Skip to main content

Early Review of draft-ietf-opsawg-sbom-access-03
review-ietf-opsawg-sbom-access-03-opsdir-early-comstedt-2021-12-19-00

Request Review of draft-ietf-opsawg-sbom-access-02
Requested revision 02 (document currently at 18)
Type Early Review
Team Ops Directorate (opsdir)
Deadline 2021-12-20
Requested 2021-12-03
Requested by Henk Birkholz
Authors Eliot Lear , Scott Rose
I-D last updated 2021-12-19
Completed reviews Secdir Early review of -09 by Christian Huitema (diff)
Yangdoctors Early review of -02 by Ebben Aries (diff)
Genart Early review of -03 by Russ Housley (diff)
Opsdir Early review of -03 by Niclas Comstedt (diff)
Secdir Last Call review of -14 by Christian Huitema (diff)
Assignment Reviewer Niclas Comstedt
State Completed
Request Early review on draft-ietf-opsawg-sbom-access by Ops Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/ops-dir/oFKzdIzmH3jJ9fCNBvjuq-ez2PE
Reviewed revision 03 (document currently at 18)
Result Has nits
Completed 2021-12-19
review-ietf-opsawg-sbom-access-03-opsdir-early-comstedt-2021-12-19-00
This is an OPS-DIR review of "Discovering and Retrieving Software Transparency
and Vulnerability Information" <draft-ietf-opsawg-sbom-access-03>.

This document outlines a model to help discover and retrieve Software and/or
Vulnerability info from devices in an automated way.

I don't have any real operational concerns but have a few comments and
questions.

- I realize the point about vulnerabilities info having a different change rate
than software but why not include support to retrieve vulnerabilities from the
endpoint? Part of this question is driven by that I find the document
inconsistent and slightly confusing in the retrieval distinction

- What is the reason for not having a well known endpoint for the vulnerability
info? I can see that it sometimes is not as clear and useful as the SBOM,
especially with the endpoint retrieval not supported, but wondering if there is
more to it than that?

- In the security section is firmware and software used somewhat
interchangeably? Trying to understand if something specific is meant with the
current wording that I'm not seeing. Also I'm not sure the skewing example
makes sense. I would think it would be very common that a mfr updates the SBOM
on it's server and hence you would often get this mismatch unless you query the
device in question before applying anything to it

/nco