On Fri, May 28, 2021 at 08:37:54PM +0200, Eliot Lear wrote:
> Toerless,
> 
> Feel free to come up with whatever work flows you want. However...   I'm
> less fine with is creating a new endpoint to retrieve the exact same
> information.

Agreed.

But: when we want to make attestation information available for BRSKI,
we cannot use "retrieval" == "push" URLs, we need to use some form of "push"
URL because in BRSKI the SBOM device itself is the client, not the server.

So, the proposal actually would NOT introduce a duplicate URL for exactly
the same thing, but like MUD embedding a different "namespace" option.

> The magic you want to implement, so far as I can tell, is
> entirely in the authorization model and that is orthogonal to the RESTful
> endpoint.

Not magic, just policy like I would expect to be the result of pretty much any
SBOM workflow. Yes, that policy result is outside of scope. Like the rest
of the existing SBOM proposal, this would purely be the namespace definitions
to enable the workflow.

Cheers
    Toerless

> Eliot
> 
> 
> 




-- 
---
[email protected]

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
