Goals:
* Write down definitions of the "things" (entities) that are described by
logical model elements.  Every element instance is metadata about an entity
instance.
* Model identities in the simplest way that allows definition of SBOMs. It
should be consistent with general identity management concepts but does not
need to support general identity management use cases.

Use cases / examples are helpful in resolving punch list questions about
definitions.

A big problem is that it is difficult to write a definition of an
"identity" thing; identity is the human mental model of physical things as
they are perceived over time.
* A meatbag human has the same unique DNA throughout its lifetime, but may
have many "identities" shared with overlapping or disjoint sets of other
entities over overlapping or disjoint time intervals.
* An organization doesn't have an underlying entity, it exists because one
or more people decide to do something for some time interval under its
name/brand/identity.
* A process (fixed program or trainable AI) can be an actor making
decisions algorithmically or a tool mechanically carrying out individual
decisions made by a human.  In either case the only reason the process
would be assigned an identity is to attribute its actions separately from
the person/organization that invoked it.  Nobody cares whether Gary uses
Notepad or VSCode to type an SBOM character by character; that tool doesn't
need an identity. But a process started by Gary or an organization might
create an SBOM under any combination of {process, person or organization}
identities.
* An artifact (e.g., a book, a car, source code for a program) is an
immutable physical entity ("thing").  Different entities may be linked by
giving them type/version/serial identities (title/edition, model/year/VIN,
name/version).

* Person instance - physical entity, one entity has many identities
* Organization instance - no physical entity, may have charter, buildings,
behaviors
* Process instance - no physical entity, code performing actions, optional
identity
* Artifact* instance - physical entity, multiple entities may have same
identity

* A separate definition question - which if any are artifacts: person,
organization, running process/tool?

Identities are modeled as sets of identifying and descriptive attributes.
Identities may be issued credentials containing one or more identifiers
(identifying attributes).
Credentials are used to authenticate an identifier, not an identity - the
recipient knows only the attributes included in the credential, not the
complete set of attributes known to the identity manager.

------------------------------------

In my opinion the SBOM use cases and logical model do not need to address
identity at all.  The only requirement is to be able to refer to an
identity, not model it.  An identifier is a reference to an identity and is
contained in credentials used to support data origin authentication
(verification). Nor does the type of identity matter - if an artifact is
created by "[email protected]", is the consumer of the SBOM going to take
different action based on whether the identifier is assigned to a person,
an organization, or a process acting on behalf of itself or a person or
organization?

The only identifier type information I would recommend is syntactic - an
rfc822 name (an identifier in the form of an email address even if no email
can be routed to it) is a different format from a GUID, employee number, or
device serial number.  To the extent that string identifiers can be
validated, enumerating the supported syntaxes is useful.

But "because it's there" is not a sufficient use case for attempting to
model identities instead of just identifiers.  The benefits of doing so
have to outweigh the complexity.

v/r,
Dave
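One way the syntactic check suggested in the message could look, as an added example that is not part of Dave's message or of the SPDX model: a registry of identifier syntaxes that validates only the form of a string and says nothing about whether its subject is a person, an organization, or a process. The syntax names, the simplified patterns and the sample creator strings are assumptions.

```python
import re
# Assumed syntax names and simplified patterns (not from the SPDX model): each
# check looks only at the form of the string and cannot tell whether the
# identifier belongs to a person, an organization or a process.
# RFC 822 addr-spec, simplified: local-part "@" domain with at least one dot.
# The address need not be routable; only its shape is checked.
_RFC822_RE = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)
# GUID in canonical 8-4-4-4-12 hex form, optionally wrapped in braces.
_GUID_RE = re.compile(
    r"\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?"
)

def is_rfc822_name(value: str) -> bool:
    return _RFC822_RE.fullmatch(value) is not None

def is_guid(value: str) -> bool:
    # Braces must be balanced: both present or neither.
    if value.startswith("{") != value.endswith("}"):
        return False
    return _GUID_RE.fullmatch(value) is not None

# The enumerated supported syntaxes; dict order decides which name is reported.
SYNTAXES = {"rfc822Name": is_rfc822_name, "guid": is_guid}

def classify_identifier(value: str):
    """Return the name of the first syntax the value conforms to, or None."""
    for name, check in SYNTAXES.items():
        if check(value):
            return name
    return None

def check_identifiers(values):
    """Split identifier strings into accepted (value -> syntax) and rejected."""
    accepted, rejected = {}, []
    for v in values:
        syntax = classify_identifier(v)
        if syntax is None:
            rejected.append(v)
        else:
            accepted[v] = syntax
    return accepted, rejected
# Constructed sample "created by" strings as they might appear in an SBOM.
SAMPLE_CREATORS = [
    "dave@example.com",                        # rfc822Name
    "{123e4567-e89b-12d3-a456-426614174000}",  # guid, braced
    "123e4567e89b12d3a456426614174000",        # hex without dashes: rejected
    "EMP-00042",                               # employee number: no syntax registered
]
```

Adding an employee-number or device-serial syntax is a matter of registering another predicate in SYNTAXES; the consumer still learns nothing about what kind of entity is behind the identifier.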


View/Reply Online (#4433): https://lists.spdx.org/g/Spdx-tech/message/4433