OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Commented: (OFFICE-2686) ODF 1.2 Part 1 3.16Macro Signature Meaningless and Inappropriate

    [ http://tools.oasis-open.org/issues/browse/OFFICE-2686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19347#action_19347 ] 

Dennis Hamilton commented on OFFICE-2686:

[transcribed from post by David Leblanc, 2010-06-01T22:01Z, <http://lists.oasis-open.org/archives/office/201006/msg00022.html>]:

I'm apparently still not able to log in to edit issues directly - I should see about fixing that.

At any rate, perhaps the right thing to do is to make this useful. The information needed to make this meaningful would be to identify the files or folder that a macro signature would be applied to - just where do you keep macros?

A second note would be to discuss whether a full document signature should also include the macros. One could argue that things would be signed by one or the other, or it could be argued that a full document signature should include everything, as a macro could change the appearance of the document. Microsoft Office has chosen to take the second option, where a macro signature only signs the macro, and a full document signature signs the macro along with the rest of the document.

I'm comfortable with leaving decisions made about what to do based on the validity of a macro signature up to the implementer - it isn't the job of the document format to determine behaviors (IMHO). 

I'd suggest that the files which may contain macros be defined in some way, and that the format of the signature also be defined to match a full document signature as closely as possible. It may be a good thing to go ahead and reserve a name for the macro signature file, though a consideration would be whether multiple macros might be independently signed. Perhaps a naming convention, or even a folder within META-INF that is designated for macro signatures.

Dennis has some good points, but perhaps the right thing is to go ahead and flesh out the requirement instead of removing it?

> ODF 1.2 Part 1 3.16 Macro Signature Meaningless and Inappropriate
> -----------------------------------------------------------------
>                 Key: OFFICE-2686
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-2686
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: General, Security
>    Affects Versions: ODF 1.2 CD 05
>         Environment: This defect applies in ODF 1.2 Part 1 CD04 and in the revisions leading up to CD05.  The specific text discussed is that in OpenDocument-v1.2-part1-cd04-rev05.odt
>            Reporter: Dennis Hamilton
>             Fix For: ODF 1.2 Part 1 CD 5
> Section 3.16 essentially restates provisions already provided in ODF 1.2 Part 3.  Most of the restatement is unnecessary and is somewhat self-contradictory.  There is a tiny amount of new material concerning META-INF/documentsignatures.xml.
> The vague treatment of macro signatures is uninformative and only serves to reserve the name META-INF/macrosignatures.xml for an unspecified purpose and significance.  In all material respects, its occurrence is already provided for in Part 3 and the absence of an actionable provision here adds no value.
> This non sequiter is not helpful:
> "Since macro code and executable code is implementation specific, this specification does not define to the files to which a macro signature applies."
> In addition, there is no indication what the signing of macros (and scripts?) signifies and how that is meaningful if document and such macro signatures can be applied simultaneously.
> If there is a problem with naming provisions for digital-signature files in the  META-INF/*signature*.xml family, it seems inappropriate that the solution be incorporation of reserved names for some unidentified party's implementaiton-specific purpose in the ODF 1.2 specification itself.  This problem needs to be dealt with in a generally-useful manner.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]