Add Sharing Groups #705
Comments
|
I could imagine to extend the Note: CSAF documents that differ in content MUST use different |
|
@boschpsirt Please also formally notify about the suggestion by writing to the csaf-comment mailing list (as soon as its back online). |
Hi Thomas, we agree with this proposal. |
|
Another use case for the suggested field is access restricted advisories. The addition of this field will allow automatic decision which CSAF documents show be displayed/accessible by which group based on the |
|
Call to action sent by @tschmidtb51 https://groups.oasis-open.org/discussion/call-to-action-for-705 This should be discussed in the next meeting or a motion placed before the meeting on May 29th. |
tschmidtb51
added
motion
|
We will use UUIDv4. Here is some background information regarding the choice of the Overview
DetailsFor Thus, according to RFC 9562, only UUIDv4 and UUIDv7 are good candidates for the use as id in UUIDv6 is a replacement for UUIDv1 inheriting some drawbacks. And UUIDv7 is an improvement over both. UUIDv7 uses the well-known Unix Epoch timestamp source, which takes up less space, so random values could be added. This means there is a lower risk of collisions and of being guessed. UUIDv3 and UUIDv5 compute hash over a name. This is not needed and in addition both MD5 and SHA1 algorithms are not considered cryptographic secure for all uses in the next years, so just the mention of any of theses algorithms in a new standard will add the requirement to add a paragraph of justification and make implementations more difficult because existence of any code for these hashes is questioned in context of certified security. UUIDv8 is application specific and would add the burden to specify the algorithms in more depth which is too much effort and error prone for the envisioned simple usage. UUIDv2 is an legacy use case and not even specified in the RFC itself. |
|
We will use lowercase in 8-4-4-4-12 notation. The omni UUID |
tschmidtb51
changed the title
- addresses parts of oasis-tcs#705 - add `sharing_group` to JSON schema
- addresses parts of oasis-tcs#705 - adapt prose to reflect sharing group changes - add RFC 9562 to normative references - add RFC 4122 to informative references
- addresses parts of oasis-tcs#705 - add mandatory test to prevent usage of Max UUID in other TLP than CLEAR - add invalid examples - add valid examples - adapt testcases list and schema
- addresses parts of oasis-tcs#705 - add mandatory test to prevent usage of reserved names - improve wording - add invalid examples - add valid examples - adapt testcases list and schema
- addresses parts of oasis-tcs#705 - add mandatory test to prevent usage other UUID than Max UUID in TLP:CLEAR - add invalid examples - add valid examples - adapt testcases list and schema
- addresses parts of oasis-tcs#705 - swap order of 6.1.40 and 6.1.41 - adapt testfiles
- addresses parts of oasis-tcs#705 - add mandatory test to enforce usage of sharing group names - add invalid examples - add valid examples - adapt testcases list and schema
- addresses parts of oasis-tcs#705 - add additional valid examples for 6.1.41
- addresses parts of oasis-tcs#705 - add rule about the relationship between sharing group ID and `/document/tracking/id`
- addresses parts of oasis-tcs#705 - correct link format
- addresses parts of oasis-tcs#705 - add optional test to discourage usage of Max UUID - add invalid example - add valid examples - adapt testcases list and schema
- addresses parts of oasis-tcs#705 - add optional test to discourage usage of Nil UUID - add invalid example - add valid examples - adapt testcases list and schema
- addresses parts of oasis-tcs#705 - add optional test to discourage usage sharing group with TLP:CLEAR - add invalid example - add valid examples - adapt testcases list and schema
- addresses parts of oasis-tcs#705 - add new files into bind.txt
- addresses parts of oasis-tcs#705 - add suggestions for quick fixes throughout the sharing group tests
- addresses parts of oasis-tcs#705 - add guidance of size for UUIDs - swap date and URI to make it alphabetic amongst the "special" strings
tschmidtb51
added
editor-revision
|
The issue was announced on the mailing list: https://groups.oasis-open.org/discussion/github-issue-705 |
At the document level there is a Publisher sub-item. There are some use cases where a publisher does not write an advisory for all customers, but rather publishes it for each one with appropriate additional information. In human-readable format, this is in the title and in the watermark.
Would it be possible to expand this for this or the next release? I could imagine placing Publisher and Document References directly between the points in the Secvisogram and adapting them accordingly to CSAF.
The text was updated successfully, but these errors were encountered: