<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-liu-cadi-01" category="std" consensus="true" submissionType="IETF" xml:lang="en" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="CADI">Cryptographic Asset Discovery and Inventory</title>
    <seriesInfo name="Internet-Draft" value="draft-liu-cadi-01"/>
    <author initials="C. P." surname="Liu" fullname="Chunchi Peter Liu">
      <organization>Huawei</organization>
      <address>
        <postal>
          <country>China</country>
        </postal>
        <email>liuchunchi@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <keyword>CADI</keyword>
    <keyword>PQC</keyword>
    <abstract>
      <?line 65?>

<t>This document compiles existing Cryptographic Asset Discovery and Inventory (CADI) methods and analyze potential gaps.</t>
    </abstract>
  </front>
  <middle>
    <?line 69?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Cryptographic Asset Discovery and Inventory (CADI) refers to a set of tools and guidelines that assist in identifying, collecting, normalizing, correlating, and continuously maintaining all cryptography-related assets, including configurations, dependencies, and usage contexts within a given organization, system, or product scope. It requires both technical tools and management approaches.</t>
      <t>Many Post-Quantum transition roadmaps have highlighted the importance of identifying legacy cryptographic assets inside of an organization as a crucial preparatory part. For example:</t>
      <ul spacing="normal">
        <li>
          <t>The G7 statement on "Advancing a Coordinated Roadmap for the Transition to Post-Quantum Cryptography in the Financial Sector" <xref target="G7"/> mentions there should exist six key PQ-migration activities:
          </t>
          <ul spacing="normal">
            <li>
              <t>Awareness and Preparation, <strong>Discovery and Inventory</strong>, Risk Assessment and Planning, Migration Execution, Migration Testing, Validation and Monitoring. The exact six stages are also published in NCCoE analysis on "Six Key Phases of the PQC Migration Journey" <xref target="NCCOEFAQ"/>.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>The United States Memorandum for the Heads of Executive Departments and Agencies on "Migrating to Post-Quantum Cryptography" <xref target="OMBM2302"/> requires:
          </t>
          <ul spacing="normal">
            <li>
              <t>All federal agencies to "<strong>Submit cryptographic system inventory By May 4, 2023 and annually thereafter</strong>". This important date is also mentioned in CISA directive "Strategy for Migrating to Automated Post-Quantum Cryptography Discovery and Inventory Tools"<xref target="CISAACDI"/>.</t>
            </li>
          </ul>
        </li>
      </ul>
      <t>Although the exact PQ-migration roadmap in each different nations varies, the fact that cryptographic asset discovery and inventory is a key prerequisite for Chief Information Security Officers to asses a migration budget and draft a migration plan does not change. In this draft, we analyze existing CADI methods and potential gaps.</t>
    </section>
    <section anchor="term">
      <name>Terminology</name>
      <ul spacing="normal">
        <li>
          <t>CADI (Cryptographic Asset Discovery and Inventory) -- A set of tools and guidelines designed to automate the identification, collection, normalization, correlation, and lifecycle management of an organization's cryptographic assets.</t>
        </li>
        <li>
          <t>Cryptographic Asset -- A digital or physical element within a device or service-such as an algorithm, module, configuration, credential, secret, or communication protocol-that protects the confidentiality and integrity of secure data transmission or storage.</t>
        </li>
        <li>
          <t>Cryptographic System -- An active software or hardware implementation of one or more cryptographic algorithms that provide one or more of the following services: (1) creation and exchange of encryption keys; (2) encrypted connections; or (3) creation and validation of digital signatures. (according to <xref target="OMBM2302"/>)</t>
        </li>
        <li>
          <t>Cryptographically Relevant Quantum Computers (CRQC) -- A fault-tolerant quantum system capable of solving the underlying hardness assumption problems of widely used public-key cryptography in polynomial time, such as RSA and ECC.</t>
        </li>
      </ul>
    </section>
    <section anchor="ps">
      <name>Problem Statement and Challenges</name>
      <t>Apart from the milestones and requirements discussed above, there are also a few challenges to identify cryptographic assets:</t>
      <ul spacing="normal">
        <li>
          <t>Legacy ICT systems were not engineered to treat cryptographic primitives as distinct, trackable assets. Instead, cryptographic implementations are deeply integrated, highly distributed, and hidden across heterogeneous layers of the technology stack.</t>
        </li>
        <li>
          <t>Taking inventory manually would take enormous amount of effort, yet there may still be statistical omissions that leave security exposures.</t>
        </li>
        <li>
          <t>Methods like Cryptographic Bill of Materials (CBOM) only take effect on new devices to self-announce its cryprographic assets, but it cannot help identify legacy devices and systems.</t>
        </li>
        <li>
          <t>Legacy devices and systems often behave like blackboxes, many does not allow installing additional programs or tools on them.</t>
        </li>
      </ul>
