OASIS Common Security Advisory Framework (CSAF) TC

  • 1.  CSDPR01 Feedback Resolution: #1083

    Posted 08-20-2025 05:57

    Dear colleagues,
    regarding pull request #1135 "Comment Resolution CSD01PR: #1083" (https://github.com/oasis-tcs/csaf/pull/1135) and the underlying issue #1083 "disallow MD5 and SHA1 to simplify format and tests" (https://github.com/oasis-tcs/csaf/issues/1083):

    I hereby submit the following motion and request that if seconded and no objection received per this list before one week has passed on 2025-08-27 12:00 UTC to automatically carry. The motion may be superseded by a passing motion during the TC meeting on 2025-08-20.
    The Chair usually states the result per mail to this list when the period has passed.

    I, Thomas Schmidt, move to accept the resolution as suggested in https://github.com/oasis-tcs/csaf/pull/1135 and merge the pull request. The resolution in the pull request includes to not make changes to 6.2.8 and 6.2.9 to still provide the option to provide available weak hashes in a CSAF document (rather than having to remove them and lose data).

    Rationale: In the distribution of CSAF, MD5 and SHA1 were never really used. However, providing MD5 or SHA1 together with binaries was still common a few years back (and for some vendors is still today). So, asset databases or SBOMs might still contain that data. Therefore, prohibiting the option to provide existent weak hashes does not make sense.

    Best wishes,
    Thomas



    ------------------------------
    Thomas Schmidt
    Subject Matter Expert
    Federal Office for Information Security (BSI) Germany
    ------------------------------


  • 2.  RE: CSDPR01 Feedback Resolution: #1083

    Posted 08-20-2025 07:46

    I, Justin Murphy, second the motion to accept the resolution suggested in https://github.com/oasis-tcs/csaf/pull/1135 including to not make changes to 6.2.8 and 6.2.9 to still provide the option to provide available weak hashes in a CSAF document.



    ------------------------------
    Justin Murphy
    justin.murphy@cisa.dhs.gov
    ------------------------------