OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Commented: (OFFICE-3466) ODF 1.2 CD05-110.4.4 <draw:image> xlink:href case Repudiatable


    [ http://tools.oasis-open.org/issues/browse/OFFICE-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21960#action_21960 ] 

Andreas Guelzow  commented on OFFICE-3466:
------------------------------------------

I don't think that this is quite correct. The xlink:href form of <draw:image> may be used to refer to an image contained in a separate file of the ODf package. Signing the package should then also sign the image.

Of course when  the xlink:href form of <draw:image> is used to refer to an external image, that is not the case, but I don't think that it is appropriate to force implementation to include that image. I might be referring to an image that I am not allowed to distribute or that may in fact be volatile (ie. changes over time). In that case including  a cache is contrary to teh intentions of the author.

I think it is up to the consumer to ensure that the users knows tha the image was not signed and up to the producer  to inform the user tha the image will not be signed.

> ODF 1.2 CD05-1 10.4.4 <draw:image> xlink:href case Repudiatable
> ---------------------------------------------------------------
>
>                 Key: OFFICE-3466
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-3466
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: Graphics, Part 1 (Schema)
>    Affects Versions: ODF 1.2 CD 05
>            Reporter: Dennis Hamilton
>             Fix For: ODF 1.2 CD 06
>
>
> When the xlink:href form of <draw:image> is used, the image is not captured in the document markup.
> That means that any digital signature of the markup does not include the image that may have been presented to the user, it only includes the xlink:href that is not to content that is part of the signed material.
> In this case, an user that requests the document be signed may believe that the image that is presented is included in that signature.  Alternatively, an user can repudiate that the document with a particular image presented is the one that was signed, because the image itself is not covered by the document signature.
> One way for a producer to safeguard that is to include a cache of the image that was rendered (if it was rendered) in the <draw:image> element in some way.  There is no provision for such a means of assuring, by it being included in the signature, that the user signed the document as seen when that particular image was presented.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]