incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mathias Bauer <Mathias_Ba...@gmx.net>
Subject Re: AOOo can't save passwort protected file
Date Thu, 22 Sep 2011 20:38:33 GMT
Am 22.09.2011 17:49, schrieb Michael Stahl:

> On 17.09.2011 22:32, Pedro F. Giffuni wrote:
>> 
>> 
>> --- On Sat, 9/17/11, Rob Weir <robweir@apache.org> wrote:
>> ...
>>>
>>> OpenSSL is a a validated module when run in "FIPS mode":
>>>
>>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1111
>>>
>>> But that would still apply to AES, not Blowfish.
>>>
>>> Think of it this way:  FIPS 140 defines what the
>>> acceptable algorithms are.  Then the actual modules,
>>> the actual libraries, are validated by 3rd party
>>> testing labs according to NIST criteria.   If we use
>>> validated modules implementing approved algorithms, then
>>> we're golden.
>>>
>> 
>> Thanks for this point. NSS is not certified and given the
> 
> where the heck did you get that idea?
> 
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1280
> 
>> version OOo carries has known security issues I suggest
>> we kill the configure option to avoid hazards to our users.
> 
> indeed the version shipped by OOo is outdated (3.12.6); newest one on the
> FTP server is:
> 
> https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_11_RTM/src/
> 
> (of course the OOo internal OpenSSL is similarly out of date...)
> 
>> Without other options I prefer Blowfish to no security at all.
>> Again, patches for OpenSSL or any other certified solution
>> are welcome :).
>> 
>> While here .. I also think we should kill mozilla:
>> 
>> 1) The version we carry also has serious security issues.
>> 2) Google Chromium has a better license.
> 
> but can Google Chromium read Mozilla address books?
> 
> AFAIK that is all that OOo uses Mozilla for...

AFAIR a genius has bound our whole address book support code (not only
the code for the Mozilla address book) to Mozilla code. And we also use
the Mozilla stuff for ldap. All other formerly Mozilla based
functionality in OOo nowadays uses nss.

All just IIRC.

Regards,
Mathias

Mime
View raw message