CycloneDX / transparency-exchange-api

A standard API specification for exchanging supply chain artifacts and intelligence
https://tc54.org/
Apache License 2.0

TEA Discovery: Should we be opinionated on priority of different discovery mechanisms? #66

Open madpah opened 1 week ago

madpah commented 1 week ago

For discussion.

The current in-draft Discovery docs cater for TWO mechanisms to discover the TEA API for a given TEI:

  1. Discovery using DNS (subject to #64 - will be SVCB records)
  2. Discovery using Host (use of AAAA or A records) to get to a WebServer at the Host so that /.well-known/tei can be accessed - this would likely produce an HTTP Redirect (301 or 302 - TBC which are permitted within TEI specification) to the TEA API

Additionally, @ppkarwasz has suggested (in https://github.com/CycloneDX/transparency-exchange-api/issues/30 - now tracked in https://github.com/CycloneDX/transparency-exchange-api/issues/67):

  1. Discovery using Host (use of AAAA or A records) to get to a WebServer at the Host so that /.well-known/security.txt can be accessed, containing a new (yet to be proposed and registered) field that provides the URL to the TEA API

When considering implementation of the TEA Specification - I would suggest it is prudent for the Specification to be opinionated on which method(s) have priority along with reasons.

FYI @oej
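As an added example (not code from the transparency-exchange-api project), the following Python sketch resolves a TEA API for a host in the order listed above: SVCB first, then the /.well-known/tei redirect, then the security.txt field. The DNS resolver and HTTP fetcher are injected callables with constructed fixtures so it runs offline; the SVCB query name, the mapping from a TEI to a host, the `https://<TargetName>/` base URL built from the SVCB target, and the `TEA` security.txt field name are all assumptions, not anything the specification defines. Every returned URL is required to be https so that a spoofed DNS answer or redirect cannot point the client at a plaintext endpoint.

```python
"""Prioritised TEA discovery for a host derived from a TEI (constructed example).

The resolver and HTTP fetcher are injected callables so the code runs offline;
the SVCB query name, the TEI-to-host mapping and the security.txt field name
are assumptions, not values taken from the specification.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

SvcbResolver = Callable[[str], list[tuple[int, str]]]          # host -> [(SvcPriority, TargetName)]
HttpGetter = Callable[[str], tuple[int, dict[str, str], str]]  # url -> (status, headers, body)

# Placeholder for the field #67 has yet to propose and register; not a real security.txt field.
SECURITY_TXT_TEA_FIELD = "tea"


@dataclass(frozen=True)
class Discovery:
    method: str   # "svcb", "well-known-tei" or "security-txt"
    tea_url: str


def _https_only(url: str) -> Optional[str]:
    """Accept only absolute https URLs so a spoofed record or redirect cannot downgrade the client."""
    url = url.strip()
    parts = urlparse(url)
    return url if parts.scheme == "https" and parts.netloc else None


def via_svcb(host: str, resolve: SvcbResolver) -> Optional[str]:
    """Priority 1: SVCB. SvcPriority 0 is AliasMode and skipped here; lower values win.
    Assumption: the TEA base URL is https://<TargetName>/."""
    for _prio, target in sorted(r for r in resolve(host) if r[0] > 0):
        url = _https_only(f"https://{target}/")
        if url:
            return url
    return None


def via_well_known_tei(host: str, get: HttpGetter) -> Optional[str]:
    """Priority 2: GET https://<host>/.well-known/tei and honour a single 301/302 redirect."""
    status, headers, _body = get(f"https://{host}/.well-known/tei")
    if status not in (301, 302):
        return None
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return _https_only(location)


def via_security_txt(host: str, get: HttpGetter) -> Optional[str]:
    """Priority 3: look for the (placeholder) TEA field in /.well-known/security.txt."""
    status, _headers, body = get(f"https://{host}/.well-known/security.txt")
    if status != 200:
        return None
    for line in body.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == SECURITY_TXT_TEA_FIELD:
            return _https_only(value)
    return None


def discover(host: str, resolve: SvcbResolver, get: HttpGetter) -> Optional[Discovery]:
    """Try each mechanism in the proposed priority order and stop at the first valid answer."""
    for method, fn in (
        ("svcb", lambda: via_svcb(host, resolve)),
        ("well-known-tei", lambda: via_well_known_tei(host, get)),
        ("security-txt", lambda: via_security_txt(host, get)),
    ):
        url = fn()
        if url:
            return Discovery(method, url)
    return None


# --- constructed offline fixtures (not real hosts or records) ---
_SVCB = {"vendor.example": [(2, "tea-backup.vendor.example"), (1, "tea.vendor.example")]}
_HTTP = {
    "https://nodns.example/.well-known/tei": (302, {"Location": "https://tea.nodns.example/tea/v1"}, ""),
    "https://onlysec.example/.well-known/security.txt": (
        200, {}, "Contact: mailto:sec@onlysec.example\nTEA: https://tea.onlysec.example/\n"),
    "https://downgrade.example/.well-known/tei": (302, {"Location": "http://tea.downgrade.example/"}, ""),
}


def constructed_resolve(host: str) -> list[tuple[int, str]]:
    return _SVCB.get(host, [])


def constructed_get(url: str) -> tuple[int, dict[str, str], str]:
    return _HTTP.get(url, (404, {}, ""))


if __name__ == "__main__":
    for h in ("vendor.example", "nodns.example", "onlysec.example", "downgrade.example"):
        print(h, "->", discover(h, constructed_resolve, constructed_get))
```

The `downgrade.example` fixture shows the caveat that matters for whichever order is chosen: a redirect to a plain-http location is rejected rather than followed, and discovery falls through to the next mechanism (and ultimately to `None`) instead of silently accepting a downgraded endpoint.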

oej commented 1 week ago

I think like this: For TEI discovery: DNS is the best way to (provides failover etc). If that's not allowed, #2 will be used.

The security.txt case is very different as it is a way to say "by the way, we have a TEA service". For that to work, there needs to be a way to get product identifiers. It requires further thinking.

oej commented 1 week ago

https://github.com/CycloneDX/transparency-exchange-api/pull/72