New property: OID

[toscalix]

Background

An OID uniquely identifies a cryptographic algorithm by serving as a standardized, globally unique numeric reference that distinguishes one algorithm from all others across systems and organizations. By using OIDs, cryptographic systems achieve consistency, security, and universality in identifying algorithms, a necessity for secure communications and interoperable standards in PKI and related systems.

• An OID is a sequence of integers separated by dots, such as 1.2.840.113549.1.11.2.840.113549.1.1, forming a managed hierarchy assigned by authorities like ISO, ITU, or IANA.
• In cryptographic standards, OIDs are used to unambiguously identify algorithms (like RSA, SHA, AES) or object classes, ensuring that software and systems recognize and process the same algorithm regardless of vendor or platform.
• OIDs are encoded in data structures (such as ASN.1) within certificates, signed messages, and protocol exchanges, enabling consistent identification and parameterization of cryptographic operations.

OIDs are assigned through a managed, hierarchical tree structure governed by international standards bodies (like ISO and ITU), which delegate ranges to organizations, ensuring that every OID is globally unique and cannot clash with identifiers from another source.

The OID for RSA encryption is 1.2.840.113549.1.1.11.2.840.113549.1.1.1, and for AES encryption it’s 2.16.840.1.101.3.4.12.16.840.1.101.3.4.1. These numbers are unique identifiers that directly reference their corresponding algorithms in global databases and protocol specifications, preventing any possibility of misinterpretation or collision between algorithms.

References

• NIST Cryptographic Algorithm Object Registration list
• CSOR at NIST algorithms registration
• Web pages with descriptions/explanations
  • Comprehensive List of Cryptographic Algorithm Identifiers. link
  • Example from CycloneDX. link

Rationale

SPDX Crytographic Algorithms List should include a property where the OID number could be included when it does exist. Given that many does not have it, it cannot be considered the identifier

Description

The goal is to include OID as optional property for any crypto algorithms of the list

Actions

• Discussion and agreement on including OID as property
• Define the property name and description
• Define where it should be placed on the list and how
• Create a ticket with the list of algorithms that has an OID assigned, together with the OID
  • Include the references where such OID could be consulted
• Add all the OID from that list to the SPDX Crypto Algorithms List
• Add the property description to the Properties Description document

DoD

• OID included in the Properties Description document
  • Link to the corresponding PR oid as new SPDX Cryptographic Algorithms List property #35
  • Link to the corresponding version of the Properties Description document, after the PR is merged
• All the algorithms present in the corresponding ticket list have been included in the SPDX List.
  • Link to the corresponding PR oid as new SPDX Cryptographic Algorithms List property #35
  • Link to the corresponding version of the list, once the PR is merged.

[toscalix]

Property Definition

An Object Identifier (OID) is a unique, globally unambiguous identifier, managed by registration authorities to ensure it clearly identifies a specific object, such as a cryptographic algorithm. In cryptographic standards, OIDs are used to unambiguously identify algorithms or object classes, ensuring that software and systems recognize and process the same algorithm regardless of vendor or platform. OID offers a stable, universally recognized reference, providing machine-readable certainty about the specific cryptographic algorithms.

Property Values

An OID is built as a series of integers separated by dots, where each number represents a level in a tree structure. The first numbers identify the organization or standard body (like 1.2 for ISO), and the following numbers become more specific until they identify one exact algorithm.

[toscalix]

Algorithms currently in our list that has OID assigned

This is a first draft including algorithms that has OID assigned. They need to be confirmed since I haven't done it one by one, which is why I provide links. Note: some OIDs are incorrect.

Here is the table compiling the cryptographic algorithms from the SPDX Cryptographic Algorithm List that have assigned OIDs, based on the multiple sources and references consolidated in your attached document. The table includes the SPDX Algorithm ID, Name, official OID value, link to the authoritative source where the OID is registered or described, and the entity that provided or registered the OID.

