Early Review of draft-ietf-opsawg-sbom-access-03
review-ietf-opsawg-sbom-access-03-opsdir-early-comstedt-2021-12-19-00
| Request | Review of draft-ietf-opsawg-sbom-access-02 |
|---|---|
| Requested revision | 02 (document currently at 18) |
| Type | Early Review |
| Team | Ops Directorate (opsdir) |
| Deadline | 2021-12-20 |
| Requested | 2021-12-03 |
| Requested by | Henk Birkholz |
| Authors | Eliot Lear, Scott Rose |
| I-D last updated | 2021-12-19 |
| Completed reviews | Secdir Early review of -09 by Christian Huitema; Yangdoctors Early review of -02 by Ebben Aries; Genart Early review of -03 by Russ Housley; Opsdir Early review of -03 by Niclas Comstedt; Secdir Last Call review of -14 by Christian Huitema |

| Assignment | Reviewer: Niclas Comstedt |
|---|---|
| State | Completed |
| Request | Early review on draft-ietf-opsawg-sbom-access by Ops Directorate (Assigned) |
| Posted at | https://mailarchive.ietf.org/arch/msg/ops-dir/oFKzdIzmH3jJ9fCNBvjuq-ez2PE |
| Reviewed revision | 03 (document currently at 18) |
| Result | Has nits |
| Completed | 2021-12-19 |
This is an OPS-DIR review of "Discovering and Retrieving Software Transparency and Vulnerability Information" <draft-ietf-opsawg-sbom-access-03>. This document outlines a model to help discover and retrieve software and/or vulnerability info from devices in an automated way. I don't have any real operational concerns but have a few comments and questions.

- I realize the point about vulnerability info having a different change rate than software, but why not include support to retrieve vulnerabilities from the endpoint? Part of this question is driven by the fact that I find the document inconsistent and slightly confusing in the retrieval distinction.

- What is the reason for not having a well-known endpoint for the vulnerability info? I can see that it is sometimes not as clear and useful as the SBOM, especially with endpoint retrieval not supported, but I'm wondering if there is more to it than that?

- In the security section, are firmware and software used somewhat interchangeably? I'm trying to understand if something specific is meant with the current wording that I'm not seeing. Also, I'm not sure the skewing example makes sense. I would think it would be very common that a manufacturer updates the SBOM on its server, and hence you would often get this mismatch unless you query the device in question before applying anything to it.

/nco