Re: Element IDs

David Kemp

My bad.  I didn't mean "under control" as having an integrity mechanism, I meant "having the ability to decide what goes into the local ID".  Which is synonymous with saying that as far as the SPDX standard and SPDX-consuming applications are concerned, local IDs are opaque.

On Tue, Aug 3, 2021 at 3:48 PM William Bartholomew <iamwillbar@...> wrote:
On Tue, Aug 3, 2021 at 11:34 AM David Kemp <dk190a@...> wrote:

2) elements are always identified by namespace and local ID, where local means under the control of the namespace owner.  Don't get hung up on what owner means - anybody can become an owner by generating a 256 bit random number for their namespace.

We're not proposing a model where namespaces are "controlled", which would require either a central authority or some form of challenge-response process for verifying control. Nothing would stop me declaring elements in your namespace, what I can't do is sign an SBOM as you.

Join to automatically receive all group messages.