Last Call Review of draft-ietf-sacm-coswid-18
review-ietf-sacm-coswid-18-opsdir-lc-bradner-2021-08-07-00

Request Review of draft-ietf-sacm-coswid
Requested revision No specific revision (document currently at 22)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2021-08-09
Requested 2021-07-26
Authors Henk Birkholz , Jessica Fitzgerald-McKay , Charles Schmidt , David Waltermire
Draft last updated 2021-08-07
Completed reviews Artart Last Call review of -18 by Rich Salz (diff)
Opsdir Last Call review of -18 by Scott O. Bradner (diff)
Secdir Last Call review of -18 by Robert Sparks (diff)
Secdir Telechat review of -20 by Robert Sparks (diff)
Assignment Reviewer Scott O. Bradner
State Completed
Review review-ietf-sacm-coswid-18-opsdir-lc-bradner-2021-08-07
Posted at https://mailarchive.ietf.org/arch/msg/ops-dir/JNsGDbELO7tLT8USpC67afKDiIM
Reviewed revision 18 (document currently at 22)
Result Has Nits
Completed 2021-08-07
This is an OPS-DIR review of Concise Software Identification Tags

This ID describes a concise representation of ISO Software Identification Tags
and extensions to allow identification of additional types of information.

The document is well written and easy to follow, and, as it should be
considering the number of revisions, a mature document.

I will say that I would not have expected that this much effort would have been
applied to this specific problem (reducing the size of SWID repositories) in
this day and age of cheap & big storage and where low speed nets are not all
that slow - but I guess a bunch of people felt it was worthwhile.

I am not sure whether this is a nit or not, but it seems that the use of the terms
"SWID" and "CoSWID" is not consistent, for example in the following:
   CoSWID tags are intended to be easily discoverable by authorized
   applications and users on an endpoint in order to make it easy to
   determine the tagged software load.  Access to the collection of an
   endpoint's SWID tags needs to be appropriately controlled to
   authorized applications and users using an appropriate access control
   mechanism.

I am not sure why "SWID" is used in the second case - if that is purposeful,
then I missed the explanation of the difference.

Along the same lines, it would seem to me that the IANA repository should be at
https://www.iana.org/assignments/coswid (or co_swid), not
https://www.iana.org/assignments/swid.

Otherwise, nice work (even if I do not understand the "why").

Scott