[FEATURE]: Need means to "reference" a person (identity) for MBOM

[mrutkows]

MBOM represents "Workflows" which, despite being focused on automation, MUST be able to represent "human" or manual processes which require a means to represent an identity that is not a URI/IRI (URN, URL...). The logical schema object to use would be an "externalReference"; however, it requires a URL.

Describe the feature

Propose adding/changes fields to/of an existing object like "externalReference" to allow other identification schemes and not assume a URL (perhaps using a "choice" or "oneOf" schema approach as we have used in other cases for "ref"-style types).

Possible solutions

As described above, update externalReference to allow another required field as a choice along with the existing (required) url field.

This should account for identity which could be an account name or an indirect identity (granted by an authority) such as a web token (i.e., token based access control) with info. about the authority for validation purposes.

Alternatives

Create a new field, but this would. cause lots more complexity in adding it as a "choice" every it would need to appear in the JSON schema for CDX.

Additional context

Note: for MBOM local builds, the most info. you can capture is that you are operating from an account with some level of associated access. Should consider elevation of access granted by "sudo" and such...

[jkowalleck]

so, it is intended for manual workflows, to capture WHO done it?