-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
are SWID and CoSWID isomorphic? #27
Comments
Another bit that looks pretty suspicious is around the definition of payload and evidence:
where multiple payloads and evidences seem to be allowed in the same CoSWID. This is different from SWID which allows at most one Evidence and/or Payload:
|
At first glance it appears to be a 0-1 quantity. Alas, both (and other) are embedded in a 0-n choice:
|
Thanks! I had overlooked the wrapping |
Another thing still on the alignment between CoSWID and SWID: in SWID there seem to be no restrictions about mixing Evidence and Payload (at least at a syntactic level). Why is CoSWID enforcing their mutual exclusion? |
The authors are currently meeting on a regular basis and are generating a shared agreement on all inputs, including yours. Each issue leads to discussions of various sizes, currently :-) One of the big topics discussed is the relationship between SWID and CoSWID. As soon as all authors agreed on a way to address a topic, e.g. SWID & CoSWID alignment, we will pull new content into the I-D and reply to the corresponding issue. According to NIST SP 8060, file hashes are stored in XML any-attributes associated with file types. Currently, CoSWID provides more explicit structures and therefore is intentionally more specific (not allowing SHA1 or MD5, for example & or disallowing the mixture of Evidence and Payload). |
Since the use of
[1] ISO/IEC 19770-2:2015, Section 8.5.3 and Section 8.5.6 (which might also contain another typo) |
As the release of the iso spec and corresponding xsd is simply inconsistent, there is no simple way forward here. We came to the decision that it is likely that implementers start from the XSD, than from the written definition in the spec table (it seems you did, too?). Having said this. Do you still think it would be better to restrict the quantity here to 1? |
An implementation can always make the syntactic layer refuse to decode more than one entry (not what I do at the moment, but that can be easily fixed). But I guess the naive implementer - including yours truly in the lot :-) - is likely to code the syntactic layer as per CDDL and then on top of that put a semantic layer that will refuse multiple entries. And that space between syntax and sema checks potentially creates waste of resources (on the constrained side, where they are more scarce), and ultimately attack surface. If YAGNI then drop it :-) |
I believe we should follow the spec as it is normative, not the XSD. So we should restrict the payload and evidence to a single optional instance. |
that would result in: payload-or-evidence //= ( payload => payload-entry ) |
It is not clear to me whether the intent is that SWID and CoSWID are equivalent data models?
If so, I think
entity-entry
is a bit problematic in this respect becauseentity-extension
and SWID'sMeta(s)
are not the same thing. Anentity-extension
could be constrained to resemble aMeta
but this doesn't seem to be the case, at least in the version of the draft I'm reading (i.e., -15).Another point of apparent divergence is the explicit definition of
hash
in thefile-entry
map. In SWID hashes are introduced viaMeta
and there can be any number of them (e.g., one for SHA1, one for MD5, one for SHA256).Surely, in CoSWID one could add an
extra-hash
extension viafile-extension
like this:but then I wonder why can't we just do the above and get rid of the special diversion? (We'd be exercising the extension path too, which seems like a plus.)
The text was updated successfully, but these errors were encountered: