OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Commented: (OFFICE-3417) Public Comment:Comment on ODF v1.2 CD 05 - Document Signatures

    [ http://tools.oasis-open.org/issues/browse/OFFICE-3417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21111#action_21111 ] 

Dennis Hamilton commented on OFFICE-3417:

I examined some of the material that Nick Pope links to.

There are more problems than just the name of the signature file.

First, they require that the META-INF/signatures.xml document be the container for all digital signatures for the package.  So all manner of signatures must be incorporated into the one XML document.

Second, encryption is handled with a META-INF/encryption.xml file and it, with the currently-stated interdependencies with signatures.xml and with the piecewise encryption of package files, raises a series of difficulties that we have already been struggling with.  There is also a requirement that META-INF/signatures.xml never be encrypted and they seem not to flinch over signing the unencrypted plaintext of what is then encrypted.  The signing of ciphertext seems to be ambigously described.  I'm not sure how the cases are differentiated.  It may be a mimic of the implementation used in OO.o but it is not clear in my quick analysis.

The description of the META-INF/signatures.xml file is lacking.  For example, the <Signatures> root element has no namespace.  There are also some statements about the use of xml-dsig as the interior individual signatures that seem even looser than those we are proposing to improve in ODF 1.2.

Having said all of that, there is some interesting language on the ability to add more signatures to the <Signatures> element (which works as a list in pretty much the same way as our namespaced element of similar name), and how that becomes prevented (unless the last signer is willing to invalidate the previous signatures), in which case the earlier signatures could simply be removed, of course.

The general problem of package material, including signatures, being injected after a META-INF/[document]signatures.xml has been created is a touchy case for all of us, it would seem.

> Public Comment: Comment on ODF v1.2 CD 05 - Document Signatures
> ---------------------------------------------------------------
>                 Key: OFFICE-3417
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-3417
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: Packaging
>    Affects Versions: ODF 1.2 CD 05
>            Reporter: Robert Weir 
> Copied from office-comment list
> Original author: "Pope, Nick" <Nick.Pope@thales-esecurity.com> 
> Original date: 6 Sep 2010 19:48:26 -0000
> Original URL: http://lists.oasis-open.org/archives/office-comment/201009/msg00001.html

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]