Re: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Qin Wu <> Sat, 16 January 2021 12:17 UTC

From: Qin Wu <>
To: Henk Birkholz <>, opsawg <>

Hi, authors of draft-lear-opsawg-sbom-access-00:
What is the key difference between sbom-url and local-uri? I feel a little bit confused when reading the definitions of sbom-url and local-uri.
Based on the definition of local-url,
case local-uri {
              "The choice of sbom-local means that the SBOM resides at
              a location indicated by an indicted scheme for the
              device in question, at well known location
              '/.well-known/sbom'.  For example, if the MUD file
              indicates that coaps is to be used and the host is
              located at address, the SBOM could be retrieved
              at 'coaps://'.  N.B., coap and
              http schemes are NOT RECOMMENDED.";
I think local-url is more related to a well-known URL, while sbom url is more related to a local domain URL. What am I missing?
The question is: should the SBOM server be discovered in the cloud or in the local domain?

From: OPSAWG [] On Behalf Of Henk Birkholz
Sent: January 5, 2021 0:10
To: opsawg <>
Subject: [OPSAWG] 🔔 WG Adoption Call on draft-lear-opsawg-sbom-access-00

Dear OPSAWG members,

this starts a call for Working Group Adoption on ending on Monday, January 25.

As a reminder, this I-D describes different ways to acquire Software Bills of Material (SBOM) about distinguishable managed entities. The work was updated by the authors on October 13th and now elaborates on three ways SBOM can be found, including a MUD URI as one of the options.

Please reply with your support and especially any substantive comments you may have.

For the OPSAWG co-chairs,

