[3.8] Relationship to SBOM / HBOM & layering #8

@ozzyathome

Description

Aspect

Section: 3.8 Relationship to other inventories and layering
Orientation relevance: both

Objective

Decide how a profile expresses the relationship between cryptographic assets and the software
and hardware that use them, including links to an accompanying SBOM and, where relevant, HBOM.

Background & links

Scoping document §3.8. A CBOM is rarely used alone; its value depends on being relatable to
the software and hardware components it describes. References: the SBOM/CBOM relationship;
purl and BOM-ref as component identifiers.

Options under consideration

  • Reference, don't duplicate — the CBOM links to SBOM/HBOM components by identifier
    (purl / BOM-ref); component detail stays in the SBOM/HBOM. (Trade-off: clean separation;
    requires the linked artifacts to be present, and their identifiers to stay stable across
    regenerations, for the links to resolve.)
  • Limited duplication — allow key component attributes (e.g. name, version, purl) to be
    carried in the CBOM for standalone use. (Trade-off: usable alone; risk of drift between
    artifacts when one is regenerated and the other is not.)

Open questions

  • How a profile references the components a cryptographic asset belongs to, and links to SBOM/HBOM.
  • How the layered relationship (cryptographic / software / asset inventory) is reflected in profile attributes.
  • Whether some attributes are deliberately delegated to the SBOM or HBOM rather than duplicated.

Dependencies

Depends on attribute model (3.3 #1); coordinates with normalisation (3.7 #3) on
identifiers.

Decision

Not yet decided.

Impact on the specification

Spec section "Relationship to SBOM/HBOM and layering."

Metadata

Labels

  • aspect:layering (3.8 Relationship to SBOM/HBOM & layering)
  • needs:owner (No aspect owner assigned yet)
  • status:deliberating (Open argument — options being explored)
  • type:decision (A concrete choice to be resolved)
