Certified Regids - The First Step To SAM Consistency

Organizations joining TagVault.org start the process by creating a registration identifier (regid).  The regid is a unique and consistent identifier for an organization at a specific point in time. (Time is important because regids include domain names, which can be transferred between organizations.) An organization's regid is used in many places, such as in software identification tags (SWID tags). The regid ensures that every reference to an organization will always be exactly the same - making software asset management (SAM) reporting and management processes much easier. After an organization creates its regid, it sends it to TagVault.org for certification.

Process diagram for creating and certifying SWID tags

Regids have multiple uses in the SAM market.  The use of regids enables SAM tool and service providers to:
  • Determine the genealogical history of a software title through acquisitions, mergers and divestitures
  • Highlight that a tag creator is a different entity from the software licensor (this can be appropriate, where third parties are legitimately creating SWID tags)
  • Identify all software titles that come from one software publisher, even where those software titles may come from different development organizations within the software publisher
  • Ensure the identifier for a software title is unique across the entire software market
  • Recognize which elements of the tag cannot be modified by other entities and which elements are modifiable to support an organization's own processes (such as support for ITIL release procedures)

TagVault.org-certified Regids Are Stronger

TagVault.org strengthens the definition of regid provided by the ISO/IEC 19770-2 standard.  The standard defined regids without the expectation that a registration authority would be available, which offered easier industry adoption but did not provide the level of structure required to ensure consistency. With TagVault.org acting as a registration authority, the regid definition can be strengthened to mandate consistency, without adversely affecting industry adoption of the standard.
Let's look at an example regid. We will use Symantec as our example organization.
A regid consists of:
  • The tag regid
  • A period (.) separator .
  • The date at which the entity creating the regid first owned the domain that is also used in the regid in year-month format: 1992-12
  • A period (.) separator .
  • The domain of the entity, in reverse order: com.symantec
Symantec's base regid is therefore regid.1992-12.com.symantec.

The standard allows for, but does not require, additional sub-entities that are added as a suffix to the above regid. These may look as follows:

regid.1992-12.com.symantec,Altiris
regid.1992-12.com.symantec,Norton
TagVault.org's certified regids require that at least one suffix is used. TagVault.org's regid rules are shown below:

 

Certified base regid
(Cannot be used in any SWID tag)
regid.1992-12.com.symantec
Certified sub-entity regid
(may be used in any SWID tag)
regid.1992-12.com.symantec,Altiris

Certified sub-entity regid 
(may be used in any SWID tag)
regid.1992-12.com.symantec,Norton

 

By requiring that a certified sub-entity regid also be created for use, TagVault.org ensures that SAM practitioners can easily roll up or group all SWID tags according to the primary licensing organization. 
This structure provides a benefit to the software publisher as well.  By creating a certified regid for each development group, each group can develop and release its products independently of a centralized release manager. Note that the use of multiple sub-entities is not required. If a software publisher prefers to use a single regid for publication, it may do this by registering a base regid and a single sub-entity regid, which it then uses for all SWID tags.