Eliot,

The general direction makes sense regarding the use of well-known locations for 
SBOM retrieval, but I do have one concern: SBOMs are unique to a specific 
Supplier+Product+Version. Has there been any discussion/guidance regarding a 
nomenclature for the SBOM artifacts themselves within these well-known 
locations?

For example:
https://someplacewithsboms/.well-known/sbom/SupplierS_ProductP_VersionV.sbom

https://someplacewithsboms/.well-known/sbom/SupplierX_ProductY_VersionZ.sbom


Thanks,

Dick Brooks
  
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
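
The naming question above, worked through as an added example (not code from the draft or from any list participant): it builds and parses artifact names of the Supplier_Product_Version.sbom form under a .well-known/sbom/ path, using the same "_" separator the post proposes. The component rules, the rejection of "_" and "/" inside a component, and the sample supplier/product/version values are assumptions made here to show why the separator choice matters: if a supplier or product name may itself contain "_", the name is ambiguous, and if a component may contain "/" or "..", the well-known path can be escaped.

```python
"""Build and parse SBOM artifact names under .well-known/sbom/.

Assumed nomenclature (not from the draft): <Supplier>_<Product>_<Version>.sbom
Assumed component rule: letters, digits, ".", "-", "+"; no "_", no "/".
"""

import re
from urllib.parse import quote, unquote, urlsplit

WELL_KNOWN_PREFIX = "/.well-known/sbom/"
SUFFIX = ".sbom"

# A component must start with an alphanumeric character, so "." and ".." are
# rejected, and it must not contain "_" (the field separator) or "/" (a path
# separator). Both restrictions are assumptions made for this example.
_COMPONENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-+]*")


def check_component(value):
    """Return value unchanged if it is a valid name component, else raise."""
    if not _COMPONENT_RE.fullmatch(value):
        raise ValueError(f"invalid SBOM name component: {value!r}")
    return value


def artifact_name(supplier, product, version):
    """Compose the file name; every field is validated before joining."""
    fields = (check_component(f) for f in (supplier, product, version))
    return "_".join(fields) + SUFFIX


def artifact_url(base, supplier, product, version):
    """Full well-known URL; the name is percent-encoded for the URL path."""
    name = artifact_name(supplier, product, version)
    return base.rstrip("/") + WELL_KNOWN_PREFIX + quote(name)


def parse_artifact_url(url):
    """Recover supplier/product/version from a well-known SBOM URL.

    Rejects anything outside the prefix, any name without the suffix, any
    name that does not split into exactly three fields, and any field that
    fails the component rule (which also catches decoded "../" segments).
    """
    path = urlsplit(url).path
    if not path.startswith(WELL_KNOWN_PREFIX):
        raise ValueError("not a well-known SBOM path")
    name = unquote(path[len(WELL_KNOWN_PREFIX):])
    if not name.endswith(SUFFIX):
        raise ValueError("missing .sbom suffix")
    fields = name[: -len(SUFFIX)].split("_")
    if len(fields) != 3:
        raise ValueError("expected exactly three '_'-separated fields")
    supplier, product, version = (check_component(f) for f in fields)
    return {"supplier": supplier, "product": product, "version": version}


if __name__ == "__main__":
    # Constructed sample values, matching the shape used in the post.
    url = artifact_url("https://someplacewithsboms", "SupplierS", "ProductP", "VersionV")
    print(url)
    print(parse_artifact_url(url))
```

Because "_" is forbidden inside a component, the three-field split is unambiguous; a scheme that allowed underscores in product names would need a different separator or a per-field encoding. Validating each decoded field (rather than only the raw path) is what keeps a percent-encoded "../" from reaching the filesystem on the serving side.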

-----Original Message-----
From: OPSAWG <[email protected]> On Behalf Of Eliot Lear
Sent: Thursday, September 1, 2022 8:11 AM
To: [email protected]
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-06.txt

Hi,

The intent of this draft was to address all WGLC comments.  I hope that we 
have.  One major change based on Joe's comments:

We moved from enums to identities in one case.  In doing so we pulled out 
support for openc2, because it can easily be added back in later.

Jean Camp asked for an archive node, so we added that.

Please check my work.

Eliot

On 01.09.22 14:02, [email protected] wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the Operations and Management Area Working Group 
> WG of the IETF.
>
>          Title           : Discovering and Retrieving Software Transparency 
> and Vulnerability Information
>          Authors         : Eliot Lear
>                            Scott Rose
>    Filename        : draft-ietf-opsawg-sbom-access-06.txt
>    Pages           : 21
>    Date            : 2022-09-01
>
> Abstract:
>     To improve cybersecurity posture, automation is necessary to locate
>     what software is running on a device, whether that software has known
>     vulnerabilities, and what, if any recommendations suppliers may have.
>     This memo specifies a model to provide access to this information.
>     It may optionally be discovered through manufacturer usage
>     descriptions.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access-06
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-sbom-access-06
>
>
> Internet-Drafts are also available by rsync at 
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> OPSAWG mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsawg
>
