IETF Logo Mail Archive

Re: [urn] Namespace Identifier: Requested of IANA - cdx

"Hakala, Juha E" <juha.hakala@helsinki.fi> Fri, 14 January 2022 06:24 UTC

Return-Path: <juha.hakala@helsinki.fi>
X-Original-To: urn@ietfa.amsl.com
Delivered-To: urn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 748E53A1C00 for <urn@ietfa.amsl.com>; Thu, 13 Jan 2022 22:24:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=helsinkifi.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJTfEx22bNDg for <urn@ietfa.amsl.com>; Thu, 13 Jan 2022 22:24:06 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140104.outbound.protection.outlook.com [40.107.14.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 511673A1BFE for <urn@ietf.org>; Thu, 13 Jan 2022 22:24:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lkvkQIUSHJF1PLXoqc0uqzB06WjCp0/eaqF2m5jA4/u2199cNA1s+b3S7Zdi9bpPIoGjiFk4SSag5Ifpbef3De4Da0iB2wZHB1uQR/+1YdjdHsoxXfoqUFve2yqV1PHL6AgSCZOr5RRV6koMwDR6S8OTeLrXE+/40r713JDAcY5P5fXGaFjKNi0Exqnvpgs6405mQpRjkv+1EpFx2g8gymwHW9FCVKz9e7eTMyskvIwNkrs46bciA21yYTa/n1r4qGkWgkNiPsBfn8JUnkimT1sPVA7JmimW+79NzpFEwRT00KBD5SOkXN+0hQlkIDzjOkk61SODkX4SQS36lVCKkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=B4qJSp3Em0oDw3xZJ3jj9K+shuNkJ3nKxsnT/VMEm9M=; b=DKMGTwRCld1dswfb8W0fQ5PTNmKkGozYJjf2jNqQLHxs2cIplscTDtSbtmzaXcA9cz22tY41UlXXunFfYFwPuUOJ0aHGbX1IcQsjkF2FyjdHbVrpX1GSH6VFnJM6jocjhUQvY6NAohdRN8HzM6OFYLKkz0jWIQqZBBtLpg0BEYoGFR/eSxDhzODSaRCdYfy4ZE2aCDyL4oISB/cZCqjbmHAZNJcNKbhM/SZ1G5eFCtEwO+sieUSqRrXXufCNRd5x3lllOKMa6Iml4md8EtkwbYp4vA50fNaRfBYlXDN1pee4/VptFCiA8sgl7RFR+WXjbCZJk32jOTfi7ufBtBWgJg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=helsinki.fi; dmarc=pass action=none header.from=helsinki.fi; dkim=pass header.d=helsinki.fi; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=HelsinkiFI.onmicrosoft.com; s=selector1-HelsinkiFI-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=B4qJSp3Em0oDw3xZJ3jj9K+shuNkJ3nKxsnT/VMEm9M=; b=HCJ5VIIC2tBDUjKTmx5o0OGZP6FwUBqrw39ZPOmdQvgKWdM6TzaPNb8AH7CSq6wDjuBsDdmo/6rYailCoSP5TasqpBFsWaqts5yKo3mq0maDNmWJSPq1uZlT058LwkgsspGNvA9PiTkDeMe3Ut8AMsIOBP+E+y54Onvc04mEGxs=
Received: from HE1PR07MB3196.eurprd07.prod.outlook.com (2603:10a6:7:2e::17) by VI1PR07MB5391.eurprd07.prod.outlook.com (2603:10a6:803:c1::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.7; Fri, 14 Jan 2022 06:24:00 +0000
Received: from HE1PR07MB3196.eurprd07.prod.outlook.com ([fe80::5073:2902:fdf0:d407]) by HE1PR07MB3196.eurprd07.prod.outlook.com ([fe80::5073:2902:fdf0:d407%3]) with mapi id 15.20.4909.003; Fri, 14 Jan 2022 06:24:00 +0000
From: "Hakala, Juha E" <juha.hakala@helsinki.fi>
