OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Commented: (OFFICE-3467) ODF 1.2 CD05-110.4.1 Frame Substitutions Repudiatable


    [ http://tools.oasis-open.org/issues/browse/OFFICE-3467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21967#action_21967 ] 

David LeBlanc commented on OFFICE-3467:
---------------------------------------

All you can really do is make a best effort. If some particular item is really problematical, then an implementation would be free to convert the item to a bitmap, or something else static.

Likewise with external links. It is rarely practical to sign external data. However, you should sign the link, or someone could alter the link, which leads to a lot of mischief. Or you could always get a current copy of the linked data, and store it in the archive, and then sign that.

You'll always run into difficulties with the presentation layer - just an innate problem for digital documents. I'm not sure we want to bog down the standard with this, though.

> ODF 1.2 CD05-1 10.4.1 Frame Substitutions Repudiatable
> ------------------------------------------------------
>
>                 Key: OFFICE-3467
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-3467
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: Graphics, Part 1 (Schema), Security
>            Reporter: Dennis Hamilton
>
> Because different consumers may present different alternatives in a <draw:frame>, one that is presented by a consumer need not be the one that was seen when a producer provided a digital signature on the document.
> A signer may successfully claim that the document as presented by a consumer is not the one that was signed, even though the signature is verified.  
> The difficulty is magnified when one or more of the alternatives is by reference to external material that is not covered by the signature and is not cached so as to be included in the signature.  (This is a general concern when the document contains links to external material that may be accessed automatically and presented as if it is an inherent part of the document without it being somehow reflected in the document package files that are signed.)

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]