incubator-ooo-issues mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 119090] Default Encryption Fails for Down-Level Implementations
Date Mon, 19 Mar 2012 16:23:01 GMT
https://issues.apache.org/ooo/show_bug.cgi?id=119090

--- Comment #6 from Rob Weir <robweir@apache.org> 2012-03-19 16:23:01 UTC ---
I think this is a security versus interop trade-off.

It is interesting to note that the author of the Blowfish algorithm actually
recommends not to use it anymore:

http://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful/?pp=3

He wrote Twofish to replace Blowfish. Twofish was submitted in the competition
to replace the older DES standard.  AES was picked as the winner of that
competition, not Twofish.  So from a security standpoint, our default of AES is
the best choice.

But it does have the interop downside that Dennis has mentioned.  But I think
this can be handled by user education.  If users want to share encrypted files
with older editors, they can:

1) Save As ODF 1.0/1.1

or

2) Set a configuration entry to make Blowfish the default.