      <t>As a result, the ideal CADI tool should meet the following requirements:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Automated</strong> scanning and inventory taking</t>
        </li>
        <li>
          <t><strong>Agnostic</strong> to target object's system designs and architectures</t>
        </li>
        <li>
          <t><strong>Integrate</strong> the result to existing network management and operations systems for unified presentation</t>
        </li>
      </ul>
      <t>The requirements for automation, architectural agnosticism, and network management integration suggest a protocol-driven approach, potentially placing this within the scope of the IETF. However, this remains open for discussion.</t>
    </section>
    <section anchor="discovery-and-identification">
      <name>Discovery and Identification</name>
      <t>There are many ways of doing discovering and identification. We catagorize them into two: active identification and passive identification.</t>
      <ul spacing="normal">
        <li>
          <t><strong>Active Identification</strong>: The case where devices and services modifies its development and/or management process, actively self-announcing their cryptographic assets. Methods falls into this category includes:
          </t>
          <ul spacing="normal">
            <li>
              <t>CBOM Declaration</t>
            </li>
            <li>
              <t>Static Code Scanning</t>
            </li>
            <li>
              <t>Binary / Image Scanning</t>
            </li>
            <li>
              <t>CI/CD Integration</t>
            </li>
          </ul>
        </li>
        <li>
          <t><strong>Passive Identification</strong>: The case where devices and services will stay as-is and cannot self-announce their cryptographic assets. These devices will require additional external tools to assist the identification. Methods falls into this category includes:
          </t>
          <ul spacing="normal">
            <li>
              <t>Simulated Handshakes</t>
            </li>
            <li>
              <t>Configuration Extraction</t>
            </li>
            <li>
              <t>Traffic Pattern Analysis</t>
            </li>
            <li>
              <t>Process Identification</t>
            </li>
          </ul>
        </li>
      </ul>
      <section anchor="active-identification">
        <name>Active Identification</name>
        <section anchor="cryptographic-bill-of-materials-cbom-and-auxiliary-methods">
          <name>Cryptographic Bill of Materials (CBOM) and Auxiliary Methods</name>
          <t>CBOM-based identification is to empower cryptographic asset owners or vendors to explicitly declare cryptographic usage within their products, components, or services. Usually CBOM declaration is achieved through static code scanning and/or CI/CD integration, so we keep them in the same section.</t>
          <t><strong>Scanning Methods:</strong></t>
          <ul spacing="normal">
            <li>
              <t><strong>Static Code Scanning</strong>:
              </t>
              <ul spacing="normal">
                <li>
                  <t>SCA (Software Composition Analysis): Scan manifest files (like <tt>package.json</tt>, <tt>requirements.txt</tt>, or <tt>pom.xml</tt>) from the codebase to create CBOMS, usually for analyzing third-party libraries dependency.</t>
                </li>
                <li>
                  <t>SAST (Static Application Security Testing): Builds a Abstract Syntax Tree (AST) with parsed syntax and data flow of the target source code. It then uses AST to track call chain to end crypto library, track variables (data flow) from source to destination, do reference matching, etc.
                  </t>
                  <ul spacing="normal">
                    <li>
                      <t>SCA and SAST is used by IBM CBOMKit-Hyperion.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>Binary / Image Scanning</strong>:
              </t>
              <ul spacing="normal">
                <li>
                  <t>Scan for algorithmic constants, signatures; Extract from OS trust stores and runtime configurations... The process details are omitted in this document due to complexity.
                  </t>
                  <ul spacing="normal">
                    <li>
                      <t>Binary / Image Scanning is used by IBM CBOMKit-Theia and CycloneDX Cdxgen.</t>
                    </li>
                  </ul>
                </li>
              </ul>
            </li>
          </ul>
          <t><strong>Tools and Modelling:</strong></t>
          <ul spacing="normal">
            <li>
              <t><strong>IBM CBOMkit</strong>, Static code level scanning (Hyperion) and Artifact level scanning (Theia) <xref target="IBMCBOM"/>: uses <tt>implements</tt> and <tt>uses</tt> relationship to create dependency diagram.
              </t>
              <ul spacing="normal">
                <li>
                  <t><tt>implements</tt>: Describes the list of protocols or algorithms this module implements.</t>
                </li>
                <li>
                  <t><tt>uses</tt>: Describes what modules are used by this service.</t>
                </li>
                <li>
                  <t>For example, Application Nginx <tt>uses</tt> Library <tt>libssl.so</tt> that <tt>uses</tt> Protocol TLS v1.3/v1.2 that <tt>uses</tt> <tt>libcrypto.so</tt> that <tt>implements</tt> Algorithm MD5, SHA256, AES-128-GCM.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><strong>CycloneDX Cdxgen</strong>, Artifact level scanning <xref target="CDXGEN"/>: uses <tt>dependsOn</tt> and <tt>provides</tt> relationship to create dependency diagram.
