Add requirements on encryption of SBOM while stored and transmitted.

[Jimmy-ahlberg]

Suggested new material

It would be of interest to add instructions for encryption and access control of SBOMs for use cases where such are required. I don't think it should be mandated but added as an option. SBOM's could very well be sensitive information, thus it is good if our guide adds clarity for when it is needed.

Proposal would be along the lines of: SBOM Access control

SBOM at rest is stored in a access controlled fashion with only authorized individuals able to access the SBOM for approved purposes.

SBOM encryption:

When an SBOM is transmitted or stored, it should be encrypted (according to some specification we can discuss).

Additional comments

This would harmonize with requirements from O-RAN on how to mange SBOMs.

[vargenau]

Hi Jimmy, Thank you for the suggestion. Let us discuss it during in our March meeting. Best regards, Marc-Etienne

…

-- Marc-Etienne Vargenau ***@***.******@***.***> Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE Mobile: +33 6 24 49 78 68<tel:+33624497868> Senior Specialist Open Source Planned absence: none De : Jimmy Ahlberg ***@***.***> Date : vendredi, 14 février 2025 à 12:56 À : OpenChain-Project/Telco-WG ***@***.***> Cc : Subscribed ***@***.***> Objet : [OpenChain-Project/Telco-WG] Add requirements on encryption of SBOM while stored and transmitted. (Issue #155) Suggested new material It would be of interest to add instructions for encryption and access control of SBOMs for use cases where such are required. I don't think it should be mandated but added as an option. SBOM's could very well be sensitive information, thus it is good if our guide adds clarity for when it is needed. Proposal would be along the lines of: SBOM Access control SBOM at rest is stored in a access controlled fashion with only authorized individuals able to access the SBOM for approved purposes. SBOM encryption: When an SBOM is transmitted or stored, it should be encrypted (according to some specification we can discuss). Additional comments This would harmonize with requirements from O-RAN on how to mange SBOMs. — Reply to this email directly, view it on GitHub<#155>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAC4KKQMY5S4MNKP5EGCATT2PXKV7AVCNFSM6AAAAABXEOYWL6VHI2DSMVQWIX3LMV43ASLTON2WKOZSHA2TGNBZGM3TEMA>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***> [Jimmy-ahlberg]Jimmy-ahlberg created an issue (OpenChain-Project/Telco-WG#155)<#155> Suggested new material It would be of interest to add instructions for encryption and access control of SBOMs for use cases where such are required. I don't think it should be mandated but added as an option. SBOM's could very well be sensitive information, thus it is good if our guide adds clarity for when it is needed. Proposal would be along the lines of: SBOM Access control SBOM at rest is stored in a access controlled fashion with only authorized individuals able to access the SBOM for approved purposes. SBOM encryption: When an SBOM is transmitted or stored, it should be encrypted (according to some specification we can discuss). Additional comments This would harmonize with requirements from O-RAN on how to mange SBOMs. — Reply to this email directly, view it on GitHub<#155>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAC4KKQMY5S4MNKP5EGCATT2PXKV7AVCNFSM6AAAAABXEOYWL6VHI2DSMVQWIX3LMV43ASLTON2WKOZSHA2TGNBZGM3TEMA>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[winterrocks]

Encrypting sensitive information at rest and during the transmission is IMHO the normal practice, but on the other hand, it does not hurt to mention that also in the guide.

I think in the case the SBOM is confidential then the at-rest storage should be not just access controlled, but also encrypted (but that is of course also normal good practice).

[vargenau]

This has been included in draft version 1.2