31 messages in org.oasis-open.lists.officeRe: [office] Digital Signature proposal| From | Sent On | Attachments |
|---|---|---|
| Jomar Silva | Jul 11, 2008 9:59 am | |
| Bob Jolliffe | Jul 12, 2008 7:09 am | |
| robe...@us.ibm.com | Jul 13, 2008 12:12 pm | |
| Duane Nickull | Jul 13, 2008 12:35 pm | |
| Bob Jolliffe | Jul 27, 2008 1:27 pm | |
| Ming Fei Jia | Jul 30, 2008 4:02 am |  .gif, .gif, .gif, 8 more |
| Bob Jolliffe | Jul 30, 2008 4:52 am | |
| Jomar Silva | Jul 30, 2008 9:01 am | |
| Duane Nickull | Jul 30, 2008 9:13 am | |
| Dave Pawson | Jul 30, 2008 9:40 am | |
| Duane Nickull | Jul 30, 2008 9:51 am | |
| Dave Pawson | Jul 30, 2008 10:28 am | |
| Duane Nickull | Jul 30, 2008 10:49 am | |
| Ming Fei Jia | Jul 31, 2008 9:17 am | .gif, .gif, .gif, 13 more |
| Dave Pawson | Jul 31, 2008 9:56 am | |
| Jomar Silva | Jul 31, 2008 10:32 am | |
| Bob Jolliffe | Jul 31, 2008 10:42 am | |
| Dave Pawson | Jul 31, 2008 11:41 am | |
| Duane Nickull | Jul 31, 2008 11:47 am | |
| robe...@us.ibm.com | Jul 31, 2008 2:43 pm | |
| Duane Nickull | Jul 31, 2008 2:54 pm | |
| Jomar Silva | Jul 31, 2008 3:15 pm | |
| Duane Nickull | Jul 31, 2008 3:32 pm | |
| Ming Fei Jia | Jul 31, 2008 10:53 pm | .gif, .gif, .gif, 6 more |
| Dee Schur | Aug 1, 2008 7:05 am | |
| Michael Brauer - Sun Germany - ham02 - Hamburg | Aug 8, 2008 5:57 am | |
| Michael Brauer - Sun Germany - ham02 - Hamburg | Aug 8, 2008 6:06 am | |
| Dave Pawson | Aug 8, 2008 6:11 am | |
| Bob Jolliffe | Aug 8, 2008 7:06 am | |
| Michael Brauer - Sun Germany - ham02 - Hamburg | Aug 11, 2008 4:49 am | |
| Bob Jolliffe | Aug 12, 2008 12:57 am |
| Subject: | Re: [office] Digital Signature proposal | |
|---|---|---|
| From: | Duane Nickull (dnic...@adobe.com) | |
| Date: | Jul 31, 2008 2:54:18 pm | |
| List: | org.oasis-open.lists.office | |
Title: Re: [office] Digital Signature proposal
Good thoughts Robert. I think we ought to call in the right people. You have an expert working for IBM by the name of Mary-ann Hondo (spelling?). I worked with her in other standards groups. I would also like to suggest we bring in some Adobe experts (people who know way more than me) and perhaps some neutral government people who are responsible for policy in this area.
The rationale? It would be pointless to build this part of the ODF specification and find out later it doesn't meet the minimal requirements for 9/10 governments worldwide. Let's at least attempt to get it right and make sure that implementers are not locked outside of government contracts due to the spec being sub-standard.
My $0.02 CAD.
Duane
On 31/07/08 2:44 PM, "robe...@us.ibm.com> wrote:
Duane Nickull <dnic...@adobe.com> wrote on 07/30/2008 01:49:45 PM:
> > It sounds like this TC has not documented dSig requirements from users. As > a big fan of ODF, I would like to suggest we consider collecting some as I > would hate to see implementations of ODF get pushed aside based on not > meeting the basic requirements for dSig. I can help reach out to the > Canadian Government, maybe UK, Austria, Germany and US too. > > Thoughts? >
Document security, both on the encryption and digital signature side is a critical issue to get right. I know that I'm not an expert in the area, but my gut feeling is that we need to bring in some expertise. This is similar to what we did when we brought it accessibility experts to evaluate our gaps and options with ODF 1.0.
The concerns I have are:
1) XAdES appears to satisfy the requirements of Brazil and possible Europe. But what about the US (FIPS)? What about Japan? What about China? Most of the ODF vendors today are selling their products internationally. The open source implementations are certainly distributing internationally. So I think we need a more comprehensive view of what the digital signature requirements are globally. Although XAdES may be part of this, I think it may be worth getting the requirements up front and to work this out comprehensively. Maybe it means we need W3C XML DigSig and 3 other standards, including XAdES. I don't know. But I don't want to wait for ODF 2.0 for this. I want us to get this done for ODF 1.2.
2) Are we doing the right thing for encryption? I read one blog post by a security expert suggesting that what we have specified today may not be adequate: http://blogs.msdn.com/david_leblanc/archive/2008/07/03/office-crypto-follies.aspx
3) Are we doing what we need now, to be flexible for what we may add tomorrow? For example, we may not allow field level encryption today, or slide-level signatures today, or multiple author signatures on overlapping parts of a document, but let's make sure that we don't specify these things in a way which would preclude us from adding more advanced features later. I'd like to be able to wave my arms and describe how these features could be done, by extending what we have specified, without looking too foolish.
Again, this is not my area of expertise, but I can certainly tap into security expertise within IBM. I wonder whether it would be worth putting together a few experts from TC members and member companies to review what we have today, and Jomar's/Bob's proposal, and suggest additional requirements that should be met for ODF 1.2, and serve as a reviewer of the security areas of the eventual draft text. This could be done as a "security subcommittee" like we did with accessibility. Or we could do it with a few conference calls, outside of the normal TC call schedule.
In the end we need these features in ODF to be world class, because that is our audience.
-Rob
-- ********************************************************************** Senior Technical Evangelist - Adobe Systems, Inc. Duane's World TV Show - http://www.duanesworldtv.org/ Blog - http://technoracle.blogspot.com Community Music - http://www.mix2r.com My Band - http://www.myspace.com/22ndcentury Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html **********************************************************************