Mailing-List: contact ooo-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: ooo-dev@incubator.apache.org
MIME-Version: 1.0
In-Reply-To: <003301cc7558$ce102c40$6a3084c0$@acm.org>
References: <4E727988.6080004@gmx.ch>
	<01ba01cc740e$9fd48150$df7d83f0$@acm.org>
	<4E730259.5030200@gmx.ch>
	<CAHZP38DxffB+_0fiqU_fgEKs-ZGVDpKR8e1_PJmFfmE7-SoCCw@mail.gmail.com>
	<1316162418.21796.43.camel@hchao-ThinkCentre-M58p>
	<4E73D023.3000306@gmx.net>
	<00df01cc74cb$81cc1340$856439c0$@acm.org>
	<CAP-ksogmmRBHpDdCjvZZfKqMzV-mvaBRZoNL2Q8a-d9oXsKsyw@mail.gmail.com>
	<003301cc7558$ce102c40$6a3084c0$@acm.org>
Date: Sat, 17 Sep 2011 12:58:11 -0400
Message-ID: 
 <CAP-ksojgTx8PEhEBom8S3+eQTsodJoJ0Ns717Cayfq97awZJ3Q@mail.gmail.com>
Subject: Re: AOOo can't save passwort protected file
From: Rob Weir <robweir@apache.org>
To: ooo-dev@incubator.apache.org, dennis.hamilton@acm.org
Content-Type: text/plain; charset=UTF-8

On 9/17/11, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:
> Rob,
>
> What are you talking about?
>
> There is no new draft of Part 3 for ODF 1.3 and ODF 1.2 does *not* recommend
> AES.
>
> This has nothing to do with history lessons about NIST choice of encryption
> methods. (And did you know they are starting the look for AES replacement
> now?)
>
> In any case, I would be shocked to see ODF encryption use, with *any*
> encryption method whatsoever, in official secure communications or as a
> recommended method even for secure commercial communications.
>
> As you said earlier, ODF encryption is likely valuable mainly for confined,
> personal usage of "Save As ... Password Protected."  There is no need to
> upgrade for that purpose, especially unilaterally without user control.
> Pity the user who has upgraded at home but not at the office (or vice versa)
> and who encrypted a file for carrying from one place to another and now
> can't open it at the destination.
>

That is one use.  That is not the only use.   I'm not arguing that we
don't support Blowfish at all.  I'm saying that we should also allow
saving with AES, as allowed by ODF, and as required by regulation for
many users.

Your use of the word "unilaterally" is rhetorical nonsense. As I said
before, I favor having option for the user to select the encryption
method to use.  We should try not to 2nd guess our users' preferences
and offer only lowest-common-denominator, one-size-fits-all solutions.
   We should try to provide configuration options for reasonable
alternatives, especially where we know different user populations will
have different preferences.

There are better ways to pity the poor user at home with a 3 year old
version of OOo.  For example, making it easier for them to know that
their best option is to save the document on ODF 1.1 format.  That
solves this issue, and several others.

>  - Dennis
>
> -----Original Message-----
> From: Rob Weir [mailto:robweir@apache.org]
> Sent: Saturday, September 17, 2011 05:45
> To: ooo-dev@incubator.apache.org
> Subject: Re: AOOo can't save passwort protected file
>
> On Fri, Sep 16, 2011 at 7:51 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org> wrote:
>> I think reverting to Blowfish with 8-bit CFB and the default algorithms is
>> a good idea regardless.
>>
>
> [ ... ]
>
> When the competition for a new algorithm ended, the winner was the
> Advanced Encryption Standard (AES).  We really need to support that
> algorithm.  There is a reason why ODF 1.3 recommends it.
>
> [ ... ]
>
>