
to know what the software load of that endpoint is. This software
load, the combination of software, patches and installers on a
device, represents the majority of the endpoint's attack surface.
Unfortunately, without a reliable and secure package manager, or
otherwise a secured and managed operating system, tracking what
software is installed on an endpoint is currently not feasible
without undue effort. Even attempting to whitelist software is
difficult without a way of identifying software and its editions,
versions and hotfixes.

Software descriptor information, such as that standardized in the ISO
19770-2:2015 SWID Tag format, or expressed in proprietary enterprise
databases, attempts to provide as much data about this software as
possible.

Once this information is expressed, it needs to be stored and shared
with internal and external parties. ROLIE provides a mechanism to
handle this sharing in an automation-friendly way.

4. The "software-descriptor" information type

When an "atom:category" element has the scheme
"urn:ietf:params:rolie:category:information-type", the value is
considered to be the information type of the associated resource.
The new information type value "software-descriptor" is described in
this section and registered in Section 8.2.

The "software-descriptor" information type represents any static
information that describes a piece of software. This document uses
the definition of software provided by [RFC4949]. Note that as per
this definition, this information type pertains to static software,
that is, code on the disc. The "software-descriptor" information
type is intended to provide a category for information that does one
or more of the following:

[both drafts]
identifies and characterizes software: This software identification
   and characterization information can be provided by a large
   variety of data, but always describes software in a pre-installed
   state.

provides software installer metadata: This represents information
   about software used to install other software. This metadata
   identifies and characterizes a software installation package or
   media.

   [skipping to change at page 5, line 9 (draft-02) / page 5, line 36 (draft-03)]

   software, and information about those files.

o  Descriptive information and data: Any information that otherwise
   characterizes a piece of software, such as libraries, runtime
   environments, target OSes, intended purpose or audience, etc.

Note again that this list is not exhaustive; any information that is
in the abstract realm of an incident should be classified under this
information-type.

[draft-02]
This information type does not include descriptions of running
software, or state and configuration information that is associated
with a software installation.

[draft-03]
It is important to note that software descriptor information is
static for a given piece of software. That is, the information
expressed is the data that doesn't change from the publication of the
software to its final install. Information about the current status
(e.g. install location, memory usage, CPU usage, launch parameters,
job progress, etc.) is out of scope of this information type.
[draft-02]
4. rolie:property Extensions

This document registers new valid rolie:property names as follows:

4.1. urn:ietf:params:rolie:property:swd:id

This property provides an exposure point for an identification field
from the associated software descriptor. The value of this property
SHOULD be uniquely identifying information generated from the
software descriptor linked to by the entry's atom:content element.
swd:id property values SHOULD have a one-to-one mapping to individual
pieces of SWD content.

4.2. urn:ietf:params:rolie:property:swd:swname

This property provides an exposure point for the plain text name of
the software being described. Due to the great variance in naming
schemes, this property should be considered informative.

5. Use of the rolie:format element

This section defines usage guidance and additional requirements on
the rolie:format element above and beyond those specified in RFC8322.
The following formats are expected to be commonly used to express
software descriptor information. For this reason, this document
specifies additional requirements to ensure interoperability.

5.1. The ISO SWID 2015 format

5.1.1. Description

[draft-03]
5. rolie:property Extensions

This document registers new valid rolie:property names as follows:

5.1. urn:ietf:params:rolie:property:swd:swname

This property provides an exposure point for the plain text name of
the software being described. Naming of software is not a well
standardized process, and software names can change between product
versions or editions. As such, care should be taken that this value
is set as consistently as possible by generating it directly from an
attached software descriptor resource.

5.2. urn:ietf:params:rolie:property:swd:swversion

This property provides an exposure point for the version of the
software being described. This value should be generated or taken
from the software descriptor linked to by the entry. This helps
avoid, but does not prevent, inconsistent versioning schemes being
shared.

5.3. urn:ietf:params:rolie:property:swd:swcreator

This property provides an exposure point for a plain text name of the
creator of the software being described. This is in many cases an
organization or company, but certainly could be a single person.
Most software descriptor formats include this information, and where
possible, this property should be set equal to that value.

6. Data format requirements

This section defines usage guidance and additional requirements
related to data formats above and beyond those specified in
[RFC8322]. The following formats are expected to be commonly used to
express software descriptor information. For this reason, this
document specifies additional requirements to ensure
interoperability.

6.1. The ISO SWID 2015 format

6.1.1. Description

[both drafts]
ISO/IEC 19770-2:2015 defines a software record data format referred
to as a "SWID Tag". It provides several tag types:

o  primary: provides descriptive and naming information about
   software,

o  patch: describes non-standalone software meant to patch existing
   software,

o  corpus: describes the software installation media that installs a
   given piece of software,

o  supplemental: provides additional metadata to be deployed
   alongside a tag.

For a more complete overview as well as normative requirements, refer
to ISO/IEC 19770-2:2015 [SWID].

For additional requirements and guidance around creation of SWID
Tags, consult NIST Internal Report 8060 [NISTIR8060].
5.1.2. Requirements [draft-02] / 6.1.2. Requirements [draft-03]

For an Entry to be considered as a "SWID Tag Entry", it MUST fulfill
the following conditions:

o  The information-type of the Entry is "software-descriptor". For a
   typical Entry, this is derived from the information-type of the
   Feed it is contained in. For a standalone Entry, this is provided
   by an "atom:category" element.

o  The document linked to by the "href" attribute of the
   "atom:content" element is a 2015 SWID Tag as per ISO/IEC
   19770-2:2015.

A "SWID Tag Entry" MUST conform to the following requirements:

o  The value of the "type" attribute of the "atom:content" element
   MUST be "application/swid2015+xml" (marked [TODO] in draft-03).

o  There MUST be one "rolie:property" with the "name" attribute equal
   to "urn:ietf:params:rolie:property:swd:id" (draft-02) or
   "urn:ietf:params:rolie:property:content-id" (draft-03) and the
   "value" attribute exactly equal to the "<tagid>" element in the
   attached SWID Tag. This allows ROLIE consumers to more easily
   search for SWID tags without needing to download the tag itself.

o  There MUST be one "rolie:property" with the "name" attribute equal
   to "urn:ietf:params:rolie:property:swd:swname", and the "value"
   attribute equal to the value of the "<name>" element in the
   attached SWID Tag. As above, this field aids ROLIE consumers in
   searching and filtering Entries.

o  [draft-03 only] There MAY be a property element with the "name"
   attribute equal to "urn:ietf:params:rolie:property:swd:swversion".
   When this property appears, its value MUST be equal to the value
   of the "TODO-version" element in the attached SWID Tag.
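The rolie:property guidance of Section 5 (draft-03) and the "SWID Tag Entry" requirements above both come down to one rule: the property values on the Entry must be copied from the attached tag, and a consumer can check that without trusting the Entry's own metadata. The following is an added example, not code from the draft or from any ROLIE implementation. It assumes the Atom namespace http://www.w3.org/2005/Atom, the ROLIE namespace urn:ietf:params:xml:ns:rolie-1.0 from RFC 8322, that the information-type is carried in the atom:category "term" attribute and the linked tag in the atom:content "src" attribute (the Atom attribute names for what the draft calls "value" and "href"), and that the attached tag is an ISO 19770-2:2015 SoftwareIdentity whose tagId, name and version are attributes of the root element (the draft's "<tagid>" and "<name>"). The sample tag and Entries are constructed.

```python
"""Derive rolie:property values from a SWID tag, and check a ROLIE Entry
against the "SWID Tag Entry" requirements.  Added example; assumptions
(namespaces, Atom attribute names, SWID root attributes) are listed above."""
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
ROLIE = "urn:ietf:params:xml:ns:rolie-1.0"          # assumed: RFC 8322 namespace
SWID = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"  # assumed: ISO 19770-2:2015

INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
PROP_CONTENT_ID = "urn:ietf:params:rolie:property:content-id"
PROP_SWNAME = "urn:ietf:params:rolie:property:swd:swname"
PROP_SWVERSION = "urn:ietf:params:rolie:property:swd:swversion"
SWID_MEDIA_TYPE = "application/swid2015+xml"

# Constructed sample primary tag for a fictitious product.
SAMPLE_SWID = f"""<SoftwareIdentity xmlns="{SWID}" tagId="example.com-widget-2.1.0"
    name="Widget" version="2.1.0">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>"""

# Constructed sample Entry that satisfies every requirement.
GOOD_ENTRY = f"""<entry xmlns="{ATOM}" xmlns:rolie="{ROLIE}">
  <id>urn:uuid:00000000-0000-4000-8000-000000000001</id>
  <title>Widget 2.1.0</title>
  <updated>2018-07-15T00:00:00Z</updated>
  <category scheme="{INFO_TYPE_SCHEME}" term="software-descriptor"/>
  <content type="{SWID_MEDIA_TYPE}" src="https://rolie.example.com/swid/widget-2.1.0.swidtag"/>
  <rolie:property name="{PROP_CONTENT_ID}" value="example.com-widget-2.1.0"/>
  <rolie:property name="{PROP_SWNAME}" value="Widget"/>
  <rolie:property name="{PROP_SWVERSION}" value="2.1.0"/>
</entry>"""

# Same Entry with a hand-edited name and a generic media type: two violations.
BAD_ENTRY = (GOOD_ENTRY.replace('value="Widget"', 'value="Widget Pro"')
             .replace(SWID_MEDIA_TYPE, "application/xml"))


def properties_from_swid(swid_xml):
    """Publisher side: take the property values straight from the tag, so the
    swname/swversion exposed on the Entry cannot drift from the tag itself."""
    root = ET.fromstring(swid_xml)
    if root.tag != f"{{{SWID}}}SoftwareIdentity":
        raise ValueError("not an ISO 19770-2:2015 SWID tag")
    props = {PROP_CONTENT_ID: root.get("tagId"), PROP_SWNAME: root.get("name")}
    if root.get("version") is not None:
        props[PROP_SWVERSION] = root.get("version")
    return props


def check_swid_tag_entry(entry_xml, swid_xml, feed_info_type=None):
    """Consumer side: return the list of requirement violations (empty for a
    conforming SWID Tag Entry).  feed_info_type is the information-type
    inherited from the containing Feed when the Entry carries no category."""
    entry = ET.fromstring(entry_xml)
    problems = []

    # Condition: the information-type, own or inherited, is "software-descriptor".
    own = [c.get("term") for c in entry.findall(f"{{{ATOM}}}category")
           if c.get("scheme") == INFO_TYPE_SCHEME]
    info_type = own[0] if own else feed_info_type
    if info_type != "software-descriptor":
        problems.append(f"information-type is {info_type!r}, expected 'software-descriptor'")

    # Condition and first requirement: atom:content links out to a SWID tag.
    content = entry.find(f"{{{ATOM}}}content")
    if content is None:
        return problems + ["missing atom:content"]
    if content.get("type") != SWID_MEDIA_TYPE:
        problems.append(f"atom:content type is {content.get('type')!r}, expected {SWID_MEDIA_TYPE!r}")
    if not content.get("src"):
        problems.append("atom:content does not link to an out-of-line SWID tag")

    # Remaining requirements: the properties mirror the attached tag exactly.
    expected = properties_from_swid(swid_xml)
    actual = {}
    for prop in entry.findall(f"{{{ROLIE}}}property"):
        actual.setdefault(prop.get("name"), []).append(prop.get("value"))
    for name in (PROP_CONTENT_ID, PROP_SWNAME):          # MUST appear exactly once
        values = actual.get(name, [])
        if len(values) != 1:
            problems.append(f"expected exactly one {name}, found {len(values)}")
        elif values[0] != expected[name]:
            problems.append(f"{name} is {values[0]!r} but the tag says {expected[name]!r}")
    versions = actual.get(PROP_SWVERSION, [])             # MAY appear; if so, MUST match
    if versions and versions != [expected.get(PROP_SWVERSION)]:
        problems.append(f"{PROP_SWVERSION} {versions!r} does not match tag version "
                        f"{expected.get(PROP_SWVERSION)!r}")
    return problems


if __name__ == "__main__":
    print("good entry:", check_swid_tag_entry(GOOD_ENTRY, SAMPLE_SWID))
    print("bad entry:", check_swid_tag_entry(BAD_ENTRY, SAMPLE_SWID))
```

A consumer that relies on the swname and swversion properties for search or filtering should treat a mismatch between those properties and the downloaded tag as a reason to discard the Entry's metadata and index the tag's own values instead; the properties are a convenience, the tag is the record.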
5.2. The Concise SWID format [draft-02] / 6.2. The Concise SWID format [draft-03]

5.2.1. Description [draft-02] / 6.2.1. Description [draft-03]

The Concise SWID (COSWID) format is an alternative representation of
the SWID Tag format using a Concise Binary Object Representation
(CBOR) encoding. This provides the format with a reduced size that
is more suitable for constrained devices. It provides the same
features and attributes as are specified in ISO 19770-2:2015, plus:

o  a straightforward method to sign and encrypt using COSE, and

o  additional attributes that provide an improved structure to
   include file hashes intended to be used as Reference Integrity
   Measurements (RIM).

For more information and the complete specification, refer to the
COSWID internet draft [I-D.ietf-sacm-coswid].

5.2.2. Requirements [draft-02] / 6.2.2. Requirements [draft-03]

For an Entry to be considered as a "COSWID Tag Entry", it MUST
fulfill the following conditions:

o  The information-type of the Entry is "software-descriptor". For a
   typical Entry, this is derived from the information-type of the
   Feed it is contained in. For a standalone Entry, this is provided
   by an "atom:category" element.

o  The document linked to by the "href" attribute of the
   "atom:content" element is a COSWID Tag as per
   [I-D.ietf-sacm-coswid].

A "COSWID Tag Entry" MUST conform to the following requirements:

o  The value of the "type" attribute of the "atom:content" element
   MUST be "application/coswid+cbor".

o  There MUST be one "rolie:property" with the "name" attribute equal
   to "urn:ietf:params:rolie:property:swd:id" (draft-02) or
   "urn:ietf:params:rolie:property:content-id" (draft-03) and the
   "value" attribute exactly equal to the "tag-id" element in the
   attached COSWID Tag. This allows ROLIE consumers to more easily
   search for COSWID tags without needing to download the tag itself.

o  There MUST be one "rolie:property" with the "name" attribute equal
   to "urn:ietf:params:rolie:property:swd:swname", and the "value"
   attribute equal to the value of the "swid-name" element in the
   attached COSWID Tag. As above, this field aids ROLIE consumers in
   searching and filtering Entries.

o  [draft-03 only] There MAY be a property element with the "name"
   attribute equal to "urn:ietf:params:rolie:property:swd:swversion".
   When this property appears, its value MUST be equal to the value
   of the "TODO-version" element in the attached COSWID Tag.

6. atom:link Extensions [draft-02] / 7. atom:link Extensions [draft-03]

This section defines additional link relationships that
implementations MUST support. These relationships are not registered
in the Link Relation IANA table as their use case is too narrow.
Each relationship is named and described.

[draft-03 only]
These relations come in related pairs. The first of each pair is
expected to be more common, as they can be determined at the time
that the Entry is created. The second of each pair will often need
to be added retroactively to an Entry.
[draft-02]
+--------------------+----------------------------------------------+
| Name               | Description                                  |
+--------------------+----------------------------------------------+
| ancestor           | Links to a software descriptor resource that |
|                    | defines an ancestor of the software being    |
|                    | described by this Entry. This is usually a   |
|                    | previous version of the software.            |
| patches            | Links to a software descriptor resource that |
|                    | defines the software being patched by this   |
|                    | software.                                    |
| requires           | Links to a software descriptor resource that |
|                    | defines a piece of software required for     |
|                    | this software to function properly, i.e., a  |
|                    | dependency.                                  |
| installs           | Links to a software descriptor resource that |
|                    | defines the software that is installed by    |
|                    | this software.                               |
| installationrecord | Links to a software descriptor resource that |
|                    | defines the software package that installs   |
|                    | this software.                               |
+--------------------+----------------------------------------------+

[draft-03]
+----------------------+--------------------------------------------+
| Name                 | Description                                |
+----------------------+--------------------------------------------+
| ancestor             | Links to a software descriptor resource    |
|                      | that defines an ancestor of the software   |
|                      | being described by this Entry. This is     |
|                      | usually a previous version of the          |
|                      | software.                                  |
| descendent           | Links to a software descriptor resource    |
|                      | that defines a descendent of the software  |
|                      | being described by this Entry. This is     |
|                      | usually a more recent version or edition   |
|                      | of the software.                           |
| patches              | Links to a software descriptor resource    |
|                      | that defines the software being patched by |
|                      | this software.                             |
| patchedby            | Links to a software descriptor resource    |
|                      | that defines the patch or update itself    |
|                      | that can be or has been applied to this    |
|                      | software.                                  |
| requires             | Links to a software descriptor resource    |
|                      | that defines a piece of software required  |
|                      | for this software to function properly,    |
|                      | i.e., a dependency.                        |
| requiredBy           | Links to a software descriptor resource    |
|                      | that defines a piece of software that      |
|                      | requires this software to function         |
|                      | properly.                                  |
| installs             | Links to a software descriptor resource    |
|                      | that defines the software that is          |
|                      | installed by this software.                |
| installedBy          | Links to a software descriptor resource    |
|                      | that defines the software package that     |
|                      | installs this software.                    |
| patchesVulnerability | Links to a vulnerability that this         |
|                      | software update fixes. Used for software   |
|                      | descriptors that are describing software   |
|                      | patches or updates.                        |
| hasVulnerability     | Links to a vulnerability description       |
|                      | object that details a vulnerability that   |
|                      | this software has.                         |
+----------------------+--------------------------------------------+

Table 1: Link Relations for Resource-Oriented Lightweight Indicator
Exchange
draft-ietf-sacm-rolie-softwaredescriptor-02:

7. IANA Considerations

7.1. Media Type Registrations

7.1.1. ISO SWID

This document registers a MIME Type for the SWID Tag format. The
registration is as follows:

MIME media type name: application
MIME subtype name: swid2015+xml
Mandatory parameters: None.

[skipping to change at page 9, line 38]

Section 3.2.
File extension: .swidtag
Fragment identifiers: As specified for "application/xml" in
[RFC3023], Section 5.
Base URI: As specified in [RFC3023], Section 6.
Macintosh File Type code: TEXT
Person and email address to contact for further information: Stephen
Banghart <stephen.banghart@nist.gov>
Intended usage: COMMON
Author/Change controller: IESG

7.2. software-descriptor information-type

IANA has added an entry to the "ROLIE Security Resource Information
Type Sub-Registry" registry located at
<https://www.iana.org/assignments/rolie/category/information-type>.
The entry is as follows:

name: software-descriptor
index: TBD
reference: This document, Section 3.1

7.3. swd:id property

IANA has added an entry to the "ROLIE URN Parameters" registry
located in <https://www.iana.org/assignments/rolie/>. The entry is
as follows:

name: property:swd:id
Extension IRI: urn:ietf:params:rolie:property:swd:id
Reference: This document, Section 4.1
Subregistry: None

7.4. swd:swname property

IANA has added an entry to the "ROLIE URN Parameters" registry
located in <https://www.iana.org/assignments/rolie/>. The entry is
as follows:

name: property:swd:swname
Extension IRI: urn:ietf:params:rolie:property:swd:swname
Reference: This document, Section 4.2
Subregistry: None

draft-ietf-sacm-rolie-softwaredescriptor-03:

8. IANA Considerations

8.1. Media Type Registrations

8.1.1. ISO SWID

This document registers a MIME Type for the SWID Tag format. The
registration is as follows:

MIME media type name: application
MIME subtype name: swid2015+xml
Mandatory parameters: None.

[skipping to change at page 12, line 4]

Section 3.2.
File extension: .swidtag
Fragment identifiers: As specified for "application/xml" in
[RFC3023], Section 5.
Base URI: As specified in [RFC3023], Section 6.
Macintosh File Type code: TEXT
Person and email address to contact for further information: Stephen
Banghart <stephen.banghart@nist.gov>
Intended usage: COMMON
Author/Change controller: IESG

8.2. software-descriptor information-type

IANA has added an entry to the "ROLIE Security Resource Information
Type Sub-Registry" registry located at
<https://www.iana.org/assignments/rolie/category/information-type>.
The entry is as follows:

name: software-descriptor
index: TBD
reference: This document, Section 4

8.3. swd:swname property

IANA has added an entry to the "ROLIE URN Parameters" registry
located in <https://www.iana.org/assignments/rolie/>. The entry is
as follows:

name: property:swd:swname
Extension IRI: urn:ietf:params:rolie:property:swd:swname
Reference: This document, Section 5.1
Subregistry: None

8.4. swd:swversion property

IANA has added an entry to the "ROLIE URN Parameters" registry
located in <https://www.iana.org/assignments/rolie/>. The entry is
as follows:

name: property:swd:swversion
Extension IRI: urn:ietf:params:rolie:property:swd:swversion
Reference: This document, Section 5.1
Subregistry: None

8.5. swd:swcreator property

IANA has added an entry to the "ROLIE URN Parameters" registry
located in <https://www.iana.org/assignments/rolie/>. The entry is
as follows:

name: property:swd:swcreator
Extension IRI: urn:ietf:params:rolie:property:swd:swcreator
Reference: This document, Section 5.1
Subregistry: None
draft-ietf-sacm-rolie-softwaredescriptor-02:

8. Security Considerations

Use of this extension implies dealing with the security implications
of both ROLIE and of software descriptors in general. As with any
SWD information, care should be taken to verify the trustworthiness
and veracity of the descriptor information to the fullest extent
possible.

Ideally, software descriptors should have been signed by the software
manufacturer, or signed by whichever agent processed the source code.
SWD documents from these sources are more likely to be accurate than
those generated by scraping installed software.

These "authoritative" sources of SWD content should consider
additional security for their ROLIE repository beyond the typical
recommendations, as the central importance of the repository is
likely to make it a target.

Version information is often represented differently across
manufacturers and even across product releases. If using SWD version
information for low fault tolerance comparisons and searches, care
should be taken that the correct version scheme is being utilized.

draft-ietf-sacm-rolie-softwaredescriptor-03:

9. Security Considerations

Use of this extension implies dealing with the security implications
of both ROLIE and of software descriptors in general. As with any
data, care should be taken to verify the trustworthiness and veracity
of the descriptor information to the fullest extent possible.

Ideally, software descriptors should have been signed by the software
manufacturer, or signed by whichever agent processed the source code.
Software descriptor documents from these sources are more likely to
be accurate than those generated by scraping installed software.

These "authoritative" sources of software descriptor content should
consider additional security for their ROLIE repository beyond the
typical recommendations, as the central importance of the repository
is likely to make it a target.

Version information is often represented differently across
manufacturers and even across product releases. If using software
version information for low fault tolerance comparisons and searches,
care should be taken that the correct version scheme is being
utilized.

9. Privacy Considerations

This extension does not introduce any privacy considerations above or
beyond that of the core ROLIE document. Any implementations using
this extension should understand the privacy considerations of ROLIE
and the Atom Publishing Protocol.
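The version-scheme caveat above is easy to get wrong in practice: plain string ordering puts "1.10" before "1.9", and comparing two versions whose scheme is not known at all silently yields an answer. The following Python is an added example, not code from the draft or from any ROLIE implementation. It keys comparisons on an explicitly named scheme and refuses unknown schemes rather than guessing. The scheme names follow the SWID versionScheme vocabulary (multipartnumeric, semver); the parsing rules, the matches_at_least helper and the sample values are this example's own simplification.

```python
"""Scheme-aware version comparison for software descriptor searches.
Added example, not code from the draft; the scheme names follow the SWID
versionScheme vocabulary, the parsing rules are this example's own."""
import re


def _multipartnumeric_key(version):
    """Dotted run of integers such as "1.10.2", compared part by part."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a multipartnumeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def _semver_key(version):
    """major.minor.patch with an optional -prerelease (build metadata is
    ignored).  A prerelease sorts before the release it precedes, and
    numeric identifiers sort before alphanumeric ones, as semver requires."""
    m = re.fullmatch(
        r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?",
        version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (core, 1, ())  # a release outranks any prerelease of the same core
    idents = tuple((0, int(p)) if p.isdigit() else (1, p)
                   for p in m.group(4).split("."))
    return (core, 0, idents)


# Registry of the schemes this example understands.  Anything else is
# refused by compare_versions instead of being compared by some guess.
SCHEMES = {
    "multipartnumeric": _multipartnumeric_key,
    "semver": _semver_key,
}


def compare_versions(a, b, scheme):
    """Return -1, 0 or 1 comparing a to b under the named scheme."""
    try:
        key = SCHEMES[scheme]
    except KeyError:
        raise ValueError(f"unsupported version scheme: {scheme!r}") from None
    ka, kb = key(a), key(b)
    return (ka > kb) - (ka < kb)


def naive_compare(a, b):
    """Plain string ordering, kept only to show the failure mode."""
    return (a > b) - (a < b)


def matches_at_least(versions, minimum, scheme):
    """Keep the versions that are >= minimum under the given scheme,
    e.g. when searching a feed for descriptors of a fixed release."""
    return [v for v in versions if compare_versions(v, minimum, scheme) >= 0]


if __name__ == "__main__":
    # Constructed sample values.
    print(naive_compare("1.10", "1.9"))                           # -1 (wrong)
    print(compare_versions("1.10", "1.9", "multipartnumeric"))    # 1
    print(compare_versions("1.0.0-rc.1", "1.0.0", "semver"))      # -1
    print(matches_at_least(["1.9", "1.10", "2.0", "1.2"], "1.9",
                           "multipartnumeric"))
```

The point of the explicit scheme parameter is that a consumer searching a feed for "all descriptors at or above the fixed version" has to take the scheme from the descriptor (or from the vendor) rather than assume one; mixing a semver string into a multipartnumeric comparison raises here instead of returning a plausible but meaningless result.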
10. Normative References

[I-D.ietf-sacm-coswid]
Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
Waltermire, "Concise Software Identifiers", draft-ietf-
sacm-coswid-06 (work in progress), July 2018.
(draft -02 cited draft-ietf-sacm-coswid-05, March 2018.)

[NISTIR8060]
Waltermire, D., Cheikes, B., Feldman, L., and G. Witte,
"Guidelines for the Creation of Interoperable Software
Identification (SWID) Tags", NISTIR 8060, April 2016,
<https://doi.org/10.6028/NIST.IR.8060>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,

[skipping to change at page 12, line 18 in -02 / page 14, line 43 in -03]
Appendix A. Schema

This document does not require any schema extensions.

Appendix B. Examples of Use

Use of this extension in a ROLIE repository will not typically change
that repository's operation. As such, the general examples provided
by the ROLIE core document would serve as examples. Provided below
is a sample software descriptor ROLIE entry (draft -02 called it a
"sample SWD ROLIE entry"):

draft-ietf-sacm-rolie-softwaredescriptor-02:

<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <id>dd786dba-88e6-440b-9158-b8fae67ef67c</id>
  <title>Sample Software Descriptor</title>
  <published>2015-08-04T18:13:51.0Z</published>
  <updated>2015-08-05T18:13:51.0Z</updated>
  <summary>A descriptor for a piece of software published by this
    organization. </summary>
  <link rel="self" href="http://www.example.org/provider/SWD/123456"/>
  <category
    scheme="urn:ietf:params:rolie:category:information-type"
    term="software-descriptor"/>
  <rolie:format ns="urn:example:COSWID"/>
  <content type="application/xml"
    src="http://www.example.org/provider/SWD/123456/data"/>
</entry>

draft-ietf-sacm-rolie-softwaredescriptor-03 (the name attribute of
rolie:property is quoted here; XML requires quoted attribute values):

<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <id>dd786dba-88e6-440b-9158-b8fae67ef67c</id>
  <title>Sample Software Descriptor</title>
  <published>2015-08-04T18:13:51.0Z</published>
  <updated>2015-08-05T18:13:51.0Z</updated>
  <summary>A descriptor for a piece of software published by this
    organization. </summary>
  <link rel="self" href="http://www.example.org/rolie/SWD/123456"/>
  <link rel="feed" href="http://www.example.org/rolie/SWD/"/>
  <link rel="requires" href="http://www.example.org/rolie/SWD/78430"/>
  <rolie:property name="urn:ietf:params:rolie:property:swd:swname"
    value="Example Software Name"/>
  <category
    scheme="urn:ietf:params:rolie:category:information-type"
    term="software-descriptor"/>
  <rolie:format
    ns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"/>
  <content type="application/swid+xml"
    src="http://www.example.org/rolie/SWD/123456/data"/>
</entry>
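A consumer of such an entry has to do three things before trusting it as a software descriptor: confirm the information-type category, read the swd:* properties, and sort the links by the relations of Table 1 so that dependency, patch and vulnerability edges can be followed or cross-checked. The Python below is an added example, not code from the draft or from any ROLIE implementation. It parses a constructed entry modelled on the -03 sample above (attribute values quoted, with an added hasVulnerability link to a hypothetical URL and the application/swid2015+xml subtype registered in the Media Type Registrations section), and its expected_back_links function reports, for every Table 1 relation that has an inverse in the table, the reverse link a consumer would expect the linked resource to carry; that back-link expectation is this example's own consistency check, not a requirement stated by the draft.

```python
"""Parse a ROLIE software-descriptor entry and index its Table 1 link
relations.  Added example, not code from the draft; the entry text is a
constructed variant of the Appendix B sample."""
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
ROLIE = "urn:ietf:params:xml:ns:rolie-1.0"
INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
SWNAME_PROP = "urn:ietf:params:rolie:property:swd:swname"
SWID_MEDIA_TYPE = "application/swid2015+xml"  # subtype from the registration
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"

# Table 1 relations mapped to their inverse relation (None where the table
# defines no inverse).
SWD_RELATIONS = {
    "ancestor": "descendent", "descendent": "ancestor",
    "patches": "patchedby", "patchedby": "patches",
    "requires": "requiredBy", "requiredBy": "requires",
    "installs": "installedBy", "installedBy": "installs",
    "patchesVulnerability": None, "hasVulnerability": None,
}

# Constructed sample entry: the draft's example with quoted attributes, an
# extra hasVulnerability link (hypothetical URL) and the registered type.
SAMPLE_ENTRY = """<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <id>dd786dba-88e6-440b-9158-b8fae67ef67c</id>
  <title>Sample Software Descriptor</title>
  <published>2015-08-04T18:13:51.0Z</published>
  <updated>2015-08-05T18:13:51.0Z</updated>
  <summary>A descriptor for a piece of software.</summary>
  <link rel="self" href="http://www.example.org/rolie/SWD/123456"/>
  <link rel="feed" href="http://www.example.org/rolie/SWD/"/>
  <link rel="requires" href="http://www.example.org/rolie/SWD/78430"/>
  <link rel="hasVulnerability" href="http://www.example.org/rolie/vuln/example-1"/>
  <rolie:property name="urn:ietf:params:rolie:property:swd:swname"
                  value="Example Software Name"/>
  <category scheme="urn:ietf:params:rolie:category:information-type"
            term="software-descriptor"/>
  <rolie:format ns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"/>
  <content type="application/swid2015+xml"
           src="http://www.example.org/rolie/SWD/123456/data"/>
</entry>
"""


def parse_software_descriptor(xml_text):
    """Return a dict describing the entry; raise ValueError if the document
    is not an Atom entry categorized with the software-descriptor type."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ATOM}}}entry":
        raise ValueError("not an Atom entry")
    terms = {c.get("term") for c in root.findall(f"{{{ATOM}}}category")
             if c.get("scheme") == INFO_TYPE_SCHEME}
    if "software-descriptor" not in terms:
        raise ValueError("entry is not of information-type software-descriptor")

    links, swd_links = {}, {}
    for link in root.findall(f"{{{ATOM}}}link"):
        rel, href = link.get("rel"), link.get("href")
        links.setdefault(rel, []).append(href)
        if rel in SWD_RELATIONS:          # only the Table 1 relations
            swd_links.setdefault(rel, []).append(href)

    props = {p.get("name"): p.get("value")
             for p in root.findall(f"{{{ROLIE}}}property")}
    fmt = root.find(f"{{{ROLIE}}}format")
    content = root.find(f"{{{ATOM}}}content")
    return {
        "id": root.findtext(f"{{{ATOM}}}id"),
        "swname": props.get(SWNAME_PROP),
        "properties": props,
        "links": links,
        "swd_links": swd_links,
        "format_ns": fmt.get("ns") if fmt is not None else None,
        "content_type": content.get("type") if content is not None else None,
        "content_src": content.get("src") if content is not None else None,
    }


def is_swid_content(entry):
    """True when the format namespace and content type both say ISO SWID."""
    return entry["format_ns"] == SWID_NS and entry["content_type"] == SWID_MEDIA_TYPE


def expected_back_links(entry):
    """(href, inverse_rel, self_href) triples: each Table 1 link that has an
    inverse should be mirrored on the linked resource with that inverse."""
    self_href = entry["links"].get("self", [None])[0]
    triples = []
    for rel, hrefs in entry["swd_links"].items():
        inverse = SWD_RELATIONS[rel]
        if inverse is not None:
            triples.extend((href, inverse, self_href) for href in hrefs)
    return triples


if __name__ == "__main__":
    e = parse_software_descriptor(SAMPLE_ENTRY)
    print(e["swname"], e["content_type"], is_swid_content(e))
    for href, rel, back in expected_back_links(e):
        print(f"{href} should carry <link rel={rel!r} href={back!r}/>")
```

The category check comes first because an Atom entry that merely carries swd:* properties or SWID content is not a software descriptor under this extension until it is categorized as one; the Table 1 filter keeps Atom's own relations (self, feed) out of the software graph.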
Authors' Addresses

(draft -03 lists Banghart first; draft -02 listed Waltermire first.)

Stephen Banghart
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland 20877
USA

Email: stephen.banghart@nist.gov

David Waltermire
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland 20877
USA

Email: david.waltermire@nist.gov
 End of changes. 72 change blocks. 
183 lines changed or deleted, 277 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/