A YANG Data Model for Reporting Software Bills of Materials (SBOMs) and Vulnerability Information
draft-ietf-opsawg-sbom-access-18

[Ballot comment]
Thank you to Christian Huitema for the SECDIR review.

Thank you for addressing my DISCUSS and most of my COMMENT feedback.

** Section 5.1

==[ snip ]==
The second example demonstrates that just SBOM information is included.

{
  "ietf-mud:mud": {
    "mud-version": 1,
    "extensions": [
      "transparency"
    ],
    "mudtx:transparency": {
      "sbom-local-well-known": "https"
    },
    "mud-url": "https://iot.example.com/modelX.json",
    "mud-signature": "https://iot.example.com/modelX.p7s",
    "last-update": "2022-01-05T13:29:47+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "retrieving SBOM info via a cloud service",
    "mfg-name": "Example, Inc.",
    "documentation": "https://iot.example.com/doc/modelX",
    "model-name": "modelX"
  }
}
==[ snip ]==

In -15 systeminfo said "retrieving vuln and SBOM info via a cloud service".  In response to my ballot, -16 now reads "retrieving SBOM info via a cloud service".  However, since the sbom-local-well-known field is present and the narrative text says "The second example demonstrates that just SBOM information is included", systeminfo should read "retrieving SBOM information locally from the device" (or something to that effect).

[Ballot comment]
Thanks for working on this specification.

I also stumbled upon "sbom" and "vuln" nodes in section 1.2. I assumed these refers to the nodes in the YANG tree sbom node = starts with sbom- and vuln node = starts with vuln- .... yes that I had to guess to continue reading. Now I see Roman has a discuss on this point hence supporting the discuss. I believe evenif it might be a convention call those node as I assumed, we could be more clear by actually describing the notion in the doc. And if my assumption is wrong then we definitely need to describe the nodes so that readers like me don't make wrong assumption :-).

[Ballot comment]
Thank you for this document, and also much thanks to Henk for the OpsDir review - https://datatracker.ietf.org/doc/review-ietf-opsawg-sbom-access-03-opsdir-early-comstedt-2021-12-19/

I found it an easy read, and only have a few nits to offer:

1: "A number of activities have been working to improve visibility to
  what software is running on a system, and what vulnerabilities that
  software may have[EO2021]."
Missing space before the [EO2021] reference.

2: "... two classes of questions *at scale*:"
I think that you should drop the "emphasis" - I really don't think that it helps readability, and looks "odd". I often use this form for emphasis, but I really don't think that it should be used in an RFC.

3: "Examples of these interfaces might be an HTTP [RFC7231],[RFC9110], or COAP [RFC7252] endpoint for retrieval."
Missing space after [RFC7231] -- hey, I *did* mention that this is all nits (and also that I *emphasize text*).

4: "Using the second method, when a device does not have an appropriate retrieval interface, but one is directly available from the manufacturer, a URI to that information MUST be discovered."
I don't really understand the uppercase MUST here; it's unclear who / what the MUST is directed at.

5: "To address either risk, any change in a URL, and in particular to the authority section, should be treated with some suspicion.  One mitigation would be to test any cloud-based URL against a reputation service."
I don't really have any useful text to suggest, but I find the wording of "To address either risk, ..., should be treated with some suspicion" to be strange. I don't really view treating something with suspicion as addressing a risk. I *do* know what you are trying to say, but I don't really think that this accomplishes it. I'm also not really sure why the second sentence only views 'cloud-based' URLs as different to non-cloud-based ones - why is foo.bar.example.com more or less sketchy if it is on AWS then on a physical server? And I think that the hand-wavy "check it against some sort of reputation thing" is sufficiently underspecified that it's not helpful.

Please notes that these really are just intended to be nits / attempts to help improve the document; I seem to be having a hard time with my tone in this writeup and apologize if it came out as snarky....

[Ballot comment]
Thank you to Christian Huitema for the SECDIR review.

Like Eric, I find the yang module name a bit odd, but have no good suggestion for a better alternative.

[Ballot discuss]
** Section 1.2.
  When both vulnerability and software inventory
  information is available from the same location, both sbom and vuln
  nodes MUST indicate that.

