Hi @santosomar,
thank you for getting us started on that important topic.
I feel there are a few things that need to be clarified:
Who assigns / How is the supplierID assigned?
When you say supplier: Do you think of the source where you got that from or the developer(s) (project)? (E.g. I might get an open source software A from a service provider B that guarantees software updates / vulnerability fixes for 5 years. Who do I put into supplier? A or B?)
When you define a productId: Is that a globally valid productId or is it document-local? Who assigns that?
Thank you so much for your input and contributions, @tschmidtb51 ! These are extremely relevant questions. We can track and address them in separate issues. I see that you already started doing some of that earlier.
Who assigns / How is the supplierID assigned?
SupplierID assignment: The supplierID can be assigned by a central authority or registry responsible for maintaining a unique identifier for each supplier in the industry. Alternatively, it can be generated using a specific algorithm or process that ensures uniqueness and avoids conflicts. However, this is something that we will need to discuss in the industry, once we take the next steps and work with other industry peers soon.
Who is a supplier?
Regarding the supplier: In the case you mentioned, the supplier can be considered as the service provider (B) who guarantees software updates and vulnerability fixes for the open-source software (A) for a specified duration. This is because the service provider (B) is the entity responsible for the support and maintenance of the software in this context. However, it's essential to document both the original developer (A) and the service provider (B) in the EOL and EOS information to ensure complete transparency.
Defining the productId
The productId should ideally be globally unique to ensure consistency and avoid confusion across different documents or systems. The assignment of productIds can be managed by a central authority, similar to the supplierID, or follow a standardized naming convention established by the industry. By ensuring a globally unique productId, it becomes easier to track and manage EOL and EOS information for products across various sources and platforms. Getting consensus on this central authority will be one of the most challenging parts of all this. However, we can start the conversation with other industry leaders, CISA, and other participants.