              </t>
              <ul spacing="normal">
                <li>
                  <t><tt>dependsOn</tt>: Describes other modules or services this module depends on.</t>
                </li>
                <li>
                  <t><tt>provides</tt>: Describes all capabilities this module provides.</t>
                </li>
                <li>
                  <t>For example, Application Nginx <tt>dependsOn</tt> Library <tt>libssl.so</tt> , which <tt>provides</tt> TLS 1.2.</t>
                </li>
              </ul>
            </li>
          </ul>
          <t>After scanning, the result will be recorded as a CBOM object.</t>
          <t><strong>CBOM data specification:</strong> A standardized cryptographic asset object includes cryptographic algorithms, digital certificates, protocols, private keys, public keys, cryptographic keys, ciphertext information, digital signatures, digests (the output values of hash functions), initialization vectors (input parameters for encryption algorithms), seeds, salts, shared secrets, authentication tags, passwords, credentials, and tokens. For a detailed specification, see CycloneDX SBOM v1.6 https://cyclonedx.org/news/cyclonedx-v1.6-released/</t>
          <artwork><![CDATA[
"components": [
 {
  "name": "google.com",
  "type": "cryptographic-asset",
  "bom-ref": "crypto/certificate/google.com@sha256:1e15e0fbd3ce9...",
  "cryptoProperties": {
    "assetType": "certificate",
    "certificateProperties": {
      "subjectName": "CN = www.google.com",
      "issuerName": "C = US, O = Google Trust ... LLC, CN = GTS CA 1C3",
      "notValidBefore": "2016-11-21T08:00:00Z",
      "notValidAfter": "2017-11-22T07:59:59Z",
      "signatureAlgorithmRef": "crypto/algorithm/sha-512-rsa@1.2.840..",
      "subjectPublicKeyRef": "crypto/key/rsa-2048@1.2.840.113549.1.1.1",
      "certificateFormat": "X.509",
      "certificateExtension": "crt"
    }
  }
]]></artwork>
          <t><em>Figure 1: Example CBOM</em></t>
          <t><strong>Gaps:</strong> Obviously, this does not help with identifying the mass legacy devices, components or services.</t>
        </section>
      </section>
      <section anchor="passive-identification">
        <name>Passive Identification</name>
        <section anchor="simulated-handshakes">
          <name>Simulated Handshakes</name>
          <t>Simulated handshake is a network-probing technique where a discovery tool acts as a client and intentionally initiates cryptographic protocol negotiations (e.g., TLS, SSH, IPsec) with enterprise network endpoints without completing the full data session. During the negotiation process, the discovery tool determines the specific cryptographic protocol versions, negotiation mechanisms, and ciphersuites supported by the endpoint. This is also known as <em>Active Probing</em>.</t>
          <t><strong>Steps of simulated handshake include:</strong></t>
          <ol spacing="normal" type="1"><li>
              <t><strong>Port Scan:</strong> The tool scans for typical ports for specific secure communication protocols (443 for HTTPS, 22 for SSH, etc)</t>
            </li>
            <li>
              <t><strong>Probing:</strong> The tool generates a RFC-compliant connection initialization packet, including all currently standardized ciphersuites, and examine the response.</t>
            </li>
            <li>
              <t><strong>Response Extraction:</strong> The target object respond with supported ciphersuites, following its own internal priority rules.</t>
            </li>
            <li>
              <t><strong>Parsing:</strong> The tool intercepts this raw response and decodes it as cryptographic assets.</t>
            </li>
          </ol>
          <t>This works for most secure protocols that includes negotiation:</t>
          <ul spacing="normal">
            <li>
              <t>IPSEC</t>
            </li>
            <li>
              <t>TLS</t>
            </li>
            <li>
              <t>SSH</t>
            </li>
          </ul>
          <t><strong>Pros and Cons/Gaps:</strong></t>
          <ul spacing="normal">
            <li>
              <t>Strengths:
              </t>