What are “sbom and vuln nodes”?  Those names don’t map to YANG model described in Section 3.  Is this “sbom-url” and “vuln-url”?

[Ballot comment]
Thank you to Christian Huitema for the SECDIR review.

** Section 1.  Editorial.

  These two classes of information can be used in concert.  For
  instance, a network management tool may discover that a system makes
  use of a particular software component that has a known
  vulnerability, and a vulnerability report may be used to indicate
  what if any versions of software correct that vulnerability, or
  whether the system exercises the vulnerable code at all.

  Both classes of information elements are optional under the model
  specified in this memo.  One can provide only an SBOM, only
  vulnerability information, or both an SBOM and vulnerability
  information.

The second paragraph seems to suggest that the classes of information are SBOM and vulnerability information.  However, the example provided in paragraph one doesn’t make that distinction clear since the “network management tool” implicitly bundled SBOM+vulnerability information into one information element by both knowing what software was loaded and that it was vulnerable.  Editorially, the case isn’t make that “these two classes of information can be used in concert.”

** Section 1.1
In the first few reads of the text, it was obvious that there were different interfaces, but not that they served different content.  Likewise, the title of the section “How This Information Is Retrieved” didn’t match the text which covered the properties of the retrieval rather than explicitly summarize it.  I would recommend adding something explicit about the role of the interfaces with appropriate forward references at the start of the section.

PROPOSED NEW:
Section 4 describes a data model to extend the MUD file format to carry SBOM and vulnerability information.  Section 1.5 of RFC8520 describes mechanisms by which devices can emit a URL to point to this file.  Additionally, devices can share this URL either through documentation or within a QR code on a box.  Section 2 describes a well-known URL from which an SBOM could be served from the local device.

** Section 1.2
  When these are retrieved either directly from the
  device or directly from a web server

Recommend being clearer about the location of the web-server.  Retrieval from the device could be from its internal web. 

PROPOSED NEW
When these are retrieved either directly from the device or from a remote web server.

** Section 1.2.  Editorial.
  ... tools will need to observe the
  content-type header to determine precisely which format is being
  transmitted.

Is it “content-type” or “Content-Type”?

** Section 1.2.
  When both vulnerability and software inventory
  information is available from the same location

Recommend being precise by saying: s/from the same location/from the same URL/.

** Section 4. sbom-archive-list.  Does this list have a recommend sort order?  Is random ok?  Newest to old?

** Section 5.1
  The second example demonstrates that just SBOM information is
  included.

  {
    "ietf-mud:mud": {
      "mud-version": 1,
      "extensions": [
        "transparency"
      ],
      "mudtx:transparency": {
        "sbom-local-well-known": "https"
      },
      "mud-url": "https://iot.example.com/modelX.json",
      "mud-signature": "https://iot.example.com/modelX.p7s",
      "last-update": "2022-01-05T13:29:47+00:00",
      "cache-validity": 48,
      "is-supported": true,
      "systeminfo": "retrieving vuln and SBOM info via a cloud service",
      "mfg-name": "Example, Inc.",
      "documentation": "https://iot.example.com/doc/modelX",
      "model-name": "modelX"
    }
  }

The “systeminfo” text is not accurate (“retrieving vuln and SBOM info via a cloud service”) as no vulnerability information appears to be provided in the MUD file and the text describing the example also says no vulnerability information is provided.

** Section 5.2
  In this example, the SBOM is retrieved from the device, while
  vulnerability information is available from the cloud.  This is
  likely a common case, because vendors may learn of vulnerability
  information more frequently than they update software.

{
  "ietf-mud:mud": {
    "mud-version": 1,
    "extensions": [
      "transparency"
    ],
    "mudtx:transparency": {
      "sbom-local-well-known": "https",
      "vuln-url": "https://iot-device.example.com/info/modelX/csaf.json"
    },
    "mud-url": "https://iot-device.example.com/modelX.json",
    "mud-signature": "https://iot-device.example.com/modelX.p7s",
    "last-update": "2022-01-05T13:25:14+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "retrieving vuln and SBOM info via a cloud service",
    "mfg-name": "Example, Inc.",
    "documentation": "https://iot-device.example.com/doc/modelX",
    "model-name": "modelX"
  }
}

The “systeminfo” text in this example is not accurate ( “retrieving vuln and SBOM info via a cloud service”) as the SBOM appears to be locally served per the file MUD file text and the text description of this example.

