Last Call Review of draft-ietf-sacm-coswid-18
review-ietf-sacm-coswid-18-artart-lc-salz-2021-08-02-00
Request | Review of | draft-ietf-sacm-coswid
---|---|---
 | Requested revision | No specific revision (document currently at 22)
 | Type | Last Call Review
 | Team | ART Area Review Team (artart)
 | Deadline | 2021-08-09
 | Requested | 2021-07-26
 | Authors | Henk Birkholz, Jessica Fitzgerald-McKay, Charles Schmidt, David Waltermire
 | Draft last updated | 2021-08-02
 | Completed reviews | Artart Last Call review of -18 by Rich Salz; Opsdir Last Call review of -18 by Scott O. Bradner; Secdir Last Call review of -18 by Robert Sparks; Secdir Telechat review of -20 by Robert Sparks
Assignment | Reviewer | Rich Salz
 | State | Completed
 | Review | review-ietf-sacm-coswid-18-artart-lc-salz-2021-08-02
 | Posted at | https://mailarchive.ietf.org/arch/msg/art/adGh-_pOSDVJObN06Qps2Scilts
 | Reviewed revision | 18 (document currently at 22)
 | Result | Ready with Nits
 | Completed | 2021-08-02
I am the ART directorate reviewer for this document. The comments are mainly for the ADs, but others should treat them like any other last-call comments.

I did not shell out the 187 CHF for the SWID specification. Kudos to the authors for doing something that seems (claims?) to be compatible, in an infoset way, and is also much more compact.

A couple of minor things.

In 2.3, why are there three separate bools for corpus/patch/supplemental as opposed to a single enumeration?

Can the tag-id be a digest of the source file? What are the implications of it not being unique? That should be listed in the security considerations.

The expert review guidelines seem like "specification required" with some additional requirements on things like what the specification must say.

I was surprised to see Carsten's full contact information given, as if he were a co-author.