OASIS Open Document Format for Office Applications (OpenDocument) TC

 View Only
  • 1.  Table Protection: Uselessness of table:protection-key

    Posted 01-02-2009 06:31
    While researching the Table Protection proposal I noticed an interesting thing.  
    
    It seems that the table:protection-key feature is of no great value in protecting table cells against unauthorized alteration.
    
    This suggests that tightening up the specification of the new ODF 1.2 attribute table:protection-key-digest-algorithm may be wasted effort compared with avoiding it altogether.
    
    Before we go to the trouble to clean up the table:protection-key-digest-algorithm attribute so that it is well-specified, I suggest we consider whether we are better off without it, deprecating and removing table:protection-key instead.
    
     - Dennis
    
    1. SUMMARY
    
    1.1 In the existing OASIS Standards for ODF, a 


  • 2.  Re: [office] Table Protection: Uselessness of table:protection-key

    Posted 01-02-2009 21:26
    Hello Dennis
    
    The analysis you layout below is, at least in my opinion, correct.
    The way table cells (and other aspects of documents) have been
    "protected" by office applications historically is, at best, naive
    and, at worst, fraudulent.  Perhaps some sort of warning is required
    in the specification to prevent the latter charge.  The only reason
    one can think of to maintain such a feature is to have backward
    compatibility as well as interoperability with other applications
    which do something similar.  I have, over time, become reluctantly
    persuaded that these are sufficiently valuable aims to maintain the
    "feature" though I would not compromise over using a known weak
    algorithm to protect the password - Florien will remember long
    arguments over a similar "feature" in ooxml.  As you point out, the
    password is the only thing being protected here.  Of course in time
    other algorithms become weak (and some even become known to be so) but
    that's another matter.
    
    That some of the resulting problems can be overcome by applying a
    signature to the "protected" part was one of the use cases I had in
    mind when I suggested that we should provide explicit support for the
    signing of XML document fragments in the original DSIG proposal
    submitted by Jomar and myself (the other use case was to provide for
    visible signature graphics).  For a couple of reasons, we chose not to
    pursue this for the moment:
    
    (1)  there is actually nothing in the specification which prevents
    applications calculating such signatures anyway.  So if the integrity
    of protected cells in a table is really important to you, you can sign
    them.  But for the specification to effectively require some form of
    PKI is probably not appropriate.
    
    (2)  there is a wide range of other possible signature scenarios
    involving different types of signatures, different combinations of
    signed content etc etc.  We need to have a fairly rich and well
    thought out means to say things about these signatures.  Current
    thinking seems to suggest that the ODF metadata mechanism will be the
    correct way to do this.  I agree and I see this as a high priority
    next/requirements issue rather than something we should try to get
    right in a hurry.
    
    For the moment I don't think that any implementors are unaware of the
    issue.  Of course the hapless users are another matter.  Perhaps we
    should recommend that implementations provide a warning to users that
    cell-protection is not a security feature - simply an application
    convenience.
    
    Regards
    Bob
    
    2009/1/2 Dennis E. Hamilton