ODF 1.2 Part 3 Section 3.8.1 manifest:algorithm-name

[Jesper Lund Stocholm <4a4553504552@gmail.com>]

Hello ODF TC,

I have been looking at the file located at
http://docs.oasis-open.org/office/v1.2/part3/cd01/OpenDocument-v1.2-part3-cd01.odt,
dated 19. October 2009.

ODF 1.2 is the first major "over-haul" of ODF since ODF 1.0 was
approved, so this would be a good time to tighten a few things up in
terms of support of already existing applications and where to ODF
should be driven in the future.

* Section 3.8.1 manifest:algorithm-name

I like the idea of reusing already standardised functionality in "XML
Encryption Syntax and Processing". Especially the reusage of the
xmlenc-core way of specifiying algorithms look really good and
facilitate interoperability and reuse of existing implementations of
encryption algorithms in the best possible way.

However, I do not understand the need to persist Blowfish as the
preferred, default algorithm. I also do not understand the need to
include usage of Blowfish in the list of possible algorithms complying
with "standard OpenDocument conformance" (and not making it extended
conformance) - especially since the creator of Blowfish (Bruce
Schneier) himself discourages the usage of Blowfish today to other
alternatives.

I therefore propose the entire paragraph to be changed to:

[Section 3.8.1 start]

The manifest:algorithm-name attribute specifies the name of the
algorithm used to encrypt a file entry, and also specifies in which
mode this algorithm was used.

Defined values for the manifest:algorithm-name attribute are:

* An IRI listed in §5.2 or §5.3 of [xmlenc-core]: The algorithm
specified in §5.2 or §5.3 of [xmlenc-core] for this IRI, or
* The IRI of an alternative algorithm as specified in §5.1 of  [xmlenc-core].

To maintain compatibility with existing applications and documents
conforming to earlier versions of this specification, an application
may support Blowfish in CBC-code. The defined values for this
algorithm are "Blowfish CBC" or
"urn:oasis:names:tc:opendocument:xmlns:manifest:1.0#blowfish" See
[Blowfish].

Package producers and package consumers that support encryption shall
support AES-128 CBC using the value
http://www.w3.org/2001/04/xmlenc#aes128-cbc.

Alternative algorithms other than an IRI listed in §5.2 or §5.3 of
[xmlenc-core] may be specified by extended conforming documents only.
They shall not be specified by conforming documents.

(section describing schema at the end of the section remains the same)

[Section 3.8.1 end]

Justification:

The idea is basically to promote "standard" algorithms as those
mentioned in [xmlenc-core] to "first class citizens" of ODF while
making usage of Blowfish a second class citizen - while acknowledging
that there are legacy documents and applications out there using
Blowfish. Also, the words above are carefully chosen as not to require
any code change in any application nor making any existing documents
non-conformant (as such).

Additionally, as you may know, I fully support your two new
conformance classes "normal" and "extended in ODF 1.2", but I really
feel that saying "to be conformant (and not extended) you need to use
this list of standardised encryption algorithms ... or this
non-standardised, legacy one (Blowfish)" ... is a bit weird.

I hope you will take this into consideration.

--
Jesper Lund Stocholm
www.idippedut.dk
SC34/WG4 http://www.itscj.ipsj.or.jp/sc34/wg4/
S-445 - Danish mirror committee to SC34