From: Jürgen Schmidt
To: ooo-dev@incubator.apache.org
Subject: Re: [RELEASE,CODE]: Bug 119090 - Default Encryption Fails for Down-Level Implementations
Date: Mon, 26 Mar 2012 12:15:21 +0200
Message-ID: <4F7041B9.50606@googlemail.com>

On 3/26/12 11:21 AM, xia zhao wrote:
> 2012/3/26 Jürgen Schmidt
>
>> On 3/26/12 3:15 AM, Dennis E. Hamilton wrote:
>>
>>> TJ,
>>>
>>> I was doing some nosing around and, based on some information on the
>>> Community Forums (thank you Hagar), it looks like the settings are
>>> controlled in a file called registrymodifications.xcu, at least on Windows.
>>> The location will vary with different versions of Windows.
>>>
>>> On Windows, you can find one under the installed-user profile, such as
>>> Documents & Settings\orcmid\Application Data [a hidden file],
>>> OpenOffice/3/user/registrymodifications.xcu for any install since the
>>> AES256 has been instituted as default. The *.xcu is actually an XML file
>>> and you can find the settings by searching for "blowfish" and for "SHA1".
>>>
>>> How this works for Mac, Solaris, OS/2, and the various Linux and BSD
>>> builds, I have no idea.
>>>
>>
>> I think I have mentioned before that it is easy to provide an extension to
>> switch the relevant configuration settings.
>>
>> As the release manager I will accept the issue as critical enough to change
>> the default back for 3.4. For AOO 4.0 we will switch the default again and
>> will provide a GUI to allow the user to change it more easily.
>>
> I give +1 for Juergen here, this issue is critical but I don't think it is
> critical enough to block AOO 3.4 ship from QA view, for one software, one
> new release may have some difference with previous release, even for the
> same feature. I don't think this issue locates at changing the default
> setting back for 3.4 or not, the point is which encryption algorithm is
> more popular and buy in by users.

I am not sure, most users don't care about the technical details and they
will be simply confused if it won't work any more with older office versions.
We should make it better in AOO 4.0 and allow more flexibility

>
> But I agree offering user more flexibility by modifying the configuration
> file etc is one good idea.
>
> Lily
>
>> For 3.4 we provide a mini extension that switches the default back to AES for
>> users who prefer this encryption algorithm.

I put a small oxt together, you can find it under
http://people.apache.org/~jsc/extensions/ODF12-Default-encryption-AES256-cbc.oxt

Feel free to test it, it should work in AOO3.4 only (it contains a minimal
and maximal version dependency)

Juergen

>>
>> Juergen
>>
>>> - Dennis
>>>
>>> -----Original Message-----
>>> From: TJ Frazier [mailto:tjfrazier@cfl.rr.com]
>>> Sent: Friday, March 23, 2012 11:26
>>> To: ooo-dev@incubator.apache.org
>>> Subject: Re: [RELEASE,CODE]: Bug 119090 - Default Encryption Fails for
>>> Down-Level Implementations
>>>
>>> [ ... ]
>>>
>>> ... options to consider:
>>>
>>> 3. User change to config file, to use the new option.
>>>
>>> I have suggested a writeup on this, but such instructions are much
>>> better aimed at the (few?) users who want the "latest and greatest"
>>> security option, and will do a little work to get it. (Does anybody know
>>> what that file name is? Given that, I volunteer to update the Release
>>> Notes.)
>>>
>>> 4. Macro to toggle the settings.
>>>
>>> This could be distributed in a BASIC library (new or existing); no
>>> extension necessary. User instructions to find and run the macro are
>>> simple. I may be able to write this; preliminary investigation is
>>> promising but not certain. I volunteer to try. There are several real
>>> experts on this list, whom I might ask for help.
>>>
>>> /tj/
>>>
>>>> [1] https://issues.apache.org/ooo/show_bug.cgi?id=119090
>>>>
>>>> On 19.03.2012 14:48, Jürgen Schmidt wrote:
>>>>
>>>>> On 3/19/12 2:16 PM, TJ Frazier wrote:
>>>>>
>>>>>> On 3/19/2012 08:48, Jürgen Schmidt wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I think issue 119090 is no show stopper from my point of view. The new
>>>>>>> default provides a better security than before when I understand it
>>>>>>> correct. And if people detect potential problems they can save the
>>>>>>> document again with other settings.
>>>>>>>
>>>>>>> I agree that this is important for interoperability but no show
>>>>>>> stopper.
>>>>>>>
>>>>>>> Any other opinion?
>>>>>>>
>>>>>>> Juergen
>>>>>>>
>>>>>> Hi, Jürgen,
>>>>>>
>>>>>> Like Dennis, I'm nervous about this. Perhaps we can handle it with a
>>>>>> mention in the Release Notes; something like,
>>>>>>
>>>>>> PLEASE NOTE: the default options for [technical details here] should
>>>>>> provide your best /individual/ security.
>>>>>> However, if you intend to share
>>>>>> the document in secure fashion, the default mode cannot be read by
>>>>>> * previous versions of OpenOffice.org
>>>>>> * current versions of LibreOffice, at least through [version]
>>>>>> * MS Office [version info]
>>>>>> For compatibility, use the options [details here].
>>>>>>
>>>>> I agree that it makes sense to mention it in the release notes.
>>>>>
>>>>> Any volunteer for updating the release notes?
>>>>>
>>>>> Juergen
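
Added example, not part of the original thread and not project code: Dennis's quoted note says registrymodifications.xcu is an XML file in which the settings can be found by searching for "blowfish" and "SHA1". This Python script runs that search over a constructed sample and reports whether the profile overrides the ODF encryption defaults; the configuration path, the property names and the reading of `true` as the older algorithm are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

OOR = "{http://openoffice.org/2001/registry}"  # namespace of the oor:* attributes
KEYWORDS = ("blowfish", "sha1")                 # the two search terms from the thread

# Constructed sample of a user profile file. The path and property names are
# assumptions for illustration; check them against your own profile.
SAMPLE_XCU = """<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.Common/Save/ODF"><prop oor:name="UseBlowfishInODF12" oor:op="fuse"><value>false</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Save/ODF"><prop oor:name="UseSHA1InODF12" oor:op="fuse"><value>false</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Save/Document"><prop oor:name="AutoSave" oor:op="fuse"><value>true</value></prop></item>
</oor:items>
"""


def find_encryption_settings(xcu_text):
    """Return {(config path, property name): value} for matching properties."""
    root = ET.fromstring(xcu_text.encode("utf-8"))
    found = {}
    for item in root.iter("item"):
        path = item.get(OOR + "path", "")
        for prop in item.iter("prop"):
            name = prop.get(OOR + "name", "")
            if any(k in name.lower() for k in KEYWORDS):
                found[(path, name)] = (prop.findtext("value") or "").strip()
    return found


def classify(settings):
    """Summarise the overrides. Assumes 'true' selects the older algorithm."""
    if not settings:
        # The file stores only changes, so no entry means the built-in default.
        return "not overridden"
    values = {v.lower() for v in settings.values()}
    if values == {"true"}:
        return "legacy (Blowfish/SHA1)"
    if values == {"false"}:
        return "new (AES256)"
    return "mixed"


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XCU
    settings = find_encryption_settings(text)
    for (path, name), value in sorted(settings.items()):
        print(f"{path} {name} = {value}")
    print("ODF encryption override:", classify(settings))
```

Pass the path of a real registrymodifications.xcu as the first argument to check an installed profile instead of the sample.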