The license field should validate against a list of SPDX identifiers. We should also provide an API for tool builders (including us!) to use to pull that list for use with frontend validation and select list building.
The backend storage could be a model + a fixture file to populate the db or some more static listing. Take a look at SPDX bits and see if there is something that seems easy to keep in sync.