Proposal of a new property: origin

[toscalix]

Background

Every algorithms on the list has a reference, an origin. Usually it is a paper or an article where the cryptographic algorithm is described, including the rationale behind it, the target use case, the mathematical description and some other aspects.
The proposal is to include this origin, in the form of a link to every crypto algorithm

origin

• Description: link pointing at the description of the corresponding algorithm
• Values: URL

examples

For AES (Advanced Encryption Standard)

• origin: https://doi.org/10.6028/NIST.FIPS.197-upd1

The origin is a newer version of https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
Reference: FIPS PUB 197 – Specification for the Advanced Encryption Standard (AES)

For Ed25519

• origin: https://ed25519.cr.yp.to/ed25519-20110926.pdf

Reference: Daniel J. Bernstein et al. – High-speed high-security signatures

Rationale

Each algorithms definition should include in the SPDX C.A. List links pointing to the publication that originally describes the algorithm or to the URL that points to where the algorithm is described technically.

In the detection use case, as well as in the auditing use case, such link is relevant to understand in detail the characteristices of the algorithm, what is used for, how it should be implemented and used, etc...

Description

This new property requires:

• A property name
• A property description
• A values description
• Some origins as example

Points for discussion

• Some of the algorithms has gone through revisions and even standardization processes. origin might refer to the current version of the algorithm.
• If the algorithm is deprecated by another algorithm but still present in the list, origin refers again to the latest version or revision before it was deprecated
• In an original exploration, it might be difficult or controversial to find the origin. What do we do in such cases?
• Is origin the right term, given that there might be revisions and standardizations processes for some cases?
• In some cases, the origin is a well known portal for papers and the origin comes in different formats, like LaTeX, pdf.... Which link should we take?

Actions

• Agreement on a name for the property
• Draft of the property description
• Agreement on the description of the property
• Property values draft
• Agreement on the potential values of the property
• Provide a list of around 20 origins to include on the list
• Agreement on the list of origins

DoD

• Property name:
• Link to the property description draft
• Link to the properties values description draft
• Agreement on the property name, description and values
• Link to PR
• PR merged

[toscalix]

Attribute convenience

During the last two meetings, there was a general consensus that such a reference would be ideal to have it as part of the list. In which form is still to be discussed, given that we might have to reference papers, standards or descriptions in regulation or standardization bodies.

Another point is that the crypto algorithms might go through several revisions or might be published in more than one place so we might have more than one candidate

Attribute Name

During the SPDX Crypto Algorithms List meeting on 2025-05-21, participants questioned the name "origin". This questioning became a consensus during the following meeting.

Which name do we use instead?