              <ul spacing="normal">
                <li>
                  <t>This kind of method does not require complex engineering refactoring. Since it is agnostic to the design of the target, it works best for the case where the manager operates vast heteogenous devices from different vendors, versions and locations, hence telecommunications case.</t>
                </li>
                <li>
                  <t>This probing is one-time, thus it will not create unhandleable amount of probing packets.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>The limitation of this method is that
              </t>
              <ul spacing="normal">
                <li>
                  <t>Some masking mechanism will stop the probing (firewalls, load balancers, port-concealing protocols like Single Packet Authorization that enforce a default drop for unexpected packets), leaving a hidden security posture inside of the system.</t>
                </li>
                <li>
                  <t>Network management cannot know local application components that rests internally in the device and are not exposed over a socket.</t>
                </li>
              </ul>
            </li>
          </ul>
          <t><strong>Tools:</strong></t>
          <ul spacing="normal">
            <li>
              <t>Cisco Mercury project <xref target="MERCURY"/> provides an open source packet capture and analysis tool. It can read network packets, identify metadata of interest, and write out the metadata (including cryptographic-related) in JSON format.</t>
            </li>
          </ul>
        </section>
        <section anchor="traffic-pattern-analysis">
          <name>Traffic Pattern Analysis</name>
          <t>Unlike simulated handshakes that actively query an endpoint, Traffic Pattern Analysis listens passively to live network traffic at strategic aggregation points. It infers cryptographic asset usage from protocol metadata, statistical characteristics, and behaviors without decrypting the underlying data payload.</t>
          <t><strong>Methods of Traffic Pattern Analysis includes:</strong></t>
          <ul spacing="normal">
            <li>
              <t>Listen to unencrypted negotiations like <tt>clientHello</tt>/<tt>serverHello</tt>, Server Name Indication (SNI), response of an unencrypted server digital certificate request, etc.</t>
            </li>
            <li>
              <t>Listen to handshake fingerprints and compare them to existing patterns, as protocol implementations and behaviors are often rigid.</t>
            </li>
            <li>
              <t>Listen to packet length and arrival time, do statistical pattern recognition.</t>
            </li>
          </ul>
          <t><strong>Pros and Cons/Gaps:</strong></t>
          <ul spacing="normal">
            <li>
              <t>Strengths:
              </t>
              <ul spacing="normal">
                <li>
                  <t>Similar to Simulated Handshakes, this kind of method is not intrusive and is agnostic to the design of the target.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>The limitation of this method is that
              </t>
              <ul spacing="normal">
                <li>
                  <t>Negotiation information like <tt>clientHello</tt> <xref target="RFC9849"/> and SNI are tending to be encrypted.</t>
                </li>
                <li>
                  <t>Protocols tend to have constant size packets <xref target="RFC9347"/>.</t>
                </li>
                <li>
                  <t>Alternative routing: network requests/responses could exit through a different routing path.</t>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="process-identification">
          <name>Process Identification</name>
          <t>Process Identification requires Endpoint Detection and Response (EDR) installed to have cryptographic visibility inside of a system.</t>
          <t><strong>Methods of Process Identification includes:</strong></t>
          <ul spacing="normal">
            <li>