Algorithm ID (SPDX)	Algorithm Name	OID Value	Source/Reference Link	Issuing Organization	Notes
3des / tdes / desede	Triple Data Encryption Standard	1.2.840.113549.3.7	RFC 3370, OID Repository	RSA Laboratories	Also registered as 1.3.14.3.2.17 (OIW)
aes	Advanced Encryption Standard	2.16.840.1.101.3.4.1.x	NIST CSOR, RFC 3565	NIST	Base OID; specific modes have unique suffixes
aes-128-cbc	AES 128-bit CBC mode	2.16.840.1.101.3.4.1.2	NIST CSOR	NIST	Specific mode variant
aes-192-cbc	AES 192-bit CBC mode	2.16.840.1.101.3.4.1.22	Microsoft Docs	NIST	Specific mode variant
aes-192-ccm	AES 192-bit CCM mode	2.16.840.1.101.3.4.1.27	NIST CSOR	NIST	Specific mode variant
aes-256-cbc	AES 256-bit CBC mode	2.16.840.1.101.3.4.1.42	Microsoft Docs	NIST	Specific mode variant
aes-256-gcm	AES 256-bit GCM mode	2.16.840.1.101.3.4.1.46	NIST CSOR	NIST	Specific mode variant
argon2	Argon2	1.3.6.1.4.1.50370.1.x	IANA	Password Hashing Competition	Parameter-dependent suffix
aria	Aria Block Cipher	1.2.410.200046.1.1.1	RFC 5794	NSRI (Korea)	Korean standard
blowfish	Blowfish Cipher	1.3.6.1.4.1.3029.1.2	Assigned by Bruce Schneier	Bruce Schneier	-
camellia	Camellia Cipher	1.2.392.200011.61.1.1.1.2	RFC 3657, OID Repository	NTT / Mitsubishi	Base OID for various modes
cast	CAST-128 / Carlisle Adams Stafford Tavares	1.2.840.113533.7.66.10	RFC 2144	Entrust Technologies	Also 1.2.840.113549.1.12.1.2.1
cmac	Cipher-based Message Authentication Code	1.2.840.113549.1.9.16.3.25	RFC 4493, NIST SP 800-38B	NIST	-
des	Data Encryption Standard	1.3.14.3.2.7	RFC 3279, OID Repository	ANSI	Also 1.3.14.3.2.6 (ISO/IEC)
diffiehellman	Diffie-Hellman Key Exchange	1.2.840.113549.1.3.1	PKCS#3	RSA Laboratories	Also 1.2.840.10046.2.1 (ANSI X9.42)
dsa	Digital Signature Algorithm	1.2.840.10040.4.1	FIPS 186, RFC 3279	NIST	Base DSA OID
dsa-sha1	DSA with SHA-1	1.3.14.3.2.13	Microsoft Docs	NIST	Combined signature OID
ecdh	Elliptic-Curve Diffie-Hellman	1.3.132.1.12	ANSI X9.63, RFC 5480	ANSI X9 / Certicom	Standard ECDH
ecmqv	Elliptic Curve Menezes-Qu-Vanstone	1.3.132.1.13	RFC 5480	Certicom	-
ed25519	Edwards-curve Digital Signature 25519	1.3.101.112	RFC 8410	IETF	EdDSA variant
ed448	Edwards-curve Digital Signature 448	1.3.101.113	RFC 8410	IETF	EdDSA variant
elgamal	ElGamal Encryption System	1.3.6.1.4.1.3029.1.2.1	Assigned OID	-	-
gost	GOST Block Cipher	1.2.643.2.2.21	GOST 28147-89	Russian Federal Standard	-
idea	International Data Encryption Algorithm	1.3.6.1.4.1.188.7.1.1.2	RFC 1423	Ascom Tech AG	-
keccak / sha3	Keccak Hash Function / SHA-3	2.16.840.1.101.3.4.2.x	NIST CSOR	NIST	Various SHA-3 variants with different suffixes
md2	Message-Digest Algorithm 2	1.2.840.113549.2.2	RFC 1319, OID Repository	RSA Laboratories	Legacy, deprecated
md4	Message-Digest Algorithm 4	1.2.840.113549.2.4	RFC 1320, RFC 8017	RSA Laboratories	Legacy, deprecated
md5	Message-Digest Algorithm 5	1.2.840.113549.2.5	RFC 1321, OID Repository	RSA Laboratories	Legacy, vulnerable to collisions
pbkdf2	Password-Based Key Derivation Function 2	1.2.840.113549.1.5.12	PKCS#5, RFC 2898	RSA Laboratories	Requires parameters (iterations, PRF)
pkcs7	PKCS #7 Cryptographic Message Syntax	1.2.840.113549.1.7.1	RFC 2315, OID Repository	RSA Laboratories	Structural OID
pkcs12	PKCS #12	1.2.840.113549.1.12	PKCS#12, RFC 7292	RSA Laboratories	Container format
rc2	Rivest Cipher 2	1.2.840.113549.3.2	RFC 2268, OID Repository	RSA Laboratories	-
rc4	Rivest Cipher 4	1.2.840.113549.3.4	OID Repository	RSA Laboratories	Deprecated in TLS
rc5	Rivest Cipher 5	1.2.840.113549.3.8	RFC 2040, OID Repository	RSA Laboratories	-
rc6	Rivest Cipher 6	1.2.840.113549.3.9	OID Repository	RSA Laboratories	AES finalist
rijndael	Rijndael (AES Candidate)	2.16.840.1.101.3.4.1	NIST CSOR	NIST	Standardized as AES
ripemd / ripemd160	RIPEMD-160	1.3.36.3.2.1	ISO/IEC 10118-3	ISO/IEC / RIPEMD Consortium	160-bit hash
rsa	Rivest–Shamir–Adleman Algorithm	1.2.840.113549.1.1.1	PKCS#1, RFC 3447, OID Repository	RSA Laboratories	Base RSA encryption OID
rsa-oaep	RSA with Optimal Asymmetric Encryption Padding	1.2.840.113549.1.1.7	RFC 4055, RFC 8017	RSA Laboratories	RSA with OAEP padding
rsa-sha1	RSA with SHA-1	1.3.14.3.2.15	Microsoft Docs	NIST	Combined signature OID
seed	SEED Block Cipher	1.2.410.200004.1.x	RFC 4009, RFC 4269	KISA (Korea Information Security Agency)	Korean standard
serpent	Serpent Block Cipher	1.3.6.1.4.1.25258.3.x	Serpent Team	Serpent Team / GNU Project	AES finalist
shax	SHA Family (SHA-1, SHA-2, SHA-3)	Various (see notes)	NIST CSOR	NIST	Multiple OIDs for different variants
sha1	Secure Hash Algorithm 1	1.3.14.3.2.26	RFC 3370, OID Repository	ANSI / NIST	Deprecated for signatures
sha256	Secure Hash Algorithm 256	2.16.840.1.101.3.4.2.1	NIST CSOR	NIST	SHA-2 family
sha384	Secure Hash Algorithm 384	2.16.840.1.101.3.4.2.2	NIST CSOR	NIST	SHA-2 family
sha512	Secure Hash Algorithm 512	2.16.840.1.101.3.4.2.3	NIST CSOR	NIST	SHA-2 family
sha3-256	SHA-3 256-bit	2.16.840.1.101.3.4.2.8	NIST CSOR	NIST	SHA-3 family
shake256	SHAKE256 Extendable Output Function	2.16.840.1.101.3.4.2.12	NIST CSOR	NIST	SHA-3 XOF
twofish	Twofish Block Cipher	1.3.6.1.4.1.25258.1.x	Assigned by authors	Twofish Team	AES finalist
x25519	X25519 Key Exchange	1.3.101.110	RFC 8410	IETF	ECDH using Curve25519
x448	X448 Key Exchange	1.3.101.111	RFC 8410	IETF	ECDH using Curve448
x509	ITU-T Recommendation X.509	2.5.4.x	ITU-T X.509	ITU-T	PKI certificate framework

