From: bugzilla@apache.org
To: ooo-issues@incubator.apache.org
Subject: DO NOT REPLY [Bug 54274] Security : password of Redlining history can easily be removed
Date: Wed, 11 Apr 2012 01:15:42 +0000
X-Bugzilla-Product: Word processor
X-Bugzilla-Component: configuration
X-Bugzilla-Severity: trivial
X-Bugzilla-Who: orcmid@apache.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: ama@openoffice.org
X-Bugzilla-Target-Milestone: OOo Later
X-Bugzilla-Changed-Fields: Status CC Version Resolution
X-Bugzilla-URL: https://issues.apache.org/ooo/

https://issues.apache.org/ooo/show_bug.cgi?id=54274

orcmid changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
                 CC|                            |orcmid@apache.org
            Version|OOO 2.0 Beta2               |605
         Resolution|                            |WONTFIX

--- Comment #3 from orcmid 2012-04-11 01:15:42 UTC ---
None of the ways of setting protections, including protection against changing
the change-tracking settings and protecting a document as read-only, are
security provisions.

It is easy for the protection settings to be overcome by direct manipulation of
XML elements in the ODF package. The protection can be removed, forged, and
moved onto other documents without knowing the password that is used.

I agree that users do need to know that these protections are not the same as
the strong, encryption-enforced protection that is achieved solely by the "Save
with Password" option when saving documents.

It would help were the interface arranged in such a way that the setting of
protections is not a document-security measure and the setting of protections
is more for prevention of accidents than any strong preservation of document
integrity.

If there is any way to prevent future vulnerabilities against the passwords
themselves (a genuine security issue) and to provide some security-enforced
protection of certain content and settings, that needs to be dealt with by new
approaches. Other issues should be raised for that. The ODF format and the use
of password-digests as protection authenticators in that format is not now
amenable to any other approach.
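
The distinction drawn in comment #3, as an added example that is not part of the original bug report or of the OpenOffice code base: an audit that reports whether an ODF package is encryption-protected ("Save with Password") or only carries password-digest protection markers. The `protection-key` attribute and the `RedlineProtectionKey` settings item are the storage locations assumed here (the comment does not name them), and `build_sample` produces a constructed minimal package, not a complete document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, parse with defusedxml instead

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
CONFIG_NS = "urn:oasis:names:tc:opendocument:xmlns:config:1.0"

def audit_odf(data: bytes) -> dict:
    """Report encrypted streams and digest-only protection markers in an ODF package."""
    report = {"encrypted_entries": [], "protection_markers": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        # "Save with Password" records manifest:encryption-data per encrypted stream.
        manifest = ET.fromstring(pkg.read("META-INF/manifest.xml"))
        for entry in manifest.iter(f"{{{MANIFEST_NS}}}file-entry"):
            if entry.find(f"{{{MANIFEST_NS}}}encryption-data") is not None:
                report["encrypted_entries"].append(entry.get(f"{{{MANIFEST_NS}}}full-path"))
        encrypted = set(report["encrypted_entries"])
        for part in ("content.xml", "settings.xml"):
            if part not in names or part in encrypted:
                continue  # encrypted streams are ciphertext, not parseable XML
            for el in ET.fromstring(pkg.read(part)).iter():
                # Section/sheet protection: a *:protection-key attribute holding a digest.
                if any(a.rsplit("}", 1)[-1] == "protection-key" for a in el.attrib):
                    report["protection_markers"].append(f"{part}: protection-key")
                # Change-tracking protection digest kept as a settings item (assumed name).
                if (el.get(f"{{{CONFIG_NS}}}name") == "RedlineProtectionKey"
                        and (el.text or "").strip()):
                    report["protection_markers"].append(f"{part}: RedlineProtectionKey")
    report["advisory_only"] = bool(report["protection_markers"]) and not encrypted
    return report

def build_sample(redline_key: str, encrypt_content: bool) -> bytes:
    """Constructed minimal package for demonstration (not a complete ODF document)."""
    enc = "<m:encryption-data/>" if encrypt_content else ""
    manifest = (f'<m:manifest xmlns:m="{MANIFEST_NS}">'
                f'<m:file-entry m:full-path="content.xml">{enc}</m:file-entry>'
                f'<m:file-entry m:full-path="settings.xml"/></m:manifest>')
    settings = (f'<c:settings xmlns:c="{CONFIG_NS}"><c:config-item '
                f'c:name="RedlineProtectionKey">{redline_key}</c:config-item></c:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.xml", manifest)
        z.writestr("content.xml", b"\x00ciphertext" if encrypt_content else "<doc/>")
        z.writestr("settings.xml", settings)
    return buf.getvalue()
```

A result with `advisory_only` set to true marks a document whose only protection is the kind the comment describes as accident prevention, so it should not be relied on for integrity or confidentiality.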