Subject: RE: Mark-up on Interop Profile
Hello Andrew,

>> Regarding passwords:
>>
>>> "1 character password seem really strange. One would think the
>>> lower end would be at least 4 maybe 6 characters."
>>
>> You're absolutely right on the Producer part, so that's why I only
>> mentioned *Consumer*. After all, one might receive a password
>> protected document created with an "insecure" implementation.
>> (IIRC, Koffice 2.x allows for 1-character passwords, for instance)
>
>
> but that document would not necessarily be a conforming interoperable
> doc.

Correct, assuming that ODF11i-Consumers can read "normal" ODF files (perhaps only up till a certain point, but allowing for some flexibility for interoperability purposes. Be liberal in what to accept etc, like you mentioned in your email)

>>> "Requiring weak encryption as a conformance requirement is not
>>> correct"
>
>> That's not *requiring*, but *allowing* to consume weakly protected
>> documents. Remember, a plain text XML file is conforming as well :-)
>
> This would require that implementer implement 'weak encryption'.

Technically, that's a "weak password", not "weak encryption" :-)

> The problem is with the appearance of security without actual security.
> This is in effect requiring the support of weak encryption for
> conformance.

Here you and I respectfully disagree, so perhaps the other TC members could share their thoughts with us :) I do see your point on security, but that should be part of a security profile, as 99+ % of the ODF files don't have a password in the first place. So if someone sends me a document with a short password (or the super secret "password"), I'd rather have my ODF11i-Cons be able to open it than having to ask the user to choose a longer password and send the document again... (most probably by emailing the document along with the password...)

If my ODF11i-Prod doesn't allow me to set a 1-character password, fine, that's something I can live with (and, once again, that's why I only added something about the Consumer).

I've also started a draft on another profile, related to digital signatures etc. In such a security profile, it would be entirely OK to demand at least 6 characters.

> I understand the idea of read liberally and write conservatively, but
> there is something strange about how that works in this document.

Well, the document is just a start, so there's quite some room for improving it :-)

> I don't think these requirements are unreasonable - but I do believe
> that they need to be formulated differently.
> We need to separate requirements for consuming ODF11i-Doc, with
> requirements for translating non-ODF11i-Doc into ODF11i-Doc.

Good point, that'll make it easier to read and understand.

Best regards,
Bart