OASIS Mailing List Archives



office message


Subject: [OASIS Issue Tracker] Commented: (OFFICE-2315) Public Comment: ODF1.2 part 1 cd03 - 3.16 digital sig, certificate chain (CLONE)

    [ http://tools.oasis-open.org/issues/browse/OFFICE-2315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18789#action_18789 ] 

Dennis Hamilton commented on OFFICE-2315:

We can't use MUST.  We must use SHALL.   (Malte, I was responding to the =>MUST in your earlier.  I wasn't sure what you meant by that.)

I have questions around what we mean by "all files in the package," including anything else that begins with META-INF/ (namely, other digital-signature files), the META-INF/manifest.xml, the mimetype, any thumbnail file, and any (other) files not included in META-INF/manifest.xml?

There's already a problem with not being able to encrypt the digital signature files, but if they can be encrypted, it is impossible that they can sign manifest.xml.  How do we reconcile that problem?  Failing to encrypt digital signatures is a rather scary information leakage.

I also assume that only the last signature added to documentsignature.xml can also sign documentsignature.xml and no more can be safely added after that without invalidating the signing of documentsignature.xml itself?

Is it a signature-verification error if there are files in the package that have not been included in the META-INF/documentsignature.xml signature(s)?

Each Question Leads to Another.  Here are my last two:

Is there any advice on the transform(s) to be used in the specific case of META-INF/documentsignature.xml?

And finally, what is it that is nonrepudiatable when a successful verification of the signatures in META-INF/documentsignature.xml is obtained?

> Public Comment: ODF 1.2 part 1 cd03 - 3.16 digital sig, certificate chain (CLONE)
> ---------------------------------------------------------------------------------
>                 Key: OFFICE-2315
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-2315
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: ODF 1.2 Part 1 CD 4 
>         Environment: This issue applies to OpenDocument-v1.2-part1-cd04 and Public Review of that document.
>            Reporter: Robert Weir 
>            Priority: Blocker
> Copied from office-comment list
> Original author: Hanssens Bart <Bart.Hanssens@fedict.be> 
> Original date: 24 Dec 2009 13:37:19 -0000
> Original URL: http://lists.oasis-open.org/archives/office-comment/200912/msg00023.html
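
The coverage question raised in the comment above (which package files a signature's references leave out), as an added example that is not part of the original message or of the ODF specification: it lists, per signature, every package entry that no ds:Reference names, bucketed into the categories the comment enumerates. It assumes the signature file name as the message writes it and a constructed sample package, and it checks reference coverage only, not cryptographic validity.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MF = "{urn:oasis:names:tc:opendocument:xmlns:manifest:1.0}"
SIG_PATH = "META-INF/documentsignature.xml"  # assumption: name as written in the message above

def classify(name, in_manifest):
    """Bucket an unsigned entry into the categories the comment enumerates."""
    if name == "mimetype":
        return "mimetype"
    if name == "META-INF/manifest.xml":
        return "manifest"
    if name.startswith("META-INF/"):
        return "other META-INF"
    if name.startswith("Thumbnails/"):
        return "thumbnail"
    return "listed in manifest" if in_manifest else "not listed in manifest"

def unsigned_entries(package_bytes):
    """Map signature Id -> {entry name: category} for files no ds:Reference covers."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        manifest = ET.fromstring(z.read("META-INF/manifest.xml"))
        listed = {e.get(MF + "full-path") for e in manifest.iter(MF + "file-entry")}
        sigs = ET.fromstring(z.read(SIG_PATH))
    report = {}
    for sig in sigs.iter(DS + "Signature"):
        refs = {unquote(r.get("URI", "")) for r in sig.iter(DS + "Reference")}
        report[sig.get("Id")] = {n: classify(n, n in listed) for n in names if n not in refs}
    return report

def build_sample():
    """Constructed package: one signature that references only content.xml."""
    manifest = ('<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
                '<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>'
                '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
                '</manifest:manifest>')
    sig = ('<document-signatures><Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="sig1">'
           '<SignedInfo><Reference URI="content.xml"/></SignedInfo></Signature></document-signatures>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in [("mimetype", "application/vnd.oasis.opendocument.text"),
                           ("content.xml", "<doc/>"), ("extra.bin", "x"),
                           ("Thumbnails/thumbnail.png", "png"),
                           ("META-INF/manifest.xml", manifest), (SIG_PATH, sig)]:
            z.writestr(name, data)
    return buf.getvalue()
```

Whether an entry in this report should count as a verification error is the open question in the comment; the report only makes the uncovered set visible so a verifier can apply whatever rule is chosen.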
