incubator-ooo-issues mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 119090] Default Encryption Fails for Down-Level Implementations
Date Tue, 20 Mar 2012 14:20:28 GMT
https://issues.apache.org/ooo/show_bug.cgi?id=119090

--- Comment #15 from orcmid <orcmid@apache.org> 2012-03-20 14:20:28 UTC ---
@Oliver.  Issue r117562 is based on an incorrect premise.  ODF 1.2 does not
change the default encryption in any way.  I quoted the ODF 1.2 specification
in an earlier comment.  Here it is again, with more emphasis (ODF 1.2 Part 3
section 4.8.1):

"Package producers that support encryption SHALL support the value Blowfish
CFB. Package consumers that support encryption SHALL support the values
Blowfish CFB and urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#blowfish."

There is conformance language related to the use of the manifest:checksum,
which is not about security but being able to determine whether a decryption is
correct.  That language is in 4.8.3,

"Package producers that support encryption SHOULD use the
urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha256-1k algorithm. Package
consumers that support encryption SHALL support the values SHA1/1K,
urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha1-1k and
urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#sha256-1k."

For the legacy case, the values "SHA1" and "SHA1/1K" are the only ones
recognized in use and some implementations treat "SHA1" the same as "SHA1/1K".

When blowfish is used, the SHA1/1K should always be used for interoperability
reasons.

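The following is an added example, not part of the bug comment or of any project's code: a Python audit of an ODF package's `META-INF/manifest.xml` against the algorithm and checksum values quoted from ODF 1.2 Part 3 above. The function name, the finding messages and the sample manifest (including its AES entry) are constructed for illustration, and treating only the literal value `SHA1/1K` as interoperable with Blowfish is an assumption drawn from the comment's last sentence.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
# Values copied from the specification text quoted in the comment (4.8.1, 4.8.3).
CONSUMER_ALGS = {"Blowfish CFB", NS + "#blowfish"}
CONSUMER_SUMS = {"SHA1/1K", NS + "#sha1-1k", NS + "#sha256-1k"}

def q(name):
    """Qualify a local name with the manifest namespace."""
    return "{%s}%s" % (NS, name)

def audit_manifest(xml_text):
    """Return {full-path: [findings]} for every encrypted file entry."""
    report = {}
    for entry in ET.fromstring(xml_text).iter(q("file-entry")):
        enc = entry.find(q("encryption-data"))
        if enc is None:
            continue  # entry is stored unencrypted
        alg_el = enc.find(q("algorithm"))
        alg = alg_el.get(q("algorithm-name")) if alg_el is not None else None
        chk = enc.get(q("checksum-type"))
        findings = []
        if alg not in CONSUMER_ALGS:
            findings.append("algorithm %r outside SHALL-support set" % alg)
        if chk not in CONSUMER_SUMS:
            findings.append("checksum-type %r outside SHALL-support set" % chk)
        if alg in CONSUMER_ALGS and chk != "SHA1/1K":  # assumption, see lead-in
            findings.append("Blowfish without SHA1/1K: interoperability risk")
        report[entry.get(q("full-path"))] = findings
    return report

# Constructed sample manifest (not taken from the bug report).
SAMPLE = f"""<manifest:manifest xmlns:manifest="{NS}">
 <manifest:file-entry manifest:full-path="meta.xml"/>
 <manifest:file-entry manifest:full-path="content.xml">
  <manifest:encryption-data manifest:checksum-type="SHA1/1K">
   <manifest:algorithm manifest:algorithm-name="Blowfish CFB"/>
  </manifest:encryption-data></manifest:file-entry>
 <manifest:file-entry manifest:full-path="styles.xml">
  <manifest:encryption-data manifest:checksum-type="{NS}#sha256-1k">
   <manifest:algorithm manifest:algorithm-name="Blowfish CFB"/>
  </manifest:encryption-data></manifest:file-entry>
 <manifest:file-entry manifest:full-path="settings.xml">
  <manifest:encryption-data manifest:checksum-type="{NS}#sha256-1k">
   <manifest:algorithm manifest:algorithm-name="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  </manifest:encryption-data></manifest:file-entry>
</manifest:manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

When the manifest comes from an untrusted package, parse it with a hardened XML parser such as `defusedxml` instead of the standard-library one.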