Comments (3)
Hashes and signatures can be computed only over artifacts - serialization means putting information into a specific sequence of bytes. A single Element can be serialized into a file and a signature or hash computed over the bytes of that file. This is true even if that Element is first serialized into a file containing many Elements - the multi-Element file will have one signature that validates all of the Elements within it. A different multi-Element file will have a different signature. But when a single Element is extracted from both files its value, and thus its single-Element file hash or deterministic signature value must be identical. (The signature value of a probabilistic signature scheme will be different each time the same tbs value is signed, but each signature must validate that tbs data.)
Integrity does not apply to non-serialized Elements, including Collection Elements. Integrity does apply to documents (the serialized value of one or more Elements of any type).
We can only be sure that integrity of referenced elements is intact up to the strength of the integrity mechanism. Although MD5 collision resistance has long been broken, I don't know if second-preimage attacks are currently practical. The prudent thing to "be sure" is to use stronger hash algorithms where even collision attacks are impractical (and of course ensure that the integrity validation code is uncompromised.) Reducing opportunities for preimage fuzzing (such as by canonicalizing documents into an information-dense serialization and validating both length and hash value) can improve the security of even weak hash algorithms.
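The serialization point made above, as an added example that is not part of this thread or of the spdx-3-model project: the same Element is embedded in two different multi-Element documents, the documents hash differently, but the Element extracted from either one canonicalizes to identical bytes and so to the same length and digest. The JSON canonical form (sorted keys, no whitespace), the sample Element fields and the helper names are assumptions for this illustration.

```python
import hashlib
import hmac
import json

# Constructed sample Elements standing in for SPDX 3 Elements (assumed shape).
PKG = {"type": "Package", "spdxId": "urn:example:pkg-1", "name": "libfoo", "packageVersion": "1.2.3"}
FILE_A = {"type": "File", "spdxId": "urn:example:file-a", "name": "a.c"}
FILE_B = {"type": "File", "spdxId": "urn:example:file-b", "name": "b.c"}


def canonical_bytes(value) -> bytes:
    """Deterministic, information-dense serialization: sorted keys, no whitespace."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def digest(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def integrity_record(element: dict, algorithm: str = "sha256") -> dict:
    """Record both the length and the digest of the single-Element serialization."""
    data = canonical_bytes(element)
    return {"algorithm": algorithm, "length": len(data), "hashValue": digest(data, algorithm)}


def verify(element: dict, record: dict) -> bool:
    """Length is checked first, then the digest, in constant time."""
    data = canonical_bytes(element)
    if len(data) != record["length"]:
        return False
    return hmac.compare_digest(digest(data, record["algorithm"]), record["hashValue"])


def document_bytes(elements: list, pretty: bool = False) -> bytes:
    """Serialize a multi-Element document; 'pretty' adds whitespace to show it does not matter."""
    doc = {"elements": elements}
    return json.dumps(doc, indent=2).encode("utf-8") if pretty else canonical_bytes(doc)


def extract(document: bytes, spdx_id: str) -> dict:
    """Pull one Element out of a serialized multi-Element document."""
    return next(e for e in json.loads(document)["elements"] if e["spdxId"] == spdx_id)


# Two different documents that both contain PKG.
DOC_ONE = document_bytes([PKG, FILE_A])
DOC_TWO = document_bytes([FILE_B, PKG], pretty=True)

if __name__ == "__main__":
    print("document digests differ:", digest(DOC_ONE) != digest(DOC_TWO))
    print("extracted Element records equal:",
          integrity_record(extract(DOC_ONE, "urn:example:pkg-1")) == integrity_record(extract(DOC_TWO, "urn:example:pkg-1")))
```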
Subgroup will look at verification of elements themselves, independent of 3.x timeline. verifiedUsing
will continue to be verification of what the element references (e.g. an artifact).
@iamwillbar - I believe we've covered all the issues in the punchlist now. If you disagree, please reopen.