Last Call Review of draft-ietf-sacm-coswid-18
review-ietf-sacm-coswid-18-opsdir-lc-bradner-2021-08-07-00

This is an OPS-DIR review of Concise Software Identification Tags

This ID describes a concise representation of ISO Software Identification Tags
and extensions to allow identification of additional types of information.

The document is well written and easy to follow, and, as it should be
considering the number of revisions, a mature document.

I will say that I would not have expected that this much effort would have been
applied to this specific problem (reducing the size of SWID repositories) in
this day and age of cheap & big storage and where low speed nets are not all
that slow - but I guess a bunch of people felt it was worth while

I am not sure this is a nit or not, but it seems like the use of the terms
"SWID" and "CoSWID" is not consistent for example in the following:
   CoSWID tags are intended to be easily discoverable by authorized
   applications and users on an endpoint in order to make it easy to
   determine the tagged software load.  Access to the collection of an
   endpoint's SWID tags needs to be appropriately controlled to
   authorized applications and users using an appropriate access control
   mechanism.

I am not sure why "SWID" is used in the second case - if that is purposeful
then I missed the explanation of the difference

along the same line - it would seem to me that the IANA repository should be at
https://www.iana.org/assignments/coswid  (or co_swid) not
https://www.iana.org/assignments/swid

otherwise, nice work (even if I do not understand the "why")

Scott