To: Patrick Dwyer <patrick.dwyer@owasp.org>, "Dale R. Worley" <worley@ariadne.com>
CC: "urn@ietf.org" <urn@ietf.org>
Thread-Topic: [urn] Namespace Identifier: Requested of IANA - cdx
Thread-Index: AQHYAo9obl7xH9e7WEmGlaqb8RaSsqxbbbCAgAaePKA=
Date: Fri, 14 Jan 2022 06:24:00 +0000
Message-ID: <HE1PR07MB3196AE69F57A86C035DF81EBFA549@HE1PR07MB3196.eurprd07.prod.outlook.com>
References: <d3762641-86d3-8ac0-587d-8fb0c702c26e@owasp.org> <87ee5leo4y.fsf@hobgoblin.ariadne.com> <CACjy5ZfuG8yARFdboBOq0QrVhEWtGL+2UAuypjeP9xhUjXNEyA@mail.gmail.com>
In-Reply-To: <CACjy5ZfuG8yARFdboBOq0QrVhEWtGL+2UAuypjeP9xhUjXNEyA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: fi-FI
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=helsinki.fi;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: dcd2205a-be8d-4214-8090-08d9d7267419
x-ms-traffictypediagnostic: VI1PR07MB5391:EE_
x-microsoft-antispam-prvs: <VI1PR07MB5391EDE7AA80BFC80146122AFA549@VI1PR07MB5391.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2803;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: CzNggX8aUuZrMjQ0yOUaVaXEaAnf+nJ9gNNMUk29j5ujjf67LJpc4Km8TLykfs34PC3XAjWtlB7TVkejLJTIWltEtmKr+FnS0LIteiQZmJM1KlYaUNGWzYNsQMbvgo02IRi7GyS1VoGgGSyLyTSQUL6DkH0tjAofF23m4TovGP9FEIvriNBQ8XkUgTAib25EgTSz8aqWGRH3dq1hQGPaFARyjDqHrsNX2fck7C07aU+MUzXO90Mcw2RbRAYIiTfGGlu2Bv0Bg1sX4nD9Jpl6k0DjbR8ACg/LuEHy2yAFqJ9lm1Z1MCWacwPQiB1TD3inxK/N8dtOIrqLbVbjtrS2nABgSmBugDNlAAgsoEJA/2+3u7lyK4wGUGK/oAb6qYXiM5nE7Ko4pjn6sY6+WvS3KWRfP9jQU5G/+yUUZOXByY4bn58i3B1YwoH4iL55HjlEToCChr2HWSEWk0YUrc8/V89sZ6cpNqmtejHg2QB8kUOEYv3fTHKx6uJqzuWrl4RVxaeX3171CmWHow2xEYzrzERLmlHTuGpqeGP8xKr79zhiSOnghm2DhdJ5JtRojGdzcc0wnn25TEGn2r9yR+ZB2vvzMoO0I9iDi2AIpiqMHm5ALIyU/aXEqbICHh1zfRGsPW2zvbuyKbePw9olZe4hf3ztXXK+xAXHqjjHLqU22UHZninBat3SMdGFr6bCdbsW85BuH79tUfFVSiMfXNfohIWtSa+xdUvh2GaPa/9D1p1ygRRGfYDH99SGqeuiui0z+M/+1V/vaZhfUaTVq3jl3aCDuC0UlexPuWc6eyI8Q4mvgHdgTFrydsBwOjcBlHhQ7hp9PFIIyhPOKoZBXbqAjA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3196.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(786003)(316002)(53546011)(110136005)(76116006)(64756008)(7696005)(38100700002)(186003)(5660300002)(2906002)(52536014)(86362001)(26005)(38070700005)(30864003)(6506007)(9686003)(4326008)(8676002)(8936002)(66946007)(66446008)(66476007)(66556008)(33656002)(66574015)(55016003)(966005)(508600001)(71200400001)(122000001)(83380400001)(20210929001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 