Specify relationship between standardName and standardCompliance #893

Open
bact opened this issue Oct 4, 2024 · 0 comments
Labels
Profile:AI Artificial intelligence profile Profile:Core

bact commented Oct 4, 2024

Background

In SPDX 3.0, we have two properties related to standards:

  • Core/standardName
    • Summary:

      The name of a relevant standard that may apply to an artifact.

    • Description:

      Various standards may be relevant to useful to capture for specific artifacts.

  • AI/standardCompliance
    • Summary:

      Captures a standard that is being complied with.

    • Description:

      A free-form text that captures a standard that the AI software complies with.
      This includes both published and unpublished standards, such as those developed by ISO, IEEE, and ETSI.
      The standard may, but is not necessarily required to, satisfy a legal or regulatory requirement.

What can be improved

There are at least two things we can improve here:

  1. Amend the summary/description to explicitly specify the difference between the two properties and how they can work together
  2. Consider revising the description and making standardCompliance more generic, allowing it to be used in non-AI contexts (in a non-breaking way for SPDX 3.x)
    • Moving the property to the Core Profile will change the IRI, and that is a break. But amending the description will not.

Proposal (one of)

Currently, in the AI BOM whitepaper (to be released), @bennetkl distinguished the two in this way:

  • standardName - standards adhered to, but for which compliance was not obtained
  • standardCompliance - standards for which compliance is obtained (for example, from a third-party attestation or certification)

bact added the Profile:Core and Profile:AI (Artificial intelligence profile) labels on Oct 4, 2024
bact added this to the 3.1 milestone on Oct 4, 2024