Re: [Iot-onboarding] SBOM : Basic question on how it will be used

Michael Richardson <> Fri, 27 March 2020 20:36 UTC

From: Michael Richardson <>
To: "M. Ranganathan" <>
Date: Fri, 27 Mar 2020 16:36:03 -0400
Message-ID: <1775.1585341363@localhost>

M. Ranganathan <> wrote:
    > Given that there is no automated mechanism to actually check if the
    > SBOM is consistent with the software that is bundled with the device
    > is it regarded as being just informational (i.e. an additional piece
    > of information about the device that the manufacturer ships)?  If the
    > SBOM is informational and specific to the software that is actually on
    > the device and you trust the software that is on the device, then I'd
    > imagine the device could publish its own SBOM.

I think that the SBOM is an assertion from the manufacturer that a particular
set of firmware contains a particular set of software.
The list of software (in the form of SWIDs or CoSWIDs, I hope) can be
compared automatically against CVEs.

If you want to know what firmware a device is running, then you need:
  1) an attestation that the device is trustworthy
  2) a claim from the device about its SBOM

Generating (1) might also return the SBOM in the Attestation Result.
It might be redundant to also put it in the MUD file, but it does create a
nice auditable trail.

One vendor in this space:

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-
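The two steps in the message above (first an attestation that the device is trustworthy, then an SBOM claim that can be compared automatically against CVEs) as an added, constructed Python example; this is not code from the original message, from the IETF RATS or SUIT work, or from any vendor. It assumes a verifier that hands the relying party an Attestation Result carrying the SBOM as a claim. The result is authenticated here with an HMAC shared between verifier and relying party as a stand-in for a real signature, the component list uses CoSWID attribute names but is plain JSON rather than CBOR, and the CVE identifiers, version ranges and device identifiers are made up for the example.

```python
"""Constructed example: verify an Attestation Result that carries an SBOM
claim, then match the listed components against a local vulnerability feed.

Assumptions (not from the original message): the Attestation Result is JSON
authenticated with an HMAC shared by verifier and relying party (stand-in for
a real signature), the SBOM uses CoSWID attribute names as JSON rather than
CBOR, and the CVE identifiers and version ranges are invented.
"""
import hashlib
import hmac
import json
import re
from typing import Dict, List, Tuple

# Constructed feed: package -> [(cve_id, first_affected, first_fixed)].
# A component is affected when first_affected <= version < first_fixed.
CONSTRUCTED_CVE_FEED: Dict[str, List[Tuple[str, str, str]]] = {
    "busybox": [("CVE-0000-0001", "1.30.0", "1.31.1")],
    "openssl": [("CVE-0000-0002", "1.1.1", "1.1.1g"),
                ("CVE-0000-0003", "1.0.0", "1.1.1d")],
    "dropbear": [("CVE-0000-0004", "2017.75", "2019.78")],
}

SHARED_KEY = b"constructed-verifier-key"  # stand-in for the verifier's signing key

# Constructed SBOM using CoSWID attribute names (software-name, software-version, tag-id).
CONSTRUCTED_SBOM = [
    {"tag-id": "example-busybox-1.31.0", "software-name": "BusyBox", "software-version": "1.31.0"},
    {"tag-id": "example-openssl-1.1.1d", "software-name": "OpenSSL", "software-version": "1.1.1d"},
    {"tag-id": "example-dropbear-2019.78", "software-name": "Dropbear", "software-version": "2019.78"},
]


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split a dotted version into (number, suffix) pairs so that 1.1.1 < 1.1.1d < 1.1.1g.

    Simplification: a shorter version sorts before a longer one ("1.30" < "1.30.0").
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        parts.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return tuple(parts)


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """Half-open range check: affected if first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def match_cves(components: List[dict], feed: Dict[str, List[Tuple[str, str, str]]]):
    """Step 2 of the message: compare the SBOM's component list against the CVE feed."""
    findings = []
    for comp in components:
        name = comp["software-name"].lower()
        for cve_id, lo, hi in feed.get(name, []):
            if is_affected(comp["software-version"], lo, hi):
                findings.append((name, comp["software-version"], cve_id))
    return findings


def issue_attestation_result(claims: dict, key: bytes) -> dict:
    """Verifier side (simulated): emit claims plus an HMAC over the canonical payload."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_attestation_result(result: dict, key: bytes) -> dict:
    """Step 1 of the message: trust no claim, SBOM included, until the result checks out."""
    expected = hmac.new(key, result["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, result["mac"]):
        raise ValueError("attestation result failed integrity check")
    claims = json.loads(result["payload"])
    if claims.get("status") != "trustworthy":
        raise ValueError(f"device not trustworthy: {claims.get('status')!r}")
    return claims


def evaluate_device(result: dict, key: bytes, feed) -> List[Tuple[str, str, str]]:
    """Verify the result, then match the SBOM claim it carries against the feed."""
    claims = verify_attestation_result(result, key)
    return match_cves(claims["sbom"], feed)


CONSTRUCTED_RESULT = issue_attestation_result(
    {"status": "trustworthy", "device-id": "example-device-0001", "sbom": CONSTRUCTED_SBOM},
    SHARED_KEY,
)


def tampered_result_rejected() -> bool:
    """Failure mode: an SBOM edited after issuance must not pass verification."""
    forged = dict(CONSTRUCTED_RESULT)
    forged["payload"] = forged["payload"].replace("1.31.0", "1.31.1")  # hide the BusyBox finding
    try:
        evaluate_device(forged, SHARED_KEY, CONSTRUCTED_CVE_FEED)
    except ValueError:
        return True
    return False


def untrusted_device_rejected() -> bool:
    """Failure mode: a well-formed result for an untrustworthy device yields no SBOM verdict."""
    result = issue_attestation_result({"status": "untrusted", "sbom": CONSTRUCTED_SBOM}, SHARED_KEY)
    try:
        evaluate_device(result, SHARED_KEY, CONSTRUCTED_CVE_FEED)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, version, cve in evaluate_device(CONSTRUCTED_RESULT, SHARED_KEY, CONSTRUCTED_CVE_FEED):
        print(f"{name} {version}: {cve}")
    print("tampered result rejected:", tampered_result_rejected())
    print("untrusted device rejected:", untrusted_device_rejected())
```

The order of operations is the point: the relying party only consults the CVE feed after the Attestation Result verifies, so a device (or an on-path attacker) cannot quietly drop a component from its SBOM claim without breaking the integrity check. The version comparison is deliberately simple and would need to follow each ecosystem's own rules in practice.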