** Section 6
  In particular, the YANG
  module specified in this document is not necessarly intended to be
  accessed via regular network management protocols, such as the
  NETCONF [RFC6241] or RESTCONF [RFC8040], and hence the regular
  security considerations for such usage are not considered here.

-- Typo. s/necessarly/necessarily/
-- Can a stronger statement be made here?  Is this YANG module intended or not to be access via NETCONF/RESTCONF?

** Section 6
  If an attacker modifies the elements, they may misdirect automation
  to retrieve a different set of URLs than was intended by the
  designer.  This in turn leads to two specific sets of risks:

  *  the information retrieved would be false.

  *  the URLs themselves point to malware.

Additionally, there is a tracking/asset identification risk.  If the attacker can control the target of the URL (without having access or prior knowledge of the devices), they could potentially discover the existence of particular hardware at a given netblock/organization.

** Section 6
  SBOMs provide an inventory of software.  If software is available to
  an attacker, the attacker may well already be able to derive this
  very same software inventory.

Recommend being explicit on why knowing the SBOM helps the attacker.

PROPOSED NEW
SBOMs provide an inventory of software.  Knowledge of which specific software is loaded on a system can aid an attacker in identifying an appropriate exploit for a known vulnerability or guide the development of novel exploit against this system.

** Section 6
  SBOMs provide an inventory of software.
  …
  When this information resides on the
  endpoint itself, the endpoint SHOULD NOT provide unrestricted access
  by default.

Is this text referencing the “.well-known” interface?  If so, please be clear.

** Section 6
  In
  particular, if a system attempts to retrieve an SBOM via HTTP and the
  client is not authorized, the server MUST produce an appropriate
  error, with instructions on how to register a particular client.

Assuming this sentence is talking about the “.well-known” interface, does this same kind of guidance apply to CoAP?

** Section 6
  To further mitigate attacks against a device, manufacturers SHOULD
  recommend access controls.

Good guidance. What’s the context of this recommendation given that this specification is about an API to retrieve SBOM/vulnerability information.  Access controls on what?

** Section 6
  Vulnerability information is generally made available to such
  databases as NIST's National Vulnerability Database.  It is possible
  that vendor may wish to release information early to some customers.
  We do not discuss here whether that is a good idea, but if it is
  employed, then appropriate access controls and authorization SHOULD
  be applied to the vulnerability resource.

-- Please provide a reference for the NIST NVD

-- Per “vulnerability resource”, is that a typo and it should be “vulnerable resource” or is the text saying that the pre-release vulnerability information needs to be protected?

[Ballot comment]
# GEN AD review of draft-ietf-opsawg-sbom-access-15

CC @larseggert

Thanks to Russ Housley for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/c_Npcow_0xA8aojaPi07NMcoeaw).

## Comments

### Section 1, paragraph 3
```
    Put simply, we seek to answer two classes of questions *at scale*:
```
What does "at scale" mean here? Ask the questions to a large number of systems?
Ask the questions and expect very large results? Something else?

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Uncited references

Uncited references: `[RFC8446]`, `[RFC6242]`, and `[RFC8341]`.

### Outdated references

Reference `[RFC7231]` to `RFC7231`, which was obsoleted by `RFC9110` (this may
be on purpose).

### Grammar/style

#### Section 1, paragraph 16
```
: * on devices themselves * on a web site (e.g., via URI) * through some for
                                ^^^^^^^^
```
Nowadays, it's more common to write this as one word.

#### Section 4, paragraph 13
```
this device. Publication dates can found inside the SBOMs."; } choice vuln-r
                                  ^^^^^
```
Make sure that the ambiguous verb form "found" is correct. (It can either be
the base form "found", or the past tense of a different verb.).

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool

[Ballot comment]
Thank you for the work put into this document.

Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education).

Special thanks to Win Wu for the shepherd's detailed write-up including the WG consensus and the justification of the intended status.

I hope that this review helps to improve the document,

Regards,

-éric


# COMMENTS (non blocking)

## 'transparency' vs. 'sbom'

This is probably due to historical reasons, but I find it strange to have the YANG module named 'transparency' while this term does not appear in the abstract.

