Remove checksum as a required element for the Document #7
Comments
To handle the checksum of an element which contains a checksum value field, a usual approach is to compute the checksum with the checksum value field blank, then fill the field; to check that the content is consistent with the checksum, simply compute the checksum on the content after removing the checksum value.
This seems like a straightforward approach. It is something we would need to document. I would also suggest calling it something other than a document checksum so that it isn't confused with a checksum of the complete document without this approach. There is another problem, however. If you allow for more than one format (e.g. JSON and XML), the checksum values for each document would be different. If you store the document in something other than a file (like I do in my tools), there is no document to checksum. Even if you all agree everything should be in the same format (say JSON), you need to agree on the encoding (e.g. UTF-8) and line endings (CR/LF or just LF).
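The blank-then-fill scheme quoted above, and the canonicalization problem raised in the reply (format, encoding, line endings), as an added worked example. This is not code from the thread or from the SPDX/SBOM project; the field name `checksum`, the canonical-JSON convention (sorted keys, compact separators, UTF-8) and the sample document are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical field name for illustration; nothing here assumes the real SPDX/SBOM model.
CHECKSUM_FIELD = "checksum"

# Constructed sample document (not a real SBOM), a minimal stand-in for a Document element.
SAMPLE_DOC = {
    "name": "example-sbom",
    "created": "2023-01-01T00:00:00Z",
    "elements": [
        {"name": "libfoo", "version": "1.2.3"},
        {"name": "libbar", "version": "4.5.6"},
    ],
}


def canonical_bytes(doc: dict) -> bytes:
    """Serialize under one agreed convention: sorted keys, no insignificant
    whitespace, UTF-8, no trailing newline. Hashing these bytes instead of
    whatever happens to be on disk removes the format/encoding/line-ending
    ambiguity raised in the thread."""
    return json.dumps(
        doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def compute_embedded_checksum(doc: dict) -> str:
    """Hash the content with the checksum field blanked, so the value can later
    be stored inside the same document without changing what was hashed."""
    blank = dict(doc)           # shallow copy; only the top-level field is touched
    blank[CHECKSUM_FIELD] = ""  # an absent field and a blank field hash identically
    return hashlib.sha256(canonical_bytes(blank)).hexdigest()


def fill_checksum(doc: dict) -> dict:
    """Return a copy of doc with the embedded checksum field populated."""
    filled = dict(doc)
    filled[CHECKSUM_FIELD] = compute_embedded_checksum(doc)
    return filled


def verify_embedded_checksum(doc: dict) -> bool:
    """Recompute over the content with the field blanked and compare."""
    stored = doc.get(CHECKSUM_FIELD, "")
    if not stored:
        return False
    return hmac.compare_digest(stored, compute_embedded_checksum(doc))


def naive_raw_hashes(doc: dict) -> tuple:
    """What goes wrong without canonicalization: hashing whatever bytes are on
    disk. Compact, pretty-printed and CRLF variants of the same document give
    three different digests."""
    compact = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    pretty = json.dumps(doc, indent=2).encode("utf-8")
    crlf = pretty.replace(b"\n", b"\r\n")
    return tuple(hashlib.sha256(b).hexdigest() for b in (compact, pretty, crlf))


def demo() -> dict:
    """Run the round trip and return the observations."""
    signed = fill_checksum(SAMPLE_DOC)
    # Re-serialize pretty-printed and parse back: the embedded checksum still
    # verifies because verification re-canonicalizes the parsed content.
    reparsed = json.loads(json.dumps(signed, indent=2))
    tampered = dict(signed)
    tampered["elements"] = signed["elements"] + [{"name": "evil", "version": "0"}]
    return {
        "verifies": verify_embedded_checksum(signed),
        "verifies_after_reformat": verify_embedded_checksum(reparsed),
        "tampered_verifies": verify_embedded_checksum(tampered),
        "unfilled_verifies": verify_embedded_checksum(SAMPLE_DOC),
        "naive_hashes_distinct": len(set(naive_raw_hashes(SAMPLE_DOC))) == 3,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the scheme does and does not buy: because verification recomputes over the canonical form of the parsed content, the stored value survives pretty-printing, CRLF conversion and storage outside a file, which answers the reply's objection only if every producer and consumer agrees on the same canonicalization. It detects accidental corruption, not tampering: anyone who can edit the document can recompute the field, so an integrity guarantee against an adversary needs a signature or an out-of-band digest, as the next comment says.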
I don't see any benefit of having a document checksum at all. What value will it provide? If I want to validate that the document hasn't been tampered with, I would sign it and verify the signature upon receipt. Having the checksum placed in the same document that I'm validating does not improve security. If document checksums are required, they should be out-of-band: different files communicated to the rest of the supply chain in different payloads, with different protocols.
This is a proposed structural change.
Background: The document is the actual artifact containing the BOM itself. Creating a checksum and storing it in itself is mathematically impossible, since storing the checksum in the document will modify the content and therefore modify the checksum.
This is also incompatible with SPDX.
The checksum is currently an inherited attribute from Element.
There are several possible solutions.
The approach SPDX took was to introduce another abstract class. In SBOM, the Artifact class could serve this purpose.
Proposal to resolve this issue: Move the checksum attribute from Element to Artifact.