incubator-ooo-dev mailing list archives

From Michael Stahl <...@openoffice.org>
Subject Re: AOOo can't save passwort protected file
Date Thu, 22 Sep 2011 15:49:29 GMT
On 17.09.2011 22:32, Pedro F. Giffuni wrote:
> 
> 
> --- On Sat, 9/17/11, Rob Weir <robweir@apache.org> wrote:
> ...
>>
>> OpenSSL is a validated module when run in "FIPS mode":
>>
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1111
>>
>> But that would still apply to AES, not Blowfish.
>>
>> Think of it this way:  FIPS 140 defines what the
>> acceptable algorithms are.  Then the actual modules,
>> the actual libraries, are validated by 3rd party
>> testing labs according to NIST criteria.   If we use
>> validated modules implementing approved algorithms, then
>> we're golden.
>>
> 
> Thanks for this point. NSS is not certified and given the

where the heck did you get that idea?

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1280

> version OOo carries has known security issues I suggest
> we kill the configure option to avoid hazards to our users.

indeed the version shipped by OOo is outdated (3.12.6); newest one on the
FTP server is:

https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_11_RTM/src/

(of course the OOo internal OpenSSL is similarly out of date...)

> Without other options I prefer Blowfish to no security at all.
> Again, patches for OpenSSL or any other certified solution
> are welcome :).
> 
> While here .. I also think we should kill mozilla:
> 
> 1) The version we carry also has serious security issues.
> 2) Google Chromium has a better license.

but can Google Chromium read Mozilla address books?

AFAIK that is all that OOo uses Mozilla for...

> 3) I actually think we should be browser version agnostic. 
> 
>> I'd be happy if we had deep in some configuration dialog
>> the ability for user (or more likely the IT department)
>> to specify the algorithm to use.
>>
> 
> I would think it could be a compile time option so we could
> name such switch "configure --with-ssl".
> 
> See? Everyone happy now :).
> 
> Cheers,
> 
> Pedro.

