openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: OOXML
Date Sun, 03 Aug 2014 19:02:47 GMT
In a later note, Jan asks about my statement concerning digital signatures, private content,
and covert content:

  "In the other mail you write a quite interesting note about 
   digital signing of artifact the user cannot see. Do you 
   happen to know how microsoft goes around that with the web 
   based offerings ?

Digital signatures officially entered ODF with the ODF 1.2 specification, although there was
an implementation of that capability in versions of OpenOffice.org that extended their ODF
1.0/1.1 support to provide digital signatures.  (The ODF 1.2 version is incompatible and that
created some interesting interoperability issues until the implementations sorted it out.)

With regard to Microsoft Office.  Microsoft supports the ODF 1.2 digital signature in their
support for ODF in Microsoft Office 2013.  Since Microsoft is careful about what is signed
and whether the user knows what is being signed (in terms of what is visible to users), there
is no problem.

On receiving digitally signed ODF 1.2 documents, Microsoft verifies those signatures as provided.
 Any editing will break the signature (as is true for all Consumers) and if the result is
signed, there will be no unsupported features or private/covert content left, so all is well.

I am not certain how this applies to the Office Web Applications.  It appears that the Web
Applications notice that a document is signed (whether they check it or not I have not tested)
but provide no way to sign a document that is edited in one of the Web Applications.  


PS: Here is what I did.

I downloaded an OpenOffice Calc (.ods) file that I already had in OneDrive, saved it under
a new name, and signed it using LibreOffice.  I put that back up on OneDrive.  Now, when I
open the .ods, I am warned that there may be features lost because editing is with the on-line
Excel application.  The Excel Online Help reports that an existing digital signature will
be lost if any attempt to edit is performed.

When I edited the document anyhow, there was no way to sign it on saving it back to OneDrive.
 It appears that I have to open it either in AOO or LibO or Excel on the desktop and sign
it there.  That's easy to do on Windows 8 because I have a OneDrive virtual folder on my desktop.
 (By the way, the making of a copy of the Calc file before editing in the Web Application
is no longer automatic.  I can edit the Calc document directly, but there is a warning about
it.  The warning links to details of what can be lost when Excel edits the Calc document.
 That includes loss of the digital signature.)

I just uploaded a signed Microsoft Word 2013 document.  When I opened it in the Web Application
to edit it, I was warned that editing would invalidate the signature.  After editing, I could
find no way using the Web Application to sign the document.  I would have to open it in the
desktop application in order to do that.


-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] 
Sent: Saturday, August 2, 2014 13:05
To: dev@openoffice.apache.org
Subject: RE: OOXML

[ ... ]
There are some tricky cases, including

- Changes that overlap/conflict with tracked changes but tracked changes are not updated/preserved
properly
- Accessibility impacts
- Digital signature applying to content not observable by the signer
- Covert content of various kinds
- breaking of RDF/RDA connections into the document (along with failure to preserve markers
correctly)

The digital signature and covert-content avoidance cases work against preserving material
that is not evident in a given application.  In the case of ODF, the damage to tracked changes
is survivable (with some loss), because the ODF approach is resilient.  But not knowing about
the tracked changes gets into the digital signature problem if the material is preserved while
not being visible to the user.

[ ... ]


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Mime
View raw message