

Subject: [OASIS Issue Tracker] Commented: (OFFICE-2686) ODF 1.2 Part 1 3.16 Macro Signature Meaningless and Inappropriate



    [ http://tools.oasis-open.org/issues/browse/OFFICE-2686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19348#action_19348 ] 

Dennis Hamilton commented on OFFICE-2686:
-----------------------------------------

Since there is no specification for macros at this point (see ODF 1.2 CD05 Part 1 sections 3.12-3.13), it seems weird to specify an implementation-dependent basis for their signatures.

Also, since the META-INF/documentsignatures.xml file is expected to sign everything, the possible exception being the META-INF/documentsignatures.xml file itself, it appears that it is expected to sign the proposed META-INF/macrosignatures.xml. I don't quite see what it means for them to happen concurrently.

I also don't understand what the use case is.  Perhaps there is more to be found out in OOXML, except I didn't think there were macros there.

Finally, I am concerned by the way that these files are expected to be named and how that forces some sort of out-of-band undefined agreement on avoiding collisions on the names.  (The Package specification allows ad lib creation of META-INF*signatures* files, with the only requirement being that they all use the same XML root element and basic schema.)

I suppose it is fair for a consumer to simply ignore digital signature files it doesn't understand, and only create those that it does.  If this is all we are establishing here, I'd hope there would be a simpler way to accomplish that little.

I still think we need something around how these are named so a consumer can confirm that an encountered META-INF/*signature* file is one that it does understand and might have created itself.



> ODF 1.2 Part 1 3.16 Macro Signature Meaningless and Inappropriate
> -----------------------------------------------------------------
>
>                 Key: OFFICE-2686
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-2686
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: General, Security
>    Affects Versions: ODF 1.2 CD 05
>         Environment: This defect applies in ODF 1.2 Part 1 CD04 and in the revisions leading up to CD05.  The specific text discussed is that in OpenDocument-v1.2-part1-cd04-rev05.odt
>            Reporter: Dennis Hamilton
>             Fix For: ODF 1.2 Part 1 CD 5
>
>
> Section 3.16 essentially restates provisions already provided in ODF 1.2 Part 3.  Most of the restatement is unnecessary and is somewhat self-contradictory.  There is a tiny amount of new material concerning META-INF/documentsignatures.xml.
> MACRO SIGNATURE DIFFICULTIES
> The vague treatment of macro signatures is uninformative and only serves to reserve the name META-INF/macrosignatures.xml for an unspecified purpose and significance.  In all material respects, its occurrence is already provided for in Part 3 and the absence of an actionable provision here adds no value.
> This non sequitur is not helpful:
> "Since macro code and executable code is implementation specific, this specification does not define to the files to which a macro signature applies."
> In addition, there is no indication what the signing of macros (and scripts?) signifies and how that is meaningful if document and such macro signatures can be applied simultaneously.
> If there is a problem with naming provisions for digital-signature files in the META-INF/*signature*.xml family, it seems inappropriate that the solution be incorporation of reserved names for some unidentified party's implementation-specific purpose in the ODF 1.2 specification itself.  This problem needs to be dealt with in a generally-useful manner.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
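
The consumer-side check discussed in the comment above, as an added example that is not part of the original message or of the ODF specification: it inventories the META-INF/*signature* entries of a package, reports which ones the consumer claims to understand, and lists the package files each one references, so it is visible whether documentsignatures.xml covers macrosignatures.xml. It performs no cryptographic verification; the `UNDERSTOOD` set, the sample package and the file names inside it are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG_NS = "urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
UNDERSTOOD = {"META-INF/documentsignatures.xml"}  # assumption: this consumer's own list

def audit_signature_files(package_bytes, understood=UNDERSTOOD):
    """Return {entry name: (status, sorted package-file URIs it references)}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            folder, _, leaf = name.rpartition("/")
            if folder != "META-INF" or "signature" not in leaf:
                continue
            data = pkg.read(name)
            try:
                # Refuse DTDs in untrusted XML instead of letting the parser expand them.
                root = None if b"<!DOCTYPE" in data else ET.fromstring(data)
            except ET.ParseError:
                root = None
            if root is None:
                report[name] = ("unparseable", [])
                continue
            if root.tag != f"{{{DSIG_NS}}}document-signatures":
                status = "wrong-root"
            else:
                status = "understood" if name in understood else "ignored-unknown-name"
            # URIs starting with '#' point inside the signature itself, not at package files.
            uris = sorted(r.get("URI", "") for r in root.iter(f"{{{DS_NS}}}Reference")
                          if not r.get("URI", "").startswith("#"))
            report[name] = (status, uris)
    return report

def build_sample_package():
    """Constructed sample package with three META-INF/*signature* entries."""
    def sig(*uris):
        refs = "".join(f'<ds:Reference URI="{u}"/>' for u in uris)
        return (f'<dsig:document-signatures xmlns:dsig="{DSIG_NS}" xmlns:ds="{DS_NS}">'
                f'<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature></dsig:document-signatures>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", "<doc/>")
        z.writestr("META-INF/documentsignatures.xml", sig("content.xml", "META-INF/macrosignatures.xml"))
        z.writestr("META-INF/macrosignatures.xml", sig("Basic/Standard/Module1.xml"))
        z.writestr("META-INF/vendor-signatures.xml", "<other/>")
    return buf.getvalue()
```

The "understood" status rests only on the entry name and root element, which is the limitation the comment raises: neither tells the consumer who created the file.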

        

