OASIS Mailing List Archives



office message


Subject: [OASIS Issue Tracker] Commented: (OFFICE-1225) Public Comment: ODF security hazard? (ODF all versions)

    [ http://tools.oasis-open.org/issues/browse/OFFICE-1225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16021#action_16021 ] 

Mingfei Jia commented on OFFICE-1225:

First, a quick summary of the raw mails. The reporter, Alex Brown, suggests forbidding DTD in ODF and referring to RFC3023 to avoid security vulnerabilities. Michael disagrees with forbidding DTD because it is a general XML issue not specific to ODF, and would not list the security items in ODF. Rob suggests adding security considerations in an ODF appendix or working out a "Secure ODF" profile, not only for the XML DTD issue but also for script, OLE, etc. Additionally, Bart commented that the ODF zip package is often filtered out by some system firewalls.

I think most security issues are caused by ODF implementations and generally cannot be solved by a file format specification. We cannot restrict the feature set in the general ODF specification just because of security issues. So I prefer Rob's approach of giving security considerations in an ODF appendix or a "Secure ODF" profile independently, and the contents may involve XML security, script security, OLE security, digital signatures, encryption algorithms, etc. These security guidelines are not mandatory, just suggestions for ODF vendors if they would like to implement a secure ODF. The TC can defer this JIRA issue to ODF next for further investigation.

> Public Comment: ODF security hazard? (ODF all versions)
> -------------------------------------------------------
>                 Key: OFFICE-1225
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-1225
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: ODF 1.0, ODF 1.0 (second edition), ODF 1.1, ODF 1.2
>            Reporter: Robert Weir 
>            Assignee: Robert Weir 
>            Priority: Blocker
>             Fix For: ODF 1.2
> Copied from office-comment list
> Original author: "Alex Brown" <alexb@griffinbrown.co.uk> 
> Original date: 21 Feb 2009 12:35:07 -0000
> Original URL: http://lists.oasis-open.org/archives/office-comment/200902/msg00026.html

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
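
A defender-side check for the DTD concern summarized in the comment above, as an added example that is not part of the original message or of any ODF implementation: it rejects an ODF zip package if any XML member carries a DOCTYPE declaration. The function names, the size cap and the sample packages are assumptions constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed cap, not taken from the ODF spec

class _DoctypeSeen(Exception):
    """Raised from the expat handler to abort parsing at the DOCTYPE."""

def xml_verdict(data: bytes) -> str:
    """Return 'clean', 'doctype' or 'malformed' for one XML stream."""
    parser = expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise _DoctypeSeen(name)  # stop before the DTD body is processed
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        # A real parser is used instead of a byte search so that
        # non-UTF-8 encodings (e.g. UTF-16) are still recognized.
        parser.Parse(data, True)
    except _DoctypeSeen:
        return "doctype"
    except expat.ExpatError:
        return "malformed"
    return "clean"

def scan_odf_package(package: bytes) -> dict:
    """Map each rejected .xml member of an ODF zip package to its verdict."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_MEMBER_BYTES + 1)  # bounded read
            verdict = "too-large" if len(data) > MAX_MEMBER_BYTES else xml_verdict(data)
            if verdict != "clean":
                findings[info.filename] = verdict
    return findings

def build_sample(content_xml: bytes) -> bytes:
    """Constructed sample: a minimal ODF-like zip, not a full valid document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()

CLEAN = b'<?xml version="1.0"?><doc/>'                       # constructed
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE doc [<!ENTITY e "x">]><doc>&e;</doc>'

if __name__ == "__main__":
    print(scan_odf_package(build_sample(CLEAN)))
    print(scan_odf_package(build_sample(WITH_DTD)))
```

An empty result means no XML member was rejected; any entry names the member and the reason it was refused.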