8tzjOpTfc7dloyquiHAS6a1HvGbUfbEDRVT7ZH+92/dAiQvyiCRXZ4cZLdMtNvtKrFvivltNOFKEnr6h0+Wyg78MH8y/AaDxkpeb/4h3B+j3ZiZOqEB3MSD+sw0wzVjPzcsCtz2Zys5D+LDM9wv0e2frfXiDyIZ6rqMuhObcnQlycMDiWCgYHWBhSCwj5aHIyphGNY5KWSTA0HJzBgR1CKJNOPxbi8ciXiiPoGp+Tj4JAR45tVtYjGi6SC/CIonlRZvFQTHZjv3dfGh6gRyKCdPc06oPq2LwR88gsOINVGFyo/iDsN++M3ovH3Afs7sXqy05mEoOiruQNk/MgvfRCMYOwVsHXcCLaa8wxLWdcoUSaHS6NCNr3YSyRKxCozjySCq8oBnD6XiBEo347ZmsmSfOb7Uf4SaglbSMo02S75hPnAhhl3pT9Ep2xkEE9OhtZK1EpBVHdmUkCm97hP0BTFCzJBBoW7zCsx5WUEHJFA6eYhvQAg8i9EUFyzRBOcBFODYBH28mW6ZZZM1Qrs5hAIE2hZXMqSFI07dtVds4bXNJckDuRKO97bbznXUc4c9y+SVjp/Umijwjd1uWjEgh4dii/DUF39KjNKC8/MfLdukpM0J2dB2gy9jbclcNHswSJoqEtVGwl6Myyzbu7w+4bc2yaTlRSPf4DseeCgvAGbG0v4iBRPKQX3HTJ/6+EcpSXiOY5sShInws2ileh3zgXGHKQqIYlGQVwHICzCStaurrIKH+6ZdQ2PwVI8nvZHmrSycoZbrMZr7C+3lmdEWftvsVC5+9ppP/l1+FDXvpBsuHBBoWzn/LKjJR0hRIuYuNQVnifywpcDXlOpmqn+qwlidIXTjfRqQKKrzwdKlDP/zMybKWjz7DpsWBSOCA5yb2Klj3HbWfokCGSj/HsBi6YVW5kuK377x1NPrllj5lqevuVR+dAdLjt9tp91pXolH6+TedbHfwi9MBAfkX/XpHQIWIzHcv/ihHiWQuCpN99ky0i6T0pQnHw1u2fGFFuNictKDIc8UJ8QCM/WWPzAUPJsyJf/mPBVbepggKhCS+lRL4B27VJ+dA1a+FsHF7GnzmCKH+I3ix56ezNaUwn1mE1JUtXhasSkQXYZZdDkKUoHdpK2fRd7M/FHi7zcxvO2bPIVAesrz/iH2oSvkyDgnEjqYnc3fbtXejQaPtCWSWT9s22Oy5ZkphQAbRR61DSEOUaGEx6C25k2SwFjZIEqT4PLvNW9xpYEcwfwbp7t0E54gkYOm9EfnkZ5gqAEQch315wu09FKPt8WzIac5M/kjkQSWAjpJt4FfTFJkkt6AdX/eSFOHv+g/Tfe/SCwxjscylYVJE9fRRdQXuwYd4u+ksizxe4+K2bx5NZ4+k2HN6nDJkLFoGC9wpWAnXXI4WsJn0kw2ivJ2QO8JJ5JI52kKN3R5feqdPCMUcA42828O9RWz+6JFdpGqqnkiDQFycH0ctcrQNEvk16UwnU4HRMH5DH7JHbCyYAiWtgqNMsQPEOVnc1cOhiEXlwK6yLcFOIYYeXeqgjZCquod6ZAY5Xs6lS8YSm2Ey8EYz61OmCljyMKr9tWUpFJeM6K/LJDye3udfMJhhFBfmRPm2qktWpakYlw==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: helsinki.fi
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3196.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: dcd2205a-be8d-4214-8090-08d9d7267419
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jan 2022 06:24:00.4943 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 98ae7559-10dc-4288-8e2e-4593e62fe3ee
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: VVwUvddKPTaxZCGQRM/dpFA/IKG/zxtbqCDOSpuHblOhE+UGZ9aSVphoSSWZVNCNqxbTHXvqDxCEa0iuyqNePA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5391
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/lXeVBYvrzBFR4-7f80h6vuE1gh0>
Subject: Re: [urn] Namespace Identifier: Requested of IANA - cdx
X-BeenThere: urn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Revisions to URN RFCs <urn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/urn>, <mailto:urn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/urn/>
List-Post: <mailto:urn@ietf.org>
List-Help: <mailto:urn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/urn>, <mailto:urn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jan 2022 06:24:12 -0000

