incubator-ooo-issues mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 119090] Default Encryption Fails for Down-Level Implementations
Date Fri, 23 Mar 2012 06:13:30 GMT
https://issues.apache.org/ooo/show_bug.cgi?id=119090

--- Comment #19 from orcmid <orcmid@apache.org> 2012-03-23 06:13:30 UTC ---
(In reply to comment #10)
> Thinking on this a little more.
> At some point we need to change to AES and at that point we will break compat
> with earlier editors.  We cannot avoid that.  We can only delay that.
> But delay does have some value.  We can seed the install base with the ability
> to read AES files, and do that for a release or two before we enable AES as the
> default for writing.  So then in the future, when we make AES the default for
> writing, the older versions (at least 3.4+) have the ability to read them as
> well.
> I have no idea whether changing the default is easy or hard, or whether anyone
> volunteers to do this.  But it is one possible approach.
> The user could then change the default via the configuration option.

Since you were looking for a volunteer, I dug through the SVN and found the
place where the defaults can be changed with ease.  I submitted the patch that
makes it so.

I have seen no review of the patch (which I requested just to be on the safe
side).  

Now the question seems to be whether or not the change of the default is
desirable or not.  I claim that it is for interoperability reasons.  There is
no basis for assuming that switching from Blowfish CFB to AES256 CBC does
anything to reduce the actual vulnerabilities and the cost to interoperability
is quite high if there is no staging and means of gradual switch-over.

How do we resolve this?
