Closed h4b4n3r0 closed 2 years ago
Thank you for the question. Originally, it was intended to be determined just by the filename.
Or is it enough to place them just with the correct naming next to the document file (as described in the specification draft)?
That would be enough.
@sthagen I just read RFC 8322 again. We have the option to register additional rel types.
Example:
    "entry": [
      {
        "id": "2020-ESA-001",
        "title": "Example Security Advisory 001",
        "link": [
          {
            "rel": "self",
            "href": "https://psirt.domain.tld/advisories/csaf/2020/2020-ESA-001.json"
          },
          {
            "rel": "sig",
            "href": "https://psirt.domain.tld/advisories/csaf/2020/2020-ESA-001.json.asc"
          },
          {
            "rel": "hash",
            "href": "https://psirt.domain.tld/advisories/csaf/2020/2020-ESA-001.json.sha512"
          }
        ],
        // ...
      }
    ]
Do you think we should do that? It wouldn't change the standard as we don't need to modify the prose. We would only guide by example here.
@tschmidtb51 if there is a use case for the link navigation, why not? As long as the usual "name extrapolation" conventions are also supported these registered relations should help the "Rolies".
Totally - it will help automation as you can advertise the link to the hash (and reduce workload as not everyone is guessing). As we don't change the standard the "name extrapolation" conventions are still supported and valid. How do we do the registration via OASIS?
@tschmidtb51 I will take a look, engage with administration and if the path is clear prepare a proposal to be discussed within the TC.
Hello together,
is there any requirement (as CSAF "trusted provider" role) to mention the integrity files / signature files (.asc) in the rolie feed? I have not found a dedicated field for that.
Or is it enough to place them just with the correct naming next to the document file (as described in the specification draft)? It is not clear to me.
Thank you, Klaus
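
The link resolution discussed in this thread, as an added example that is not part of the original discussion or of any CSAF tooling: a consumer prefers the advertised `sig` and `hash` links and falls back to the filename convention when they are absent. The function names, the second entry and the sample document bytes are constructed for illustration, and the `.sha512` file is assumed to hold the hex digest, optionally followed by a filename.

```python
import hashlib
import hmac

BASE = "https://psirt.domain.tld/advisories/csaf/2020/"
# Entry shaped like the example in the thread (links advertised).
ADVERTISED = {"id": "2020-ESA-001", "link": [
    {"rel": "self", "href": BASE + "2020-ESA-001.json"},
    {"rel": "sig", "href": BASE + "2020-ESA-001.json.asc"},
    {"rel": "hash", "href": BASE + "2020-ESA-001.json.sha512"},
]}
# Constructed entry with only "self": the consumer must extrapolate names.
SELF_ONLY = {"id": "2020-ESA-002", "link": [
    {"rel": "self", "href": BASE + "2020-ESA-002.json"},
]}
# Constructed document bytes and a matching hash file body.
SAMPLE_DOC = b'{"document": {"title": "Example Security Advisory 001"}}'
SAMPLE_HASH_FILE = hashlib.sha512(SAMPLE_DOC).hexdigest() + "  2020-ESA-001.json\n"


def integrity_links(entry):
    """Return (document, signature, hash) URLs for one ROLIE entry.

    Advertised "sig"/"hash" links win; otherwise fall back to the
    filename convention (<document>.asc and <document>.sha512).
    """
    by_rel = {}
    for link in entry.get("link", []):
        by_rel.setdefault(link["rel"], link["href"])  # first link per rel wins
    doc = by_rel["self"]
    return doc, by_rel.get("sig", doc + ".asc"), by_rel.get("hash", doc + ".sha512")


def sha512_matches(document_bytes, hash_file_text):
    """Check document bytes against the body of the fetched .sha512 file."""
    fields = hash_file_text.split()
    if not fields:
        return False  # empty hash file: treat as a failed check
    expected = fields[0].lower()
    # Reject anything that is not a 128-character hex SHA-512 digest.
    if len(expected) != 128 or not set(expected) <= set("0123456789abcdef"):
        return False
    actual = hashlib.sha512(document_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for entry in (ADVERTISED, SELF_ONLY):
        print(entry["id"], integrity_links(entry))
    print("hash ok:", sha512_matches(SAMPLE_DOC, SAMPLE_HASH_FILE))
```

A hash file served from the same location as the document only detects corruption in transit or at rest; the `.asc` signature is what ties the document to the publisher's key.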