Hello Patrick, 

Dale and Peter did not leave much for me to say :-). In its revised form the text is almost fine; I found just some issues and minor typos.

You (or Dale, in fact) say: 

CycloneDX also supports "BOM refs". A BOM ref is a reference to a particular element within a BOM. A "cdx" URN with an f-component is a BOM ref, with the fragment identifier specifying the element within the BOM identifier by the URN.

This combines URN syntax (URN f-component) and URI syntax (URI fragment identifier) when talking about the same thing. I found this confusing, since URI fragments have a role in identification, whereas f-components don't. It might be better to write the entire sentence from the URN syntax point of view. Also there seems to be a typo in "BOM identifier".  Suggested new text:

CycloneDX also supports "BOM refs". A BOM ref is a reference to a particular element within a BOM. A "cdx" URN with an f-component is a BOM ref, with the f-component specifying the location of the element within the BOM identified by the URN. 

 Word "and" seems to be misplaced here: 

The syntax for a CycloneDX URN namestring is defined using the Augmented Backus-Naur Form (ABNF) below. And uses "UUID" as defined in [RFC4122] and "fragment" as defined in [RFC3986]

It is better to say: 

The syntax for a CycloneDX URN namestring is defined using the Augmented Backus-Naur Form (ABNF) below. It uses "UUID" as defined in [RFC4122] and "f-component" as defined in [RFC8141]

since, as I have said above, in the URN context URI fragments are called f-components in order to make clear that they do not identify anything; they just indicate the location of something within the identified resource. From BOM reference point of view URN approach is IMO sufficient. Elements within BOM do not require URNs of their own; it is enough to locate them. 

In this paragraph: 

CycloneDX URNs are assigned in a decentralised way, using the bom-serial-number.
A bom-serial-number is a version 4 UUID as defined in [RFC4122]. And is unique to a specific BOM.

there is another misplaced "and".  It might be a good idea to say that bom-serial-numbers are not only unique but also persistent: 

CycloneDX URNs are assigned in a decentralised way, using the bom-serial-number.
bom-serial-numbers are version 4 UUIDs as defined in [RFC4122]. Once assigned, bom-serial-numbers are unique and persistent.

In the Interoperability clause, bom-serial-number is written as BOM serial number. I prefer this format, but you should decide which one to use throughout the document.

This is an interesting and relevant usage of URNs.  

All the best, 

Juha

-----Alkuperäinen viesti-----
Lähettäjä: urn <urn-bounces@ietf.org> Puolesta Patrick Dwyer
Lähetetty: maanantai 10. tammikuuta 2022 2.31
Vastaanottaja: Dale R. Worley <worley@ariadne.com>
Kopio: urn@ietf.org
Aihe: Re: [urn] Namespace Identifier: Requested of IANA - cdx

Thanks for the great feedback Dale.

Revised below:

Namespace Identifier:  Requested of IANA - cdx

Version:  1

Date:  2022-01-01

Registrant:

Patrick Dwyer, on behalf of the OWASP CycloneDX project.
Email: patrick.dwyer@owasp.org
Address:
The OWASP Foundation Inc.
401 Edgewater Place, Suite 600
Wakefield, MA 01880

Purpose:

CycloneDX is a software bill of materials OWASP standard. CycloneDX bill of materials documents (BOMs) are intended to be exchanged between different parties of the software supply chain.

URNs in the "cdx" namespace are used as a means of persistently identifying CycloneDX BOMs.

