CoSWID Tag
CoSWID (Concise Software Identification) tags are defined in RFC 9393 [1]. These are based upon the SWID specification. NIST has also created NIST IR 8060 [2] as an open stand-in for the specification, defining a few extra meta-fields that are contained within CoSWID tags (edition, colloquial-version, product, etc.).
In contrast to SWID tags, which use XML encoding, CoSWID tags use CBOR [3] encoding.
Details
The CoSWID specification uses the Concise Data Definition Language (CDDL), defined in RFC 8610 [4], to define CoSWID structures in terms of arrays and maps (a type of array limited to key/value pairs). Most of these items are optional.
CoSWID tags are signed using a COSE [5] signature envelope. RFC 9393 defines a context attribute of "application/swid+cbor" to provide a hint to the parser that the payload is a CoSWID-defined object.
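The structure described above, as an added example that is not part of the original page or of any CoSWID project: a small CBOR reader that unwraps a COSE_Sign1 envelope, checks the "application/swid+cbor" hint (read here from COSE header parameter 3, content type) and reports missing required map keys. The sample tag, the names `inspect_coswid`, `wrap`, `COSWID` and `SIGNED`, and the all-zero signature are constructed for illustration. The reader handles integers, strings, arrays, maps and tags only, and does not verify the signature.

```python
def decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info > 27 or major == 7:
        raise ValueError("indefinite lengths, simple values and floats are not handled")
    arg = info
    if info > 23:                        # 1-, 2-, 4- or 8-byte argument follows
        size = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major < 2:                        # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major < 4:                        # byte string / text string
        raw = buf[pos:pos + arg]
        if len(raw) != arg:
            raise ValueError("truncated string")
        return (raw if major == 2 else raw.decode()), pos + arg
    if major == 6:                       # tag: keep its number beside the content
        value, pos = decode(buf, pos)
        return ("tag", arg, value), pos
    items = []                           # array, or map stored as arg key/value pairs
    for _ in range(arg * (2 if major == 5 else 1)):
        value, pos = decode(buf, pos)
        items.append(value)
    return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos

# Integer map keys of the items RFC 9393 requires in every tag.
REQUIRED = {0: "tag-id", 12: "tag-version", 1: "software-name", 2: "entity"}
def inspect_coswid(data):
    """Return (signed, tag_map, problems); the signature is NOT verified."""
    item, end = decode(data)
    problems = [] if end == len(data) else ["trailing bytes"]
    signed = isinstance(item, tuple) and item[1] == 18   # CBOR tag 18: COSE_Sign1
    if signed:
        protected, _unprotected, payload, _signature = item[2]
        if decode(protected)[0].get(3) != "application/swid+cbor":  # 3: content type
            problems.append("content type is not application/swid+cbor")
        item = decode(payload)[0]
    if not isinstance(item, dict):
        return signed, None, problems + ["payload is not a CBOR map"]
    return signed, item, problems + [f"missing {n}" for k, n in REQUIRED.items() if k not in item]

def wrap(major, body):   # sample helper: encode a bstr (2) or tstr (3) under 256 bytes
    n = len(body)
    return (bytes([major << 5 | n]) if n < 24 else bytes([major << 5 | 24, n])) + body

# Constructed sample: {0: tag-id, 12: 0, 1: name, 2: {31: entity-name, 33: role 1}}
COSWID = (b"\xa4\x00" + wrap(3, b"example-tag") + b"\x0c\x00\x01" + wrap(3, b"Example App")
          + b"\x02\xa2\x18\x1f" + wrap(3, b"Example Org") + b"\x18\x21\x01")
PROTECTED = b"\xa2\x01\x26\x03" + wrap(3, b"application/swid+cbor")  # {1: -7, 3: hint}
SIGNED = b"\xd2\x84" + wrap(2, PROTECTED) + b"\xa0" + wrap(2, COSWID) + wrap(2, bytes(64))
```

`inspect_coswid(SIGNED)` and `inspect_coswid(COSWID)` return the same tag map; only the `signed` flag differs, and malformed input raises rather than returning a partial result.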
At present, there are few implementations of systems that require CoSWID tags, but support is making its way into the related specifications mentioned on this page.