Eight months in, the list is growing, the community is asking questions, and the next steps are clear.
Precedents
Back in October I wrote about the genesis of the SPDX Cryptographic Algorithm List (SPDX CryptAlg) and how it was evolving. This is an update of that blog post.
What the List Looks Like Today
Let me start with the List definition we have agreed on within the Cryptography Group.
“Modeled after the SPDX License List, this list provides a shared and unambiguous vocabulary for identifying and referencing cryptographic algorithms in Bills of Materials (BOM), SPDX documents, and related tooling.

The SPDX Cryptographic Algorithm List includes a standardized short identifier, the full name, OID, cryptoClass, and references.
The purpose of the SPDX Cryptographic Algorithm List is to enable efficient and reliable identification of Cryptographic Algorithms in an SPDX document, in source files or elsewhere.”
The List keeps maturing. It currently includes more than 120 algorithms. The total number has stayed roughly the same since the last report: some algorithms were added, but some were also removed for various reasons. Each algorithm is described using seven properties, when available. Two of those properties are new since the last report: oid and reference.
The list also comes with complementary documentation. You can find a general description of the project and a guide on how to contribute. This content will mature in the coming weeks.
Where We Are Headed
The SPDX Cryptography Group has identified a few concrete tasks to deliver in the coming weeks or the next couple of months. First, we will be adding a new property: mode. Modes are technically more a parameter than a property. However, we do not yet have a shared understanding of how to handle parameters in general. Since the number of modes is finite and small, we decided to add them as properties for now. Time will tell if this is the right decision or if we will need to adjust it.
A second important line of work is completeness. So far, we have favored adding more algorithms over making sure every algorithm has all its properties filled in. At some point in the future, we will require that every new algorithm submission includes values for every property. We are not there yet. For now, we keep working on adding values to the properties little by little.
We are also opening a line of work that should end with the list published on the SPDX website. This step requires adopting new procedures, policies, and processes that we do not have in place today. It is a sign of maturity, but also a risk of over-engineering the initiative. We are analysing how to meet all validation requirements while keeping the list flexible and easy to contribute to. As part of this, we are working on a release policy.
Finally, we will document for each property whether it is mandatory and whether it accepts a single value or multiple values.
Growing Recognition and Open Questions
The SPDX Security Profile has confirmed that it will use the SPDX CryptAlg as a reference. Other groups and profiles within SPDX are discussing doing the same. This is a good sign.
As more people learn about our work, we receive an increasing number of questions about how we compare to the work done by CycloneDX in defining cryptographic assets. As our work matures, both the similarities and the differences are becoming more visible. They are still unclear to most people. We are working on two things: explaining what we are doing and the reasoning behind it, and accepting that it is still too early for those differences to be obvious to the majority of our future users. We have been working for around 7 months. I think we will need another 3 to 5 months before those questions start to fade.
During last week’s SPDX tech-meeting, I gave a presentation about the SPDX Crypt List, together with another member of the Group, Steven C. Feel free to download it for further details.
Sponsorship and Call for Participation

Last year, my work on the SPDX CryptAlg was sponsored by SCANOSS. Since December 1st 2025, I have been sponsored by the Software Transparency Foundation (STF), where SCANOSS is a Strategic Member, to contribute to the SPDX Crypt Alg. This sponsorship, together with SCANOSS contributions to the List, has been essential for reaching this point in just over half a year. Thank you to both.

If you are interested in cryptography, or if you think that having a canonical and standardized way to identify and declare algorithms matters, feel free to join our meetings and participate in the Group on a best-effort basis, as usual.
Check the first report of this series, published back in October.
This article was polished using AI