When creating a BOM, a CycloneDX URN can be used to reference an upstream BOM for a component rather than embedding it inline. This may be a consideration for performance reasons. Especially in resource constrained environments such as embedded devices. It can also be used when a software supplier does not have authority to share upstream BOM content directly.

CycloneDX also supports "BOM refs". A BOM ref is a reference to a particular element within a BOM. A "cdx" URN with an f-component is a BOM ref, with the fragment identifier specifying the element within the BOM identifier by the URN.

Syntax:

The syntax for a CycloneDX URN namestring is defined using the Augmented Backus-Naur Form (ABNF) below. And uses "UUID" as defined in [RFC4122] and "fragment" as defined in [RFC3986].

     namestring             = assigned-name [ "#" f-component ]
     assigned-name          = "urn:cdx:" NSS
     NSS                    = bom-serial-number "/" bom-version
     bom-serial-number-uuid = UUID
     bom-version            = nonzero-digit *digit ; an integer >= 1
     f-component            = fragment
     nonzero-digit          = %x31-39 ; 1-9

Assignment:

CycloneDX URNs are assigned in a decentralised way, using the bom-serial-number.
A bom-serial-number is a version 4 UUID as defined in [RFC4122]. And is unique to a specific BOM.

Security and Privacy:

As CycloneDX URNs are based on UUIDs they have the same security considerations as UUID URNs as per [RFC4122].

Additionally, there are no specification limitations beyond [RFC3986] on what can be included in an f-component. Given that f-components may be published in CyclineDX URNs, producers of BOMs should avoid using any value on which there are sharing restrictions. For producers of BOMs who have high confidentiality requirements, it is recommended to use UUIDs for f-components.

Interoperability:

Although CycloneDX BOMs may use a UUID URN to identify a BOM via its BOM serial number, the serial number isn’t sufficient when referencing a BOM because a particular BOM may be revised over time. Even in the case of legacy software that is not conceptualized as changing, mistakes and omissions can be corrected over time causing changes in the BOM. This is allowed for by successive "cdx"
URNs in which the BOM serial number is static and the version is incremented.

Resolution:

No prescriptive resolution mechanisms are envisioned.

Resolution mechanisms will be determined between parties in the software supply chain, or by organizations using CycloneDX BOMs internally.

Documentation:

Please note, this URL will be updated to reference the URN registration.

https://cyclonedx.org/capabilities/rfc-tbd/

Additional Information:

More information about CycloneDX can be found on the project homepage at https://cyclonedx.org

More general information about software bill of materials can be found at https://www.ntia.gov/sbom


