Security passport
The security passport is a stable, public page per product carrying the user information CRA Annex II expects to accompany a product with digital elements. It is designed to be the link you print in the manual or show as a QR code at the HMI — one URL that stays valid for the life of the product documentation.
What the passport shows
Section titled “What the passport shows”The page is assembled from data you maintain in Resilic, mapped to the Annex II items:
- Manufacturer identity — name, postal address, digital contact (item 1).
- Vulnerability reporting — the single point of contact for reporting vulnerabilities and where your CVD policy can be found (item 2).
- Product identification — name, type, unique identification (item 3).
- Support — the type of security support and the end date of the support period (item 7).
- Advisory channel — your CSAF publisher namespace, where security advisories appear.
- SBOM availability — a statement of where the SBOM can be accessed, if you choose to make it available to users (item 9).
- EU Declaration of Conformity — the internet address of the DoC, when recorded (item 6).
Items Resilic does not hold for you — intended purpose and security environment, foreseeable risk circumstances, and the detailed user instructions (items 4, 5, and 8) — are rendered as honest open lines (“provided by the manufacturer / not yet published here”). The passport prompts you in the app to close them; it never fabricates content on a public page.
Publishing the SBOM for download (opt-in)
Section titled “Publishing the SBOM for download (opt-in)”Annex II item 9 asks where the SBOM can be accessed, if you decide to make it available to users. The passport can be exactly that place: a toggle in the product drawer — “Publish SBOM for download”, off by default — adds per-version download links to the public passport page.
- Downloads deliver the original ingested file, byte for byte (CycloneDX JSON): a supplier’s signature and the recorded SHA-256 stay verifiable in your customer’s own CRA tooling.
- Only versions with a retained original appear; SBOMs ingested before raw retention existed have no download until re-uploaded.
- The links are gated by the passport itself: revoking the passport or switching the toggle off takes every download offline immediately. Rotating the URL keeps your publication decision.
- Publishing is your choice — the CRA does not force you to hand the full SBOM to users, and the passport’s default remains the honest “provided by the manufacturer on request” line.
Create, rotate, revoke
Section titled “Create, rotate, revoke”Manage the passport from the product drawer:
- Create generates the stable public URL (shown once for copying — put it in the manual or render it as a QR code). Unlike the evidence-pack share link, the passport does not expire.
- Rotate issues a new URL and immediately kills the old one — use it if a link leaked or you want to invalidate printed material deliberately. One passport link is active per product.
- Revoke takes the page offline entirely. Revoked or invalid links are simply not found.
What this is — and isn’t
Section titled “What this is — and isn’t”Annex II duties apply with the full CRA on 11 Dec 2027 — the passport is a way to be ready with that user information early, and the public page itself says so. Publishing a passport is not a conformity claim, and Resilic does not certify anything: the passport shows what you have recorded, marks what is still open, and leaves the legal statements (like the DoC) to you.