https://issues.apache.org/ooo/show_bug.cgi?id=119090
--- Comment #15 from orcmid <[email protected]> 2012-03-20 14:20:28 UTC --- @Oliver. Issue r117562 is based on an incorrect premise. ODF 1.2 does not change the default encryption in any way. I quoted the ODF 1.2 specification in an earlier comment. Here it is again, with more emphasis (ODF 1.2 Part 3 section 4.8.1): "Package producers that support encryption SHALL support the value Blowfish CFB. Package consumers that support encryption SHALL support the values Blowfish CFB and urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#blowfish." There is conformance language related to the use of the manifest:checksum, which is not about security but being able to determine whether a decryption is correct. That language is in 4.8.3, "Package producers that support encryption SHOULD use the urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha256-1k algorithm, Package consumers that support encryption SHALL support the values SHA1/1K, urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha1-1k and urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha256-1k." For the legacy case, the values "SHA1" and "SHA1/1K" are the only ones recognized in use and some implementations treat "SHA1" the same as "SHA1/1K". When blowfish is used, the SHA1/1K should always be used for interoperability reasons. -- Configure bugmail: https://issues.apache.org/ooo/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
