Diff: rfc9393v5.txt - rfc9393.txt

	rfc9393v5.txt	rfc9393.txt

	Internet Engineering Task Force (IETF) H. Birkholz	Internet Engineering Task Force (IETF) H. Birkholz
	Request for Comments: 9393 Fraunhofer SIT	Request for Comments: 9393 Fraunhofer SIT
	Category: Standards Track J. Fitzgerald-McKay	Category: Standards Track J. Fitzgerald-McKay
	ISSN: 2070-1721 National Security Agency	ISSN: 2070-1721 National Security Agency
	C. Schmidt	C. Schmidt
	The MITRE Corporation	The MITRE Corporation
	D. Waltermire	D. Waltermire
	NIST	NIST

	May 2023	June 2023

	Concise Software Identification Tags	Concise Software Identification Tags

	Abstract	Abstract

	ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an	ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an
	extensible XML-based structure to identify and describe individual	extensible XML-based structure to identify and describe individual
	software components, patches, and installation bundles. SWID tag	software components, patches, and installation bundles. SWID tag
	representations can be too large for devices with network and storage	representations can be too large for devices with network and storage
	constraints. This document defines a concise representation of SWID	constraints. This document defines a concise representation of SWID

	skipping to change at line 1064 ¶	skipping to change at line 1064 ¶
	to registered entries in the "Software ID Link Relationship	to registered entries in the "Software ID Link Relationship
	Values" registry.	Values" registry.

	media-type (index 41): Supplies the resource consumer with a hint	media-type (index 41): Supplies the resource consumer with a hint
	regarding what type of resource to expect. A link can point to	regarding what type of resource to expect. A link can point to
	arbitrary resources on the endpoint, local network, or Internet	arbitrary resources on the endpoint, local network, or Internet
	using the href item. (This is a _hint_: there is no obligation	using the href item. (This is a _hint_: there is no obligation
	for the server hosting the target of the URI to use the indicated	for the server hosting the target of the URI to use the indicated
	media type when the URI is dereferenced.) Media types are	media type when the URI is dereferenced.) Media types are
	identified by referencing a "Name" from the IANA "Media Types"	identified by referencing a "Name" from the IANA "Media Types"

	registry (see <http://www.iana.org/assignments/media-types/>).	registry (see <https://www.iana.org/assignments/media-types/>).
	This item maps to '/SoftwareIdentity/Link/@type' in [SWID].	This item maps to '/SoftwareIdentity/Link/@type' in [SWID].

	use (index 42): An integer or textual value (integer label with text	use (index 42): An integer or textual value (integer label with text
	escape; see Section 2). See Section 4.5 for the list of values	escape; see Section 2). See Section 4.5 for the list of values
	available for this item. This item is used to determine if the	available for this item. This item is used to determine if the
	referenced software component has to be installed before	referenced software component has to be installed before
	installing the software component identified by the CoSWID tag.	installing the software component identified by the CoSWID tag.
	If an integer value is used, it MUST be an index value in the	If an integer value is used, it MUST be an index value in the
	range -256 to 255. Integer values in the range -256 to -1 are	range -256 to 255. Integer values in the range -256 to -1 are
	reserved for testing and use in closed environments (see	reserved for testing and use in closed environments (see

	skipping to change at line 1243 ¶	skipping to change at line 1243 ¶

	$$software-meta-extension: A CDDL socket that can be used to extend	$$software-meta-extension: A CDDL socket that can be used to extend
	the software-meta-entry group model. See Section 2.2.	the software-meta-entry group model. See Section 2.2.

	2.9. The Resource Collection Definition	2.9. The Resource Collection Definition

	2.9.1. The hash-entry Array	2.9.1. The hash-entry Array

	CoSWID adds explicit support for the representation of hash entries	CoSWID adds explicit support for the representation of hash entries
	using algorithms that are registered in the IANA "Named Information	using algorithms that are registered in the IANA "Named Information

	Hash Algorithm Registry" [IANA.named-information] using the hash	Hash Algorithm Registry" [IANA.named-information]. This array is
	member (index 7) and the corresponding hash-entry type. This is the	used by both the hash (index 7) and thumbprint (index 34) values.
	equivalent of the namespace qualified "hash" attribute in [SWID].	This is the equivalent of the namespace qualified "hash" attribute in
		[SWID].

	hash-entry = [	hash-entry = [
	hash-alg-id: int,	hash-alg-id: int,
	hash-value: bytes,	hash-value: bytes,
	]	]

	The number used as a value for hash-alg-id is an integer-based hash	The number used as a value for hash-alg-id is an integer-based hash
	algorithm identifier whose value MUST refer to an ID in the IANA	algorithm identifier whose value MUST refer to an ID in the IANA
	"Named Information Hash Algorithm Registry" [IANA.named-information]	"Named Information Hash Algorithm Registry" [IANA.named-information]
	with a Status of "current" (at the time the generator software was	with a Status of "current" (at the time the generator software was

	skipping to change at line 1324 ¶	skipping to change at line 1325 ¶
	* $$process-extension,	* $$process-extension,
	global-attributes,	global-attributes,
	}	}

	resource-entry = {	resource-entry = {
	type => text,	type => text,
	* $$resource-extension,	* $$resource-extension,
	global-attributes,	global-attributes,
	}	}


		hash = 7
	directory = 16	directory = 16
	file = 17	file = 17
	process = 18	process = 18
	resource = 19	resource = 19
	size = 20	size = 20
	file-version = 21	file-version = 21
	key = 22	key = 22
	location = 23	location = 23
	fs-name = 24	fs-name = 24
	root = 25	root = 25

	skipping to change at line 1349 ¶	skipping to change at line 1351 ¶
	The following list describes each member of the groups and maps	The following list describes each member of the groups and maps
	illustrated above.	illustrated above.

