On 04.01.22 18:02, tom petch wrote:

*From:* Eliot Lear
*Sent:* Tuesday, January 04, 2022 16:28
*To:* tom petch; gen-art@ietf.org; Russ Housley
*Cc:* draft-ietf-opsawg-sbom-access....@ietf.org; ops...@ietf.org
*Subject:* Re: [OPSAWG] some YANG thoughts on draft-ietf-opsawg-sbom-access-03

Hi Tom,

Thanks for your review.  Please see below.

<tp>

On security, YANG Guidelines, RFC8407, says that there MUST be Security Considerations and that they MUST be patterned on the latest template. No exemption for read only or grouping only!

Any risk is with the data being referred to, not the reference.  We can say that.

For example, I note that you refer to HTTP whereas the template only uses HTTPS, underpinned by TLS.  It is fine to say that the data is read only.  It is also fine to say that the data is in the public domain and so privacy is not a concern.

That really can't be helped because some of the underlying systems involved may not support TLS.  Integrity must be handled at a different layer, and if confidentiality is important, that will have to be expressed there as well.  This really is an operational reality.  Again, this is a discovery mechanism that describes how to locate the data and what protocols to use.  We are not specifying the protocols or formats.


Eliot

_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art