OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [office] Proper identifier for Excel-style digest algorithm

Hi Bob,


Yes, the legacy algorithm was not named, and naming it would have required some of the other changes we had put together in the US/CA/SA agreement you mentioned, which didn’t get addressed in the BRM.  There are two sets of attributes in the IS29500 element for hashing algorithm, and the name attribute was added in the new set of attributes, which explicitly didn’t support the legacy algorithm.  So the old algorithm could only be named in an attribute whose presence precluded the use of it. J


In any event, I entirely agree with your comment that “applications, such as openoffice, should be free to implement the algorithm for reading and writing .xls or .doc files, but I would strongly discourage its use in odf files.”  It’s an issue for interoperability with existing documents that have used it in the past, but it’s not an algorithm that should be used going forward, for all the reasons we discussed during DIS29500.


Regarding how to name the algorithm, since it’s not named in IS29500 we can do whatever makes sense to everyone here.  Perhaps Rob’s suggestion (ISO/IEC 29500 Legacy Hash), or do what Adobe does if Duane finds they’ve named it something already.


- Doug


From: Bob Jolliffe [mailto:bobj@dst.gov.za]
Sent: Monday, July 07, 2008 3:43 PM
To: office
Cc: Kohei Yoshida
Subject: Re: [office] Proper identifier for Excel-style digest algorithm



It is unfortunate that this problem of not naming the legacy algorithm relates to one of the resolutions which never got tabled at the Geneva BRM back in February due to lack of time.  The USA, Canada and South Africa arrived at an agreement over a set of editing instructions which included amongst others:

Name the legacy algorithm for use in Transitional Migration, Features (normative) in A.1.6"

As I recall the situation, the legacy algorithm is assumed if the algorithm is not named.  The resolution including the above wasn't tabled, so as far as I can tell, it is still not named.  I still have a copy of our resolution which I guess we will put through to SC34 when the mechanism for receiving comments is up and running.

So for the moment we can name it ourselves as Rob suggested, but it would be nice for everyone to call it the same thing. 

One of the other issues which was raised back then relates to writing out hashes of passwords made using the legacy algorithm.  There was a strong sense that the legacy hash algorithm be used to verify existing passwords, but that "strict" conforming applications should not generate hashes of new passwords using this algorithm.  Unfortunately all this remains unresolved and there are no editing instructions approved by the BRM regarding the issues.

But it does give rise to the question: are we going to support saving passwords hashed using iso-29500-legacy-hash in odf v1.2?  Currently I guess we do as we leave the choice of algorithm completely open.  Its a tricky one.  I would suggest that applications, such as openoffice, should be free to implement the algorithm for reading and writing .xls or .doc files, but I would strongly discourage its use in odf files.


----- Original Message -----
From: "robert weir" <robert_weir@us.ibm.com>
To: "Kohei Yoshida" <kyoshida@novell.com>
Cc: "office" <office@lists.oasis-open.org>
Sent: Monday, July 7, 2008 9:50:05 PM (GMT+0200) Africa/Harare
Subject: Re: [office] Proper identifier for Excel-style digest algorithm

Kohei Yoshida <kyoshida@novell.com> wrote on 07/07/2008 03:03:46 PM:

> Hi there,
> I've already asked privately to Michael and Rob, and I think it's
> appropriate to ask this list.
> I'm working on supporting the password hash algorithm that Excel uses to
> hash worksheet and document passwords in OOo.  Luckily this doesn't
> require any modification to the ODF schema since ODF already allows
> alternative digest algorithm as described in Section 18.972
> table:protected (as of v1.2 draft7-3).  But I'd like to correctly
> associate and document this Excel-style algorithm in the ODF spec.
> The algorithm itself is documented in Section of ECMA TC-45
> OOXML specification.  The code contained therein, however, is not
> entirely correct, so I posted the correct algorithm in my blog page[1]
> for now.  I assume the final version of the OOXML spec will contain the
> correct algorithm, but so far, the latest (public) version of the spec
> that I have access to still contains the old, incorrect version.
> The question I'd like to ask the list members is this: what identifier
> should we use as the value of the table:protection-key-digest-algorithm
> attribute to refer to the new algorithm?  The current definition for
> this attribute:
> <attribute name="table:protection-key-digest-algorithm"
>            a:defaultValue="
>     <ref name="anyURI"/>
> </attribute>
> suggests that the name must be a URI.  But I'm not sure what URI to use
> for this new algorithm.
> Any ideas, anyone?

How does OOXML, in their revised text, refer to the legacy algorithm?  I thought they also supported modern algorithms now like SHA256.  So they must have some way of indicating or referring to the legacy algorithm.  It might not be a URI, but they must describe it somehow, right?  If all else fails, call it something like "ISO/IEC 29500 Legacy Hash".

Ideally we would refer to either ISO/IEC 29500, section or  Ecma-376 (second edition) whenever either one of those documents appears in a publicly viewable form.  I don't think we want to duplicate their algorithm definition if we can avoid doing so.  Better to reference what they already have, when it is corrected.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]