[FEATURE]: Standard grouping (CBOM related)

Open stevespringett opened this issue 5 months ago • 0 comments

There is a need to group cryptographic assets (possibly others) into a standard.

For example, the following can currently be represented:

  • Use of a cryptographic algorithm for encryption (e.g. AES-256)
  • Use of a cryptographic algorithm for signing (HS-256)
  • Use of a token defined in relatedCryptoMaterial

What cannot be represented is the overall "standard" that these are part of. In this case JOSE. The current workaround is to leverage CycloneDX Properties.

Grouping these together into a standard would provide much more context into how these three seemingly independent components are used.

This was discussed in the CycloneDX Cryptography Working Group call on 2025-08-07.

cc: @IanDeaks, @n1ckl0sk0rtge, @bhess

stevespringett avatar Aug 07 '25 18:08 stevespringett
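The Properties workaround mentioned in the issue, as an added example that is not part of CycloneDX or of the issue itself: a constructed CycloneDX 1.6 CBOM fragment carries the three JOSE-related assets (AES-256 for encryption, HS256 for signing, a token under `relatedCryptoMaterialProperties`), each tagged with a property naming the standard, and a small helper groups assets by that property so a consumer can at least recover the "standard" context that the schema cannot express directly. The property name `cdx:crypto:standard` is an assumption; the specification defines no such property. The field and enum names under `cryptoProperties` follow the 1.6 schema as I know it, and the bom-refs and a fourth untagged asset are constructed sample data.

```python
"""Constructed CycloneDX 1.6 CBOM fragment plus a helper that groups
cryptographic assets by the standard recorded in a property.
Example code only; not CycloneDX's own code.
"""
import json

# Hypothetical property name (assumption): the spec does not define it.
STANDARD_PROPERTY = "cdx:crypto:standard"
UNSPECIFIED = "(unspecified)"

# Constructed sample CBOM. Three assets are tagged as belonging to JOSE;
# the fourth carries no standard property to show how untagged assets are handled.
CBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "cryptographic-asset",
            "bom-ref": "alg-aes-256",
            "name": "AES-256",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "block-cipher",
                    "parameterSetIdentifier": "256",
                    "cryptoFunctions": ["encrypt", "decrypt"],
                },
            },
            "properties": [{"name": STANDARD_PROPERTY, "value": "JOSE"}],
        },
        {
            "type": "cryptographic-asset",
            "bom-ref": "alg-hs256",
            "name": "HS256",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "mac",
                    "parameterSetIdentifier": "256",
                    "cryptoFunctions": ["sign", "verify"],
                },
            },
            "properties": [{"name": STANDARD_PROPERTY, "value": "JOSE"}],
        },
        {
            "type": "cryptographic-asset",
            "bom-ref": "mat-jwt-token",
            "name": "JWT access token",
            "cryptoProperties": {
                "assetType": "related-crypto-material",
                "relatedCryptoMaterialProperties": {"type": "token"},
            },
            "properties": [{"name": STANDARD_PROPERTY, "value": "JOSE"}],
        },
        {
            # Untagged asset: the helper must not silently drop it.
            "type": "cryptographic-asset",
            "bom-ref": "alg-sha-256",
            "name": "SHA-256",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": "hash", "cryptoFunctions": ["digest"]},
            },
        },
    ],
})


def load_bom(text: str = CBOM_JSON) -> dict:
    """Parse a CycloneDX JSON document."""
    return json.loads(text)


def group_by_standard(bom: dict, property_name: str = STANDARD_PROPERTY) -> dict:
    """Map each standard name to the bom-refs of the cryptographic assets tagged
    with it. Assets without the property land under UNSPECIFIED; an asset
    tagged with several standards appears in each group."""
    groups: dict = {}
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        standards = [
            p.get("value") for p in comp.get("properties", [])
            if p.get("name") == property_name and p.get("value")
        ]
        for std in standards or [UNSPECIFIED]:
            groups.setdefault(std, []).append(comp["bom-ref"])
    return groups


if __name__ == "__main__":
    for standard, refs in group_by_standard(load_bom()).items():
        print(f"{standard}: {', '.join(refs)}")
```

Running the script lists `JOSE` with the three assets and `(unspecified)` with the SHA-256 entry. The untagged bucket is the practical reason a first-class grouping would be better than the workaround: a consumer has no way to tell whether an asset is genuinely standalone or simply was never tagged.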