Last Call Review of draft-ietf-sacm-coswid-18
review-ietf-sacm-coswid-18-artart-lc-salz-2021-08-02-00
Request | Review of | draft-ietf-sacm-coswid |
---|---|---|
Requested revision | No specific revision (document currently at 24) | |
Type | Last Call Review | |
Team | ART Area Review Team (artart) | |
Deadline | 2021-08-09 | |
Requested | 2021-07-26 | |
Authors | Henk Birkholz, Jessica Fitzgerald-McKay, Charles Schmidt, David Waltermire | |
I-D last updated | 2021-08-02 | |
Completed reviews | Artart Last Call review of -18 by Rich Salz; Opsdir Last Call review of -18 by Scott O. Bradner; Secdir Last Call review of -18 by Robert Sparks; Secdir Telechat review of -20 by Robert Sparks | |
Assignment | Reviewer | Rich Salz |
State | Completed | |
Request | Last Call review on draft-ietf-sacm-coswid by ART Area Review Team Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/art/adGh-_pOSDVJObN06Qps2Scilts | |
Reviewed revision | 18 (document currently at 24) | |
Result | Ready w/nits | |
Completed | 2021-08-02 |
I am the ART directorate reviewer for this document. The comments are mainly for the ADs, but others should treat them like any other last-call comments.

I did not shell out the 187 CHF for the SWID specification. Kudos to the authors for doing something that seems (claims?) to be compatible, in an infoset way, and is also much more compact.

A couple of minor things.

In 2.3, why are there three separate bools for corpus/patch/supplemental as opposed to a single enumeration?

Can the tag-id be a digest of the source file? What are the implications of it not being unique? That should be listed in the security considerations.

The expert review guidelines seem like "specification required" with some additional requirements on things like what the specification must say.

I was surprised to see Carsten's full contact information given, as if he were a co-author.