## Abstract

I am not a native English speaker, so I am probably outside of my expertise here, but:

* `automation is necessary to locate what software is running` should 'to identify' or 'to list' be better ?
* `to provide the locations of software bills of materials (SBOMS) and to vulnerability information.` is there a verb missing between 'to' and 'vulnerability' ? I must admit that I cannot parse this sentence.

## Section 1

`we seek` who is the 'we' ?

s/the model is a discovery mechanism/the model can be used as a discovery mechanism/ ? I.e., how can a model be a mechanism ?

In `report to administrators the state of a system.` "state" is rather vague, can the state be qualified ? I.e., "security state" ?

In the introduction of the 3 methods, the 2nd one (URI) is the only one having a normative MUST. Is it on purpose that the two other methods do not have normative language ?

## Section 6

`the endpoint SHOULD NOT provide unrestricted access by default` this is indeed a key point as the SBOM can also be viewed as the list of open doors to the device. I am really unsure how to fix this problem at all...

I would also wish to have a mean to keep the SBOM information available for years even after manufacturer bankruptcy ...

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-opsawg-sbom-access-14. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there are four actions which we must complete.

First, in the MUD Extensions registry on the Manufacturer Usage Description (MUD) registry page located at:

https://www.iana.org/assignments/mud/

a single, new registration is to be made as follows:

Value: transparency
Reference: [ RFC-to-be ]

Second, in the ns registry on the IETF XML Registry page located at:

https://www.iana.org/assignments/xml-registry/

a single, new namespace will be registered as follows:

ID: yang:ietf-mud-transparency
URI: urn:ietf:params:xml:ns:yang:ietf-mud-transparency
Filename: [ TBD-at-Registration ]
Reference: [ RFC-to-be ]

As this document requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

Third, in the YANG Module Names registry on the YANG Parameters registry page located at:

https://www.iana.org/assignments/yang-parameters/

a single, new YANG module will be registered as follows:

Name: ietf-mud-transparency
File: [ TBD-at-Registration ]
Maintained by IANA? N
Namespace: urn:ietf:params:xml:ns:yang:ietf-mud-transparency
Prefix: mudtx
Module:
Reference: [ RFC-to-be ]

While the YANG module name will be registered after the IESG approves the document, the YANG module file will be posted after the RFC Editor notifies us that the document has been published.

Fourth, in the Well-Known URIs registry located at:

https://www.iana.org/assignments/well-known-uris/

a single, new registration will be made as follows:

URI Suffix: sbom
Change Controller: IETF
Reference: [ RFC-to-be ]
Status: permanent
Related Information: See ISO/IEC 5962:2021 and SPDX.org

As this also requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

The IANA Functions Operator understands that these two actions are the only ones required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Specialist

The following Last Call announcement was sent out (ends 2023-03-13):

From: The IESG
To: IETF-Announce
CC: bill.wu@huawei.com, draft-ietf-opsawg-sbom-access@ietf.org, henk.birkholz@sit.fraunhofer.de, opsawg-chairs@ietf.org, opsawg@ietf.org, rwilton@cisco.com
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Discovering and Retrieving Software Transparency and Vulnerability Information) to Proposed Standard


The IESG has received a request from the Operations and Management Area
Working Group WG (opsawg) to consider the following document: - 'Discovering
and Retrieving Software Transparency and Vulnerability
  Information'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2023-03-13. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  To improve cybersecurity posture, automation is necessary to locate
  what software is running on a device, whether that software has known
  vulnerabilities, and what, if any recommendations suppliers may have.
  This memo extends the MUD YANG model to provide the locations of
  software bills of materials (SBOMS) and to vulnerability information.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/



No IPR declarations have been submitted directly on this I-D.

# Document Shepherd Write-Up for Group Documents

*This version is dated 4 July 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this write-up to give helpful context to Last Call
and Internet Engineering Steering Group ([IESG][1]) reviewers, and your
diligence in completing it is appreciated. The full role of the shepherd is
further described in [RFC 4858][2]. You will need the cooperation of the authors
and editors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?
 
