incubator-ooo-dev mailing list archives

From Ross Gardler <>
Subject Re: Watch out for OpenOffice Crypto
Date Wed, 15 Jun 2011 21:12:46 GMT
On 15/06/2011 21:50, Dennis E. Hamilton wrote:
> This is a heads-up concerning these requirements:
> <>.
> There are cryptographic functions in the OpenOffice code base, specifically for providing digital signatures on documents and also for encryption of ODF packages.
> It appears that the Apache procedures for such code kick in *before* the code itself is placed in public view (i.e., committed to the SVN repository).

This is correct. Good catch.

We mentors should have dealt with that already - thanks for being vigilant.


> I guess it is time I looked at the JIRA to see if there is a good place to track this kind of thing.
>   - Dennis
> Digital Signature provisions are new in ODF 1.2 although some ODF 1.1 implementations include an early implementation. They are implemented in current releases of and LibreOffice, at least. XML DSig is used in a profile that deals with the fact that components within a Zip file are being signed. Late additions to the ODF 1.2 sequence of Committee Drafts introduced provisions for ETSI profiles, especially
> The encryption provisions have been included since ODF 1.0 (at least). The specification for ODF 1.2 has been tightened, providing additional encryption methods beyond the default use of Blowfish and Password Based Key Derivation (PBKDF2) using HMAC-SHA1. I don't know that any alternative encryptions are yet to be found in the wild.
> There are also some password-protection one-way functions in OpenOffice, mainly for obscuring passwords used to set locks of various kinds within documents. The digest algorithms are not considered encryption methods. (The FAQ is handy for this and related questions: <>.)
> I have been thinking that the Apache OOo would be a good place to do a reference implementation for a supplemental whole-package encryption that has been discussed on the ODF TC but that was considered too late in the game for ODF 1.2 (Now OASIS ODF 1.2 Committee Specification 01 and pending public review as a Candidate OASIS Standard). The nice part of such an effort is that it is independent of the rest of OOo development. It is about a wrapper that encloses the ODF package as a single encrypted file. There are a number of technical matters to be tested as part of choosing a specific approach for ODF 1.3 (say), and having a pilot reference implementation would help settle some of those questions as well as alert implementers in mitigating potential disruption, especially of down-level implementations.
> It was thinking about that mini-sub-project that led to the policies on handling encryption catching my eye.
