On 15/06/2011 21:50, Dennis E. Hamilton wrote:
This is a heads-up concerning these requirements:
<http://www.apache.org/dev/crypto.html>.
There are cryptographic functions in the OpenOffice code base, specifically for
providing digital signatures on documents and also for encryption of ODF
packages.
It appears that the Apache procedures for such code kick in *before* the code
itself is placed in public view (i.e., committed to the SVN repository).
This is correct. Good catch.
We mentors should have dealt with that already - thanks for being vigilant.
Ross
I guess it is time I looked at the JIRA to see if there is a good place to
track this kind of thing.
- Dennis
DETAILS
Digital Signature provisions are new in ODF 1.2 although some ODF 1.1
implementations include an OpenOffice.org-specific early implementation. They
are implemented in current releases of OpenOffice.org and LibreOffice, at
least. XML DSig is used in a profile that deals with the fact that components
within a Zip file are being signed. Late additions to the ODF 1.2 sequence of
Committee Drafts introduced provisions for ETSI profiles, especially XAdES.
The encryption provisions have been included since ODF 1.0 (at least). The
specification for ODF 1.2 has been tightened, providing additional encryption
methods beyond the default use of Blowfish and Password Based Key Derivation
(PBKDF2) using HMAC-SHA1. I don't know that any alternative encryptions are
yet to be found in the wild.
There are also some password-protection one-way functions in OpenOffice, mainly for
obscuring passwords used to set locks of various kinds within documents. The digest
algorithms are not considered encryption methods. (The FAQ is handy for this and
related questions: <http://www.apache.org/dev/crypto.html#faq>.)
BACKGROUND
I have been thinking that the Apache OOo would be a good place to do a
reference implementation for a supplemental whole-package encryption that has
been discussed on the ODF TC but that was considered too late in the game for
ODF 1.2 (Now OASIS ODF 1.2 Committee Specification 01 and pending public review
as a Candidate OASIS Standard). The nice part of such an effort is that it is
independent of the rest of OOo development. It is about a wrapper that
encloses the ODF package as a single encrypted file. There are a number of
technical matters to be tested as part of choosing a specific approach for ODF
1.3 (say), and having a pilot reference implementation would help settle some
of those questions as well as alert implementers in mitigating potential
disruption, especially of down-level implementations.
It was thinking about that mini-sub-project that led to the policies on
handling encryption catching my eye.