Last Call Review of draft-ietf-sacm-coswid-18
review-ietf-sacm-coswid-18-opsdir-lc-bradner-2021-08-07-00
Request | Review of | draft-ietf-sacm-coswid |
---|---|---|
Requested revision | No specific revision (document currently at 24) | |
Type | Last Call Review | |
Team | Ops Directorate (opsdir) | |
Deadline | 2021-08-09 | |
Requested | 2021-07-26 | |
Authors | Henk Birkholz, Jessica Fitzgerald-McKay, Charles Schmidt, David Waltermire | |
I-D last updated | 2021-08-07 | |
Completed reviews | Artart Last Call review of -18 by Rich Salz (diff); Opsdir Last Call review of -18 by Scott O. Bradner (diff); Secdir Last Call review of -18 by Robert Sparks (diff); Secdir Telechat review of -20 by Robert Sparks (diff) | |
Assignment | Reviewer | Scott O. Bradner |
State | Completed | |
Request | Last Call review on draft-ietf-sacm-coswid by Ops Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/ops-dir/JNsGDbELO7tLT8USpC67afKDiIM | |
Reviewed revision | 18 (document currently at 24) | |
Result | Has nits | |
Completed | 2021-08-07 |
This is an OPS-DIR review of Concise Software Identification Tags

This ID describes a concise representation of ISO Software Identification Tags and extensions to allow identification of additional types of information.

The document is well written and easy to follow, and, as it should be considering the number of revisions, a mature document.

I will say that I would not have expected that this much effort would have been applied to this specific problem (reducing the size of SWID repositories) in this day and age of cheap & big storage and where low speed nets are not all that slow - but I guess a bunch of people felt it was worth while

I am not sure this is a nit or not, but it seems like the use of the terms "SWID" and "CoSWID" is not consistent for example in the following:

   CoSWID tags are intended to be easily discoverable by authorized applications and users on an endpoint in order to make it easy to determine the tagged software load. Access to the collection of an endpoint's SWID tags needs to be appropriately controlled to authorized applications and users using an appropriate access control mechanism.

I am not sure why "SWID" is used in the second case - if that is purposeful then I missed the explanation of the difference

along the same line - it would seem to me that the IANA repository should be at https://www.iana.org/assignments/coswid (or co_swid) not https://www.iana.org/assignments/swid

otherwise, nice work (even if I do not understand the "why")

Scott