  This draft was last called in April 12 and the last call was extended one more week and received a good reviews from Joe Clarke, Carsten Bormann,Tome Petch. These reviews stand
  for strong concurrence of a few individuals, with others being silent. This draft also
  acknowledged 4 people for valuable review.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
 
  No Controversy.
 
3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No.
 
4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  The document author has confirmed there is one implementation on the way,
  see https://github.com/sbomtools/apt2sbom
  The author's response can be found:
  https://mailarchive.ietf.org/arch/msg/opsawg/zt4Nt7e5cibd5NvJfB7PDf3_lho/

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.
 
  This draft has closely interact with SBOM technologies developed by NTIA Multistakeholder
  process on Software Component Transparency Framing Working Group.
  It was agreed to remove SWID and add CycloneDX to improve interoperability.


6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
 
  A YANG Doctor review has been carried out by Ebben Aries which can
  be found in the datatracker.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  The PYANG compilation tool in the datatracker shows no errors and warnings
  in YANG. Yes, the YANG module complies with the NMDA architecture.
 
8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  xml2rfc ietf tool and rfcfold, pyang,yanglint automation tools have been
  installed to validate sections of the final version of the document
  including example snippets. These tools show no errors and warnings in the
  document.
 
## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
 
  The document shepherd reviewed this document in more details during WGLC and
  after WGLC and author of this document has addressed all the comments. Yes,
  this document is clearly written, it can be see seen one useful companion document
  triggered by supply chain transparency effort.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

  This draft received YANG Doctor early review, OPSDIR review, GENART review, SECDIR review,
  all comments from these have been well discussed on the opsawg mailing list and addressed
  in the latest version. 
 
11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    The type of RFC publication being requested on the IETF stream is proposed
    standard. It is appropriate for a YANG model that extends IETF MUD model work [RFC8520].
    Yes, the datatracker state attributes correctly reflect this
    intent.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    WG chairs requested authors to confirm conformance with the
    BCP 78 and BCP 79 on 2022-05-01, which can be found at:
    https://mailarchive.ietf.org/arch/msg/opsawg/jTsbEhL3jYKpDdCSv5fPrcJoosw/
    The author of this document also confirmed again that there is no IPR
    related to this document on 2022-06-10, which can be found at:
    https://mailarchive.ietf.org/arch/msg/opsawg/jNgoILCz-joa5z79nThfPDO7tHM/

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

    There is two authors for this document. Both are willing to be listed as authors.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

  idnits tool flags no issues and warnings. Everything looks fine after reading
  the content guidelines on author.ietf.org.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

None.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All normative references are freely available to anyone.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.
 
    None.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No change to any existing RFCs. The YANG model defined in this document just
    imports module defined in RFC8520 which are normative references.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    The document shepherd has reviewed IANA considerations section and confirm
    two new YANG registries, one MUD extension, one Well-Known Prefix registries are correctly specified and consistent with the body of
    this document.The referenced IANA registries have been clearly identified.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.
   
    None.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/

# Document Shepherd Write-Up for Group Documents

*This version is dated 4 July 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this write-up to give helpful context to Last Call
and Internet Engineering Steering Group ([IESG][1]) reviewers, and your
diligence in completing it is appreciated. The full role of the shepherd is
further described in [RFC 4858][2]. You will need the cooperation of the authors
and editors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?
 
  This draft was last called in April 12 and the last call was extended one more week and received a good reviews from Joe Clarke, Carsten Bormann,Tome Petch. These reviews stand
  for strong concurrence of a few individuals, with others being silent. This draft also
  acknowledged 4 people for valuable review.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
 
  No Controversy.
 
3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No.
 
4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  The document author has confirmed there is one implementation on the way,
  see https://github.com/sbomtools/apt2sbom
  The author's response can be found:
  https://mailarchive.ietf.org/arch/msg/opsawg/zt4Nt7e5cibd5NvJfB7PDf3_lho/

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.
 
  This draft has closely interact with SBOM technologies developed by NTIA Multistakeholder
  process on Software Component Transparency Framing Working Group.
  It was agreed to remove SWID and add CycloneDX to improve interoperability.


6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
 
  A YANG Doctor review has been carried out by Ebben Aries which can
  be found in the datatracker.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  The PYANG compilation tool in the datatracker shows no errors and warnings
  in YANG. Yes, the YANG module complies with the NMDA architecture.
 
