Description
This has been discussed among implementers of the standard: we need a clarification on the degree to which requirement 7 needs to be checked when discovering (valid) provider-metadata.json files (see below). Currently, we have a chain that needs to be followed when discovering a provider-metadata.json:
- 7.3.1 describes the approach of discovering them from various sources and points to the requirements of chapter 7.1 (see also 7.3.1: Clarification on "requirement" when retrieving provider metadata #1243 for a clarification here). For example, requirement 9.
- 7.1.9, which houses requirement 9, states:

  > The URL path /.well-known/csaf/provider-metadata.json under the main domain of the issuing authority serves directly the provider-metadata.json according to requirement 7

  pointing to requirement 7.
- Finally, requirement 7 states:

  > The publisher object SHOULD match the one used in the CSAF documents of the issuing party but can be set to whatever value a CSAF aggregator SHOULD display over any individual publisher values in the CSAF documents themselves.
Apparently this has led some implementers to the conclusion that documents inside the provider must be checked for a potential match to the publisher value inside the provider-metadata.json. In my opinion this should definitely not be a part of the discovery process, but it can of course be done by an extensive checker on the provider itself. In addition, there are also references to other requirements (14, 15, etc.) that also should not affect the discovery process.

In my opinion we should clearly state which requirements we intend to be checked by the process described in 7.3.1.