	filesystem-item: A list of common items used for representing the	filesystem-item: A list of common items used for representing the
	filesystem root, relative location, name, and significance of a	filesystem root, relative location, name, and significance of a
	file or directory item.	file or directory item.

	global-attributes: The global-attributes group as described in	global-attributes: The global-attributes group as described in
	Section 2.5.	Section 2.5.


	hash (index 7): A hash of the file as described in Section 2.9.1.	hash (index 7): Value that provides a hash of a file. This item
		provides an integrity measurement with respect to a specific file.
		See Section 2.9.1 for more details on the use of the hash-entry
		data structure.

	directory (index 16): Item that allows child directory and file	directory (index 16): Item that allows child directory and file
	items to be defined within a directory hierarchy for the software	items to be defined within a directory hierarchy for the software
	component.	component.

	file (index 17): Item that allows details about a file to be	file (index 17): Item that allows details about a file to be
	provided for the software component.	provided for the software component.

	process (index 18): Item that allows details to be provided about	process (index 18): Item that allows details to be provided about
	the runtime behavior of the software component, such as	the runtime behavior of the software component, such as

	skipping to change at line 1386 ¶	skipping to change at line 1391 ¶
	'/SoftwareIdentity/(Payload\|Evidence)/File/@version' in [SWID].	'/SoftwareIdentity/(Payload\|Evidence)/File/@version' in [SWID].

	key (index 22): A boolean value indicating if a file or directory is	key (index 22): A boolean value indicating if a file or directory is
	significant or required for the software component to execute or	significant or required for the software component to execute or
	function properly. These are files or directories that can be	function properly. These are files or directories that can be
	used to affirmatively determine if the software component is	used to affirmatively determine if the software component is
	installed on an endpoint.	installed on an endpoint.

	location (index 23): The filesystem path where a file is expected to	location (index 23): The filesystem path where a file is expected to
	be located when installed or copied. The location MUST be either	be located when installed or copied. The location MUST be either

	relative to the location of the parent directory item (preferred)	an absolute path, a path relative to the path value included in
	or relative to the location of the CoSWID tag (as indicated in the	the parent directory item (preferred), or a path relative to the
	location value in the evidence entry map) if no parent is defined.	location of the CoSWID tag if no parent is defined. The location
	The location MUST NOT include a file's name, which is provided by	MUST NOT include a file's name, which is provided by the fs-name
	the fs-name item.	item.

	fs-name (index 24): The name of the directory or file without any	fs-name (index 24): The name of the directory or file without any
	path information. This aligns with a file "name" in [SWID]. This	path information. This aligns with a file "name" in [SWID]. This
	item maps to	item maps to
	'/SoftwareIdentity/(Payload\|Evidence)/(File\|Directory)/@name' in	'/SoftwareIdentity/(Payload\|Evidence)/(File\|Directory)/@name' in
	[SWID].	[SWID].

	root (index 25): A host-specific name for the root of the	root (index 25): A host-specific name for the root of the
	filesystem. The location item is considered relative to this	filesystem. The location item is considered relative to this
	location if specified. If not provided, the value provided by the	location if specified. If not provided, the value provided by the

	skipping to change at line 1482 ¶	skipping to change at line 1487 ¶
	device-id = 36	device-id = 36

	The following list describes each child item of this group.	The following list describes each child item of this group.

	global-attributes: The global-attributes group as described in	global-attributes: The global-attributes group as described in
	Section 2.5.	Section 2.5.

	resource-collection: The resource-collection group as described in	resource-collection: The resource-collection group as described in
	Section 2.9.2.	Section 2.9.2.


	location (index 23): The absolute file path of the location of the	location (index 23): The filesystem path of the location of the
	CoSWID tag generated as evidence. (Location values in filesystem-	CoSWID tag generated as evidence. This path is always an absolute
	item instances in the payload can be expressed relative to this	file path (unlike the value of a location item found within a
	location.)	filesystem-item as described in Section 2.9.2, which can be either
		a relative path or an absolute path).

	date (index 35): The date and time the information was collected	date (index 35): The date and time the information was collected
	pertaining to the evidence item in epoch-based date/time format as	pertaining to the evidence item in epoch-based date/time format as
	specified in Section 3.4.2 of [RFC8949].	specified in Section 3.4.2 of [RFC8949].

	device-id (index 36): The endpoint's string identifier from which	device-id (index 36): The endpoint's string identifier from which
	the evidence was collected.	the evidence was collected.

	$$evidence-extension: A CDDL socket that can be used to extend the	$$evidence-extension: A CDDL socket that can be used to extend the
	evidence-entry group model. See Section 2.2.	evidence-entry group model. See Section 2.2.

End of changes. 7 change blocks.
	15 lines changed or deleted	21 lines changed or added
This html diff was produced by rfcdiff 1.48.