Amend Artifact Identifiers to use SHA-1DC, SHA-1, and SHA-256, to match Git.

[david-a-wheeler]

“SHA1” is not the algorithm used by git. I think OmniBOR should use git's algorithm instead (SHA-1DC) and clearly say so.

Here's the background. The OmniBOR site says it uses SHA-1, but it justifies this by saying that “Git Blobs are identified by the sha1 of the blob object”. The latter statement is not true; git uses SHA-1DC, not SHA-1. Historically it’s true that git used SHA-1, but for security reasons that changed. On 23 February 2017 the SHAttered attack (https://shattered.io/) demonstrated a practical SHA-1 hash collision. Git v2.13.0 and later subsequently moved to a hardened SHA-1 implementation by default, which isn’t vulnerable to the SHAttered attack. Its result is the same as SHA-1 in “normal” cases, but when it detects a “SHAttered attack” it produces a different result. This algorithmic variant is called SHA-1DC. SHA-1 is still weak; many consider this algorithm a transitional measure, so SHA-256 work began. Unfortunately, git was not designed to change hash algorithms, so changing it has been challenging. Indeed, transitioning git to SHA-256 has been challenging and stalled in 2022. So I think it's important to clarify "SHA-1" is really "SHA-1DC" since it's not clear how long this "transitional" state will be "transitional".

[alilleybrinker]

Thanks @david-a-wheeler!

There are actually two relevant issues here:

• Use of SHA-1DC to detect collisions by default, rather than normal SHA-1.
• Use of what I'll call the "Git construction" which hashes in the object type name, a space, the length of the thing being hashed in bytes, and a null terminator before hashing in the contents of the object (tracked in issue Define the "GitOID construction" scheme used for creating Artifact Identifiers. #60)

Together, these really reinforce that we ought to update the spec and website to be precise about how OmniBOR Artifact Identifiers are constructed.

[alilleybrinker]

In last week's WG meeting, there was a proposal of defining three mandatory hashes be used for artifact identifier construction (and thus also for manifests): SHA-1DC, SHA-1, and SHA-256. This is in part in recognition that older Git versions use plain SHA-1, and also that Git can still today fallback to plain SHA-1 if the SHA-1DC implementation is unavailable (though we expect this to be uncommon).

[alilleybrinker]

The spec has now been updated to only use SHA-256, after extensive discussion on the trade-offs of multi-hash support, and the challenges of SHA-1 vs. SHA-1CD.