OCFL / Use-Cases

A repository to help capture, track, and discuss use cases for OCFL. Issues-only, please.

Need to use a digest that is new since the last OCFL specification update #34

Closed zimeon closed 1 year ago

zimeon commented 5 years ago

The OCFL specification vN has been stable for some time and is widely adopted. However, there is concern over old digest algorithms and a need to use a new algorithm. How is this handled in a conforming way without requiring a specification update?

ahankinson commented 5 years ago

sha512 and blake2b, barring any discovered exploits, are widely accepted as being as close to cryptographically secure as we can get with our current understanding. The addition of a new algorithm, should either be broken, would be a backwards-compatible change (the old one would still be valid, if not cryptographically secure). So we would still be able to have a vN.X release if we update the specs to add a new algorithm, and update guidance on recommended fixity algorithms.

zimeon commented 5 years ago

My feeling is that we may at some stage want to separate the list of allowed algorithms from the spec in order to avoid having to update the spec to change algorithms. This is a placeholder for discussion of that vs the vN.X proposal.

ahankinson commented 5 years ago

Related to ocfl/spec#292

rosy1280 commented 5 years ago

One of the issues with pushing the table into an addendum document is that it becomes difficult for users to determine when an algorithm choice has changed, which impacts automated tooling. As discussed in the meeting on 2019-04-03, we decided to keep the table in the spec.

zimeon commented 5 years ago

I wasn't proposing to remove from the spec now; it was intended as a placeholder for future discussion.

zimeon commented 1 year ago

Editors discussion 2023-09-22:

The addition of a new digest would require writing a new version of every object to have the update and the update of code to support the new algorithm. However, the use of digests for content addressing (within an object) does not rely upon the cryptographic security of the digest. If cryptographic security is the issue then a new algorithm can be added within a fixity block without a change to the specification.

Closing this issue.
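
What the closing comment describes, as an added example that is not part of the original thread or of any OCFL project code: the manifest stays keyed by the existing `digestAlgorithm`, and digests from a newer algorithm are recorded under `fixity` and checked separately. The `sha3-512` label, the trimmed inventory and the sample content are assumptions made for illustration.

```python
import copy
import hashlib

# Constructed sample content, keyed by OCFL content path (stands in for files on disk).
CONTENT = {
    "v1/content/a.txt": b"alpha\n",
    "v1/content/b.txt": b"beta\n",
}

def build_inventory(content):
    """Inventory trimmed to the fields used here; the manifest is keyed by sha512."""
    manifest = {}
    for path, data in content.items():
        manifest.setdefault(hashlib.sha512(data).hexdigest(), []).append(path)
    return {"digestAlgorithm": "sha512", "manifest": manifest}

def add_fixity(inventory, label, hashlib_name, content):
    """Return a copy of the inventory with a fixity entry for an extra algorithm.

    label is the key written into the fixity block (an assumed name here);
    hashlib_name is the matching Python hashlib algorithm name.
    """
    updated = copy.deepcopy(inventory)
    block = {}
    for paths in updated["manifest"].values():
        for path in paths:
            digest = hashlib.new(hashlib_name, content[path]).hexdigest()
            block.setdefault(digest, []).append(path)
    updated.setdefault("fixity", {})[label] = block
    return updated

def failed_fixity(inventory, label, hashlib_name, content):
    """Return the sorted content paths that fail the extra-algorithm check."""
    recorded = {p: d for d, ps in inventory["fixity"][label].items() for p in ps}
    expected = {p for ps in inventory["manifest"].values() for p in ps}
    failed = expected - set(recorded)  # manifest paths with no fixity entry
    for path, digest in recorded.items():
        data = content.get(path)
        if data is None or hashlib.new(hashlib_name, data).hexdigest() != digest:
            failed.add(path)
    return sorted(failed)

if __name__ == "__main__":
    inv = add_fixity(build_inventory(CONTENT), "sha3-512", "sha3_512", CONTENT)
    print(inv["digestAlgorithm"], list(inv["fixity"]),
          failed_fixity(inv, "sha3-512", "sha3_512", CONTENT))
```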