8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  xml2rfc ietf tool and rfcfold, pyang,yanglint automation tools have been
  installed to validate sections of the final version of the document
  including example snippets. These tools show no errors and warnings in the
  document.
 
## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
 
  The document shepherd reviewed this document in more details during WGLC and
  after WGLC and author of this document has addressed all the comments. Yes,
  this document is clearly written, it can be see seen one useful companion document
  triggered by supply chain transparency effort.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

  This draft received YANG Doctor early review, OPSDIR review, GENART review, SECDIR review,
  all comments from these have been well discussed on the opsawg mailing list and addressed
  in the latest version. 
 
11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    The type of RFC publication being requested on the IETF stream is proposed
    standard. It is appropriate for a YANG model that extends IETF MUD model work [RFC8520].
    Yes, the datatracker state attributes correctly reflect this
    intent.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    WG chairs requested authors to confirm conformance with the
    BCP 78 and BCP 79 on 2022-05-01, which can be found at:
    https://mailarchive.ietf.org/arch/msg/opsawg/jTsbEhL3jYKpDdCSv5fPrcJoosw/
    The author of this document also confirmed again that there is no IPR
    related to this document on 2022-06-10, which can be found at:
    https://mailarchive.ietf.org/arch/msg/opsawg/jNgoILCz-joa5z79nThfPDO7tHM/

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

    There is two authors for this document. Both are willing to be listed as authors.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

  idnits tool flags no issues and warnings. Everything looks fine after reading
  the content guidelines on author.ietf.org.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

None.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All normative references are freely available to anyone.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.
 
    None.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No change to any existing RFCs. The YANG model defined in this document just
    imports module defined in RFC8520 which are normative references.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    The document shepherd has reviewed IANA considerations section and confirm
    two new YANG registries, one MUD extension, one Well-Known Prefix registries are correctly specified and consistent with the body of
    this document.The referenced IANA registries have been clearly identified.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.
   
    None.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/

# Document Shepherd Write-Up for Group Documents

*This version is dated 4 July 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this write-up to give helpful context to Last Call
and Internet Engineering Steering Group ([IESG][1]) reviewers, and your
diligence in completing it is appreciated. The full role of the shepherd is
further described in [RFC 4858][2]. You will need the cooperation of the authors
and editors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?
 
  This draft was last called in April 12 and the last call was extended one more week and received a good reviews from Joe Clarke, Carsten Bormann,Tome Petch. These reviews stand
  for strong concurrence of a few individuals, with others being silent. This draft also
  acknowledged 4 people for valuable review.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
 
  No Controversy.
 
3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No.
 
4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  I haven't heard any existing implementations of the contents of this draft.
 
## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.
 
  This draft has closely interact with SBOM technologies developed by NTIA Multistakeholder process on Software Component Transparency Framing Working Group.
  It was agreed to remove SWID and add CycloneDX to improve interoperability.


6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
 
  A YANG Doctor review has been carried out by Ebben Aries which can
  be found in the datatracker.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  The PYANG compilation tool in the datatracker shows no errors and warnings
  in YANG. Yes, the YANG module complies with the NMDA architecture.
 
8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  xml2rfc ietf tool and rfcfold, pyang,yanglint automation tools have been
  installed to validate sections of the final version of the document
  including example snippets. These tools show no errors and warnings in the
  document.
 
## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
 
  The document shepherd reviewed this document in more details during WGLC and
  after WGLC and author of this document has addressed all the comments. Yes,
  this document is clearly written, it can be see seen one useful companion document
  triggered by supply chain transparency effort.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

  This draft received YANG Doctor early review, OPSDIR review, GENART review, SECDIR review,
  all comments from these have been well discussed on the opsawg mailing list and addressed
  in the latest version. 
 
