incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mathias Bauer <Mathias_Ba...@gmx.net>
Subject Re: AOOo can't save passwort protected file
Date Sat, 17 Sep 2011 17:59:09 GMT
Am 17.09.2011 18:47, schrieb Rob Weir:

> On 9/17/11, Mathias Bauer <Mathias_Bauer@gmx.net> wrote:
>> Am 17.09.2011 14:44, schrieb Rob Weir:
>>
>>> When the competition for a new algorithm ended, the winner was the
>>> Advanced Encryption Standard (AES).  We really need to support that
>>> algorithm.  There is a reason why ODF 1.3 recommends it.  There are
>>> regulations in several countries that specify what cryptographic
>>> methods may be used for government work.  In the US this is called
>>> FIPS == Federal Information Processing Standards.  There are similar
>>> rules, for example, in Japan.  FIPS 140-2 recommends AES. It does not
>>> recommend Blowfish.  So this has great relevance for government users,
>>> government contractors, as well as other sectors like healthcare.
>>
>> As you said, OOo *1.3* will *recommend* it. Does that require postponing
>> an AOOo 3.4 release until there is a code replacement for nss? Or do you
>> already have something to use? IIRC it took roughly two weeks to
>> implement and test the new AES code for an engineer familiar with the
>> code. I assume that for a newbie that would be quite some time more.
>>
> 
> Support for AES exists in the JCE and via the ODF Toolkit.  The later
> is Apache 2.0 licensed.
> 
>> IMHO getting 3.4 out fast is important. And of course having AES
>> encryption is important also - immediately after that.
>>
> 
> I'm flexible on the staging of this.  Eventually we'll want to get to
> have full AES support.  I've seen Microsoft push OOo out of
> consideration for government accounts by arguing that the MS Office
> crypto is certified and ours is using an algorithm (Blowfish) that is
> not, that OOo uses a cipher that even the author recommends not using.
>   We don't win that debate with a backwards compatibility argument.

Sure, I wasn't aiming at backwards compatibility. In fact I was one of
those who where responsible for adding AES encryption to OOo's ODF code,
for the same reasons as yours.

I just recommended giving the urgency of a 3.4 release a higher priority
than the usage of AES encryption for saving ODF 1.2 documents in that
release.

Regards,
Mathias


Mime
View raw message