Copy file name to clipboardExpand all lines: draft-ietf-rats-corim.md
+20-4Lines changed: 20 additions & 4 deletions
@@ -1275,10 +1275,24 @@ Schema extensions (Map or Data Type) should be documented to facilitate interope
1275
1275
# CoBOM {#sec-cobom}
1276
1276
1277
1277
A Concise Bill of Material (CoBOM) object represents the signal for the
1278
-
Verifier to activate the listed tags. Data contained in a tag MUST NOT be used
1279
-
for appraisal until a CoBOM which activates that tag has been received and
1280
-
successfully processed. All the tags listed in the CoBOM must be activated in
1281
-
the same transaction, i.e., either all or none.
1278
+
Verifier to activate the listed tags. Verifier policy determines whether CoBOMs are required.
1279
+
1280
+
When CoBOMs are required, each tag MUST be activated by a CoBOM before being processed.
1281
+
All the tags listed in the CoBOM MUST be activated atomically. If any tag activated by a CoBOM is not available to the Verifier, the entire CoBOM is rejected.
1282
+
1283
+
The number of CoBOMs required in a given supply chain ecosystem is dependent on
1284
+
Verifier Owner's Appraisal Policy for Evidence. Corresponding policies are often driven by the complexity and nature of the use case.
1285
+
1286
+
If a Verifier Owner has a policy that does not require CoBOM, tags within a CoRIM received by a Verifier
1287
+
are activated immediately and treated valid for appraisal.
1288
+
1289
+
There may be cases when Verifier receives CoRIMs from multiple
1290
+
Reference Value providers and Endorsers. In such cases, a supplier (or other authorities, such as integrators)
1291
+
may be designated to issue a single CoBOM to activate all the tags submitted to the Verifier
1292
+
in these CoRIMs.
1293
+
1294
+
In a more complex case, there may be multiple authorities that issue CoBOMs at different points in time.
1295
+
An Appraisal Policy for Evidence may dictate how multiple CoBOMs are to be processed within the Verifier.
1282
1296
1283
1297
## Structure
1284
1298
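Review bot: The atomicity rule at new line 1281 drops the "none" half of the behaviour the removed lines 1280-1281 specified ("either all or none"). "If any tag activated by a CoBOM is not available to the Verifier, the entire CoBOM is rejected" should say "listed in" rather than "activated by" (a tag that is unavailable cannot have been activated), and it should state the consequence explicitly, i.e. that none of the tags listed in that CoBOM become activated. The requirement at new line 1280 is also weaker than the text it replaces: "each tag MUST be activated by a CoBOM before being processed" replaces "MUST NOT be used for appraisal until a CoBOM which activates that tag has been received and successfully processed"; "processed" is ambiguous (tags are parsed and selected before activation), so keep "used for appraisal" and keep "successfully processed" for the CoBOM. Terminology is inconsistent within the hunk: "Verifier policy" (1278), "Verifier Owner's Appraisal Policy for Evidence" (1284), "a policy that does not require CoBOM" (1286) and "An Appraisal Policy for Evidence" (1295) all name the same thing; pick one, preferably the defined term. Minor wording: line 1287 "treated valid for appraisal" should read "treated as valid for appraisal", and line 1289 "when Verifier receives" needs an article ("when a Verifier receives"). Finally, line 1295 leaves the multiple-CoBOM case entirely to policy without a default; since this section is normative, it should at least state whether a later CoBOM may activate tags already listed in an earlier one, or whether conflicting CoBOMs are rejected, rather than only "may dictate how multiple CoBOMs are to be processed".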
@@ -1390,6 +1404,8 @@ The selection process MUST yield at least one usable tag.
1390
1404
1391
1405
### CoBOM Extraction
1392
1406
1407
+
This section is not applicable if the Verifier policy does not require CoBOMs.
1408
+
1393
1409
All the available Concise Bill Of Material (CoBOMs) tags are then collected
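Review bot: The new sentence at line 1407 makes the CoBOM Extraction step conditional but does not say what the downstream appraisal steps should treat as "activated" when the step is skipped. Since the following text ("All the available Concise Bill Of Material (CoBOMs) tags are then collected") is one step in an ordered procedure, the skip condition should state the outcome, e.g. "If the Appraisal Policy for Evidence does not require CoBOMs, this step is skipped and every tag selected in the previous step is treated as activated", or point back to the rule in the CoBOM section (new lines 1286-1287) so the same behaviour is not described twice in slightly different words. Use the same policy term here as in the CoBOM section ("Verifier policy" here versus "Appraisal Policy for Evidence" there).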