              <t>Kernel-Level System Call Auditing by deploying eBPF programs into the kernal space. These filters can capture kernel events to determine exactly which process (down to PID) have initiated an encrypted network communication.</t>
            </li>
            <li>
              <t>Shared Library and Binary Hooking, by monitoring process load table to see if cryptographic dynamic libraries are loaded into the memory space.</t>
            </li>
            <li>
              <t>Live Memory Scanning, by periodically scanning volatile memory for indication of creation of keys or signatures (as high-entropy memory segments), and then compare them with known patterns.</t>
            </li>
          </ul>
          <t><strong>Pros and Cons/Gaps:</strong></t>
          <ul spacing="normal">
            <li>
              <t>Strengths:
              </t>
              <ul spacing="normal">
                <li>
                  <t>Have deeper visibility for cryptographic assets within devices.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>The limitation of this method is that
              </t>
              <ul spacing="normal">
                <li>
                  <t>Requires loading new software (at least EDR/RDR) to legacy devices.</t>
                </li>
                <li>
                  <t>Potential blind spots due to lower pattern coverage.</t>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="configuration-extraction">
          <name>Configuration Extraction</name>
          <t>The Configuration Extraction is a bit similar to the source code scanning. This section focuses more on the runtime configurations. In different use cases, the configuration extraction methods differs significantly. This section is to be extended.</t>
          <t><strong>Methods of Configuration Extraction includes:</strong></t>
          <ul spacing="normal">
            <li>
              <t>In network device management, NETCONF and YANG provide a standardized, model-driven management interface that enables programmable configuration and state validation. The network managing platform can define a YANG model and extract configurations from a device.</t>
            </li>
            <li>
              <t>In cloud-native development, general <tt>.yaml</tt> configuration files, <tt>.env</tt> environment variables files, Kubernetes secret manifest, etc, can be extracted by administrative scripts or through management interfaces (e.g., AWS CloudControl, Kubernetes API).</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="inventory">
      <name>Inventory</name>
      <t>TBD: After discovery, the result should best be presented in a unified network management platform for a comprehensive view. The Network Inventory (IVY) working group is working on this topic and cryptographic properties could become extensions to IVY records. The details of this section could invite more network management experts for input.</t>
    </section>
    <section anchor="potentially-related-working-groups">
      <name>Potentially Related Working Groups</name>
      <ul spacing="normal">
        <li>
          <t>IVY -- extend network management views with cryptographic attributes.</t>
        </li>
        <li>
          <t>SCITT -- extend SBOMs to adapt CBOMs.</t>
        </li>
        <li>
          <t>PQUIP -- as a migration guideline.</t>
        </li>
      </ul>
    </section>
    <section anchor="tools-compilation">
      <name>Tools Compilation</name>
      <t>Due to limited time, compiling existing CADI tools remain open and will be done in next version.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This document has no further security considerations.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9849">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
        <reference anchor="RFC9347">
          <front>
            <title>Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)</title>
            <author fullname="C. Hopps" initials="C." surname="Hopps"/>
            <date month="January" year="2023"/>
            <abstract>
