ietf-rats-wg / eat

Entity Attestation Token IETF Draft Standard

How far to go with manifest and measurement sub types #380

Closed laurencelundblade closed 1 year ago

laurencelundblade commented 1 year ago

Both manifests and measurements claims allow unlimited formats to be used via CoAP content types.

For measurements EAT references CoSWID.

For manifests, EAT references CoSWID and SUIT plus it registered CycloneDX and SPDX.

Do we:

1) remove all references and registrations
2) only reference CoSWID
3) only reference already-registered (SUIT and CoSWID) (remove SPDX and CycloneDX)
4) Leave it as is with the registrations for SPDX and CycloneDX

I like 3) and maybe 2). Removing SPDX and CycloneDX will reduce the document by a page or so and simplify the CDDL and other document processing.

I would also say to Kathleen and Eliot:

1) We're not experts in these and it is better to let the SBOM experts do the registration
2) There's a very clear means for including them (we kind of proved it out)
3) EAT is big and complex enough, so we like simplifying a bit here

laurencelundblade commented 1 year ago

Fixed by #386. CycloneDX and SPDX registrations and references were removed. They can still be used, but someone else needs to do the registrations.