On Thu, Jan 6, 2022 at 9:52 AM Dale R. Worley <worley@ariadne.com> wrote:
>
> I've got a number of editorial nits, and one technical question:  
> Should it revise the syntax of bom-version based on its underlying semantics?
>
> ----------
>
> There are some places where the sentence structure is rough, so you 
> probably want someone to copy-edit the text.
>
>     Patrick Dwyer, on behalf of OWASP CycloneDX
>
> You probably want to say "on behalf of OWASP", as CycloneDX isn't an 
> organization.  Alternatively, you may want to conceptualize "the 
> CycloneDX project" apart from OWASP, in which case you'd say "on 
> behalf of the CycloneDX project".
>
>     CycloneDX is an open source software bill of materials OWASP
>     standard.
>
> I'm not sure of the significance of "open source" here.  Is CycloneDX 
> only applicable to open-source software?  Or is the standard somehow 
> open-source?
>
>     The “cdx” namespace is used ...
>
> Better, 'URNs in the "cdx" namespace are used ...'.
>
>     CycloneDX also supports “BOM refs”. BOM refs are unique BOM scoped
>     references to a particular element. A URN with an optional BOM ref
>     f-component can be used to reference an element within another BOM.
>
>     Referencing a specific element in a BOM is particularly relevant for use
>     cases like describing known vulnerabilities in a component in the
>     context of a particular assembled piece of software or embedded device.
>
> This text is interesting, but it seems to me that you'd need quite a 
> bit more description to enable the reader to understand the import of 
> BOM refs.  So I think you should trim it back to provide just enough 
> context for why the grammar specifies f-components.  Say:
>
>     CycloneDX also supports “BOM refs”. A BOM ref is a reference to a
>     particular element within a BOM.  A "cdx" URN with an f-component is
>     a BOM ref, with the fragment identifier specifying the element
>     within the BOM identified by the URN.
>
> That makes the purpose clear without even getting into the details of 
> what an "element of a BOM" is.
>
>     bom-version            = 1*digit
>
> There are a bunch of interesting questions here!  As written, 
> bom-version is a string of digits, and "00", "000", "1", and "0001"
> are all different.  Is bom-version intended to denote an integer?  If 
> so, what range does the integer have; specifically, does it include 
> zero?  If it is intended to be an integer, you should adjust the 
> syntax to permit only the canonical way of writing those integers.
>
>     CycloneDX URNs are assigned in a decentralised way, using the BOM serial
>     number. CycloneDX BOM serial numbers are unique to a specific BOM. And
>     are version 4 UUID URNs as defined in [RFC4122].
>
> In the first sentence, it would be preferable to say 
> "bom-serial-number-uuid" rather than "BOM serial number", as that is 
> what the grammar says -- unless CycloneDX uses the term "BOM serial 
> number" a lot, in which case I'd change "bom-serial-number-uuid" to 
> "bom-serial-number" in the grammar.
>
> In the second sentence, I'd clarify the correspondence between serial 
> numbers and BOMs by making both parts of the sentence singular, "A 
> CycloneDX BOM serial number is unique to a specific BOM."
>
> I would clarify the third sentence by saying "A CycloneDX BOM serial 
> number is a version 4 UUID as defined in [RFC4122]."  (A BOM serial 
> number *itself* isn't a URN, as it is a UUID [RFC4122] and does not 
> start with "urn:".)
>
>     Additionally, there are no specification limitations on what information
>     can be included in a “BOM ref”. When using BOM refs for f-components,
>     consideration must be given to any restrictions imposed on sharing of
>     information within a BOM. And what information may “leak” by including a
>     BOM ref as an f-component in a CycloneDX URN.
>
>     For producers of BOMs who have high confidentiality requirements it is
>     recommended to use UUIDs for BOM refs.
>
> I'm not clear what exactly counts as a "BOM ref" -- Is it the 
> URN-with-f-component, or is it just the f-component?  Or is it the 
> abstract concept and we also use the term vaguely to mean both the 
> URN-with-f-component and f-component?  It might be better to limit 
> this paragraph to talking about f-components to avoid any
> complications:
>
>     Additionally, there are no specification limitations beyond
>     [RFC3986] on what can be included the f-component.  Given that
>     f-components may be published in CyclineDX URNs, producers of BOMs
>     should avoid using any value on which there are sharing
>     restrictions.  For producers of BOMs who have high confidentiality
>     requirements, it is recommended to use UUIDs for f-components.
>
> --
>
>     Although CycloneDX BOMs already use a UUID URN to identify a BOM this
>     information isn’t sufficient when referencing a BOM.
>
>     A particular BOM may be revised over time. Especially in the case of
>     legacy software as mistakes and omissions are corrected. In this
>     scenario the BOM serial number remains static and the version is
>     incremented.
>
>     It also isn’t sufficient for use cases that require referencing a
>     specific component within a BOM.
>
> I think this can be clarified considerably:
>
>     Although CycloneDX BOMs may use a UUID URN to identify a BOM via
>     its BOM serial number, the serial number isn’t sufficient when
>     referencing a BOM because a particular BOM may be revised over
>     time.  Even in the case of legacy software that is not
>     conceptualized as changing, mistakes and omissions can be
>     corrected over time causing changes in the BOM.  This is allowed
>     for by successive "cdx" URNs in which the BOM serial number
>     remains static and the version is incremented.
>
> Dale

_______________________________________________
urn mailing list
urn@ietf.org
https://www.ietf.org/mailman/listinfo/urn

v2.23.0 | Report a Bug | By Email