My bad. I didn't mean "under control" as having an integrity mechanism, I meant "having the ability to decide what goes into the local ID". Which is synonymous with saying that as far as the SPDX standard and SPDX-consuming applications are concerned, local IDs are opaque.

On Tue, Aug 3, 2021 at 3:48 PM William Bartholomew <[email protected]> wrote:

> On Tue, Aug 3, 2021 at 11:34 AM David Kemp <[email protected]> wrote:
>
>> 2) elements are always identified by namespace and local ID, where local
>> means under the control of the namespace owner. Don't get hung up on what
>> owner means - anybody can become an owner by generating a 256 bit
>> random number for their namespace.
>
> We're not proposing a model where namespaces are "controlled", which would
> require either a central authority or some form of challenge-response
> process for verifying control. Nothing would stop me declaring elements in
> your namespace, what I can't do is sign an SBOM as you.
