
office message


Subject: [OASIS Issue Tracker] Commented: (OFFICE-2270) Public Comment: FW:[oic] encryption of signature files

    [ http://tools.oasis-open.org/issues/browse/OFFICE-2270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16842#action_16842 ] 

Dennis Hamilton commented on OFFICE-2270:

As this issue report notes, ODF DSIG files cannot be encrypted because they all have full-name values beginning with "META-INF/" and are therefore not permitted to have <manifest:file-entry> elements in the manifest.xml file.

It is undesirable that signature files be unencrypted when ODF 1.2 encryption is applied, because this constitutes an unwarranted information-leakage vulnerability.  Also, since the signatures are presumably against the unencrypted (and, indeed, uncompressed) package files, it makes no sense for them not to be encrypted.

I presume one difficulty with including signature files in the manifest is that it makes it difficult to subject the manifest.xml file to any signature, especially if it is expected that signatures can be injected into the package.  The problem would be that addition of a new signature into the package would invalidate any existing signature that included the manifest as it existed before that injection led to alteration of the manifest.

This problem arises only if there is more than one signature file in the package and it is not known whether any of them include the manifest in what they require to be unmodified in order for signature verification to succeed.

I propose that META-INF/manifest.xml and thumbnail be the only files excluded from META-INF/manifest.xml and that digital signature files be included in the manifest the same as any other files.  

 - - - -

PS: I have been unable to invent a situation that requires a signature to embrace the manifest.xml file in order to be an effective signature.  First, it is not possible for any ODF DSIG signature to sign the entire package to the exclusion of additional material.  It appears that only an external signature can accomplish that.  In addition, injection of additional files into a package, whether additional signatures, metadata.rdf, or anything else that does not alter package files that are included in a signing is benign as far as the integrity of those signatures is concerned.  Furthermore, requiring signature files, and those others, to be included in manifest.xml is the most application-unaware package integrity check we can have.  Finally, I have failed to conceive of a scenario where one or more files in a package are signed without the package structure being understood and the proper recording of the dsig file in the manifest necessarily being a capability of the signing process.

> Public Comment: FW: [oic] encryption of signature files
> -------------------------------------------------------
>                 Key: OFFICE-2270
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-2270
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>    Affects Versions: ODF 1.2 Part 3 CD 1
>            Reporter: Robert Weir 
>            Priority: Blocker
> Copied from office-comment list
> Original author: Hanssens Bart <Bart.Hanssens@fedict.be> 
> Original date: 17 Dec 2009 16:43:51 -0000
> Original URL: http://lists.oasis-open.org/archives/office-comment/200912/msg00015.html

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
