SACM Working Group                                           S. Banghart
Internet-Draft                                             D. Waltermire
Intended status: Informational                                      NIST
Expires: December 27, 2019                                 June 25, 2019


         Definition of the ROLIE Software Descriptor Extension
              draft-ietf-sacm-rolie-softwaredescriptor-07
Abstract

   This document uses the "information-type" extension point as defined
   in the Resource-Oriented Lightweight Information Exchange (ROLIE)
   [RFC8322] Section 7.1.2 to better support Software Record and
   Software Inventory use cases.  This specification registers a new
   ROLIE information-type, "software-descriptor", that allows for the
   categorization of information relevant to software description
   activities and formats.  In particular, the usage of the ISO
   19770-2:2015 Software Identification Tag (SWID Tag) and the Concise
   SWID (COSWID) formats in ROLIE is standardized.  Additionally, this
   document discusses requirements and usage of other ROLIE elements in
   order to best syndicate software description information.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 27, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [...]
   4.  The "software-descriptor" information type
   5.  rolie:property Extensions
       5.1.  urn:ietf:params:rolie:property:swd:swname
       5.2.  urn:ietf:params:rolie:property:swd:swversion
       5.3.  urn:ietf:params:rolie:property:swd:swcreator
   6.  Data format requirements
       6.1.  The ISO SWID 2015 format
             6.1.1.  Description
             6.1.2.  Requirements
       6.2.  The Concise SWID format
             6.2.1.  Description
             6.2.2.  Requirements
   7.  atom:link Extensions
   8.  IANA Considerations
       8.1.  software-descriptor information-type
       8.2.  swd:swname property
       8.3.  swd:swversion property
       8.4.  swd:swcreator property
   9.  Security Considerations
   10. Normative References
   Appendix A.  Schema
   Appendix B.  Examples of Use
   Authors' Addresses
1.  Introduction

   This document defines an extension to the Resource-Oriented
   Lightweight Information Exchange (ROLIE) [RFC8322] to support the
   publication of software descriptor information.  Software descriptor
   information is information that characterizes static software
   components, packages, and installers, including identification,
   version, software creation and publication, and file artifact
   information.

   Software descriptor information provides data about what might be
   installed, but doesn't describe a specific software installation's
   configuration or execution.  This static approach to software
   description is a tightly limited scope that still covers the majority
   of current use cases for software inventory and record keeping.

   Some possible use cases for software descriptor information ROLIE
   Feeds (Section 6.1 of [RFC8322]) include:

   o  Software providers can publish software descriptor information so
      that software researchers, enterprises, and users of software can
      understand the collection of software produced by that software
      provider.

   o  Organizations can aggregate and syndicate collections of software
      descriptor information provided by multiple software providers to
      support software-related analysis processes (e.g., vulnerability
      analysis) and to provide downstream services (e.g., software
      configuration checklist repositories).

   o  End user organizations can consume software descriptor information
      along with related software vulnerability and configuration
      information to provide the data needed to automate software asset,
      patch, and configuration management practices.

   o  Organizations can use software descriptors to support verification
      of other entities through integrity measurement mechanisms.

   This document supports these use cases by describing the content
   requirements for Feeds and Entries of software descriptor information
   that are to be published to or retrieved from a ROLIE repository.
2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   As an extension of [RFC8322], this document uses many terms defined
   in that document.  In particular, "Entry" and "Feed" are used with
   the meanings given in [RFC8322].

   Several places in this document refer to the "information-type" of a
   Resource (Entry or Feed).  This refers to the "term" attribute of an
   "atom:category" element whose "scheme" attribute is
   "urn:ietf:params:rolie:category:information-type".  For an Entry,
   this value can be inherited from its containing Feed as per
   [RFC8322].
3.  Background

   In order to effectively protect and secure an endpoint, it is vital
   to know what the software load of that endpoint is.  Software load,
   the combination of software, patches and installers on a device,
   represents a significant portion of the endpoint's attack surface.

   Unfortunately, without a reliable and secure package manager, or a
   secured and managed operating system with strict software
   whitelisting, tracking what software is installed on an endpoint is
   currently not feasible without undue effort.  Even attempting to
   whitelist software is difficult without a way of identifying software
   and its editions, versions and hotfixes.

   Software descriptor information, such as that standardized in the ISO
   19770-2:2015 Software Identification Tag (SWID) format or expressed
   in proprietary enterprise databases, attempts to provide as much data
   about this software as possible.

   Once this information is expressed, it needs to be stored and shared
   with internal and external parties.  ROLIE provides a mechanism to
   handle this sharing in an automation-friendly way.
4.  The "software-descriptor" information type

   When an "atom:category" element has a "scheme" attribute equal to
   "urn:ietf:params:rolie:category:information-type", the "term"
   attribute defines the information type of the associated resource.  A
   new valid value for this "term", "software-descriptor", is described
   in this section and registered in Section 8.1.  When this value is
   used, the resource in question is considered to have an information-
   type of "software-descriptor" as per [RFC8322] Section 7.1.2.

   The "software-descriptor" information type represents any static
   information that describes a piece of software.  This document uses
   the definition of software provided by [RFC4949].  Note that as per
   this definition, this information type pertains to static software,
   that is, code on disk.  The "software-descriptor" information type is
   intended to provide a category for information that does one or more
   of the following:

   identifies and characterizes software:  information that provides
      quantitative and qualitative data describing software.  This
      information identifies and characterizes a given instance of
      software.

   provides software installer metadata:  information about software
      used to install other software.  This metadata identifies and
      characterizes a software installation package or media.

   describes stateless installation metadata:  information that
      describes the software post-deployment, such as files that may be
      deployed during an installation.  It is expected that this
      metadata is produced generally for a given installation, and may
      not exactly match the actual installed files on a given endpoint.

   Provided below is a non-exhaustive list of information that may be
   considered to be of a software-descriptor information type.

   o  Naming information: IDs and names that aid in the identification
      of a piece of software.

   o  Version and patching information: Version numbers, patch
      identifiers, or other information that relates to software updates
      and patches.

   o  Vendor and source information: Includes where the software was
      developed or distributed, as well as where the software
      installation media may be located.

   o  Payload and file information: Information that describes or
      enumerates the files and folders that make up the piece of
      software, and information about those files.

   o  Descriptive information and data: Any information that otherwise
      characterizes a piece of software, such as libraries, runtime
      environments, target operating systems, intended purpose or
      audience, etc.

   Note again that this list is not exhaustive; any information that
   falls within the general realm of software description should be
   classified under this information-type.

   It is important to note that software descriptor information is
   static for a given piece of software.  That is, the information
   expressed is the data that doesn't change from the publication of the
   software to its final install.  Information about the current status
   (e.g., install location, memory usage, CPU usage, launch parameters,
   job progress, etc.) is out of scope of this information type.
5.  rolie:property Extensions

   This document registers new valid rolie:property names as follows:

5.1.  urn:ietf:params:rolie:property:swd:swname

   This property provides an exposure point for the plain text name of
   the software being described.  Naming of software is not a well

   [...]
   ISO/IEC 19770-2:2015 defines a software record data format referred
   to as a "SWID Tag".  It provides several tag types:

   o  primary: provides descriptive and naming information about
      software,

   o  patch: describes non-standalone software meant to patch existing
      software,

   o  corpus: describes the software installation media that installs a
      given piece of software,

   o  supplemental: provides additional metadata to be deployed
      alongside a tag.

   For a more complete overview as well as normative requirements, refer
   to ISO/IEC 19770-2:2015 [SWID].

   For additional requirements and guidance around creation of SWID
   Tags, consult NIST Internal Report 8060 [NISTIR8060].

   [...]
   For an Entry to be considered as a "SWID Tag Entry", it MUST fulfill
   the following conditions:

   o  The information-type of the Entry is "software-descriptor".  For a
      typical Entry, this is derived from the information type of the
      Feed it is contained in.  For a standalone Entry, this is provided
      by an "atom:category" element.

   o  The document linked to by the "src" attribute of the
      "atom:content" element is a 2015 SWID Tag per ISO/IEC
      19770-2:2015.

   A "SWID Tag Entry" MUST conform to the following requirements:

   o  The value of the "type" attribute of the "atom:content" element
      MUST be "application/xml".

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:content-id" and the "value"
      attribute exactly equal to the "tagId" attribute of the
      "SoftwareIdentity" element of the attached SWID Tag.  This allows
      ROLIE consumers to search for SWID Tags without needing to
      download the tag itself.

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:swd:swname", and the "value"
      attribute equal to the "name" attribute of the "SoftwareIdentity"
      element of the attached SWID Tag.  As above, this helps ROLIE
      consumers search and filter Entries.

   o  There MAY be a "rolie:property" with the "name" attribute equal to
      "urn:ietf:params:rolie:property:swd:swversion".  When this
      property appears, its value MUST be equal to the "version"
      attribute of the "SoftwareIdentity" element of the attached SWID
      Tag.
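   The information-type rule of Sections 2 and 4 (a category on the
   Entry itself, otherwise the one inherited from the containing Feed)
   and the SWID Tag Entry conditions above can be checked mechanically
   by a consumer before it trusts the Entry's search properties.  The
   Python below is an added example written for this page; it is not
   part of the draft and not code from any ROLIE implementation.  The
   Feed, Entry and SWID Tag it contains are constructed test data, the
   example.com identifiers and URLs are placeholders, and the SWID
   document is supplied in-line instead of being fetched from the
   atom:content src URL.

```python
"""Check a ROLIE Entry against the "SWID Tag Entry" rules of Section 6.1.2.

Added example, not part of the draft.  The Feed and SWID Tag below are
constructed test data; the example.com names and URLs are placeholders.
"""
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
ROLIE = "urn:ietf:params:xml:ns:rolie-1.0"
SWID = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
NS = {"atom": ATOM, "rolie": ROLIE}

INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
P_CONTENT_ID = "urn:ietf:params:rolie:property:content-id"
P_SWNAME = "urn:ietf:params:rolie:property:swd:swname"
P_SWVERSION = "urn:ietf:params:rolie:property:swd:swversion"

# Constructed Feed.  The information-type is set on the Feed and inherited
# by the Entry, which carries the three rolie:property elements.
FEED_XML = f"""<feed xmlns="{ATOM}" xmlns:rolie="{ROLIE}">
  <id>urn:uuid:7a9c2b5e-4d3f-4e2a-9b1c-2f6d8e0a1b34</id>
  <title>Example Corp software descriptors</title>
  <updated>2019-06-25T00:00:00Z</updated>
  <category scheme="{INFO_TYPE_SCHEME}" term="software-descriptor"/>
  <entry>
    <id>urn:uuid:0c1e9d7f-6a5b-4c3d-8e2f-1a0b9c8d7e65</id>
    <title>Example Product 2.1.0</title>
    <updated>2019-06-25T00:00:00Z</updated>
    <content type="application/xml"
             src="https://rolie.example.com/swd/example-product-2.1.0.swidtag"/>
    <rolie:property name="{P_CONTENT_ID}" value="example.com-ExampleProduct-2.1.0"/>
    <rolie:property name="{P_SWNAME}" value="Example Product"/>
    <rolie:property name="{P_SWVERSION}" value="2.1.0"/>
  </entry>
</feed>"""

# Constructed ISO 19770-2:2015 tag, standing in for the document at src=.
SWID_XML = f"""<SoftwareIdentity xmlns="{SWID}" name="Example Product"
    tagId="example.com-ExampleProduct-2.1.0" version="2.1.0"
    versionScheme="multipartnumeric">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>"""


def information_type(entry, feed=None):
    """Term of the information-type category on the Entry, else inherited
    from the Feed (RFC 8322, Section 7.1.2); None for an uncategorized Entry."""
    for scope in (entry, feed):
        if scope is None:
            continue
        for cat in scope.findall("atom:category", NS):
            if cat.get("scheme") == INFO_TYPE_SCHEME:
                return cat.get("term")
    return None


def property_values(entry, name):
    """All rolie:property values carried under the given property name."""
    return [p.get("value") for p in entry.findall("rolie:property", NS)
            if p.get("name") == name]


def validate_swid_entry(entry, swid, feed=None):
    """Return the list of Section 6.1.2 rules the Entry violates (empty = OK).
    Values are compared as exact, case-sensitive strings, as the text requires."""
    problems = []
    if information_type(entry, feed) != "software-descriptor":
        problems.append('information-type is not "software-descriptor"')
    content = entry.find("atom:content", NS)
    if content is None or content.get("type") != "application/xml":
        problems.append('atom:content type is not "application/xml"')
    if swid.tag != f"{{{SWID}}}SoftwareIdentity":
        problems.append("linked document is not a 2015 SoftwareIdentity")
        return problems
    # tagId, name and version are attributes of <SoftwareIdentity>.
    if property_values(entry, P_CONTENT_ID) != [swid.get("tagId")]:
        problems.append("content-id property missing, repeated or != tagId")
    if property_values(entry, P_SWNAME) != [swid.get("name")]:
        problems.append("swd:swname property missing, repeated or != name")
    versions = property_values(entry, P_SWVERSION)
    if versions and versions != [swid.get("version")]:   # optional property
        problems.append("swd:swversion property present but != version")
    return problems


def run_checks(feed_xml=FEED_XML, swid_xml=SWID_XML, inherit=True):
    """Parse the Feed, take its first Entry and validate it; inherit=False
    treats the Entry as standalone, so it must carry its own category."""
    feed = ET.fromstring(feed_xml)
    entry = feed.find("atom:entry", NS)
    return validate_swid_entry(entry, ET.fromstring(swid_xml),
                               feed if inherit else None)


if __name__ == "__main__":
    print(run_checks() or "SWID Tag Entry is valid")
```

   Running the checks with inherit=False shows the inheritance rule at
   work: the same Entry fails only the information-type condition,
   because a standalone Entry has to carry the category itself.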
6.2.  The Concise SWID format

6.2.1.  Description

   The Concise SWID (COSWID) format is an alternative representation of
   the SWID Tag format using a Concise Binary Object Representation
   (CBOR) encoding.  CBOR provides the format with a reduced size that
   is more suitable for constrained devices.  COSWID provides the same
   features and attributes as are specified in ISO 19770-2:2015, plus:

   o  a straightforward method to sign and encrypt using COSE, and

   o  additional attributes that provide an improved structure to
      include file hashes intended to be used as Reference Integrity
      Measurements (RIM).

   For more information and the complete specification, refer to the
   COSWID internet draft [I-D.ietf-sacm-coswid].

   [...]
   For an Entry to be considered as a "COSWID Tag Entry", it MUST
   fulfill the following conditions:

   o  The information-type of the Entry is "software-descriptor".  For a
      typical Entry, this is derived from the information-type of the
      Feed it is contained in.  For a standalone Entry, this is provided
      by an "atom:category" element.

   o  The document linked to by the "src" attribute of the
      "atom:content" element is a COSWID Tag per
      [I-D.ietf-sacm-coswid].

   A "COSWID Tag Entry" MUST conform to the following requirements:

   o  The value of the "type" attribute of the "atom:content" element
      MUST be "application/coswid+cbor".

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:content-id" and the "value"
      attribute exactly equal to the "tag-id" item in the attached
      COSWID Tag (map key 0).  This allows ROLIE consumers to search for
      COSWID Tags without needing to download the tag itself.

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:swd:swname", and the "value"
      attribute equal to the value of the "swid-name" item in the
      attached COSWID Tag (map key 1).  As above, this helps ROLIE
      consumers search and filter Entries.

   o  There MAY be a "rolie:property" with the "name" attribute equal to
      "urn:ietf:params:rolie:property:swd:swversion".  When this
      property appears, its value MUST be equal to the value of the
      "tag-version" item in the attached COSWID Tag (map key 12).
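   For a COSWID Tag Entry the same cross-check has to look inside CBOR
   rather than XML.  The Python below is an added example, not code from
   the draft or from any COSWID implementation.  It carries a minimal
   CBOR decoder (integers, strings, arrays and definite-length maps,
   which is all the checks here need; indefinite-length items, tags and
   floats are rejected as errors).  The sample tag is hand-encoded so
   the wire format is visible, and its example.com tag-id and name are
   constructed.  The parsed Atom Entry is passed in as a plain dict
   holding the effective information-type, the atom:content type and
   the rolie:property list, so the Atom parsing is not repeated.  One
   caveat a practitioner should know: in COSWID, key 12 ("tag-version")
   is the revision counter of the tag itself, while key 13
   ("software-version") carries the version of the software, which is
   what the SWID "version" attribute of Section 6.1.2 holds.  The code
   follows the text above and compares swversion with key 12, and marks
   where key 13 would be read instead.

```python
"""Check a ROLIE Entry against the "COSWID Tag Entry" rules of Section 6.2.2.
Added example, not part of the draft or of any COSWID implementation; the
sample tag is constructed and the example.com identifiers are placeholders."""

P_CONTENT_ID = "urn:ietf:params:rolie:property:content-id"
P_SWNAME = "urn:ietf:params:rolie:property:swd:swname"
P_SWVERSION = "urn:ietf:params:rolie:property:swd:swversion"
# COSWID integer map keys: tag-id, swid-name, tag-version, software-version.
K_TAG_ID, K_SWID_NAME, K_TAG_VERSION, K_SOFTWARE_VERSION = 0, 1, 12, 13


def _decode(b, i):
    """Decode one definite-length CBOR item at offset i -> (value, next offset)."""
    if i >= len(b):
        raise ValueError("truncated item")
    major, info = b[i] >> 5, b[i] & 0x1F
    i += 1
    if info < 24:                            # argument held in the initial byte
        n = info
    elif info <= 27:                         # 1, 2, 4 or 8 following bytes
        size = 1 << (info - 24)
        if len(b) - i < size:
            raise ValueError("truncated argument")
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite-length or reserved item")
    if major < 2:                            # unsigned / negative integer
        return (n if major == 0 else -1 - n), i
    if major in (2, 3):                      # byte string / text string
        if len(b) - i < n:
            raise ValueError("truncated string")
        chunk = b[i:i + n]
        return (chunk if major == 2 else chunk.decode("utf-8")), i + n
    if major == 4:                           # array
        items = []
        for _ in range(n):
            v, i = _decode(b, i)
            items.append(v)
        return items, i
    if major == 5:                           # map
        m = {}
        for _ in range(n):
            k, i = _decode(b, i)
            m[k], i = _decode(b, i)
        return m, i
    raise ValueError(f"unsupported major type {major}")  # tags, floats, simple


def cbor_decode(data):
    """Decode exactly one CBOR item; trailing bytes are an error."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after item")
    return value


def validate_coswid_entry(entry, coswid_bytes):
    """Return the Section 6.2.2 rules the Entry violates (empty = OK).
    entry is the parsed Atom Entry as {"information-type", "content-type",
    "properties": [(name, value), ...]}."""
    problems = []
    if entry["information-type"] != "software-descriptor":
        problems.append('information-type is not "software-descriptor"')
    if entry["content-type"] != "application/coswid+cbor":
        problems.append('atom:content type is not "application/coswid+cbor"')
    try:
        tag = cbor_decode(coswid_bytes)
    except ValueError as err:
        return problems + [f"content is not well-formed CBOR: {err}"]
    if not isinstance(tag, dict) or K_TAG_ID not in tag:
        return problems + ["content is not a COSWID map with a tag-id (key 0)"]
    tag_id = tag[K_TAG_ID]
    if isinstance(tag_id, bytes):            # assumption: a binary (UUID) tag-id
        tag_id = tag_id.hex()                # is matched against its hex form
    values = lambda name: [v for n, v in entry["properties"] if n == name]
    if values(P_CONTENT_ID) != [tag_id]:
        problems.append("content-id property missing, repeated or != tag-id")
    if values(P_SWNAME) != [tag.get(K_SWID_NAME)]:
        problems.append("swd:swname property missing, repeated or != swid-name")
    versions = values(P_SWVERSION)
    # The text binds swversion to tag-version (key 12); K_SOFTWARE_VERSION
    # (key 13) is the item that corresponds to the SWID "version" attribute.
    if versions and versions != [str(tag.get(K_TAG_VERSION))]:
        problems.append("swd:swversion property present but != tag-version")
    return problems


# Constructed sample tag, hand-encoded so the wire format is visible:
#   {0: "example.com-ExampleProduct-2.1.0", 1: "Example Product", 12: 0, 13: "2.1.0"}
SAMPLE_TAG = (b"\xa4"                                        # map of 4 pairs
              b"\x00\x78\x20" b"example.com-ExampleProduct-2.1.0"  # tag-id: text(32)
              b"\x01\x6f" b"Example Product"                 # swid-name: text(15)
              b"\x0c\x00"                                    # tag-version: 0
              b"\x0d\x65" b"2.1.0")                          # software-version
SAMPLE_ENTRY = {"information-type": "software-descriptor",
                "content-type": "application/coswid+cbor",
                "properties": [(P_CONTENT_ID, "example.com-ExampleProduct-2.1.0"),
                               (P_SWNAME, "Example Product"),
                               (P_SWVERSION, "0")]}  # tag-version, per the text
```

   validate_coswid_entry(SAMPLE_ENTRY, SAMPLE_TAG) returns an empty
   list; cutting bytes off the tag or changing the media type each
   produce one reported violation, and a consumer that stops at the
   first non-empty result never has to trust the rolie:property values
   of an Entry whose content it could not parse.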
7.  atom:link Extensions

   This section defines additional link relationships that
   implementations MUST support.  These relationships are not registered
   in the IANA Link Relation Types registry as their use case is too
   narrow.  Each relationship is named and described.

   These relations come in related pairs.  The first of each pair is
   expected to be more common, as it can be determined at the time that
   the Entry is created.  The second of each pair will often need to be
   added retroactively to an Entry.
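   Because the second relation of each pair is added after the fact, a
   Feed will often carry a forward link whose inverse has not been
   published yet, and a consumer that relies on either direction should
   check for that.  The Python below is an added example, not part of
   the draft: given the Entries of one Feed, it lists every paired link
   whose inverse is missing on the target Entry, and walks the
   "ancestor" chain of one Entry with cycle protection.  Entries are
   keyed by the URL that other Entries' atom:link href values point at,
   which is an assumption about how the publisher addresses its Entries;
   the example.com Feed is constructed.  Links to targets outside the
   Feed, and relations outside the four pairs in the table that follows,
   are not checked.

```python
"""Audit the paired atom:link relations of Section 7 across one ROLIE Feed.
Added example, not part of the draft.  Entries are keyed by the URL that
other Entries' atom:link href values point at (an assumption about how the
publisher addresses its Entries); the example.com feed below is constructed."""

# Forward relation -> its inverse, as listed in the table of Section 7.
PAIRS = {"ancestor": "descendent", "patches": "patchedby",
         "requires": "requiredBy", "installs": "installedBy"}
INVERSE = {**PAIRS, **{v: k for k, v in PAIRS.items()}}


def missing_reciprocals(entries):
    """entries: {entry_url: [(rel, href), ...]}.

    For every paired link whose target is itself in the Feed, check that the
    target carries the inverse link back.  Returns sorted
    (target_url, expected_rel, source_url) triples for the ones that do not.
    Targets outside the Feed and relations outside PAIRS are not checked."""
    missing = []
    for src, links in entries.items():
        for rel, href in links:
            expected = INVERSE.get(rel)
            if expected is None or href not in entries:
                continue
            if (expected, src) not in entries[href]:
                missing.append((href, expected, src))
    return sorted(missing)


def ancestry(entries, url):
    """Follow "ancestor" links from url back to the oldest linked version and
    return the URLs visited.  If an Entry links several ancestors the first is
    followed; a link to an Entry outside the Feed ends the chain with that URL
    included; a cycle is an error."""
    chain, seen, cur = [], {url}, url
    while True:
        ancestors = [h for r, h in entries.get(cur, []) if r == "ancestor"]
        if not ancestors:
            return chain
        nxt = ancestors[0]
        if nxt in seen:
            raise ValueError(f"ancestor cycle through {nxt}")
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt


# Constructed Feed: two product versions, a patch for the newer one, and a
# library the newer version depends on.
BASE = "https://rolie.example.com/swd/"
V1, V2 = BASE + "example-product-1.0.0", BASE + "example-product-2.1.0"
PATCH, LIB = BASE + "example-product-2.1.0-hotfix1", BASE + "example-lib-3.2"
FEED = {
    V1: [],                                    # never updated: lacks descendent
    V2: [("ancestor", V1), ("patchedby", PATCH), ("requires", LIB)],
    PATCH: [("patches", V2)],
    LIB: [],                                   # lacks requiredBy back to V2
}

if __name__ == "__main__":
    for target, rel, source in missing_reciprocals(FEED):
        print(f"{target} should link rel={rel} to {source}")
    print("ancestry of V2:", ancestry(FEED, V2))
```

   On the constructed Feed the audit reports that V1 lacks a
   "descendent" link to V2 and that the library lacks a "requiredBy"
   link back to V2, while the patches/patchedby pair is complete.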
   +----------------------+--------------------------------------------+
   | Name                 | Description                                |
   +----------------------+--------------------------------------------+
   | ancestor             | Links to a software descriptor resource    |
   |                      | that defines an ancestor of the software   |
   |                      | being described by this Entry. This is     |
   |                      | usually a previous version of the          |
   |                      | software.                                  |
   +----------------------+--------------------------------------------+
   | descendent           | Links to a software descriptor resource    |
   |                      | that defines a descendent of the software  |
   |                      | being described by this Entry. This is     |
   |                      | usually a more recent version or edition   |
   |                      | of the software.                           |
   +----------------------+--------------------------------------------+
   | patches              | Links to a software descriptor resource    |
   |                      | that defines the software being patched by |
   |                      | this software.                             |
   +----------------------+--------------------------------------------+
   | patchedby            | Links to a software descriptor resource    |
   |                      | that defines the patch or update itself    |
   |                      | that can be or has been applied to this    |
   |                      | software.                                  |
   +----------------------+--------------------------------------------+
   | requires             | Links to a software descriptor resource    |
   |                      | that defines a piece of software required  |
   |                      | for this software to function properly,    |
   |                      | i.e., a dependency.                        |
   +----------------------+--------------------------------------------+
   | requiredBy           | Links to a software descriptor resource    |
   |                      | that defines a piece of software that      |
   |                      | requires this software to function         |
   |                      | properly.                                  |
   +----------------------+--------------------------------------------+
   | installs             | Links to a software descriptor resource    |
   |                      | that defines the software that is          |
   |                      | installed by this software.                |
   +----------------------+--------------------------------------------+
   | installedBy          | Links to a software descriptor resource    |
   |                      | that defines the software package that     |
   |                      | installs this software.                    |
   +----------------------+--------------------------------------------+
   | patchesVulnerability | Links to a vulnerability that this         |
   |                      | software update fixes. Used for software   |
   |                      | descriptors that describe software patches |
   |                      | or updates.                                |
   +----------------------+--------------------------------------------+
   | hasVulnerability     | Links to a vulnerability description       |
   |                      | object that details a vulnerability that   |
   |                      | this software has.                         |
   +----------------------+--------------------------------------------+

        Table 1: Link Relations for Resource-Oriented Lightweight
                            Indicator Exchange
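   The paired nature of these relations means a repository can check
   whether the reciprocal half of each pair has been added to the
   target Entry yet.  The following Python is an added example, not
   code from the draft or from any ROLIE implementation.  It assumes
   the relation names in Table 1 are used directly as Atom <link
   rel="..."> values, that each Entry's <id> is the URI other Entries
   point at, and it operates on a constructed sample feed; the
   vulnerability relations point at non-descriptor resources and so
   have no reciprocal to derive.

```python
"""Derive the reciprocal ROLIE software-descriptor link relations.

Added example, not part of the draft. Assumes the Table 1 relation names
are used verbatim as Atom <link rel="..."> values and that an Entry's <id>
is the URI other Entries link to. SAMPLE_FEED is constructed test data.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Forward relation -> reciprocal relation, following the pairs in Table 1.
PAIRS = {
    "ancestor": "descendent",
    "patches": "patchedby",
    "requires": "requiredBy",
    "installs": "installedBy",
}
# Lookup in both directions so either half of a pair implies the other.
INVERSE = dict(PAIRS, **{v: k for k, v in PAIRS.items()})

# Constructed sample feed (hypothetical example.org identifiers).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <id>http://www.example.org/rolie/SWD/app-1.0</id>
    <title>Example App 1.0</title>
  </entry>
  <entry>
    <id>http://www.example.org/rolie/SWD/app-1.1</id>
    <title>Example App 1.1</title>
    <link rel="ancestor" href="http://www.example.org/rolie/SWD/app-1.0"/>
    <link rel="requires" href="http://www.example.org/rolie/SWD/libfoo-2"/>
  </entry>
  <entry>
    <id>http://www.example.org/rolie/SWD/app-1.1-patch1</id>
    <title>Example App 1.1 patch 1</title>
    <link rel="patches" href="http://www.example.org/rolie/SWD/app-1.1"/>
    <link rel="patchesVulnerability"
          href="http://www.example.org/rolie/vuln/EXAMPLE-0001"/>
  </entry>
  <entry>
    <id>http://www.example.org/rolie/SWD/libfoo-2</id>
    <title>libfoo 2</title>
    <link rel="requiredBy" href="http://www.example.org/rolie/SWD/app-1.1"/>
  </entry>
</feed>
"""


def parse_links(feed_xml):
    """Return the set of (entry_id, rel, href) triples found in the feed."""
    root = ET.fromstring(feed_xml)
    links = set()
    for entry in root.iter(ATOM + "entry"):
        entry_id = entry.findtext(ATOM + "id")
        for link in entry.findall(ATOM + "link"):
            links.add((entry_id, link.get("rel"), link.get("href")))
    return links


def missing_reciprocals(links):
    """Triples the *target* Entry should carry but does not yet.

    For every link whose relation belongs to a Table 1 pair, the
    reciprocal (target, inverse-rel, source) is expected to exist; the
    ones that do not are the links to add retroactively.
    """
    missing = set()
    for src, rel, target in links:
        inv = INVERSE.get(rel)
        if inv and (target, inv, src) not in links:
            missing.add((target, inv, src))
    return missing


if __name__ == "__main__":
    for entry_id, rel, href in sorted(missing_reciprocals(parse_links(SAMPLE_FEED))):
        print(f'{entry_id}: add <link rel="{rel}" href="{href}"/>')
```

   Run against the sample feed, the script reports that the 1.0 Entry
   lacks its "descendent" link and the 1.1 Entry lacks its "patchedby"
   link, while the requires/requiredBy pair is already complete.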
8.  IANA Considerations

   [...]

   Subregistry: None

9.  Security Considerations

   Use of this extension implies dealing with the security implications
   of both ROLIE and of software descriptors in general.  As with any
   data, care should be taken to verify the trustworthiness and veracity
   of the descriptor information to the fullest extent possible.
   Ideally, software descriptors should be signed by the software
   manufacturer, or signed by whichever agent processed the source code.
   Software descriptor documents from these sources are more likely to
   be accurate than those generated by scraping installed software.
   These "authoritative" sources of software descriptor content should
   consider additional security for their ROLIE repository beyond the
   typical recommendations, as the central importance of the repository
   is likely to make it a target.

   Version information is often represented differently across
   manufacturers and even across product releases.  If using software
   version information for low fault tolerance comparisons and searches,
   care should be taken that the correct version scheme is being used.
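   The version-scheme caveat is easy to see in code.  The following
   Python is an added example, not part of the draft: it compares two
   version strings under an explicitly chosen scheme and shows that the
   same pair of versions can sort in opposite orders, which is exactly
   the failure mode of a "which installed versions are still affected"
   search.  The scheme names are modeled on the versionScheme vocabulary
   SWID tags carry (multipartnumeric, alphanumeric, semver); the
   comparators themselves are this example's own simplified reading of
   those schemes and the version strings are constructed.

```python
"""Version comparison under an explicit version scheme.

Added example, not part of the draft. Scheme names are modeled on the SWID
versionScheme vocabulary; each comparator is this example's own simplified
interpretation, and all version strings below are constructed.
"""
import re

# semver 2.0.0 shape: MAJOR.MINOR.PATCH[-prerelease][+build]
_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def _multipart_key(v):
    """multipartnumeric: dot-separated integers compared numerically."""
    return tuple(int(part) for part in v.split("."))


def _semver_key(v):
    """semver: numeric core, pre-release sorts before release, build ignored."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        pre_key = (1,)          # a release outranks any pre-release
    else:
        idents = []
        for ident in pre.split("."):
            # numeric identifiers sort before alphanumeric ones
            idents.append((0, int(ident), "") if ident.isdigit() else (1, 0, ident))
        pre_key = (0, tuple(idents))
    return (int(major), int(minor), int(patch), pre_key)


KEYS = {
    "multipartnumeric": _multipart_key,
    "semver": _semver_key,
    "alphanumeric": lambda v: v,   # plain lexical (code point) order
}


def compare(a, b, scheme):
    """Return -1, 0 or 1 as a is before, equal to, or after b under scheme."""
    key = KEYS[scheme]
    ka, kb = key(a), key(b)
    return (ka > kb) - (ka < kb)


def is_affected(installed, fixed_in, scheme):
    """True when the installed version predates the version carrying the fix."""
    return compare(installed, fixed_in, scheme) < 0


if __name__ == "__main__":
    for scheme in ("multipartnumeric", "alphanumeric"):
        print(scheme, "1.10 vs 1.9 ->", compare("1.10", "1.9", scheme))
```

   With the correct multipartnumeric scheme, an installed 1.10 is newer
   than a fix shipped in 1.9 and is not affected; treating the same
   strings as alphanumeric reverses the order and flags the host as
   vulnerable.  The semver comparator additionally illustrates that
   pre-release builds predate their release and that build metadata
   does not participate in ordering.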
10.  Normative References

   [I-D.ietf-sacm-coswid]
              Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
              Waltermire, "Concise Software Identification Tags", draft-
              ietf-sacm-coswid-10 (work in progress), June 2019.

   [NISTIR8060]
              Waltermire, D., Cheikes, B., Feldman, L., and G. Witte,
              "Guidelines for the Creation of Interoperable Software
              Identification (SWID) Tags", NISTIR 8060, April 2016,
              <https://doi.org/10.6028/NIST.IR.8060>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [...]

              DOI 10.17487/RFC5070, December 2007,
              <https://www.rfc-editor.org/info/rfc5070>.

   [RFC8322]  Field, J., Banghart, S., and D. Waltermire, "Resource-
              Oriented Lightweight Information Exchange (ROLIE)",
              RFC 8322, DOI 10.17487/RFC8322, February 2018,
              <https://www.rfc-editor.org/info/rfc8322>.

   [SWID]     "Information technology - Software asset management - Part
              2: Software identification tag", ISO/IEC 19770-2:2015,
              October 2015, <https://www.iso.org/standard/65666.html>.
Appendix A.  Schema

   This document does not require any schema extensions.

Appendix B.  Examples of Use

   Use of this extension in a ROLIE repository will not typically change
   that repository's operation.  As such, the general examples provided
   by the ROLIE core document would serve as examples.  Provided below

   [...]

             term="software-descriptor"/>
           <rolie:format
             ns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"/>
           <content type="application/xml"
             src="http://www.example.org/rolie/SWD/123456/data"/>
         </entry>
Authors' Addresses

   Stephen Banghart
   NIST
   100 Bureau Drive
   Gaithersburg, Maryland 20877
   USA

   Email: stephen.banghart@nist.gov


   David Waltermire
   NIST
   100 Bureau Drive
   Gaithersburg, Maryland 20877
   USA

   Email: david.waltermire@nist.gov