

Subject: [OASIS Issue Tracker] Commented: (OFFICE-3467) ODF 1.2 CD05-1 10.4.1 Frame Substitutions Repudiatable



    [ http://tools.oasis-open.org/issues/browse/OFFICE-3467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21963#action_21963 ] 

Bart Hanssens commented on OFFICE-3467:
---------------------------------------

A long time ago I started drafting a "secure" signature profile (http://www.oasis-open.org/committees/document.php?document_id=32052&wg_abbrev=oic); perhaps it should be revived.

Actually, one is never completely sure what one signs (e.g. if implementation A mixes up columns in tables, or caches calculated values, or leaves out an appendix, or subdocuments...).

External files are indeed an issue. I suppose a ds:Reference to external resources can be added to the signatures.xml.

> ODF 1.2 CD05-1 10.4.1 Frame Substitutions Repudiatable
> ------------------------------------------------------
>
>                 Key: OFFICE-3467
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-3467
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: Graphics, Part 1 (Schema), Security
>            Reporter: Dennis Hamilton
>
> Because different consumers may present different alternatives in a <draw:frame>, one that is presented by a consumer need not be the one that was seen when a producer provided a digital signature on the document.
> A signer may successfully claim that the document as presented by a consumer is not the one that was signed, even though the signature is verified.  
> The difficulty is magnified when one or more of the alternatives is by reference to external material that is not covered by the signature and is not cached so as to be included in the signature.  (This is a general concern when the document contains links to external material that may be accessed automatically and presented as if it is an inherent part of the document without it being somehow reflected in the document package files that are signed.)

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
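
The coverage gap discussed in this thread can be checked mechanically. The following is an added example, not part of the original message or of any ODF implementation: it lists each `<draw:frame>` that has several linked alternatives, or a link target with no matching `ds:Reference` in `META-INF/documentsignatures.xml`. The sample package, its frame names and URLs are constructed, and the script checks reference coverage only; it does not validate digests or signature values.

```python
import io, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK = "http://www.w3.org/1999/xlink"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SIG_PATH = "META-INF/documentsignatures.xml"  # ODF 1.2 document signature file

def classify(href, names, covered):
    """'signed', 'unsigned' (in package, no ds:Reference) or 'external'."""
    path = unquote(href[2:] if href.startswith("./") else href)
    if urlsplit(href).scheme or href.startswith(("/", "../")) or path not in names:
        return "external"  # not resolved inside the package, so never digested
    return "signed" if path in covered else "unsigned"

def audit_frames(data):
    """List draw:frame elements whose rendering the signature does not pin down.
    Children carrying xlink:href are treated as the frame's alternatives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        sig_xml = pkg.read(SIG_PATH) if SIG_PATH in names else b"<none/>"
        covered = {unquote(r.get("URI", "")) for r in ET.fromstring(sig_xml).iter(f"{{{DSIG}}}Reference")}
        for frame in ET.fromstring(pkg.read("content.xml")).iter(f"{{{DRAW}}}frame"):
            hrefs = [c.get(f"{{{XLINK}}}href") for c in frame if c.get(f"{{{XLINK}}}href")]
            status = {h: classify(h, names, covered) for h in hrefs}
            if len(hrefs) > 1 or any(s != "signed" for s in status.values()):
                findings.append({"frame": frame.get(f"{{{DRAW}}}name"),
                                 "alternatives": len(hrefs), "status": status})
    return findings

def build_sample():
    """Constructed, minimal ODF-like package; element content is illustrative only."""
    content = (f'<doc xmlns:draw="{DRAW}" xmlns:xlink="{XLINK}">'
               '<draw:frame draw:name="f1"><draw:image xlink:href="Pictures/chart.png"/>'
               '<draw:image xlink:href="http://example.org/chart.svg"/></draw:frame>'
               '<draw:frame draw:name="f2"><draw:image xlink:href="Pictures/chart.png"/></draw:frame>'
               '<draw:frame draw:name="f3"><draw:image xlink:href="Pictures/logo.png"/></draw:frame></doc>')
    sig = (f'<sigs xmlns:ds="{DSIG}"><ds:Reference URI="content.xml"/>'
           '<ds:Reference URI="Pictures/chart.png"/></sigs>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in [("content.xml", content), (SIG_PATH, sig),
                           ("Pictures/chart.png", "x"), ("Pictures/logo.png", "y")]:
            z.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    print(*audit_frames(build_sample()), sep="\n")
```

When running this over packages from untrusted sources, substitute a hardened XML parser for `xml.etree.ElementTree`.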

        

