Data input into tagging fields must maintain consistencies that optimise the software detection processes for discovery tools, SAM and other software life cycle management owners alike. For example, it is recommended that, if possible, software manufacturers should maintain consistency in the manufacturer name field within any given product line. Although this document does not require consistency in the manufacturer name field for operating systems, uniformity is strongly urged.
Acknowledging that some resellers may only ship pre-manufactured media and therefore find tag modification difficult or impossible, this document proposes three possible implementation alternatives to allow for, or preclude the necessity of, reseller tag modification:
Acknowledging that many manufacturers produce software with specific builds that are dependent on language and that many others produce software with one build that implements add-on language packs, this document does not require that tagging methods allow for the recognition of different language versions for the same product. Consistent categorisation of the type of language solution employed is, however, strongly encouraged.
It is recommended that SWID tags should be routinely embedded into software installers so as to distinguish unapproved versions of a product from approved versions via the presence/absence of a manufacturer’s proprietary tag elements.
For purposes of uniqueness, tag creators must create a globally unique identifier (GUID) to assign to each particular piece of software’s SWID tag. The value of the GUID should be exclusive to a particular release of software. The GUID can be used to reference a tag in other, related tags. TagVault.org managed tags allow the assignment of a unique GUID across the TagVault domain. The cross-referencing capabilities of a GUID include, but are not limited to:
The sequence of applying tags consists of multiple steps. For each product requiring tagging, analyse as follows:
For each deployment to be tagged:
The deployment can be a simple set of binaries that provides a single set of functionality that is not configurable.
In this case, the deployment can be labelled with a single classic tag in two locations:
Details of each are described below.
In the case where there may be add-ons in the deployment model, there are tags for each component, where the build tag can describe the ‘base component’ and then component tags describe each component.
If the entire available functionality is installed as a single deployment, then the build tag can describe the deployment. If the additional functionality is achieved by adding new components to the base component, then each component tag can describe the additional deployment.
The presence of any tag does not imply that the software that is tagged is in use. If there are rules for measuring activity, these rules can be derived from the optional usage element, if it is included in the tag.
In the case where attributes may need protection, the attributes are grouped by owner (either a creator or modifier) and the group is signed. In the above example, for instance, all mandatory elements plus either the ‘component list’ or ‘component of’ elements might form a group for signing. There may be other elements that do not require protection in any tag generated and these can be formed within the tag at the same time as the signed group by the tag generation mechanism.
The functionality of an IEC/ISO 19770-2 tag is such that each tag can be identifiable as unique (see serial_number below in the section on tag optional elements).
In order to achieve this, there is a preference for a central clearing house that assigns, at minimum, a unique identifier for each tag generated that is identified in the ISO proposed standard as serial_number.
The tag container, or file, must also conform to specific parameters. The proposed ISO standard is as follows:
The name of a software tag must be unique and align with the following structure: <product_title>-<serial_number>.swtag. The components of the tag filename are identity elements required of all software tags. The .swtag file extension can be used for all software tags. This naming scheme allows for multiple software tags to be applied to the same product, thereby providing support for upgrades and audit capabilities.
If a software configuration item is installed for a specific user, a suffix containing user identification information (e.g. ‘userlD’) should be used to differentiate unique installations. An example name in such an instance would be <product_title>-<serial_number>-<userlD>.swtag.
An application, such as VTP, must generate digitally signed tag files as part of the process.
The digital signature can be generated uniquely based upon pre-selected criteria, e.g. by publisher or by tag attribute, or a combination of attributes. This functionality can allow verification of tags in a customised fashion.
The clearing house can provide additional services such as:
The detection of a deployment may vary depending upon the deployment measurement tool.
Windows |
%ALLUSERPROFILE%Application Data<Company>ISO-19770 |
Apple Macintosh, Unix and Linux |
Users/Shared/<Company>/ISO-19770 |
The above is the ISO-defined root location.
The field ‘Company’ can use a unique corporate identifier as assigned by the clearing house, in much the same way as a DNS domain name is assigned. The ‘Company’ may be chosen by the requestor and maintained as unique by the clearing house. The identifier field may also use the 10-digit IBEI/ISO16372 standard, or the Standard and Poor’s, Dun and Bradstreet, etc. identifiers, and be assigned by the clearing house.
A single classic tag should also be deployed in the top-level directory of the application directory in case it is located on removable media.
This has to be determined by research on the product. This is usually some logical location that is defined as a global environment variable in the installation machine.