[urn] Namespace Identifier: Requested of IANA - cdx

Patrick Dwyer <patrick.dwyer@owasp.org> Sat, 01 January 2022 06:39 UTC

To: urn@ietf.org
From: Patrick Dwyer <patrick.dwyer@owasp.org>
Message-ID: <d3762641-86d3-8ac0-587d-8fb0c702c26e@owasp.org>
Date: Sat, 01 Jan 2022 16:39:14 +1000
Archived-At: <https://mailarchive.ietf.org/arch/msg/urn/wXqmnR4nSF6WPemEK9xszDcVarI>

Hi folks,

Seeking your review on this URN namespace registration.

Regards,
Pat

Namespace Identifier:  Requested of IANA - cdx

Version:  1

Date:  2022-01-01

Registrant:

Patrick Dwyer, on behalf of OWASP CycloneDX
Email: patrick.dwyer@owasp.org
Address:
The OWASP Foundation Inc.
401 Edgewater Place, Suite 600
Wakefield, MA 01880

Purpose:

CycloneDX is an OWASP open source standard for software bills of 
materials. CycloneDX bill of materials documents (BOMs) are intended to 
be exchanged between different parties of the software supply chain.

The “cdx” namespace is to be used as a means of persistently identifying 
CycloneDX BOMs.

When creating a BOM that describes multiple components, a CycloneDX URN 
can be used to reference an upstream BOM for a component rather than 
embedding it inline. This may be a consideration for performance 
reasons, especially in resource-constrained environments such as 
embedded devices, but it can also be used when a software supplier does 
not have authority to share upstream BOM content directly.

CycloneDX also supports “BOM refs”. BOM refs are unique, BOM-scoped 
references to a particular element. A URN with an optional BOM ref 
f-component can be used to reference an element within another BOM.

Referencing a specific element in a BOM is particularly relevant for use 
cases like describing known vulnerabilities in a component in the 
context of a particular assembled piece of software or embedded device.

Syntax:

The syntax for a CycloneDX URN namestring is defined using the Augmented 
Backus-Naur Form (ABNF) below, and uses “UUID” as defined in [RFC4122] 
and “fragment” as defined in [RFC3986].

     namestring             = assigned-name [ "#" f-component ]
     assigned-name          = "urn:cdx:" NSS
     NSS                    = bom-serial-number-uuid "/" bom-version
     bom-serial-number-uuid = UUID
     bom-version            = 1*digit
     f-component            = fragment

Assignment:

CycloneDX URNs are assigned in a decentralised way, using the BOM serial 
number. CycloneDX BOM serial numbers are unique to a specific BOM and 
are version 4 UUID URNs as defined in [RFC4122].

Security and Privacy:

As CycloneDX URNs are based on UUIDs they have the same security 
considerations as UUID URNs as per [RFC4122].

Additionally, there are no specification limitations on what information 
can be included in a “BOM ref”. When using BOM refs for f-components, 
consideration must be given to any restrictions imposed on sharing of 
information within a BOM, and to what information may “leak” by 
including a BOM ref as an f-component in a CycloneDX URN.

For producers of BOMs who have high confidentiality requirements it is 
recommended to use UUIDs for BOM refs.
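The following is an added example, not code from the registration or the CycloneDX project: a parser and serialiser for the namestring grammar in the Syntax section, enforcing the version 4 UUID rule from the Assignment section and flagging f-components that are not UUIDs, as the Security and Privacy section recommends for producers with high confidentiality requirements. The sample namestrings in it are constructed for illustration and do not refer to real BOMs.

```python
import re
import uuid
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, unquote

# Building blocks taken from the registration's ABNF and the RFCs it cites.
# UUID (RFC 4122): 8-4-4-4-12 hex digits.
_UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
# RFC 3986 fragment = *( pchar / "/" / "?" ), where
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
_FRAGMENT = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*"
_FRAGMENT_SAFE = "-._~!$&'()*+,;=:@/?"   # characters quote() must leave alone
# namestring = "urn:cdx:" UUID "/" 1*digit [ "#" fragment ]
# ABNF string literals are case-insensitive, so the "urn:cdx:" prefix is matched that way.
_NAMESTRING = re.compile(
    rf"^(?i:urn:cdx:)(?P<serial>{_UUID})/(?P<version>[0-9]+)(?:#(?P<bom_ref>{_FRAGMENT}))?$"
)


@dataclass(frozen=True)
class CdxUrn:
    serial_number: uuid.UUID   # BOM serial number (version 4 UUID per the Assignment section)
    version: int               # BOM version, incremented when a BOM is revised
    bom_ref: Optional[str]     # decoded f-component, or None when the URN names the whole BOM


def parse_cdx_urn(namestring: str) -> CdxUrn:
    """Parse and validate a urn:cdx namestring; raises ValueError on any grammar violation."""
    m = _NAMESTRING.match(namestring)
    if m is None:
        raise ValueError(f"not a valid urn:cdx namestring: {namestring!r}")
    serial = uuid.UUID(m.group("serial"))
    if serial.version != 4:
        raise ValueError(f"BOM serial number must be a version 4 UUID, got version {serial.version}")
    bom_ref = m.group("bom_ref")
    return CdxUrn(serial, int(m.group("version")), unquote(bom_ref) if bom_ref is not None else None)


def is_valid_cdx_urn(namestring: str) -> bool:
    """Boolean convenience wrapper around parse_cdx_urn()."""
    try:
        parse_cdx_urn(namestring)
        return True
    except ValueError:
        return False


def format_cdx_urn(urn: CdxUrn) -> str:
    """Serialise a CdxUrn, percent-encoding fragment characters RFC 3986 does not allow."""
    namestring = f"urn:cdx:{urn.serial_number}/{urn.version}"
    if urn.bom_ref is not None:
        namestring += "#" + quote(urn.bom_ref, safe=_FRAGMENT_SAFE)
    return namestring


def bom_ref_may_leak(urn: CdxUrn) -> bool:
    """Flag BOM refs that are not themselves UUIDs: a free-form ref (component name,
    package URL, internal path) may expose BOM content the producer is restricted
    from sharing, whereas a UUID ref carries no such information."""
    return urn.bom_ref is not None and re.fullmatch(_UUID, urn.bom_ref) is None


if __name__ == "__main__":
    # Constructed sample namestrings; the UUIDs and refs are illustrative only.
    for sample in [
        "urn:cdx:f47ac10b-58cc-4372-a567-0e02b2c3d479/1",
        "urn:cdx:f47ac10b-58cc-4372-a567-0e02b2c3d479/2#pkg:npm/acme-lib@1.2.3",
        "urn:cdx:f47ac10b-58cc-4372-a567-0e02b2c3d479/2#9c5e3d2a-1f4b-4c6d-8e7f-0a1b2c3d4e5f",
        "urn:cdx:6ba7b810-9dad-11d1-80b4-00c04fd430c8/1",   # version 1 UUID: rejected
        "urn:cdx:f47ac10b-58cc-4372-a567-0e02b2c3d479",     # missing bom-version: rejected
    ]:
        try:
            urn = parse_cdx_urn(sample)
            print(f"{sample}\n  -> {format_cdx_urn(urn)}; ref may leak: {bom_ref_may_leak(urn)}")
        except ValueError as exc:
            print(f"{sample}\n  -> rejected: {exc}")
```

The leak check is a heuristic rather than a rule from the registration: it treats only hyphenated UUIDs as information-free, which is the shape of BOM ref the Security and Privacy section recommends, and flags everything else for review before the URN leaves the producer's boundary.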

Interoperability:

Although CycloneDX BOMs already use a UUID URN to identify a BOM, this 
information isn’t sufficient when referencing a BOM.

A particular BOM may be revised over time, especially in the case of 
legacy software, as mistakes and omissions are corrected. In this 
scenario the BOM serial number remains static and the version is 
incremented.

It also isn’t sufficient for use cases that require referencing a 
specific component within a BOM.

Resolution:

No prescriptive resolution mechanisms are envisioned.

Resolution mechanisms will be determined between parties in the software 
supply chain, or by organizations using CycloneDX BOMs internally.

Documentation:

Please note, this URL will be updated to reference the URN registration.

https://cyclonedx.org/capabilities/rfc-tbd/

Additional Information:

More information about CycloneDX can be found on the project homepage at 
https://cyclonedx.org

More general information about software bill of materials can be found 
at https://www.ntia.gov/sbom