To comment on the following update, log in, then open the issue: http://www.openoffice.org/issues/show_bug.cgi?id=39382
------- Additional comments from [EMAIL PROTECTED] Tue Oct 17 11:33:27 -0700 2006 -------

Hello,

Let's divide the subject into two:

1. Signing document, this process requires user private credential and X.509 certificate. Here there should be a simple implementation to use PKCS#12 files or PKCS#11 tokens in order to actually perform the signature, using libxmlsec and OpenSSL. If using PKCS#12 based storage, GUI should prompt the user for a file and passphrase. If using PKCS#11 based token, GUI should prompt the user with a list of certificates and allow the user to select one. Also a GUI should be available to allow user to specify which providers to load. This should be simple enough, and can be integrated directly into Open Office.

2. Verifying document, this process requires validating a certificate chain. This feature is more complex only because it involves more GUI... Since it really doesn't access any user private credentials. But actually it is quite simple... Since the verification using libxmlsec and OpenSSL should be simple. Displaying the certificate chain using text dump is also simple enough. The problem is verifying the certificate chain, downloading CRLs, using OCSP etc...

> OOo currently uses the mozilla certificate store and certificate verification
> function.

True... But it is not built in... I don't think I am a simple user, but I was unable to activate it... The external dependency makes it very hard. One option is integrating NSS into your build, but I find OpenSSL a better API.

> Moreover it uses the libxmlsec (external project) which uses itself
> mozilla functionality. The libxmlsec could be configured to use another PKI
> framework, such as OpenSSL. However, Mozilla already brings a GUI for
> certificate management.

True... But I think the GUI should be Open Office built-in... To be user friendly, many people have already national id cards, and wish to sign... But in KDE/Open Office environment, external dependency of Mozilla is not intuitive.

> Direct support of PKCS#11 is certainly interesting but does not seem to solve
> the problem of the dependency to Mozilla. Currently we do not intend to
> implement a certificate store on our own. Frankly, this should be part of the
> operating system.

Well... I don't agree... Operating system should handle resource allocation... and be as small as it can... (Unlike Windows...). Operating system should not pop up dialogs (Unlike Windows, again). Maybe you refer to a common library that can be used by multiple applications... But again, I don't think this common library should provide user interface, but allow you to perform your requirements using a simple API. NSS is one API.... But you should implement a UI to integrate correctly, OpenSSL is another, the same effort of integrating UI, with simpler API. KDE has its own certificate store, I am sure Gnome has one also...

> Was your idea to completely get rid of the dependency or only decouple the
> PKCS#11 functionality?

I think PKI functionality should be integrated into Open Office. So first stage is to integrate this functionality, then what most projects find hard to accomplish is to integrate smart card functionality. Here I usually come to help... :) But reading your response, I think I can help you also with integrating PKI functionality... I prefer OpenSSL, this does require some UI additions. And we can do the chain checking in steps, first one is to require CRLs already downloaded, second stage is to use OCSP, third is to download CRL automatically.

In short... I think it is very important to integrate X.509 into Open Office, thus allowing an out of the box solution for users, this solution should support smartcards using PKCS#11 interface, to be used in Windows and *inux environments.

Best Regards,
Alon Bar-Lev.
---------------------------------------------------------------------
Please do not reply to this automatically generated notification from
Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
