incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: AOOo can't save passwort protected file
Date Sat, 17 Sep 2011 16:47:59 GMT
On 9/17/11, Mathias Bauer <Mathias_Bauer@gmx.net> wrote:
> Am 17.09.2011 14:44, schrieb Rob Weir:
>
>> When the competition for a new algorithm ended, the winner was the
>> Advanced Encryption Standard (AES).  We really need to support that
>> algorithm.  There is a reason why ODF 1.3 recommends it.  There are
>> regulations in several countries that specify what cryptographic
>> methods may be used for government work.  In the US this is called
>> FIPS == Federal Information Processing Standards.  There are similar
>> rules, for example, in Japan.  FIPS 140-2 recommends AES. It does not
>> recommend Blowfish.  So this has great relevance for government users,
>> government contractors, as well as other sectors like healthcare.
>
> As you said, OOo *1.3* will *recommend* it. Does that require postponing
> an AOOo 3.4 release until there is a code replacement for nss? Or do you
> already have something to use? IIRC it took roughly two weeks to
> implement and test the new AES code for an engineer familiar with the
> code. I assume that for a newbie that would be quite some time more.
>

Support for AES exists in the JCE and via the ODF Toolkit.  The later
is Apache 2.0 licensed.

> IMHO getting 3.4 out fast is important. And of course having AES
> encryption is important also - immediately after that.
>

I'm flexible on the staging of this.  Eventually we'll want to get to
have full AES support.  I've seen Microsoft push OOo out of
consideration for government accounts by arguing that the MS Office
crypto is certified and ours is using an algorithm (Blowfish) that is
not, that OOo uses a cipher that even the author recommends not using.
  We don't win that debate with a backwards compatibility argument.

> YMMV.
>
> Regards,
> Mathias
>

Mime
View raw message