Additional SHA Variants

Variant	OID	Notes
SHA-224	2.16.840.1.101.3.4.2.4	SHA-2 family
SHA-512/224	2.16.840.1.101.3.4.2.5	SHA-2 truncated variant
SHA-512/256	2.16.840.1.101.3.4.2.6	SHA-2 truncated variant
SHA3-224	2.16.840.1.101.3.4.2.7	SHA-3 family
SHA3-384	2.16.840.1.101.3.4.2.9	SHA-3 family
SHA3-512	2.16.840.1.101.3.4.2.10	SHA-3 family
SHAKE128	2.16.840.1.101.3.4.2.11	SHA-3 XOF

Post-Quantum Cryptography (Recently Added)

Algorithm	OID	Notes
ML-KEM-768	2.16.840.1.101.3.4.4.2	Post-quantum key encapsulation
ML-DSA-87-SHA512	2.16.840.1.101.3.4.3.34	Post-quantum digital signature
SLH-DSA-SHA2-256f	2.16.840.1.101.3.4.3.25	Post-quantum hash-based signature

Notes

1. OID Notation: ".x" suffix indicates multiple variants with different parameter values
2. Deprecated Algorithms: MD2, MD4, MD5, SHA-1, RC4 are deprecated for security-sensitive applications
3. Regional Standards: ARIA, SEED (Korean), GOST (Russian), SM series (Chinese) are regional standards
4. Legacy Support: Some algorithms have multiple OIDs from different standards bodies (e.g., 3DES)
5. Parameter Requirements: Algorithms like PBKDF2, AES modes, and RSASSA-PSS require additional parameters beyond the OID

Key OID Arcs

• 2.16.840.1.101.3.4: NIST algorithms (AES, SHA families)
• 1.2.840.113549: RSA Laboratories (PKCS standards)
• 1.3.14.3.2: OIW (legacy standards)
• 1.3.101: IETF (EdDSA, modern curves)
• 1.2.840.10040.4: NIST DSA
• 1.3.132: Certicom (elliptic curves)

[toscalix]

The above list include mistakes. Check in these websites to confirm or not these OIDs:

• http://gmssl.org/docs/oid.html
• https://oidref.com/
• https://oid-base.com/
• https://www.alvestrand.no/objectid/