
oic message



Subject: RE: Mark-up on Interop Profile


Hello Andrew,


>> Regarding passwords:
>>
>>> "1 character password seems really strange.  One would think the
>>> lower end would be at least 4 maybe 6 characters."
>>
>> You're absolutely right on the Producer part, so that's why I only
>> mentioned *Consumer*. After all, one might receive a password
>> protected document created with an "insecure" implementation.
>> (IIRC, KOffice 2.x allows for 1-character passwords, for instance)
>
>
> but that document would not necessarily be a conforming interoperable
> doc.

Correct, assuming that ODF11i-Consumers can read "normal" ODF files
(perhaps only up till a certain point, but allowing for some flexibility for
interoperability purposes. Be liberal in what to accept etc, like you
mentioned in your email)


>>> "Requiring weak encryption as a conformance requirement is not
>>> correct"
>
>> That's not *requiring*, but *allowing* to consume weakly protected
>> documents. Remember, a plain text XML file is conforming as well :-)
>
> This would require that implementer implement 'weak encryption'.

Technically, that's a "weak password", not "weak encryption" :-)

> The problem is with the appearance of security without actual security.
> This is in effect requiring the support of weak encryption for
> conformance.

Here you and I respectfully disagree, so perhaps the other TC members
could share their thoughts with us :)

I do see your point on security, but that should be part of a security profile,
as 99+ % of the ODF files don't have a password in the first place.
So if someone sends me a document with a short password (or the super
secret "password"), I'd rather have my ODF11i-Cons to be able to open it
than having to ask the user to choose a longer password and send the
document again... (most probably by emailing the document along with
the password...)

If my ODF11i-Prod doesn't allow me to set a 1-character password, fine,
that's something I can live with (and, once again, that's why I only added
something about the Consumer)

I've also started a draft on another profile, related to digital signatures
etc. In such a security profile, it would be entirely OK to demand at least
6 characters.



> I understand the idea of read liberally and write conservatively, but
> there is something strange about how that works in this document.

Well, the document is just a start, so there's quite some room for
improving it :-)


> I don't think these requirements are unreasonable - but I do believe
> that they need to be formulated differently.
> We need to separate requirements for consuming ODF11i-Doc, with
> requirements for translating non-ODF11i-Doc into ODF11i-Doc.

Good point, that'll make it easier to read and understand.


Best regards,

Bart

