From: Jürgen Schmidt
Date: Mon, 26 Mar 2012 10:10:41 +0200
To: ooo-dev@incubator.apache.org
Subject: Re: [RELEASE,CODE]: Bug 119090 - Default Encryption Fails for Down-Level Implementations
Message-ID: <4F702481.9010109@googlemail.com>

On 3/26/12 3:15 AM, Dennis E. Hamilton wrote:
> TJ,
>
> I was doing some nosing around and, based on some information on the Community Forums (thank you Hagar), it looks like the settings are controlled in a file called registrymodifications.xcu, at least on Windows. The location will vary with different versions of Windows.
>
> On Windows, you can find one under the installed-user profile, such as Documents & Settings\orcmid\Application Data [a hidden file], OpenOffice/3/user/registrymodifications.xcu for any install since the AES256 has been instituted as default. The *.xcu is actually an XML file and you can find the settings by searching for "blowfish" and for "SHA1".
>
> How this works for Mac, Solaris, OS/2, and the various Linux and BSD builds, I have no idea.

I think I have mentioned before that it is easy to provide an extension to switch the relevant configuration settings. As the release manager I will accept the issue as critical enough to change the default back for 3.4. For AOO 4.0 we will switch the default again and will provide a GUI to allow the user to change it more easily. For 3.4 we provide a mini extension that switches the default back to AES for users who prefer this encryption algorithm.

Juergen

>
> - Dennis
>
> -----Original Message-----
> From: TJ Frazier [mailto:tjfrazier@cfl.rr.com]
> Sent: Friday, March 23, 2012 11:26
> To: ooo-dev@incubator.apache.org
> Subject: Re: [RELEASE,CODE]: Bug 119090 - Default Encryption Fails for Down-Level Implementations
>
> [ ... ]
>
> ... options to consider:
>
> 3. User change to config file, to use the new option.
>
> I have suggested a writeup on this, but such instructions are much
> better aimed at the (few?) users who want the "latest and greatest"
> security option, and will do a little work to get it. (Does anybody know
> what that file name is? Given that, I volunteer to update the Release
> Notes.)
>
> 4. Macro to toggle the settings.
>
> This could be distributed in a BASIC library (new or existing); no
> extension necessary. User instructions to find and run the macro are
> simple. I may be able to write this; preliminary investigation is
> promising but not certain. I volunteer to try. There are several real
> experts on this list, whom I might ask for help.
>
> /tj/
>>
>> [1] https://issues.apache.org/ooo/show_bug.cgi?id=119090
>>
>> On 19.03.2012 14:48, Jürgen Schmidt wrote:
>>> On 3/19/12 2:16 PM, TJ Frazier wrote:
>>>> On 3/19/2012 08:48, Jürgen Schmidt wrote:
>>>>> Hi,
>>>>>
>>>>> I think issue 119090 is no show stopper from my point of view. The new
>>>>> default provides better security than before if I understand it
>>>>> correctly. And if people detect potential problems they can save the
>>>>> document again with other settings.
>>>>>
>>>>> I agree that this is important for interoperability but no show
>>>>> stopper.
>>>>>
>>>>> Any other opinion?
>>>>>
>>>>> Juergen
>>>>>
>>>> Hi, Jürgen,
>>>>
>>>> Like Dennis, I'm nervous about this. Perhaps we can handle it with a
>>>> mention in the Release Notes; something like,
>>>>
>>>> PLEASE NOTE: the default options for [technical details here] should
>>>> provide your best /individual/ security. However, if you intend to share
>>>> the document in secure fashion, the default mode cannot be read by
>>>> * previous versions of OpenOffice.org
>>>> * current versions of LibreOffice, at least through [version]
>>>> * MS Office [version info]
>>>> For compatibility, use the options [details here].
>>>>
>>>
>>> I agree that it makes sense to mention it in the release notes.
>>>
>>> Any volunteer for updating the release notes?
>>>
>>> Juergen
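
Added example, not part of the thread and not OpenOffice project code: the search Dennis describes (look in registrymodifications.xcu for "blowfish" and "SHA1"), done with an XML parser so a profile can be checked for which encryption defaults it overrides. The sample file content, its configuration path and property names are constructed assumptions, as is the reading that a true flag selects the older algorithm.

```python
import xml.etree.ElementTree as ET

OOR_NS = "http://openoffice.org/2001/registry"  # namespace of the oor:* attributes
KEYWORDS = ("blowfish", "sha1")                 # search terms named in the thread

# Constructed sample in the registrymodifications.xcu layout. The path and
# property names are assumptions for illustration, not taken from the thread.
SAMPLE_XCU = """<oor:items xmlns:oor="http://openoffice.org/2001/registry">
  <item oor:path="/org.openoffice.Office.Common/Save/ODF">
    <prop oor:name="UseBlowfishInODF12" oor:op="fuse"><value>false</value></prop>
  </item>
  <item oor:path="/org.openoffice.Office.Common/Save/ODF">
    <prop oor:name="UseSHA1InODF12" oor:op="fuse"><value>false</value></prop>
  </item>
  <item oor:path="/org.openoffice.Office.Common/Save/Document">
    <prop oor:name="AutoSave" oor:op="fuse"><value>true</value></prop>
  </item>
</oor:items>"""


def encryption_settings(xcu_text):
    """Return {property name: bool} for every prop whose name matches KEYWORDS."""
    root = ET.fromstring(xcu_text)
    found = {}
    for prop in root.iter("prop"):
        name = prop.get("{%s}name" % OOR_NS, "")
        if any(word in name.lower() for word in KEYWORDS):
            value = (prop.findtext("value") or "").strip().lower()
            found[name] = value == "true"
    return found


def profile_mode(settings):
    """Classify a profile, assuming a true flag selects the older algorithm.

    None means the profile overrides nothing, so the installed version's
    default applies and has to be checked separately.
    """
    if not settings:
        return None
    flags = set(settings.values())
    if flags == {True}:
        return "legacy"
    if flags == {False}:
        return "new"
    return "mixed"


if __name__ == "__main__":
    settings = encryption_settings(SAMPLE_XCU)
    print(settings, profile_mode(settings))
```

A result of "mixed" or None is the case worth a second look before sharing encrypted documents: the first means the two settings disagree, the second means the file says nothing and the answer depends on the installed version.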