11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    The type of RFC publication being requested on the IETF stream is proposed
    standard. It is appropriate for a YANG model that extends IETF MUD model work [RFC8520].
    Yes, the datatracker state attributes correctly reflect this
    intent.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    WG chairs requested authors to confirm conformance with the
    BCP 78 and BCP 79 on 2022-05-01, which can be found at:
    https://mailarchive.ietf.org/arch/msg/opsawg/jTsbEhL3jYKpDdCSv5fPrcJoosw/
    The author of this document also confirmed again that there is no IPR
    related to this document on 2022-06-10, which can be found at:
    https://mailarchive.ietf.org/arch/msg/opsawg/jNgoILCz-joa5z79nThfPDO7tHM/

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

    There is two authors for this document. Both are willing to be listed as authors.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

  idnits tool flags no issues and warnings. Everything looks fine after reading
  the content guidelines on author.ietf.org.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

None.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All normative references are freely available to anyone.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.
 
    None.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No change to any existing RFCs. The YANG model defined in this document just
    imports module defined in RFC8520 which are normative references.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    The document shepherd has reviewed IANA considerations section and confirm
    two new YANG registries, one MUD extension, one Well-Known Prefix registries are correctly specified and consistent with the body of
    this document.The referenced IANA registries have been clearly identified.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.
   
    None.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/

# Document Shepherd Write-Up for Group Documents

*This version is dated 4 July 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this write-up to give helpful context to Last Call
and Internet Engineering Steering Group ([IESG][1]) reviewers, and your
diligence in completing it is appreciated. The full role of the shepherd is
further described in [RFC 4858][2]. You will need the cooperation of the authors
and editors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?
 
  This draft was last called in April 12 and the last call was extended one more week and received a good reviews from Joe Clarke, Carsten Bormann,Tome Petch. These reviews stand
  for strong concurrence of a few individuals, with others being silent. This draft also
  acknowledged 4 people for valuable review.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
 
  No Controversy.
 
3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No.
 
4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  I haven't heard any existing implementations of the contents of this draft.
 
## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.
 
  This draft has closely interact with SBOM technologies developed by NTIA Multistakeholder process on Software Component Transparency Framing Working Group.
  It was agreed to remove SWID and add CycloneDX to improve interoperability.


6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
 
  A YANG Doctor review has been carried out by Ebben Aries which can
  be found in the datatracker.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  The PYANG compilation tool in the datatracker shows no errors and warnings
  in YANG. Yes, the YANG module complies with the NMDA architecture.
 
8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  xml2rfc ietf tool and rfcfold, pyang,yanglint automation tools have been
  installed to validate sections of the final version of the document
  including example snippets. These tools show no errors and warnings in the
  document.
 
## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
 
  The document shepherd reviewed this document in more details during WGLC and
  after WGLC and author of this document has addressed all the comments. Yes,
  this document is clearly written, it can be see seen one useful companion document
  triggered by supply chain transparency effort.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

  This draft received YANG Doctor early review, OPSDIR review, GENART review, SECDIR review,
  all comments from these have been well discussed on the opsawg mailing list and addressed
  in the latest version. 
 
11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

The type of RFC publication being requested on the IETF stream is proposed
    standard. It is appropriate for a YANG model that extends IETF MUD model work [RFC8520].
Yes, the datatracker state attributes correctly reflect this
    intent.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

WG chairs requested authors to confirm conformance with the
    BCP 78 and BCP 79 on 2022-05-01, which can be found at:
    https://mailarchive.ietf.org/arch/msg/opsawg/jTsbEhL3jYKpDdCSv5fPrcJoosw/
    The author of this document also confirmed again that there is no IPR
    related to this document on 2022-06-10, which can be found at:
    https://mailarchive.ietf.org/arch/msg/opsawg/jNgoILCz-joa5z79nThfPDO7tHM/

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

There is two authors for this document. Both are willing to be listed as authors.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

  idnits tool flags no issues and warnings. Everything looks fine after reading
  the content guidelines on author.ietf.org.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

None.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

All normative references are freely available to anyone.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.
 
    None.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

No change to any existing RFCs. The YANG model defined in this document just
    imports module defined in RFC8520 which are normative references.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

The document shepherd has reviewed IANA considerations section and confirm
    two new YANG registries, one MUD extension, one Well-Known Prefix registries are correctly specified and consistent with the body of
    this document.The referenced IANA registries have been clearly identified.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.
   
None.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/

There were comments on the list as a result of the first WGLC, which should be addressed. Eliot and Scott, when you think that all comments are addressed by you on either the email list and/or potentially via a revised I-D, please indicate so.