Dick Brooks <[email protected]> wrote:
> The general direction makes sense regarding the use of well known
> locations for SBOM retrieval, but I do have one concern, SBOMs are
> unique to a specific Supplier+Product+Version. Has there been any
> discussion/guidance regarding a nomenclature for the SBOM artifacts
> themselves within these well-known locations?
> For example:
>
> https://someplacewithsboms/.well-known/sbom/SupplierS_ProductP_VersionV.sbom
>
> https://someplacewithsboms/.well-known/sbom/SupplierX_ProductY_VersionZ.sbom
That wouldn't be a sensible thing to do.
First, the .well-known mechanism refers to retrieving the SBOM from the
device itself. It's not "someplacewithsboms". It's SELF.
So, there aren't multiple suppliers, or multiple products, or multiple versions.
If https://someplacewithsboms/ wants to do something, then they would need to
organize their stuff somehow. MUD files, which are produced independently by
supplierS and supplierX, would point to some URL if they aren't self-hosting
the SBOM. If the manufacturer has contracted with someplacewithsboms, then
that place would provide them with a sensible URL to point at, and it
wouldn't be at /.well-known/sbom.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
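The two cases Michael describes (the device self-hosting its SBOM at its own well-known path, versus a manufacturer's MUD file pointing at an externally hosted URL) can be written down as a small resolver. The following is an added example for this thread, not code from the OPSAWG drafts or from any MUD implementation; the "sbom-url" key inside the MUD document, the hostnames and the sample documents are constructed for illustration (only the "ietf-mud:mud" container and "mud-url" leaf are real MUD names).

```python
"""Resolve where a device's SBOM should be fetched from.

Two cases, following the message above:
  1. No external pointer in the MUD file: the device self-hosts its SBOM,
     so the only sensible location is https://<device>/.well-known/sbom.
  2. The MUD file carries an external SBOM URL: the manufacturer delegated
     hosting, so use that URL, but reject any attempt to reuse the
     /.well-known/sbom path on a host other than the device itself.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN_SBOM_PATH = "/.well-known/sbom"

# Constructed MUD-style documents. The "sbom-url" leaf is a placeholder
# invented for this example, not a key defined by any MUD extension.
MUD_SELF_HOSTED = json.dumps({
    "ietf-mud:mud": {
        "mud-url": "https://manufacturer.example/mud/widget.json",
    }
})

MUD_EXTERNAL = json.dumps({
    "ietf-mud:mud": {
        "mud-url": "https://manufacturer.example/mud/widget.json",
        "sbom-url": "https://sboms.example/manufacturer/widget/1.2.3.spdx.json",
    }
})

# The pattern from the quoted question: supplier/product/version encoded under
# a third party's /.well-known/sbom, which the reply argues is not sensible.
MUD_WRONG_WELL_KNOWN = json.dumps({
    "ietf-mud:mud": {
        "mud-url": "https://manufacturer.example/mud/widget.json",
        "sbom-url": "https://sboms.example/.well-known/sbom/SupplierS_ProductP_VersionV.sbom",
    }
})


def resolve_sbom_url(device_host: str, mud_document: str) -> tuple[str, str]:
    """Return (url, source); source is "device" or "mud".

    device_host is the host (and optional port) the device is reached at.
    Raises ValueError when the MUD file's SBOM pointer is malformed or
    misuses the well-known path on a third-party host.
    """
    mud = json.loads(mud_document).get("ietf-mud:mud", {})
    external = mud.get("sbom-url")

    if external is None:
        # Self-hosted: the well-known path refers to SELF, nothing else.
        return f"https://{device_host}{WELL_KNOWN_SBOM_PATH}", "device"

    parsed = urlparse(external)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"SBOM URL must be an absolute https URL: {external!r}")
    if parsed.netloc != device_host and parsed.path.startswith(WELL_KNOWN_SBOM_PATH):
        raise ValueError(
            "the well-known SBOM path only has meaning on the device itself, "
            f"not on third-party host {parsed.netloc!r}"
        )
    return external, "mud"


if __name__ == "__main__":
    device = "192.0.2.10"  # constructed device address
    for label, doc in (("self-hosted", MUD_SELF_HOSTED), ("external", MUD_EXTERNAL)):
        url, source = resolve_sbom_url(device, doc)
        print(f"{label:12s} -> {url} (from {source})")
    try:
        resolve_sbom_url(device, MUD_WRONG_WELL_KNOWN)
    except ValueError as err:
        print(f"rejected     -> {err}")
```

The check in the external branch is the practical consequence of the reply: a hosting service hands the manufacturer an ordinary URL of its own design, and a MUD file pointing into someone else's /.well-known/sbom is treated as a configuration error rather than resolved.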
