(registered 2019-09-03, last updated 2019-09-03) Media type name: application Media subtype name: swid+xml Required parameters: None Optional parameters: "charset": This parameter has semantics identical to the charset parameter of the "application/xml" media type as specified in [RFC7303]. "version": This parameter specifies the version of the ISO/IEC 19770-2 standard. This should be a four numerical digit string representing a year. For example, "2009" for 2009 revision, or "2015" for the 2015 revision of the ISO/IEC 19770-2 standard. This parameter can be used to select from multiple SWID media corresponding to different revisions without needing to retrieve and parse the related resources. Encoding considerations: Identical to those of "application/xml" as described in [RFC7303] Security considerations: As this media type is an XML-based format, it shares the same security considerations as described in [RFC7303], Section 10. While Software identification (SWID) Tags are not executable files, SWID Tags allow the inclusion of additional metadata attributes and material in other namespaces, either of which can contain executable material. Parsers need to take precautions to prevent malicious or dangerous code from executing. In some cases, the information inside of a SWID tag may be used to drive other processes, in which case care should be taken to verify the SWID Tag as described below. SWID Tags are usually distributed alongside software, as part of a software install or software package. In these cases, a SWID tag maintains the same level of trust as any other part of the software installation. If the software can be trusted or verified, the SWID Tag can be considered trusted as well. When downloading a separate SWID Tag, care should be taken to verify the SWID Tag through a signature validation or hashing procedure. SWID Tags can be signed using XML Signature Syntax and Processing as specified by the W3C. SWID Tags are often used as authoritative information from the software vendor. In these cases, the SWID Tag should be signed by this same entity, which allows consumers to verify the origin of the SWID tag and that the SWID tag has not been tampered with. In non-authoritative use cases, signing of tags is still preferable, but less vital. ISO SWID tags can contain URLs referring to external objects, which may need to be resolved and processed as part of using the tag. ISO SWID tags often refer to external files related to the software described by the SWID Tag. These file references should include a hash value, allowing the referenced file's integrity to be verified. SWID Tags allow for multiple hash values to be provided using different hash algorithms. Interoperability considerations: There are no known interoperability issues. Published specification: ISO/IEC 19770-2: Information technology -- Software asset management -- Part 2: Software identification tag Applications which use this media: Various software packages include SWID Tags. Various endpoint management software suites search for and parse SWID Tags. Fragment identifier considerations: As specified for "+xml" registrations in [RFC7303], Section 5. Restrictions on usage: None Additional information: 1. Deprecated alias names for this type: N/A 2. Magic number(s): As specified for "application/xml" in [RFC7303], Section 3.2 3. File extension(s): .swidtag 4. Macintosh file type code: TEXT 5. Object Identifiers: N/A Person to contact for further information: 1. Name: David Waltermire, Ron Brill 2. Email: david.waltermire&nist.gov, Ronb&anglepoint.com Intended usage: Common Author/Change controller: ISO/IEC JTC 1/SC 7/WG 21