Toerless Eckert <[email protected]> wrote:
    > On Fri, May 28, 2021 at 10:23:21AM -0400, Michael Richardson wrote:
    >>
    >> Toerless Eckert <[email protected]> wrote:
    >> > SBOM is likely something many devices may want to keep confidential.
    >>
    >> I think that national security will eventually trump (might be a pun,
    >> not sure), emotional insecurities of manufacturers who made poor
    >> choices.

    > Cannot quite parse this. Rephrase pls. I was just thinking about known
    > exploits for specific software versions as the reason for not making
    > the SBOM available to anyone who asks.

There is a need for all entities in all sorts of supply chains to know exactly
what possible issues there are.
This will lead to many audits, mandated by national security concerns.
Manufacturers who feel shy about revealing what they used will find themselves
with multi-month delays at borders.
I also think that we are going towards mandatory disclosure of all breaches.

    > I ran into that problem I think
    > more than a decade ago when customers asked to not have software
    > version be included in LLDP information freely available to anyone on
    > the same LAN. Such as the virus-infested employee PC whereas that virus
    > would then easily find attackable network equipment. Not much different
    > when there is a well-known URL that such attacking systems could probe.

Right, "Think about the children".
So, now IT can't find the vulnerable PC either.
The malware never needed or cared about the LLDP version.
What's the proof?  The presence of virus-infected PCs.

    >> We also already know how to integrate MUD with BRSKI, and this
    >> connects MUD with SBOM, so really, I don't think we need more.

    > So tell me, how do you think a registrar would be able to include SBOM
    > information in its decision whether to, or what certificate to give to
    > a pledge during the EST enrollment. I don't see a solution for that
    > without a solution like the one I proposed.  I may of course be missing
    > something.

Because SBOM is just an attribute that is part of remote attestation.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
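Added example, not from this thread or from any IETF document: a toy registrar policy in Python showing the point made above, that once the SBOM is carried as one attribute of the pledge's attestation evidence, the registrar can fold it into its enrollment decision (issue a normal certificate, issue a restricted one, or refuse). The evidence layout, the component names and versions, and the deny list are all constructed placeholders; a real deployment would carry the SBOM reference inside signed attestation evidence, which this sketch stands in for with a digest and a boolean.

```python
# Toy registrar policy: SBOM as one attestation attribute feeding the
# BRSKI/EST enrollment decision. Constructed example; the evidence format,
# component names, versions and deny list are placeholders, not real
# RATS/EAT/CoSWID encodings or real advisories.
import hashlib
import json
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Evidence:
    pledge_id: str
    sbom: Tuple[Component, ...]
    sbom_digest: str        # hex SHA-256 the attester claims for its SBOM
    measurements_ok: bool   # stand-in for the rest of the attestation result


def canonical_sbom(components: Tuple[Component, ...]) -> bytes:
    """Deterministic serialisation so attester and verifier hash the same bytes."""
    items = [{"name": c.name, "version": c.version}
             for c in sorted(components, key=lambda c: (c.name, c.version))]
    return json.dumps(items, sort_keys=True, separators=(",", ":")).encode()


def sbom_digest(components: Tuple[Component, ...]) -> str:
    return hashlib.sha256(canonical_sbom(components)).hexdigest()


# Constructed deny list of (name, version) pairs the operator treats as
# known-vulnerable. Placeholder values only.
KNOWN_VULNERABLE = {("example-tls", "1.0.1"), ("example-httpd", "2.2.0")}


def enrollment_decision(ev: Evidence, deny=KNOWN_VULNERABLE):
    """Return (action, reason). Action names are constructed for this sketch:
    'issue-ldevid'      -> normal operational certificate
    'issue-quarantine'  -> restricted certificate (e.g. update-only access)
    'reject'            -> no certificate
    """
    if not ev.measurements_ok:
        return "reject", "attestation measurements failed"
    if sbom_digest(ev.sbom) != ev.sbom_digest:
        # The SBOM presented is not the one the evidence vouches for.
        return "reject", "sbom digest does not match evidence"
    bad = sorted((c.name, c.version) for c in ev.sbom
                 if (c.name, c.version) in deny)
    if bad:
        return ("issue-quarantine",
                "known-vulnerable components: " + ", ".join(f"{n} {v}" for n, v in bad))
    return "issue-ldevid", "no known-vulnerable components"


def make_evidence(pledge_id, components, measurements_ok=True, digest=None):
    comps = tuple(components)
    claimed = digest if digest is not None else sbom_digest(comps)
    return Evidence(pledge_id, comps, claimed, measurements_ok)


# Constructed sample pledges.
CLEAN = make_evidence("pledge-A", [Component("example-httpd", "2.4.0"),
                                   Component("example-tls", "1.1.0")])
VULN = make_evidence("pledge-B", [Component("example-httpd", "2.2.0"),
                                  Component("example-tls", "1.1.0")])
TAMPERED = make_evidence("pledge-C", [Component("example-tls", "1.1.0")],
                         digest="00" * 32)

if __name__ == "__main__":
    for ev in (CLEAN, VULN, TAMPERED):
        action, reason = enrollment_decision(ev)
        print(f"{ev.pledge_id}: {action} ({reason})")
```

The digest check is what ties the SBOM to the attestation: a pledge that presents a cleaned-up component list without matching evidence is refused rather than quietly accepted, and a pledge with a known-vulnerable component still gets a restricted identity it can use to fetch updates.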



