[3.7] Vocabularies & normalisation #3

@ozzyathome

Description

Aspect

Section: 3.7 Vocabularies & normalisation
Orientation relevance: both

Objective

Decide which external vocabularies the methodology adopts (rather than reinvents) and what
controlled value sets a profile may rely on, so the same thing is named and interpreted
identically across producers. Cross-cutting — reference from other threads.

Background & links

Scoping document §3.7, and the normalisation lesson from SBOM adoption in §2.4. References:
the CycloneDX Cryptography Registry (algorithm identification); Package URL (purl) for
component identity. Coordinates with format mapping (3.6).

Options under consideration

  • Adopt external vocabularies wholesale — use the Cryptography Registry and purl as-is,
    defining WG vocabulary only for genuine gaps. (Trade-off: minimal divergence; dependent on
    upstream cadence.)
  • WG-curated overlay — maintain a thin curated value set layered over external sources.
    (Trade-off: more control; maintenance burden.)

Open questions

  • Which external vocabularies the methodology adopts rather than reinvents.
  • The controlled value sets a profile may rely on (lifecycle/state values: active, deprecated, quantum-vulnerable, hybrid, …) and how new values are added.
  • Guidance on syntactic normalisation (schema versions, identifiers) and semantic normalisation (agreed meanings).

Dependencies

Depends on attribute model (3.3 #1). Cross-cutting — referenced by most aspect threads.
Coordinates with format mapping (3.6 #2).

Decision

Not yet decided.

Impact on the specification

Spec section "Vocabularies and normalisation."

Metadata

Assignees

No one assigned

Labels

  • aspect:normalisation (3.7 Vocabularies & normalisation, cross-cutting)
  • needs:owner (no aspect owner assigned yet)
  • status:deliberating (open argument — options being explored)
  • type:dependency (cross-cutting item referenced by several aspects)
