SEMICeu / DCAT-AP

This is the issue tracker for the maintenance of DCAT-AP
https://joinup.ec.europa.eu/solution/dcat-application-profile-data-portals-europe

Checksum, spdx:algorithm: why not use a more secure algorithm than SHA-1? #158

Closed jimjyang closed 2 years ago

jimjyang commented 3 years ago

In DCAT-AP it is now mandatory to use spdx:checksumAlgorithm_sha1 for spdx:algorithm in the class Checksum, and the usage note also says "Currently, SHA-1 is the only supported algorithm."

During the public consultation on our DCAT-AP-NO that we had recently, we got a question which I hereby forward to DCAT-AP:

What is the reason for choosing SHA-1 and not a more secure algorithm e.g. SHA-256?

akuckartz commented 3 years ago

See https://www.dcat-ap.de/def/hashAlgorithms/ for comparison

bertvannuffelen commented 3 years ago

The property spdx:algorithm is indeed fixed, for now, to the SHA1 algorithm in DCAT-AP. So in principle there is an ability to relax this, by not enforcing the SHA1 algorithm.

The argumentation, I presume, was that by selecting 1 algorithm users only need to implement one check. Additional arguments could be based on the usage: the goal was to improve the trust but not the complexity of the access to the data (e.g. a "use data only when the checksum has been verified" approach). Since checksums are additional proofs of the integrity of the data, limiting the range initially to one algorithm was a good way to see its usage in practice.

Relaxing the range restriction implies, though, that we can agree on a preferred codelist so that users can match the algorithm specification with their implementation.

Proposal: can we agree that the supported values come from this https://spdx.org/rdf/terms/#d4e1968 list?

jimjyang commented 3 years ago

Agreed!

bertvannuffelen commented 2 years ago

During WG 21 Oct 2021, the WG accepted the proposal.
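
What the accepted codelist proposal means for a consumer, as an added example that is not part of the issue thread or of DCAT-AP itself: the declared spdx:algorithm is matched against an allow-list before any data is trusted. The namespace expansion, the SHA-2 IRIs beyond the `checksumAlgorithm_sha1` named in the thread, the `verify_checksum` helper and the local weak-algorithm policy are assumptions of this example.

```python
import hashlib
import hmac
import io

SPDX = "http://spdx.org/rdf/terms#"  # assumed expansion of the spdx: prefix

# Allow-list: codelist IRI -> hashlib name. Anything not listed is refused.
SUPPORTED = {
    SPDX + "checksumAlgorithm_sha1": "sha1",
    SPDX + "checksumAlgorithm_sha256": "sha256",
    SPDX + "checksumAlgorithm_sha384": "sha384",
    SPDX + "checksumAlgorithm_sha512": "sha512",
}
# Local consumer policy (an assumption of this example): SHA-1 is accepted
# only on explicit opt-in, e.g. for accidental-corruption checks.
COLLISION_WEAK = {"sha1"}


class ChecksumError(ValueError):
    pass


def verify_checksum(stream, algorithm_iri, checksum_value, allow_weak=False):
    """Return the hashlib name used if the stream matches, else raise."""
    name = SUPPORTED.get(algorithm_iri)
    if name is None:
        raise ChecksumError(f"unsupported spdx:algorithm {algorithm_iri!r}")
    if name in COLLISION_WEAK and not allow_weak:
        raise ChecksumError(f"{name} rejected by local policy")
    h = hashlib.new(name)
    expected = checksum_value.strip().lower()
    # A value whose length does not fit the declared algorithm (e.g. a SHA-1
    # digest labelled as SHA-256) is rejected before any data is read.
    if len(expected) != h.digest_size * 2 or set(expected) - set("0123456789abcdef"):
        raise ChecksumError("checksumValue is not a hex digest of the declared algorithm")
    for chunk in iter(lambda: stream.read(65536), b""):  # stream large files
        h.update(chunk)
    if not hmac.compare_digest(h.hexdigest(), expected):
        raise ChecksumError("checksum mismatch")
    return name


# Constructed sample distribution and metadata records (not real portal data).
SAMPLE = b"id,name\n1,Oslo\n2,Bergen\n"
SHA256_RECORD = (SPDX + "checksumAlgorithm_sha256", hashlib.sha256(SAMPLE).hexdigest())
SHA1_RECORD = (SPDX + "checksumAlgorithm_sha1", hashlib.sha1(SAMPLE).hexdigest())
```
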