
Registration Request: hash #50

Open
paul-knight opened this issue Mar 9, 2023 · 3 comments
Labels
new registration A request for registering a new link relation type waiting for input Waiting for further input from requestors

Comments

@paul-knight

Relation Name

hash

Description

Refers to a resource that contains the context's hash value. The resource content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename), which is optional, SHALL be separated by at least one space.

Reference

https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#7115-requirement-15-rolie-feed

Additional Information

The OASIS Common Security Advisories Framework (CSAF) Technical Committee (TC) has been chartered to standardize the implementation and exchange of security advisories. The automatic and fast discovery of relevant as well as actionable security advisories is an important step in the process of effectively mitigating and ultimately removing vulnerabilities as they become apparent. We are requesting the registration of a "hash" link type that would contain parameters and configuration requirements to allow this level of automated discovery. Resource-Oriented Lightweight Information Exchange (ROLIE) is a standard to ease discovery of security content. ROLIE is built on top of the Atom Publishing Format and Protocol, with specific requirements that support publishing security content. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322]. Any existing hash file (requirement 18) MUST be listed in the corresponding entry of the ROLIE feed as an item of the array link having the rel value of hash.

For further reference, the CSAF version 2.0 OASIS Standard is always available at: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html
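As an added illustration of the hash-file layout and the feed linkage described in this request (example code, not part of the issue, the CSAF standard or any TC deliverable), the following validator parses a hash file (hex digest first, optional filename after at least one space), verifies an advisory against it, and collects the `rel: "hash"` entries from a ROLIE entry's `link` array. The digest algorithm is inferred from the hex length, and the JSON link structure is taken from the requester's description; both are assumptions.

```python
import hashlib
import hmac
import re

# Hash file layout as described in the request: the hexadecimal digest comes
# first, any optional data (typically a filename) follows after >= 1 space.
HASH_FILE = re.compile(r"^([0-9a-fA-F]+)(?:[ \t]+(.*?))?\s*$", re.DOTALL)

# Assumption: the algorithm is inferred from the digest length, since the
# request's description does not name one.
DIGEST_ALGOS = {64: "sha256", 128: "sha512"}


def parse_hash_file(content: str):
    """Return (algorithm, lowercase hex digest, trailing data) or raise."""
    m = HASH_FILE.match(content)
    if not m:
        raise ValueError("hash file must start with a hexadecimal digest")
    digest = m.group(1).lower()
    algo = DIGEST_ALGOS.get(len(digest))
    if algo is None:
        raise ValueError(f"unsupported digest length: {len(digest)} hex chars")
    return algo, digest, (m.group(2) or "")


def is_valid_hash_file(content: str) -> bool:
    try:
        parse_hash_file(content)
        return True
    except ValueError:
        return False


def hash_links(entry: dict):
    """hrefs in a ROLIE entry's 'link' array carrying rel == "hash" (assumed JSON shape)."""
    return [l["href"] for l in entry.get("link", []) if l.get("rel") == "hash"]


def verify_advisory(advisory: bytes, hash_file: str) -> bool:
    """True when the advisory bytes match the digest recorded in the hash file."""
    algo, expected, _ = parse_hash_file(hash_file)
    actual = hashlib.new(algo, advisory).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


# Constructed sample data (not taken from any real CSAF feed).
SAMPLE_ADVISORY = b'{"document": {"title": "Example advisory"}}'
SAMPLE_HASH_FILE = hashlib.sha256(SAMPLE_ADVISORY).hexdigest() + "  example.json\n"
SAMPLE_ENTRY = {"link": [{"rel": "self", "href": "https://example.test/example.json"},
                         {"rel": "hash", "href": "https://example.test/example.json.sha256"}]}
```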

@paul-knight paul-knight added the new registration A request for registering a new link relation type label Mar 9, 2023
@mnot
Contributor

mnot commented Mar 12, 2023

Paul,

The description restricts the payload format; that's not allowed by RFC8288. Furthermore, hash is extremely generic, whereas this appears to be a specific application (especially since the payload format is fixed).

There are a couple of practical ways forward here.

Regarding the format, you could use the type attribute to identify the media type of the expected payload (you'd need to define a media type too), or you could say that your specific application requires a particular format (i.e., don't tie it to the link relation type; tie the format to your specific use of the relation type).

Regarding the name, you could use a more specific name (e.g., csaf-hash), or you could make this more generic (especially in the description). If you want to go the latter way, it'd be best to register it in a standalone specification, or at least in a more separate and fully specified section of your specification.

Cheers,

P.S. Purely an aside -- I notice that you require this to be a ROLIE feed, but it's in JSON. RFC8322 only defines an XML format; it doesn't define a JSON format, so I think you need to either reuse one from somewhere else, or define your own.

@mnot mnot added the waiting for input Waiting for further input from requestors label Mar 12, 2023
@paul-knight
Author

Mark,
The specification editors have agreed that the members of the OASIS CSAF Technical Committee need to discuss and agree on how best to handle this internally. Will it be okay to put this on hold for a while, and return to the ticket once a decision is made?

@mnot
Contributor

mnot commented Mar 18, 2023

Of course.
