Hi Dick,

Versioning information is available off the cloud for SBOMs as a tuple: "version-info" / "sbom-url". Michael is correct with regard to stuff being pulled off the device.

Eliot

On 03.09.22 01:35, Dick Brooks wrote:
Thanks for clarifying Michael. If I'm understanding you correctly, the /.well-known/sbom reference only pertains to devices which self-host an SBOM file for the software on the device. Correct?

I thought this guidance applied to all three methods:
* on devices themselves
* on a web site (e.g., via URI)
* through some form of out-of-band contact with the supplier.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: Michael Richardson <[email protected]>
Sent: Friday, September 2, 2022 3:45 PM
To: [email protected]
Cc: 'Eliot Lear' <[email protected]>; [email protected]
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-06.txt

Dick Brooks <[email protected]> wrote:
> The general direction makes sense regarding the use of well known
> locations for SBOM retrieval, but I do have one concern, SBOM are
> unique to a specific Supplier+Product+Version. Has there been any
> discussion/guidance regarding a nomenclature for the SBOM artifacts
> themselves within these well-known locations?
> For example:
> https://someplacewithsboms/.well-known/sbom/SupplierS_ProductP_VersionV.sbom
> https://someplacewithsboms/.well-known/sbom/SupplierX_ProductY_VersionZ.sbom

That wouldn't be a sensible thing to do.

First, the .well-known mechanism refers to retrieving the SBOM from the device itself. It's not "someplacewithsboms". It's SELF. So, there aren't multiple suppliers, or multiple products, or multiple versions.

If https://someplacewithsboms/ wants to do something, then they would need to organize their stuff somehow. MUD files, which are produced independently by supplierS and supplierX, would point to some URL if they aren't self-hosting the SBOM.

If the manufacturer has contracted with someplacewithsboms, then that place would provide them with a sensible URL to point at, and it wouldn't be at /.well-known/sbom.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
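As an added example (not code from this thread or from the sbom-access draft), a small MUD-consumer helper that turns the two retrieval cases discussed above into concrete URLs: the self-hosted case resolves /.well-known/sbom against the device itself, and the cloud case uses the "version-info" / "sbom-url" tuples Eliot mentions. The extension key names "local-well-known" and "sboms", the transport scheme list, and the sample values are assumptions, not taken from the draft.

```python
"""Added example, not code from the thread or the draft: a MUD-consumer helper
that turns SBOM-access information from a MUD file into retrieval URLs.
Assumed (hypothetical) layout of the extension dict: an optional
"local-well-known" list of transport schemes (device self-hosts at
/.well-known/sbom, as Michael describes) and an optional "sboms" list of
{"version-info", "sbom-url"} tuples (the cloud case Eliot describes).
Only "version-info" and "sbom-url" come from the thread; the rest is assumed."""
from typing import Dict, List
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/sbom"

# Constructed sample fragment; hosts and versions are placeholders.
EXAMPLE_EXTENSION: Dict = {
    "local-well-known": ["https", "http"],
    "sboms": [
        {"version-info": "1.2", "sbom-url": "https://sboms.example/productp/1.2.json"},
        {"version-info": "1.3", "sbom-url": "https://sboms.example/productp/1.3.json"},
        {"version-info": "1.2", "sbom-url": "http://mirror.example/productp/1.2.json"},
    ],
}


def sbom_locations(extension: Dict, device_host: str, device_version: str) -> List[str]:
    """Return the URLs a MUD consumer should try, in order, for this device.

    Self-hosted case: the well-known path is resolved against the device
    itself ("SELF"), never against a third-party host, so no
    supplier/product/version naming is needed in the path. Cloud case: pick
    the tuple whose version-info matches the version the device reports.
    Plaintext transports are skipped in both cases (an added check, not a
    requirement stated in the thread).
    """
    urls: List[str] = []
    for scheme in extension.get("local-well-known", []):
        if scheme in ("https", "coaps"):
            urls.append(f"{scheme}://{device_host}{WELL_KNOWN_PATH}")
    for entry in extension.get("sboms", []):
        if entry.get("version-info") != device_version:
            continue
        parts = urlsplit(entry.get("sbom-url", ""))
        if parts.scheme == "https" and parts.netloc:
            urls.append(entry["sbom-url"])
    return urls


if __name__ == "__main__":
    for url in sbom_locations(EXAMPLE_EXTENSION, "192.0.2.10", "1.2"):
        print(url)
```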
