Retrieving rules #430
Retrieving rules #430
Conversation
tschmidtb51
commented
Feb 16, 2022
tschmidtb51
commented
- resolves Indicate order of places to look for the provider-metadata.json file (to ease implementation) #398
- add rules for retrieving CSAF documents
- explain 2 part process
- clarify why multiple CSAF fields might exist
- resolves oasis-tcs#398 - add rules for retrieving CSAF documents - explain 2 part process - clarify why multiple CSAF fields might exist
|
@bernhardreiter: See this draft. |
|
|
||
| **Direct locating**: The following process SHOULD be used to determine the location of a `provider-metadata.json` (requirement 7 in section 7.1) based on the main domain of the issuing party: | ||
|
|
||
| 1. Checking the Well-known URL (requirement 9 in section 7.1) |
There was a problem hiding this comment.
The first three steps may profit from replacing the term checking With a more specific activity. I know this is tricky, but if we can be more specific, maybe the implementers can comply more easily.
There was a problem hiding this comment.
Agree, but I'm currently missing a better word.
There was a problem hiding this comment.
Retrieving, requesting? Parsing or reacting on HTTP/404 is part of phase 2, right?
There was a problem hiding this comment.
4962a82: not ideal but at start.
|
|
||
| 1. Parse the `provider-metadata.json` to determine whether the directory-based (requirements 11 to 14 in section 7.1) or ROLIE-based distribution (requirements 15 to 17 in section 7.1) is used. If both are present, the ROLIE information SHOULD be preferred. | ||
| 2. For any CSAF trusted provider, the hash and signature files (requirements 18 to 19 in section 7.1) SHOULD be retrieved together with the CSAF document. They MUST be checked before further processing the CSAF document. | ||
| 3. Check whether the CSAF document is valid. |
There was a problem hiding this comment.
Maybe: Validate the CSAF document. ?
There was a problem hiding this comment.
Not quite the thing I had in mind. See 03360f1.
- addresses review comments from oasis-tcs#430 - improve wording
- addresses review comments from oasis-tcs#430 - add informal definition for checking
- addresses review comments from oasis-tcs#430 - improve wording
| @@ -5187,6 +5187,8 @@ CSAF: https://domain.tld/security/csaf/provider-metadata.json | |||
| CSAF: https://www.example.com/.well-known/csaf/provider-metadata.json | |||
| ``` | |||
|
|
|||
| > An issuing party MAY advertise more than one `provider-metadata.json` by adding multiple `CSAF` fields, e.g. in case of changes to the organizational structure through merges or aquisitions. It is strongly recommended NOT to do this. If it is inevitable, this SHOULD be a temporary solution. If one of the URLs fulfills requirement 9, this SHOULD be used as the first CSAF entry. | |||
There was a problem hiding this comment.
MAY and SHOULD contradict themselves according to RFC2119. My suggestion is to remove the MAY and say something like it is possible to advertise more than one ....but it SHOULD NOT be done and be removed as soon as possible. Additionally I think that the last hint should be a MUST like: If one of the URLs fulfills requirement 9, this MUST be used as the first CSAF entry.
There was a problem hiding this comment.
Having a MUST is IMHO usually a No-Go in an informal statement... See f2e97a8 for my suggestion.
There was a problem hiding this comment.
If it is informal then let us use English spelling (lowercase may, should, …) and reduce the appealing parts?
There was a problem hiding this comment.
I did convert it into an formal one 🙈
|
|
||
| The retrieving process executes in two phases: Finding the `provider-metadata.json` (requirement 7 in section 7.1) and retrieving CSAF documents. | ||
|
|
||
| > A retrieving party MAY choose to do the first phase only when adding new or updating distributing parties. However, it is recommended to check regulary whether new information is available. |
There was a problem hiding this comment.
Again what about SHOULD look for and download the provider_metadata.json earch time.?
There was a problem hiding this comment.
The question is: Is that really necessary? In most cases probably not. Therefore, I'm a little bit reluctant to make such hard statement...
There was a problem hiding this comment.
See f2e97a8 for my suggestion.
- addresses review comments from oasis-tcs#430 - make statement about multiple CSAF fields formal - improve guidance on first phase - correct spelling
|
As discussed with @sthagen during our meeting: Approved to merge. |
