I think this is only a moderately-bad idea. For encryption, one presumably is limiting the
recipients and has some way to share the password to the limited number of users. Often, it is the
same user, protecting their own documents with encryption. In that case, when the usage is
highly-coordinated, the users can make an informed decision and ensured that any software needed to
open the documents is available to those who need to do so.
I would do three things:
1. When the defaults are used, they should be done as defaults (that is, the additional attributes
should be omitted, so it looks exactly like what ODF 1.1 supports). I would omit the
<manifest:manifest> manifest:version attribute also.
2. When non-defaults allowed under ODF 1.2 are used (including the recommended - not required -
uses of SHA256 and alternatives to PBKDF2+HMACSHA1 and Blowfish CFB), the additional attributes
have to appear *so* the package should be identified as having <manifest:manifest>
manifest:version="1.2" because no down-level implementation is expected to deal with them.
3. The use of default should be the default (because people do expect interoperability by default)
and the use of non-default cases should be an option, at least on Save As ... and perhaps on Tools
| Options | Load-Save. There needs to be warnings that the document may require the same software
[version] to be opened successfully. Maybe the option for selection should express this as a
feature. E.g., "Limit the document to being opened by software that implements the additional
required ODF 1.2 security features."
The case (3) allows for additional features as ODF 1.2+ implementation-defined provisions that
tighten some of the security aspects of these packages as well. (E.g., the next button would be
"Limit the document to being opened by software that implements xyz extended security features.")
- Dennis
-----Original Message-----
From: libreoffice-bounces+dennis.hamilton=acm.org@lists.freedesktop.org
[mailto:libreoffice-bounces+dennis.hamilton=acm.org@lists.freedesktop.org] On Behalf Of Caolán
McNamara
Sent: Monday, August 15, 2011 03:05
To: LibreOffice
Cc: Thorsten Behrens
Subject: [Libreoffice] default ODF encryption/checksum algorithms changed in master. Good thing ?
Since 5dd2784030e00fa1857b30ee8c5da62e221bfd32 (inherited change) the
default encryption and checksum algorithms used in our .odt export
changed, e.g. sha1 to sha256. They changed for settings of "ODF >=
1.2".
What it means in practice is that encrypted document exported from >=
3.5/3.6 won't be openable in older versions, e.g. <= 3.4
There is a UseSHA1InODF12 and UseBlowfishInODF12 setting which is
currently disabled.
Such a change shouldn't go unnoticed anyway. So...
a) is this a good thing that should be welcomed, with a "users using
older version of LibreOffice/OpenOffice.org should upgrade and/or hassle
their vendors for patched versions with support for these backported"
b) a bad idea ?
C.
_______________________________________________
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice
Context
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.