Hi,
I think it is a very idea to reach out to the OASIS
DSS-TC. The chairs are Stefan Drees, stefan@drees.name,
and Juan Carlos Cruellas, cruellas@ac.upc.edu.
The chair of the OASIS EKMI TC, Arshad Noor (arshad.noor@STRONGAUTH.COM) and the
chair of the PKIA TC, Stephen Wilson (swilson@lockstep.com.au)
can give you guidance on encryption or direct you to others.
Best,
Dee
From: Duane Nickull
[mailto:dnickull@adobe.com]
Sent: Thursday, July 31, 2008 6:33
PM
To: Jomar Silva; Marc Straat;
Leonard Rosenthol
Cc: office@lists.oasis-open.org
Subject: Re: [office] Digital
Signature proposal
Jomar:
Excellent suggestion! Although I cannot (as a point of order) invite
people on behalf of the TC, I do know my Adobe colleagues on the DSS TC.
I have cc’d them. They have expressed a willingness to help.
Would anyone object to inviting them to a future meeting to help us
understand what we need to know? Maybe this TC needs to contemplate
setting up an official liaison as per the OASIS procedures?
Just an idea to put out there.
Duane
On 31/07/08 3:17 PM, "Jomar Silva" <jomar.silva@br.odfalliance.org>
wrote:
There is another TC on OASIS that may help us with that: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss
They are the OASIS Digital Signature Services TC and I think that they should
have a broader view about that subject.
Best,
Jomar
Duane Nickull escreveu:
Re: [office] Digital Signature proposal Good
thoughts Robert. I think we ought to call in the right people. You
have an expert working for IBM by the name of Mary-ann Hondo (spelling?).
I worked with her in other standards groups. I would also like to
suggest we bring in some Adobe experts (people who know way more than me) and
perhaps some neutral government people who are responsible for policy in this
area.
The rationale? It would be pointless to build this part of the ODF
specification and find out later it doesn’t meet the minimal requirements
for 9/10 governments worldwide. Let’s at least attempt to get it
right and make sure that implementers are not locked outside of government
contracts due to the spec being sub-standard.
My $0.02 CAD.
Duane
On 31/07/08 2:44 PM, "robert_weir@us.ibm.com"
<robert_weir@us.ibm.com> wrote:
Duane Nickull <dnickull@adobe.com>
wrote on 07/30/2008 01:49:45 PM:
>
> It sounds like this TC has not documented dSig requirements from users.
As
> a big fan of ODF, I would like to suggest we consider collecting some as
I
> would hate to see implementations of ODF get pushed aside based on not
> meeting the basic requirements for dSig. I can help reach out to the
> Canadian Government, maybe UK,
Austria, Germany and US
too.
>
> Thoughts?
>
Document security, both on the encryption and digital signature side is a
critical issue to get right. I know that I'm not an expert in the area,
but my gut feeling is that we need to bring in some expertise. This is
similar to what we did when we brought it accessibility experts to
evaluate our gaps and options with ODF 1.0.
The concerns I have are:
1) XAdES appears to satisfy the requirements of Brazil and possible
Europe. But what about the US (FIPS)?
What about Japan?
What about
China?
Most of the ODF vendors today are selling their products
internationally. The open source implementations are certainly
distributing internationally. So I think we need a more comprehensive
view of what the digital signature requirements are globally. Although
XAdES may be part of this, I think it may be worth getting the
requirements up front and to work this out comprehensively. Maybe it
means we need W3C XML DigSig and 3 other standards, including XAdES. I
don't know. But I don't want to wait for ODF 2.0 for this. I want
us to
get this done for ODF 1.2.
2) Are we doing the right thing for encryption? I read one blog post by a
security expert suggesting that what we have specified today may not be
adequate:
http://blogs.msdn.com/david_leblanc/archive/2008/07/03/office-crypto-follies.aspx
3) Are we doing what we need now, to be flexible for what we may add
tomorrow? For example, we may not allow field level encryption today, or
slide-level signatures today, or multiple author signatures on overlapping
parts of a document, but let's make sure that we don't specify these
things in a way which would preclude us from adding more advanced features
later. I'd like to be able to wave my arms and describe how these
features could be done, by extending what we have specified, without
looking too foolish.
Again, this is not my area of expertise, but I can certainly tap into
security expertise within IBM. I wonder whether it would be worth putting
together a few experts from TC members and member companies to review what
we have today, and Jomar's/Bob's proposal, and suggest additional
requirements that should be met for ODF 1.2, and serve as a reviewer of
the security areas of the eventual draft text. This could be done as a
"security subcommittee" like we did with accessibility. Or we
could do it
with a few conference calls, outside of the normal TC call schedule.
In the end we need these features in ODF to be world class, because that
is our audience.
-Rob
--
**********************************************************************
Senior Technical Evangelist - Adobe Systems, Inc.
Duane's World TV Show - http://www.duanesworldtv.org/
Blog - http://technoracle.blogspot.com
Community Music - http://www.mix2r.com
My Band - http://www.myspace.com/22ndcentury
Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html
**********************************************************************