Move "verifiedUsing" from Element to Artifact

[davaya]

Based on snippet punch list discussion:

1. "verifiedUsing" always applies to content (sequence of bytes), never to metadata (element properties)
2. only Artifact element types have content. (Annotation, Relationship, Collection, Actor, and Identity do not.)
3. gitoid is a hash algorithm and can be added to verifiedUsing algorithm list (hashes can be used as content unique ids, but not as artifact ids)
4. multiple artifacts that have the identical content / hash can be linked using a COPY relationship
5. verifiedUsing is not a content unique identifier because different signatures apply to the same content. But it does apply only to content (including hardware), not to metadata.

Since "verifiedUsing" does not apply to most elements, move it from Element to Artifact, removing confusion that it might apply to metadata. SpdxDocument has content; it must either extend Artifact or have a "verifiedUsing" property.

[maxhbr]

verifiedUsing is also part of ExternalMap, and there it does not (necessarily) apply to a sequence of bytes?

[iamwillbar]

• "verifiedUsing" always applies to content (sequence of bytes), never to metadata (element properties)
  This is true today, but subject to the proposal from the canonicalization subgroup.

• only Artifact element types have content. (Annotation, Relationship, Collection, Actor, and Identity do not.)
  This is not necessarily true, for example, if we were to add a PublicKey subclass of IntegrityMethod then the content of an Annotation could be digitally signed and the PublicKey used to verify it. Future subclasses of Element in other profiles may have content that can be verified. We didn't want to restrict this capability to only Artifacts.

• gitoid is a hash algorithm and can be added to verifiedUsing algorithm list (hashes can be used as content unique ids, but not as artifact ids)
  Yes, I believe that's true. Can you check with Jeff and if he agrees, propose what the enum value should be?

• multiple artifacts that have the identical content / hash can be linked using a COPY relationship
  Correct. The addition of the contentIdentifier as discussed last Friday will also help identify identical content even in the absence of a relationship.

• verifiedUsing is not a content unique identifier because different signatures apply to the same content. But it does apply only to content (including hardware), not to metadata.
  Correct.

@maxhbr in today's implementation the verifiedUsing in ExternalMap would be a sequence of bytes, however, when canonicalization is in place it may be a canonical hash instead.

[armintaenzertng]

If I understand @iamwillbar's comment correctly, verifiedUsing will not be moved to Artifact, so this issue can be closed, right?

The only remaining todo I can glean from this discussion is whether gitoid should be a supported HashsumAlgorithm. Is this still under consideration?

[kestewart]

Agree with @armintaenzertng , and closing this issue for now. If there are still open discussions points, please open a new issue more focused.