
[FEATURE]: Add Support for Declaring Usage Context (CBOM, TM, etc)

Open stevespringett opened this issue 5 months ago • 2 comments

In many security-sensitive applications, it's crucial to understand not just what cryptographic asset is used, but how it is used. For example, an algorithm might be used for legal document signing, authentication/authorization workflows, or encryption at rest.

At present, CycloneDX provides detailed support for cryptographic assets via the cryptoProperties structure. However, it lacks a normative way to specify the usage context of the asset.

Proposed Enhancement

Introduce a new optional field to assert the usage context. This could be an enumeration or free-form string, with examples such as:

- signing-legal-documents
- encryption-at-rest
- authentication
- authorization
- secure-boot

Justification

This information is vital for:

- Security audits and compliance
- Risk analysis and threat modeling
- PQC readiness assessments

This need was discussed in the CycloneDX Cryptography Working Group call on 2025-08-07.

cc: @n1ckl0sk0rtge, @bhess

stevespringett, Aug 07 '25 18:08
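To make the proposal concrete from an auditor's side, here is an added Python example (not code from the CycloneDX project or from the issue author) that consumes a constructed CBOM in which each cryptographic asset carries the proposed field. The `usageContext` key inside `cryptoProperties` is hypothetical: it is the field this issue asks for and is not part of the CycloneDX 1.6 schema. The allowed-context set is the example list from the issue, the sample components and their bom-refs are constructed, and the PQC-review rule (public-key primitive with `nistQuantumSecurityLevel` 0) is a simple heuristic chosen for the example.

```python
import json

# Example contexts from the proposal; a real enumeration would be fixed by the schema.
ALLOWED_CONTEXTS = {
    "signing-legal-documents",
    "encryption-at-rest",
    "authentication",
    "authorization",
    "secure-boot",
}

# Public-key primitives from the CycloneDX 1.6 primitive enumeration. A declared
# nistQuantumSecurityLevel of 0 on one of these marks the asset for PQC review.
PUBLIC_KEY_PRIMITIVES = {"signature", "pke", "key-agree", "kem"}

# Constructed sample CBOM. "usageContext" is the hypothetical field under discussion.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "ECDSA-P256-SHA256",
         "bom-ref": "crypto/algorithm/ecdsa-p256",
         "cryptoProperties": {
             "assetType": "algorithm",
             "algorithmProperties": {"primitive": "signature", "curve": "P-256",
                                     "nistQuantumSecurityLevel": 0},
             "oid": "1.2.840.10045.4.3.2",
             "usageContext": "signing-legal-documents"}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "bom-ref": "crypto/algorithm/aes-256-gcm",
         "cryptoProperties": {
             "assetType": "algorithm",
             "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "256",
                                     "mode": "gcm", "nistQuantumSecurityLevel": 3},
             "oid": "2.16.840.1.101.3.4.1.46",
             "usageContext": "encryption-at-rest"}},
        {"type": "cryptographic-asset", "name": "HMAC-SHA256",
         "bom-ref": "crypto/algorithm/hmac-sha256",
         "cryptoProperties": {
             "assetType": "algorithm",
             "algorithmProperties": {"primitive": "mac"},
             # a free-form value outside the example enumeration
             "usageContext": "api-token-signing"}},
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "bom-ref": "crypto/algorithm/rsa-2048",
         "cryptoProperties": {
             "assetType": "algorithm",
             "algorithmProperties": {"primitive": "pke", "parameterSetIdentifier": "2048",
                                     "nistQuantumSecurityLevel": 0}}},
             # no usageContext at all: the audit must report it
    ],
})


def crypto_assets(bom):
    """Yield every component of type cryptographic-asset."""
    for comp in bom.get("components", []):
        if comp.get("type") == "cryptographic-asset":
            yield comp


def audit_usage_context(bom_json):
    """Audit a CBOM (JSON text) for the hypothetical usageContext field.

    Returns a dict with:
      missing_context  bom-refs of assets that declare no usageContext
      unknown_context  bom-refs whose usageContext is outside ALLOWED_CONTEXTS
      by_context       usageContext -> sorted asset names (the compliance view)
      pqc_review       (bom-ref, usageContext) pairs needing PQC readiness review
    """
    bom = json.loads(bom_json)
    report = {"missing_context": [], "unknown_context": [],
              "by_context": {}, "pqc_review": []}
    for comp in crypto_assets(bom):
        ref = comp.get("bom-ref", comp.get("name"))
        props = comp.get("cryptoProperties", {})
        ctx = props.get("usageContext")  # hypothetical field from the proposal
        if ctx is None:
            report["missing_context"].append(ref)
        elif ctx not in ALLOWED_CONTEXTS:
            report["unknown_context"].append(ref)
        else:
            report["by_context"].setdefault(ctx, []).append(comp["name"])
        algo = props.get("algorithmProperties", {})
        if (algo.get("primitive") in PUBLIC_KEY_PRIMITIVES
                and algo.get("nistQuantumSecurityLevel", 0) == 0):
            # Context is carried along so the reviewer sees what the weak asset protects.
            report["pqc_review"].append((ref, ctx))
    for names in report["by_context"].values():
        names.sort()
    return report


if __name__ == "__main__":
    print(json.dumps(audit_usage_context(SAMPLE_CBOM), indent=2))
```

The point of carrying `usageContext` into the PQC list is the one the issue makes: a quantum-vulnerable signature algorithm used for `signing-legal-documents` is a different remediation priority than the same algorithm used for a short-lived internal token, and without the field the audit can only report the algorithm.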

Note to self. This may tie into the work in #463 where we're describing behavior.

stevespringett, Aug 07 '25 19:08

The current proposal to add a usageContext field (e.g., signing-legal-documents, authentication, encryption-at-rest) is very useful, but it relies on manual declaration. However, in complex environments, this information is often implicit in existing complex cryptographic processes, which are described by various artifacts such as keys, algorithms, protocols, and the flows in which they are engaged.

An emerging concept suggests that we can determine usage by analyzing the cryptographic processes related to the asset.

A process consists of a sequence of cryptographic operations organized for a specific purpose, such as key generation, signature creation, and document validation. We can discuss the required granularity.

If the process is documented in the inventory or CBOM, then the usage context can be derived normatively without the need for manual declaration. I recommend considering a proposal to enhance the schema by providing some declarations for these processes.

akrogames, Sep 18 '25 19:09