CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Add support for CoSWID tags #150

Open CodingVoid opened 2 years ago

CodingVoid commented 2 years ago

CoSWID defines a concise representation of SWID Tags. It's very well suited for devices with network and storage constraints. It would be quite useful for a firmware use case I have. Moreover it's not behind an ISO paywall like SWID. It's using the CBOR data format (binary format), which means it's probably not suited for the text representations like JSON and XML, but very well as a field/message for the protobuf representation. One could probably just use the 'AttachedText' message in the 'swid' message (since it is essentially SWID) and specify the 'encoding' and/or 'content_type' as CoSWID/CBOR, but the 'value' property is of string type. Maybe someone has a better implementation idea for the specification? https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html

stevespringett commented 2 years ago

Is the mime type application/swid+cbor accurate for this use case?

I saw that referenced in https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/ but have not dived into it yet.

CodingVoid commented 2 years ago

"IANA is requested to add the following to the IANA "Media Types" registry" Type name: application Subtype name: swid+cbor

I am no expert, but I guess that means application/swid+cbor will be added to the IANA media types registry in the near future.

stevespringett commented 1 year ago

Do you envision that CoSWID would be embedded into CycloneDX in the same way that an XML SWID document can be today? Is it possible to also reference CoSWID via a URL?
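One way to carry a binary CoSWID tag inside the existing CycloneDX `swid` attachment (the `text` object in JSON, `AttachedText` in XML/protobuf), written here as an added example rather than code from the CycloneDX project. It assumes the integer labels from the CoSWID draft's concise index (tag-id=0, software-name=1, tag-version=12, software-version=13) and the `application/swid+cbor` media type discussed above; the CBOR encoder is a deliberately tiny subset for illustration.

```python
import base64

# Tiny CBOR (RFC 8949) encoder covering only what a minimal CoSWID tag needs:
# unsigned integers, text strings and integer-keyed maps (constructed for this example).
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")  # 2-byte length is enough here

def cbor_encode(obj):
    if isinstance(obj, int) and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, dict):
        items = b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
        return _head(5, len(obj)) + items
    raise TypeError("unsupported CBOR type: %r" % type(obj))

# CoSWID integer labels (assumed from the draft's index table):
# tag-id=0, software-name=1, tag-version=12, software-version=13
def build_coswid(tag_id, name, version):
    return cbor_encode({0: tag_id, 1: name, 12: 0, 13: version})

def cyclonedx_swid(tag_id, name, version):
    """CycloneDX JSON `swid` object; the binary CoSWID rides in `text` as base64."""
    return {
        "tagId": tag_id,
        "name": name,
        "version": version,
        "text": {
            "contentType": "application/swid+cbor",
            "encoding": "base64",
            "content": base64.b64encode(build_coswid(tag_id, name, version)).decode("ascii"),
        },
    }

def extract_coswid(swid):
    """Consumer side: accept the attachment only if it is declared as base64 CoSWID."""
    text = swid.get("text") or {}
    if text.get("contentType") != "application/swid+cbor" or text.get("encoding") != "base64":
        raise ValueError("swid.text does not carry a base64-encoded CoSWID tag")
    raw = base64.b64decode(text["content"], validate=True)
    if not raw or raw[0] >> 5 != 5:  # a CoSWID tag is a CBOR map (major type 5)
        raise ValueError("attachment is not a CBOR map")
    return raw
```

The same `text` object maps onto the protobuf `AttachedText` message, where the base64 string keeps the `value` field textual as the thread notes.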