              <t>This document describes a mechanism for aggregation and fragmentation of IP packets when they are being encapsulated in Encapsulating Security Payload (ESP). This new payload type can be used for various purposes, such as decreasing encapsulation overhead for small IP packets; however, the focus in this document is to enhance IP Traffic Flow Security (IP-TFS) by adding Traffic Flow Confidentiality (TFC) to encrypted IP-encapsulated traffic. TFC is provided by obscuring the size and frequency of IP traffic using a fixed-size, constant-send-rate IPsec tunnel. The solution allows for congestion control, as well as nonconstant send-rate usage.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9347"/>
          <seriesInfo name="DOI" value="10.17487/RFC9347"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="G7" target="https://home.treasury.gov/system/files/136/G7-CEG-Quantum-Roadmap.pdf">
          <front>
            <title>Advancing a Coordinated Roadmap for the Transition to Post-Quantum Cryptography in the Financial Sector</title>
            <author>
              <organization/>
            </author>
            <date year="2026" month="January"/>
          </front>
        </reference>
        <reference anchor="CISAACDI" target="https://www.cisa.gov/sites/default/files/2024-09/Strategy-for-Migrating-to-Automated-PQC-Discovery-and-Inventory-Tools.pdf">
          <front>
            <title>Strategy for Migrating to Automated Post-Quantum Cryptography Discovery and Inventory Tools</title>
            <author>
              <organization/>
            </author>
            <date year="2024" month="August"/>
          </front>
        </reference>
        <reference anchor="NCCOEFAQ" target="https://pages.nist.gov/nccoe-migration-post-quantum-cryptography/FAQ/index.html">
          <front>
            <title>Frequently Asked Questions about Post-Quantum Cryptography</title>
            <author>
              <organization/>
            </author>
            <date year="2026" month="June"/>
          </front>
        </reference>
        <reference anchor="OMBM2302" target="https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf">
          <front>
            <title>MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES, Migrating to Post-Quantum Cryptography</title>
            <author>
              <organization/>
            </author>
            <date year="2022" month="November"/>
          </front>
        </reference>
        <reference anchor="NIST-SP-1800-38B" target="https://www.nccoe.nist.gov/sites/default/files/2023-12/pqc-migration-nist-sp-1800-38b-preliminary-draft.pdf">
          <front>
            <title>Migration to Post-Quantum Cryptography Quantum Readiness- Cryptographic Discovery</title>
            <author>
              <organization/>
            </author>
            <date year="2023" month="December"/>
          </front>
        </reference>
        <reference anchor="MERCURY" target="https://github.com/cisco/mercury/">
          <front>
            <title>Mercury - network metadata capture and analysis.</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="IBMCBOM" target="https://github.com/IBM/CBOM">
          <front>
            <title>CBOM</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="CDXGEN" target="https://github.com/cdxgen/cdxgen">
          <front>
            <title>CycloneDX Generator</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA71cWXPbVpZ+V5X+wy35YSQVQWqxY1tdU9U0tXasxSLdnZ55
GIHAJXlb2IILiGJUzm/v75y7AKCpTJKqmeqkRQJ3Pct3ViYIgu0tXYVZ/D9h
kmfyRFRlLbe3orCS87xcnQhdxRhRT1OltcqzyarAoKuzyfn2lipKHq+ro4OD
jwdH21tJmM1PhMy2t7a3KlUlGDoqV0WVz8uwWKhIDLWWlThVOsqfZLkS2Fhc
ZU8yq7DZ9lY4nZbyCZOGp1fbW3EeZWGKNeIynFVBouogCmMVHBxub+VTnSey
kvpEbG/VRRzSR0zBX3qCpUoZ0qdlXj7Oy7wuzOPHJUYJEdgt6NPdlxFPqKtF
XtLbgJ6rDEuP+uKuLz6rmp6Ys4wWdRYtlLjD5qV7lZfzMFO/hBUodCIu63Ap
FT2XaaiSE4GTR2baXxf8rh/lKb2P8jqriMqjhcpCOkWWlymWeZJ8zPvz0ccP
bz/6z8dv35/QKJXNOuMu3vMfISzRh/FTmEUqm4tQjPK8jLF6JWNxn4dxGhYC
s0W1kGJShplWdGpR5eIu11XwpQ6zqk7bfFuBGDz8HMtg2TARYxmBY2ZPQ/Oj
g6MfmDN8jLCcy+pELKqq0CeDwSJPZb8CR3Rdrvrz/GmgV7qS6WCmEqkHh8c/
DC7eB6OzC7d9YE/aL+IZLTm6Gg+Ho9Or7jXHVUlyuuL7XCsctqI74yrDuspT
vvLrl3pFCsUkzxO9drW3wcGHzVdbLpf9SOnQ3EpBDAexnIV1UtnLmdkfB+6w
AQ4b+MMGVR74wwYQxcAfK8CxAn+sgI/l6HEzGt2enQ+/dOlxXsqfawxPVlC0
R1z+Sy01cVeLcJrX1evE+J6TP2y+bhHOpe5nSld84SyKchmk5jZ5FhS0wc+W
