| SACM Working Group | D. Waltermire |
| Internet-Draft | S. Banghart |
| Intended status: Informational | National Institute of Standards and Technology |
| Expires: September 23, 2018 | March 22, 2018 |
Definition of the ROLIE Software Descriptor Extension
draft-ietf-sacm-rolie-softwaredescriptor-02
This document extends the Resource-Oriented Lightweight Information Exchange (ROLIE) core to add the information type category and related requirements needed to support Software Record and Software Inventory use cases. The 'software-descriptor' information type is defined as a ROLIE extension. Additional supporting requirements are also defined that describe the use of specific formats and link relations pertaining to the new information type.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 23, 2018.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document defines an extension to the Resource-Oriented Lightweight Information Exchange (ROLIE) [RFC8322] protocol to support the publication of software descriptor information. Software descriptor information is information that characterizes:
Software descriptor information includes identifying, versioning, software creation and publication, and file artifact information. Software descriptor information provides data about what might be installed, but doesn't describe where or how a specific software installation is installed, configured, or executed.
Some possible use cases for Software descriptor information include:
This document supports these use cases by describing the content requirements for Collections and Entries of software descriptor information that are to be published to or retrieved from a ROLIE repository. This document also discusses requirements around the use of atom:link and rolie:format.
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [RFC5070].
This document defines the following information type[s]:
The "software-descriptor" information type represents any information that describes a piece of software. This document uses the definition of software provided by [RFC4949]. Note that as per this definition, this information type pertains to static software, that is, code on the disc. The software-descriptor information type is intended to provide a category for information that does one or more of the following:
Provided below is a non-exhaustive list of information that may be considered to be of a software-descriptor information type.
Note again that this list is not exhaustive, any information that in is the abstract realm of an incident should be classified under this information-type.
This information type does not include descriptions of running software, or state and configuration information that is associated with a software installation.
This document registers new valid rolie:property names as follows:
This property provides an exposure point for an identification field from the associated software descriptor. The value of this property SHOULD be uniquely identifying information generated from the software descriptor linked to by the entry's atom:content element. swd:id property values SHOULD have a one-to-one mapping to individual pieces of SWD content.
This property provides an exposure point for the plain text name of the software being described. Due to the great variance in naming schemes, this property should be considered informative.
This section defines usage guidance and additional requirements on the rolie:format element above and beyond those specified in RFC8322. The following formats are expected to be commonly used to express software descriptor information. For this reason, this document specifies additional requirements to ensure interoperability.
ISO/IEC 19770-2:2015 defines a software record data format refered to as a "SWID Tag". It provides several tag types:
For a more complete overview as well as normative requirements, refer to ISO/IEC 19770-2:2015 [SWID].
For additional requirements and guidance around creation of SWID Tags, consult NIST Internal Report 8060 [NISTIR8060].
For an Entry to be considered as a "SWID Tag Entry", it MUST fulfill the following conditions:
A "SWID Tag Entry" MUST conform to the following requirements:
The Concise SWID (COSWID) format is an alternative representation of the SWID Tag format using a Concise Binary Object Representation (CBOR) encoding. This provides the format with a reduced size that is more sutiable for constrained devices. It provides the same features and attributes as are specified in ISO 19770-2:2015, plus:
For more information and the complete specification, refer to the COSWID internet draft [I-D.ietf-sacm-coswid].
For an Entry to be considered as a "COSWID Tag Entry", it MUST fulfill the following conditions:
A "COSWID Tag Entry" MUST conform to the following requirements:
This section defines additonal link relationships that implementations MUST support. These relationships are not registed in the Link Relation IANA table as their use case is too narrow. Each relationship is named and described.
| Name | Description |
|---|---|
| ancestor | Links to a software descriptor resource that defines an ancestor of the software being described by this Entry. This is usually a previous version of the software. |
| patches | Links to a software descriptor resource that defines the software being patched by this software |
| requires | Links to a software descriptor resource that defines a piece of software required for this software to function properly, i.e., a dependencecy. |
| installs | Links to a software descriptor resource that defines the software that is installed by this software. |
| installationrecord | Links to a software descriptor resource that defines the software package that installs this software. |
This document registers a MIME Type for the SWID Tag format. The registration is as follows
MIME media type name: application
MIME subtype name: swid2015+xml
Mandatory parameters: None.
Optional parameters: "charset": This parameter has semantics identical to the charset parameter of the "application/xml" media type as specified in [RFC3023].
Encoding considerations: Identical to those of "application/xml" as described in [RFC3023], Section 3.2.
Security considerations: As defined in this specification, and in [RFC8322]. In addition, as this media type uses the "+xml" convention, it shares the same security considerations as described in [RFC3023], Section 10.
Interoperability considerations: There are no known interoperability issues.
Published specification: This specification.
Applications that use this media type: No known applications currently use this media type.
Additional information:
Magic number(s): As specified for "application/xml" in [RFC3023], Section 3.2.
File extension: .swidtag
Fragment identifiers: As specified for "application/xml" in [RFC3023], Section 5.
Base URI: As specified in [RFC3023], Section 6.
Macintosh File Type code: TEXT
Person and email address to contact for further information: Stephen Banghart <stephen.banghart@nist.gov>
Intended usage: COMMON
Author/Change controller: IESG
IANA has added an entry to the "ROLIE Security Resource Information Type Sub-Registry" registry located at <https://www.iana.org/assignments/rolie/category/information-type> .
The entry is as follows:
IANA has added an entry to the "ROLIE URN Parameters" registry located in <https://www.iana.org/assignments/rolie/>.
The entry is as follows:
IANA has added an entry to the "ROLIE URN Parameters" registry located in <https://www.iana.org/assignments/rolie/>.
The entry is as follows:
Use of this extension implies dealing with the security implications of both ROLIE and of software descriptors in general. As with any SWD information, care should be taken to verify the trustworthiness and veracity of the descriptor information to the fullest extent possible.
Ideally, software descriptors should have been signed by the software manufacturer, or signed by whichever agent processed the source code. SWD documents from these sources are more likely to be accurate than those generated by scraping installed software.
These "authoritative" sources of SWD content should consider additional security for their ROLIE repository beyond the typical recommendations, as the central importance of the repository is likely to make it a target.
Version information is often represented differently across manufacturers and even across product releases. If using SWD version information for low fault tolerance comparisons and searches, care should be taken that the correct version scheme is being utilized.
This extension does not introduce any privacy considerations above or beyond that of the core ROLIE document. Any implementations using this extension should understand the privacy considerations of ROLIE and the Atom Publishing Protocol.
This document does not require any schema extensions.
Use of this extension in a ROLIE repository will not typically change that repository's operation. As such, the general examples provided by the ROLIE core document would serve as examples. Provided below is a sample SWD ROLIE entry:
<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="http://www.w3.org/2005/Atom"
xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
<id>dd786dba-88e6-440b-9158-b8fae67ef67c</id>
<title>Sample Software Descriptor</title>
<published>2015-08-04T18:13:51.0Z</published>
<updated>2015-08-05T18:13:51.0Z</updated>
<summary>A descriptor for a piece of software published by this
organization. </summary>
<link rel="self" href="http://www.example.org/provider/SWD/123456"/>
<category
scheme="urn:ietf:params:rolie:category:information-type"
term="software-descriptor"/>
<rolie:format ns="urn:example:COSWID"/>
<content type="application/xml"
src="http://www.example.org/provider/SWD/123456/data"/>
</entry>