Create software_artifact_examples.md

[OR13]

No description provided.

[OR13]

can I have editor rights on this repo? I would live to be able to refine the software artifacts zoo :)

[SteveLasker]

@OR13, is this a draft?

[OR13]

@SteveLasker

This is ancient.... I requested the ability to create software artifacts examples, my intention was to just start a collection, so we have named examples to point to, when discussing specific artifact types.

[SteveLasker]

@OR13, so, do you want to merge, or is this old and now outdated? Just looking for what action to take (LGTM or ?)

[rjb4standards]

Steve, I wish to contribute the artifacts I plan to demonstrate during the SCITT Hackathon:
https://github.com/rjb4standards/SCITT-MVP-USeCases
SBOM, VDR and a Vendor Response File for OMB M-22-18.
FYI, these are actual production artifacts from REA's SAG-PM V1.2 product distribution.

[SteveLasker]

Thanks, @rjb4standards,
Could you open a PR or Issue to track separately from here?
Would these be examples of evidence submitted to a SCITT ledger? It would be great to get a narrative, or are you suggesting these could be the types of evidence documents we could submit as part of: https://github.com/ietf-scitt/scitt-web/blob/a604c8630217c43ec49dac461d2f75b66ae9d7d3/what-is-supply-chain.md

[rjb4standards]

In my view, a notary would examine these artifacts and the associated digital signatures of these artifacts and then insert a "trust declaration" claim into a SCITT Registry to indicate the combination of the artifact and digital signature are trustworthy.
I'll describe in more detail in an issue.

[rjb4standards]

Steve, I've created an Issue to track this concept: #26

[OR13]

Closing this PR, moving the content to the web repo, where I can merge.