h1FrgwEOO1BZLJ/7iypNaPHb60/XR8cHR907XJ9d394Pb06/Xovz23sxuTwT
l2fD07G4PRdnP52Nvk6u/n4mTs/uhveT67ObyVhgsBhenN2Mrs7Gva4Y/N77
HgWHr0gusXe5AFsXea0l33lZBFGeVaDzoC4SyCnz+GhweDi4Do6Og4Oj4Dq4
lmkegCAdRrePE7SP49l6NZ4E47vg8MPBQXD84dMaaRyZf1tZ3cN7CbDMpNbB
Ggh7CVujwnFwePQ6FZjVDedfEXVaY1D8HLVkgqYEunCXmgZFKROVAksg1Qzt
7vrXZ/ejr/f/XLu1LCOgBoA6kxWhuUhlFeLQoYjCoqpLyfobZmGy0kr3N99g
rqpFPSXcHUR0/UFqlh3Q8KtP16NPt9fdfenJ/7oWZg7cwNHpT5DCtUVWEZnV
05/EhcwkCOJA87fOFz/PZWb/mNHbW0EQQIc1MCSqyAJMFkoLGMg6hRzCjqQF
cUDIZxCbhP8PmF2xS7Zwj8i6yGPdUPMXKYqc5JwQfx4WRFtzklTFcSLp2xus
U5V5XEcsmC9vFH39Rq/+xBFKOZOlJvEOBQ3PZ/gM2OPR81rFEBxINIxRWIkQ
DomuyDbhOQ45W+HiPdAiSWCd+DNb00T9Yl+UELzQvKEFSYtVVkOxAZiw1FmF
f9loJolog1fA84CnIV1C97BnlNQxDcUaMzWvjajjTSwLCZSDlZTa7FJrQCbv
JZ8rLZZgNI4cijmMd9bxHHrCWMUenorCEFWAXoXsi6tKELirEref5tVCVDJa
ZCoCZxoKpWDbXLJEhAUWCKOFNEy7DrNVFzKqxvSXxtZqsQifpFio+SLBv3Rf
MvoqLfISHmIkiR0tUotEzsNo1aYU+GxIRO4ThtKMsHtJDMDlo7JmPwJQUISs
FiuBD1VfnOPu8jlMi0Syq7MvJjjExXs4omAB3w2L7Pw/eTg74uXl4v23b4I2
ZkOKUUAcDXOQxEbdhFbP4lGCvl8a1BPQU/WEjY2HSkq8L4ZLeKWEyMytO3t3
5vz+/iuqsb/fE/dKP7ICaW2YS7Pha2csyo1ZOHuWUW3Wax5OpDYi/3doQmwP
hwWu80xhA7zqM4lB9MjcBZSGkRchIWuic1HU00TpBagLKsHzyM882jIvxpjz
I91/EeKIrLRYD75M6xR/y+sykyuip/Ndvn3rO/Z+xVGw/JhYrAXZTrAtBo8c
Gy9hy3hle0XI6SlRryJ6GHIO50br+Ei/zwug0zgvBDx2Cnbi+QUcmMkYuJ2I
0C2PBXf298cUEVVrsm/UF1RysPZpJa7DlXjbY/NqkTWrgS8rI0gwfrLc398h
FoCaTtcqNsoCT5gBVvgMA8gVFjHOGTEZdv4PneCdlxfneDOztreGCWxEPV8w
U4zEdKTeQgmdUwJ9cM4ZEJ1kNjMIKZ7CkqGRFpjRfMbyDRiCue2jNUQlqrC+
ATyYZeSK8O0RRckZLmGDI5wHWlyXqlqJ29lMRc62kCZhjebY0zqGNeZ92CHp
vCygaTC1mJLlOOkCMS4BMgEG2WAa3xNL6W1mY4Nh0zpWdYM1fQP9LOEL5UkO
Fr68gTik3wzu8fTdP2BF9wRM8/A3DWcstZqTIBEZrHgYlDe4DoNi8MNZUfrs
rKh/Ze0ofaH1EzWTERwd2TZA3yP/f+iNpoJBYNMt+TKxgmcEgpFFXABxyODJ
xGzhTWksnxSZpxJ3L+ljoBFws6XB62QOlKsWMKspTGoie12jja+ljA1fYIEl
vlVsgeFUpXVmKUL2uMpBlYDllb6BPGwOzHJ2BZI1I67QSZY8EEKTFErBPivb
XZtM4RODc6DZBiqMDZoQGaw5gd3JZxUZEZq5CMuYPysylkQRc1JsCKygEYBR
uU5zRw3rROEiT2yoWzMsgM8gAvmSBNlSFZZs93CPyNVYEflsFIImASBpL3oF
9dR/EbtHe+6hZHcrMyKFV9hr93htrafGQGE1x3kS2JDcfN0XuyGCkDK2+NYG
773v6Mcgew9ZeSI89eAHT7muCAh2R/dfRlZlOIhBhJYA6jHYBrAOzxFmhNOE
r6jz5Il3B31q+Hllwp4QscLYda3rtHACg0kpW60lKeAKriDIwNY0CgjAojUP
pMiTVZanBBCVSiGoTozvAflEobPRyKLGnVndmEzvFIwWuLXMyHq/vCk0A8mQ
zKSYlXnKp04pTqhyAgOaYW2eMaOEuLWmQ4ZT4EvPOjveEQhhDZeEgG4TMME5
hBt123pwn42jeDWaWJLCDaaFCU+xEJAJ3xiTKEe0bg2KEsEiST+Rl84IcI2g
ohQLPTJjLJAACbF4GPfWFujqh3FsYimLZGXVlGxkzzi+K96gVNOanxGJFgh2
JGlgmYPDC8r75XAGJOIGkYQrkiWrMeyTGySHDxU9Gv8mfCQRaewXQNJ4AEv2
IavwETaDMJYWDFNKCbI2zWDGcM2VrCwf0pDWVXBKppLdYSIFAWJu8cTqdCLJ
j9fO9MnnItdGf+g819YgJQr7dhHnE62Nra9BkBJSSEqC4HYP6EAOCx8U9jxi
FzyDKBjgZTnQMpkFcG5wfECxqgzYl2sC0YOpRcgGFtPQCtRMikaEbEDhViXi
W3kxR//86nucGqYVdOEQhq82TcCBaf5MzkZK4Y834SHhGkUogJeEQ4g45hCB
AxI6MS1YWguac2SQGveH3AZQEmjRc2YTk9hS02gXF6TSMK2FoW1Fs2oBp9+7
aPv7iPSMR7/m7lQsP278PMuJ6RhO2sJJBJFP/wWewLxavDJG3gbyZUTZq4gB
1C5y5YSeVsEhzYVoQe+6+FRLK6LEaghFbaTrCU9+F6zkTBG0YSWnZiZJIbsA
Q4Ot22G8h+Z07GKbyymdGs3bcAqnsISwup4DhMhZ88Y5LjmqdtFvr3G5IMBw
5CID3srH4XR/DrGdDlNpoy8u86WEg9UzY0vK4+POGJbxHSxQ4hAWjtc8so4z
ZSlhgZRFcRmuGDTinM7jHF3P+870vvgHjDhcBzLcv7C3RiEGsX+ZnzjHoDvH
eJuUIPnuFR+YoxtIk5nbPe7+/gnHZBGCObHkc3cUzvoC5EwR1zXrOkbIJC+c
oAzIlWiYBmZgBuVDeEOwoo0W1p6qcrN76AFrBiZqe3PiiqtR2WyMj9v4coRb
CBGjxEbYrVdkMrH8KIfbM7Y613r9iROTYiCuUkrcbBgxuhqMTsVVI4meoHeW
5H+OokuCX4AShEgHyry0ONlF19+iFjbSzfq8pFXBNszJZyB85pNHJiiiXMb3
scCfZMBYpbVJml3iHnoB46HbNGy74IjqObHZ5dMEkRUOIe7Cig4LL9jkHFpD
7oxgbVC4N2/ERuk27978XsPHiYX6WSWKZMISgpObeB1MQ/KV1lRPMTklInn4
OBsD23yZsdNQCmBVnJugFFYabqGi2k3MYrvuuZs8YgNbyucIdY8TwPDpMvrc
hEEQh6/a+BqsD3GjDxxFA3yht5TmKzmo10YzItKMtjUidTZC34JfeKc5hb2P
8KQcKBk4DVP2Pjza7O87JXIUPNnfNyYQrzZoIxTGpWDGo6HYHbuoh7z33Kbz
nDjsnfA8whvEoRBhrkWIXXYCHgryERFe/Uvn2UNPPLTNUb96rh6YXg9Fnvaf
0+Rhr3GUiQrEYGIOhymSiTjugROGpmzNOOi3VqWMA3K24cioacl5jiYfvOr7
Kw3HE9zJ3HtYENvXkhU2ZYebfapVQskDMbS5f0SFMLDPUA4pxS5W2mORoOQp
yaI2bzmRQdHmjDwd550ab0HndRmZ63FaGa8yiky0oHOxDw6aiYiT4ItQceJU
EhSxONq7raz/zfkccsJBcb+jpaLdCXNivpAVmzg3eX5JUAZPAFJI6UlZRX2v
2pbzdA8mF6SVg6fpioo1zIgfVRVcruCQGDEjWXoFutviRJLCfHNxMMs7uYKs
O02w+RcHSuYut2PT6cDxuoud4KkjTFurAfT7Jp9qjR7uXoUqMVEHHPWqMmm8
qlPAiWsjZzmFKs+QgQ4pXrnXa1TB7io08aAvP424mmTVceJTQ9eQAvaBWxrp
lnpUFSWfxy1QSMjMN9Cw6+hvgbIEDBLF1ofxgfYQr9tC27dvJ0biHnxoph94
iQd6/CBcfkkvVNHSv0aZ4DOF5Kd7pWqvdALDryPEcNLkZxIybFAC5yUy9HYS
