Reviewer: Christian Huitema
Review result: Ready

I have reviewed the changes between draft-09, which I reviewed in September 2022, and draft-14, the most recent version.

The main concern expressed in my review was that "defense at scale" might also enable "attack at scale". The authors were not entirely convinced that this applies to their draft, because they "are discussing a discovery mechanism, and that the mechanism itself does not provide access to the underlying data." The authors reinforced this point by stating in the introduction that "the model is a discovery mechanism, and on its own provides no access to the underlying data."

The other counter argument was that there is a lot to be gained by disclosing vulnerabilities, and that for most devices vulnerabilities can be deduced from very simple and well known properties, such as the version of OpenWRT that is run by a Wi-Fi router. That is true, but my main concern was that having information available on the device itself was tantamount to flashing a "hack me now" sign. And I was especially concerned by having that information published by default by otherwise unconfigured devices. This, the authors did fix. The paragraph in the security section now says:

   SBOMs provide an inventory of software. If software is available to an attacker, the attacker may well already be able to derive this very same software inventory. When this information resides on the endpoint itself, the endpoint SHOULD NOT provide unrestricted access by default. Other servers that offer the data MAY restrict access to SBOM information using appropriate authorization semantics within HTTP.

(Followed by a description of access control methods.)

The "SHOULD NOT" does address my recommendation, and also mitigates somewhat the risk of having a server running on an open port on the device. I am also happy that the ambiguous text about "some of the readable data nodes ... considered sensitive or vulnerable in some network environments" has been removed.

I am still concerned that the paragraph starting "SBOMs provide an inventory of software", as written, only hints at the potential attack, without describing it. But life is full of such little dissatisfactions...