ietf-rats-wg / eat

Entity Attestation Token IETF Draft Standard

Security AD review: address SBOM comments #378

Closed gmandyam closed 1 year ago

gmandyam commented 1 year ago

Reference: https://mailarchive.ietf.org/arch/msg/rats/50ZbUkhSrU1cgOLYkir3f1kKFiY/
EAT reference: https://www.ietf.org/archive/id/draft-ietf-rats-eat-19.html#name-manifests-software-manifest
EAT reference: https://www.ietf.org/archive/id/draft-ietf-rats-eat-19.html#name-media-types-registered-by-t

" [CycloneDX] "CycloneDX", https://cyclonedx.org/specification/overview/.

The IESG will push back at this being a web link that could likely change to point to the latest version of the specification. CycloneDX is versioned so please point to a particular version. This looks like a specific reference

https://cyclonedx.org/docs/1.4/json/"

gmandyam commented 1 year ago

One solution is to remove the new media type registration for specific SBOM formats, and ensure that the manifest claim is sufficiently general to allow for CycloneDX and SPDX to be sent as part of the token. Media type registration for specific SBOM formats can be handled separately from the EAT document.
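What a "sufficiently general" manifest claim means in practice is easiest to see from the verifier side. The following is an added example and is not code from the EAT draft or from this repository: a small Python verifier that takes a JSON-encoded EAT claims set, walks a `manifests` claim modelled as `[content-type, content]` pairs, dispatches on the content type to a per-format parser, and rejects unknown content types and unpinned spec versions (the AD's point about CycloneDX being versioned). The pair shape, the media-type strings used as content types, the `eat_profile` URN and the accepted-version policy are assumptions of this example; the CycloneDX and SPDX documents and the claims set are constructed sample input.

```python
import json
from typing import Callable, Dict, List

# Media types for the two SBOM formats. Assumed for this example; whether EAT
# itself should register such types is exactly what this issue is about.
CYCLONEDX_JSON = "application/vnd.cyclonedx+json"
SPDX_JSON = "application/spdx+json"

# Assumed verifier policy: accept only spec versions you have tested against.
ACCEPTED_VERSIONS = {"CycloneDX": {"1.4"}, "SPDX": {"2.3"}}

# Constructed CycloneDX and SPDX documents, serialized to text because the EAT
# layer carries manifest content opaquely; only the verifier parses it.
_CDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [{"type": "library", "name": "libfoo", "version": "1.2.3"}],
})
_SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"name": "libbar", "versionInfo": "4.5.6", "SPDXID": "SPDXRef-libbar"}],
})

# Constructed EAT claims set in JSON form. The "manifests" claim is modelled as
# a list of [content-type, content] pairs; that shape, and using a media type
# string as the content type, are assumptions of this example.
SAMPLE_EAT_CLAIMS = json.dumps({
    "eat_profile": "urn:example:assumed-profile",
    "manifests": [[CYCLONEDX_JSON, _CDX_DOC], [SPDX_JSON, _SPDX_DOC]],
})

# Same shape, carrying a manifest type this verifier does not understand.
SAMPLE_UNKNOWN_TYPE_CLAIMS = json.dumps({
    "manifests": [["application/vnd.example.unknown+json", "{}"]],
})


def parse_cyclonedx(text: str) -> Dict:
    """Minimal structural check of a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    version = doc.get("specVersion")
    if version not in ACCEPTED_VERSIONS["CycloneDX"]:
        raise ValueError(f"unsupported CycloneDX specVersion: {version!r}")
    components = [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    return {"format": "CycloneDX", "version": version, "components": components}


def parse_spdx(text: str) -> Dict:
    """Minimal structural check of an SPDX JSON document."""
    doc = json.loads(text)
    tag = doc.get("spdxVersion", "")
    if not tag.startswith("SPDX-"):
        raise ValueError("not an SPDX document")
    version = tag[len("SPDX-"):]
    if version not in ACCEPTED_VERSIONS["SPDX"]:
        raise ValueError(f"unsupported SPDX version: {version!r}")
    components = [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    return {"format": "SPDX", "version": version, "components": components}


# The only place the verifier knows about specific SBOM formats: a dispatch
# table keyed by content type. Supporting a new format means one more entry.
PARSERS: Dict[str, Callable[[str], Dict]] = {
    CYCLONEDX_JSON: parse_cyclonedx,
    SPDX_JSON: parse_spdx,
}


def extract_sboms(claims_json: str, strict: bool = True) -> List[Dict]:
    """Pull every SBOM out of the manifests claim of an EAT claims set.

    strict=True rejects the token on an unknown content type (safe default:
    a manifest you cannot read has not been verified); strict=False skips it.
    """
    claims = json.loads(claims_json)
    manifests = claims.get("manifests", [])
    if not isinstance(manifests, list):
        raise ValueError("manifests claim must be an array")
    sboms: List[Dict] = []
    for entry in manifests:
        if not (isinstance(entry, list) and len(entry) == 2):
            raise ValueError("malformed manifests entry")
        content_type, content = entry
        parser = PARSERS.get(content_type)
        if parser is None:
            if strict:
                raise ValueError(f"unsupported manifest content type: {content_type!r}")
            continue
        if not isinstance(content, str):
            raise ValueError("manifest content must be text in the JSON encoding")
        sboms.append(parser(content))
    return sboms
```

The EAT layer never interprets the manifest body; all format knowledge lives in `PARSERS`, so CycloneDX and SPDX (or a future format) ride in the same claim without the token format changing. Pinning accepted spec versions in the verifier is the counterpart to the AD's request to cite a specific CycloneDX version.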

laurencelundblade commented 1 year ago

Fixed by #372