Hi;
Despite the valid interest in higher encryption schemes, I
prefer to set Blowfish as default now. That doesn't mean
we won't consider patches later on, of course.
BTW, can't we just use OpenSSL? I think it's included in
most Linux/BSD distributions.
Pedro.
On Sat, 17 Sep 2011 12:47:59 -0400, Rob Weir <[email protected]> wrote:
On 9/17/11, Mathias Bauer <[email protected]> wrote:
On 17.09.2011 14:44, Rob Weir wrote:
When the competition for a new algorithm ended, the winner was the
Advanced Encryption Standard (AES). We really need to support that
algorithm. There is a reason why ODF 1.3 recommends it. There are
regulations in several countries that specify what cryptographic
methods may be used for government work. In the US this is called
FIPS == Federal Information Processing Standards. There are similar
rules, for example, in Japan. FIPS 140-2 recommends AES. It does not
recommend Blowfish. So this has great relevance for government users,
government contractors, as well as other sectors like healthcare.
As you said, OOo *1.3* will *recommend* it. Does that require postponing
an AOOo 3.4 release until there is a code replacement for nss? Or do you
already have something to use? IIRC it took roughly two weeks to
implement and test the new AES code for an engineer familiar with the
code. I assume that for a newbie that would be quite some time more.
Support for AES exists in the JCE and via the ODF Toolkit. The latter
is Apache 2.0 licensed.
IMHO getting 3.4 out fast is important. And of course having AES
encryption is important also - immediately after that.
I'm flexible on the staging of this. Eventually we'll want to get to
have full AES support. I've seen Microsoft push OOo out of
consideration for government accounts by arguing that the MS Office
crypto is certified and ours is using an algorithm (Blowfish) that is
not, that OOo uses a cipher that even the author recommends not using.
We don't win that debate with a backwards compatibility argument.
YMMV.
Regards,
Mathias