incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pedro F. Giffuni" <giffu...@tutopia.com>
Subject Re: AOOo can't save passwort protected file
Date Sat, 17 Sep 2011 20:32:15 GMT


--- On Sat, 9/17/11, Rob Weir <robweir@apache.org> wrote:
...
> 
> OpenSSL is a a validated module when run in "FIPS mode":
> 
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1111
> 
> But that would still apply to AES, not Blowfish.
> 
> Think of it this way:  FIPS 140 defines what the
> acceptable algorithms are.  Then the actual modules,
> the actual libraries, are validated by 3rd party
> testing labs according to NIST criteria.   If we use
> validated modules implementing approved algorithms, then
> we're golden.
> 

Thanks for this point. NSS is not certified and given the
version OOo carries has known security issues I suggest
we kill the configure option to avoid hazards to our users.

Without other options I prefer Blowfish to no security at all.
Again, patches for OpenSSL or any other certified solution
are welcome :).

While here .. I also think we should kill mozilla:

1) The version we carry also has serious security issues.
2) Google Chromium has a better license.
3) I actually think we should be browser version agnostic. 

> I'd be happy if we had deep in some configuration dialog
> the ability for user (or more likely the IT department)
> to specify the algorithm to use.
>

I would think it could be a compile time option so we could
name such switch "configure --with-ssl".

See? Everyone happy now :).

Cheers,

Pedro.


Mime
View raw message