IUrb3FATK+pmaT5Te9ElRVlmguGr4wKvZMHXz29VNHodfb9B5PvsrvzZqJV4
gH5pnfR1/mCiOfv+zh5eTD6PxdNh/3iA/zvqDKGpRklbs9sUHro7i+vTd+Ds
5fDo3Q8409k4ODz6EFyMrq0ircsNycFr3H15MYXPhqmGTfo2szy1OaY/xFdf
M2mt1mZBTiGx50HL5HW4aecKRgi7nj9NezkGO0rzwNJXam0VN+N3c7RFgE1s
7UGAVLRoE4aYCnaaIJNqAp6+vXaItrTBfykpDcYFSap/kW03QaBVcGPtCY51
ISPvm0DJKT9M7V5hGSOYiDf7J7yU9+pezSD2fI4ukqX1gCja9npGH9UTcZjy
gT2b+rJfuqvaZ6oAW6lQKlSTxe9tyAXyM1gVmB2iT15XRV1RBrE2FahFqBdi
Bm+ZxW2PSraK87O2CvnE5T3MVhlNpEJcKjkvSNahlclsrrtH2WEZk5UIEzYW
i5DSViZlTNFNTba0csKAiI3uDJoiiI11O89sS8NV/ihhMFieQmsoaME2z3jT
FpCPibVQ/R9860Bk3sXP/bycDzK51M2jgEZS+VqSqzog6fj111+3t3Yah3Hn
RPw3BPuFhHuHetzwYGee5/NEUjvCTo9fVEB6etHhWsDyYkdM8xQbzZpBg5ZU
DJoF/wqyAXZODuXhO3kwm8bHkfwIo2mXMXOBdgXNlnS8F6N3O7zbxB2kWdzM
FJ1nmxbACF2zbN/Ya45uxH8Kam5Zvy8PVlrXsvRjMfQrvL9b/L3g4XDCyCMg
g//586gneLWLyVjAczkcHbdWQgjH1ddPEtLFqx0dHP4QHB4GR4eTgw8nBwf4
5782TGAssOPf8/ijycH7k3cf8U97vFcMD/H3HVZ4KR6A+sG7w6Og1OFfCXE+
vD1wtG9T6I5V9Ue56q4DNR1gZnB08PaDn354ePzu7cf+If2vtVKLG+esyrTO
T/13Bx83D4K/BW2AyJv9qh0z6Bv9+Wbldv+cHC0pDk/gnjEAM/oZ32X/Iiwo
tBC30yfFXR0952bZzB+nG9lfbvcxcFocwrWWf2xHVZ2gysaXm4N9F2Bujn+3
t5rnC/fcVDRtsiugugGfihs8fq5dyiBsFUQ51xhS/cl0UyTKZegUN6ZxkM/p
bQK96jsMdwiNTec5jeCU3q7sz/s9skXwDcaXPXF1B2yzAQZWlSXgHAGRS8vB
xhW5ymxTC/UXGv+1ckSd1TBXxgxJky0Tp3Xp3rb2bjJE9GLtnjHhcmr7fqRH
x9euhIna9OK0N0gl1amUTi30Gkuja+piE7ouqO7ufDjpb+bK8rYO/5ghdCeS
u8zZneHVfl/YOLeSBZsfvYnLxp5aT/uwT/ki7MruPEktBQ0miYwHxg4BdTnB
T6czT/ztbU1xc5ESvHz79pgnXE4md+Dn0RF/Y7Yi0trb3jriA5gLdLafm041
LpHfn48CZqoKuc3MVfDWzSmF2VQ2bRqj2KOqy9K0o3Z9jhbte7aKGBKDnasD
pdPkPx/TEe/t91aSyB+3nf+2E2Mjrg1Lu7s1CXlKWxI7SWNKk/pXOYffJfmU
2P4tUwiB9TqFeEoki8r6iWW49Mc2sbekcIlSoyQtr1S9bRMfqZLhbZpTfGn4
2nCS3Xjvi7Vk2lYRru7GZyMuNH0e0x+w2AgjeGuCvBHONbDYaOaMK/BlXi2a
Vhc+yqOiHP/M9iw0sOkSiDY89TU7U9egoMD2EY2VKf6wxthsPqcUSKu5KtFN
RvRorCHAlFM3tt2nlSk14Eyp5NKWHyQ1keiKK3FUiKOymct3cqzeNJ3Y/FrP
g4LpV8gj16634CREBf+oo0iaT9DvEMfhMjc9ycAUaKtFzVxmx5zbQ0xEU2ek
9/C6uDzpa3puDaMutqo14RA1VU353gQfhgnKSoDPYOQpWysuKnpUc7njnFNx
fp/dGdi2pLRtT1CnspiGCXXyEUlIPaiROZIhF8EaiePMGVhJLs4dn5RaiRZU
frCeLR1IkoMesV0yTcAihs9l60HyGThF2mdvCt+ZqpKmX88WVH2BkprGSeab
nkHGeS4weR7cfF8LsrlxQmXmaUJ1Hx+LtYw3n7fkaMFpe+Jb/mzziCmW2Zo0
VUxxeDJC1Ima0x3auROvSCMyVb5FGSRkJHp5sZ3M37754JG7Yah+ZLNihjAb
W5gZZDg3R9kqCFRTCbPk7DU1U98MTc2ZdDlc04DqsqS+KDLLrENu3G6rebXj
zNsm1z0izN/GtzfCBGB959G8no/f3vqasdBsMHuuWddVfuDQcJXM29jeqwtz
4gYuoatkUQ2a8o9PjQtS2akhJea4D46+zOclPDljmNhBYWIioqT4blPEa3Lr
DB7ej3AE63VK7dA3MkLAPnpgzReXnRWFk84RggHgAPL7VhHmQRGuSB2tSLn6
Cjj4Kil8icVJ3memDREE2uZ7bDr+nMmAG+fwUsLuPQweyImVpfkGL4+/CQpx
xFUWO9XZHd9cQWO9STO9XO19zDKb4n82FiyDJqHbPWvjDc1ADHYoXf8m6WtY
2vpmuxZdGFoQrXXDnu+aOjp84GQrtwSUOGL83Tms9iVsBa3uU6rCNd7EeYfr
9gicd5lnqlXZ+ENGFr6/SkJqLNgYHthoZc0KK2ODqa++5niD3fzfZ1/7f9y+
3LSc5lYOZoMwAebs79MAc5ypv7liwoPGrkVrKpsGMA/ld41vIzkLYhrPXRoe
KPKLw0dtNzl++547UF1fLoM4u+Al1I38Mw8JVv70wImvpp/ZmWbtype6wpaX
YJcgLi882r1eWtz8pmnPP7PAJk5lZb1loo73Y3fPTu/3XPuJbN2/A0xPSivO
Rq7avfSNVVwDjlcO9R1s/AjCyST4zDlc22E4Il99WFNxGFSYUgBcJDmjlfx0
d970xNjSL6Xz2GPWYJJ0JeeZSjh/RjbLWbVH3k3IJ2OG8yaWM83D1ATFqVBX
LNmNySWnnu2r0z1DFhfDxsZoNEhn2N3x26yej01izuVeifq2hHKZ54+cVMUt
U98A77dnH6lip41bmrD7bI0v8SoLqWjUlPhI5Gki13UsgVJqYV9ZAjnwwWWu
zfOxT+7iHFxCiW3Dok+rP+WUKk/8UuRXqQai81nTO4nPlD7lHIVPkIpdoCW1
tAWSfpFTrPyZ5JzLAXs2B0nlvw72cvxkQl0HvX8G7C6JedRmBzvREma6x8Zf
jNjKtvXk/wRy3TsFJGaYJqZl0zC7axrjEDdA/Qb3pILkTHQyPg1C+UbtaUJo
DM2lJhdTpEu4sO9MAmcqTAOv7Sx4tbPBNES99t5kgaaK8M+bCXaEm4KtFw+b
mLBVdhA14tKLad81fu0r1UlqXG+gD7M41LGZl85YahJxZ3Nd7GamZjljlKHo
fu0wpgGCkJ8SerHc4Oa8ToN1vLrKvKZbR70JAHri5mwyur05Z5n85/Dmwrcz
h52MA3d+S98dttZOViKAlS6mMaVsi3gpI0GXKNyxQ023rXZlU/DtdKsxqkCD
yYAyJCJIItgLzTn5PDb1YarMXTYZX9R1tvc9LaIkr+PAmr5W01XPZm0S8dBf
hWnysHZq7ono4aXMnh5wzSdV5hlToKnf2zE/1lNCbc6LcWXDd1awS9fj2xju
sifMSbMwBqgrdsG5TT0qVWGyps7gbiK6TzkO/zEWI7oaBANglXROMby72uu7
3xr6/1QAlOnT6YkwxTKfMexUy2wzJmcWptJ1J5rye+ibFjc0GXrGcacAo2Mp
F5Scxt2elFwahruQtPUzxqu//3OPExrEf/7PDgib4qEHuS37I0wn3MvWy2+F
L1pYl2VKaQmrSLbBNxfYwxYATbuX7zBw+OgU0ayhwGxIK0PDhrtSpO6Si1wL
cw3mrcbJe/vzx3/Ye1zQxbQVSpwmCKyub9qA6GXQfR33K9tnbcB+PLqaTFpL
UaHLdKbF8CY4zW8G3n35enVHA8Puj3j8z1zcD2u4y2HEP431ztupxXCyKuR7
sbdvfj7L/k7ntzumOc50f5rgneNqW4SN6TcTivDpuXIJJru17+QhQ6li1zT7
/Q93FyF592JWl1zP9imRqDPPSf/wZvh7V+SxBlSbn+1O4VNv/RsoPf4P80MA
AA==

-->

</rfc>
