Thanks for clarifying Eliot.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: Eliot Lear <[email protected]>
Sent: Saturday, September 3, 2022 1:05 AM
To: [email protected]; 'Michael Richardson' <[email protected]>
Cc: [email protected]
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-06.txt

Hi Dick,

Versioning information is available off the cloud for SBOMs as a tuple: "version-info" / "sbom-url".

Michael is correct with regard to stuff being pulled off the device.

Eliot

On 03.09.22 01:35, Dick Brooks wrote:
> Thanks for clarifying Michael.
>
> If I'm understanding you correctly, the /.well-known/sbom reference only pertains to devices which self-host an SBOM file for the software on the device. Correct?
>
> I thought this guidance applied to all three methods:
>
> * on devices themselves
>
> * on a web site (e.g., via URI)
>
> * through some form of out-of-band contact with the supplier.
>
> Thanks,
>
> Dick Brooks
>
> Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
>
> Never trust software, always verify and report! ™
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: Michael Richardson <[email protected]>
> Sent: Friday, September 2, 2022 3:45 PM
> To: [email protected]
> Cc: 'Eliot Lear' <[email protected]>; [email protected]
> Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sbom-access-06.txt
>
>
> Dick Brooks <[email protected]> wrote:
> > The general direction makes sense regarding the use of well known locations for SBOM retrieval, but I do have one concern, SBOMs are unique to a specific Supplier+Product+Version. Has there been any discussion/guidance regarding a nomenclature for the SBOM artifacts themselves within these well-known locations?
>
> > For example:
>
> > https://someplacewithsboms/.well-known/sbom/SupplierS_ProductP_VersionV.sbom
> > https://someplacewithsboms/.well-known/sbom/SupplierX_ProductY_VersionZ.sbom
>
> That wouldn't be a sensible thing to do.
> First, the .well-known mechanism refers to retrieving the SBOM from the device itself. It's not "someplacewithsboms". It's SELF.
> So, there aren't multiple suppliers, or multiple products, or multiple versions.
>
> If https://someplacewithsboms/ wants to do something, then they would need to organize their stuff somehow. MUD files, which are produced independently by supplierS and supplierX, would point to some URL if they aren't self-hosting the SBOM. If the manufacturer has contracted with someplacewithsboms, then that place would provide them with a sensible URL to point at, and it wouldn't be at /.well-known/sbom.
>
> --
> Michael Richardson <[email protected]>, Sandelman Software Works
> -= IPv6 IoT consulting =-

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
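As an added example (not code from this thread, from the draft, or from the IETF), the following Python resolves which of the three retrieval methods applies to a device and enforces the two points made above: /.well-known/sbom is built from the device's own address, never from a host named in the MUD file, and a cloud SBOM is selected by matching "version-info" to the version the device actually reports. The JSON layout, the key names `sbom-local-well-known`, `sboms` and `contact-info`, and all sample hosts and versions are assumptions; only `version-info`, `sbom-url` and `/.well-known/sbom` come from the thread.

```python
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/sbom"  # per the thread: this path means SELF


def resolve_sbom_source(transparency: dict, device_host: str, running_version: str) -> dict:
    """Pick the SBOM source for one device; the dict layout is an assumed stand-in."""
    # 1. Self-hosted: the URL is derived from the device we are talking to.
    scheme = transparency.get("sbom-local-well-known")
    if scheme:
        if scheme != "https":
            return {"method": "local", "url": None,
                    "reason": f"refusing non-TLS scheme {scheme!r} for self-hosted SBOM"}
        return {"method": "local", "url": f"https://{device_host}{WELL_KNOWN_PATH}",
                "reason": "ok"}

    # 2. Cloud-hosted: only the entry whose version-info matches the running
    #    version is usable; an SBOM for another version describes other software.
    for entry in transparency.get("sboms", []):
        if entry.get("version-info") != running_version:
            continue
        url = entry.get("sbom-url", "")
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            return {"method": "cloud", "url": None,
                    "reason": f"sbom-url {url!r} is not an absolute https URL"}
        if parts.path.startswith(WELL_KNOWN_PATH):
            # A third-party host serving /.well-known/sbom contradicts the
            # "it's SELF" rule, so flag it instead of fetching it.
            return {"method": "cloud", "url": None,
                    "reason": f"sbom-url {url!r} uses the device-only well-known path"}
        return {"method": "cloud", "url": url, "reason": "ok"}

    # 3. Out-of-band contact with the supplier (assumed key name).
    if transparency.get("contact-info"):
        return {"method": "contact", "url": None,
                "contact": transparency["contact-info"], "reason": "ok"}

    return {"method": None, "url": None,
            "reason": f"no SBOM source for version {running_version!r}"}


# Constructed samples (assumed hosts and versions, not from the thread).
SAMPLE_CLOUD = {"sboms": [
    {"version-info": "1.2.0", "sbom-url": "https://sboms.example.net/productP/1.2.0.spdx.json"},
    {"version-info": "1.3.0", "sbom-url": "https://sboms.example.net/productP/1.3.0.spdx.json"},
]}
SAMPLE_LOCAL = {"sbom-local-well-known": "https"}
```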
