incubator-ooo-dev mailing list archives

From Pedro Giffuni <giffu...@tutopia.com>
Subject Re: AOOo can't save passwort protected file
Date Sat, 17 Sep 2011 17:26:55 GMT
 Hi;

 Despite the valid interest in higher encryption schemes, I
 prefer to set Blowfish as default now. That doesn't mean
 we won't consider patches later on, of course.

 BTW, can't we just use OpenSSL? I think it's included in
 most Linux/BSD distributions.

 Pedro.

 On Sat, 17 Sep 2011 12:47:59 -0400, Rob Weir <robweir@apache.org> wrote:
> On 9/17/11, Mathias Bauer <Mathias_Bauer@gmx.net> wrote:
>> On 17.09.2011 14:44, Rob Weir wrote:
>>
>>> When the competition for a new algorithm ended, the winner was the
>>> Advanced Encryption Standard (AES).  We really need to support that
>>> algorithm.  There is a reason why ODF 1.3 recommends it.  There are
>>> regulations in several countries that specify what cryptographic
>>> methods may be used for government work.  In the US this is called
>>> FIPS == Federal Information Processing Standards.  There are similar
>>> rules, for example, in Japan.  FIPS 140-2 recommends AES. It does not
>>> recommend Blowfish.  So this has great relevance for government users,
>>> government contractors, as well as other sectors like healthcare.
>>
>> As you said, OOo *1.3* will *recommend* it. Does that require postponing
>> an AOOo 3.4 release until there is a code replacement for nss? Or do you
>> already have something to use? IIRC it took roughly two weeks to
>> implement and test the new AES code for an engineer familiar with the
>> code. I assume that for a newbie that would be quite some time more.
>>
>
> Support for AES exists in the JCE and via the ODF Toolkit.  The latter
> is Apache 2.0 licensed.
>
>> IMHO getting 3.4 out fast is important. And of course having AES
>> encryption is important also - immediately after that.
>>
>
> I'm flexible on the staging of this.  Eventually we'll want to get to
> have full AES support.  I've seen Microsoft push OOo out of
> consideration for government accounts by arguing that the MS Office
> crypto is certified and ours is using an algorithm (Blowfish) that is
> not, that OOo uses a cipher that even the author recommends not using.
> We don't win that debate with a backwards compatibility argument.
>
>> YMMV.
>>
>> Regards,
>> Mathias
>>

