Hello Dennis
The analysis you lay out below is, at least in my opinion, correct.
The way table cells (and other aspects of documents) have been
"protected" by office applications historically is, at best, naive
and, at worst, fraudulent. Perhaps some sort of warning is required
in the specification to prevent the latter charge. The only reason
one can think of to maintain such a feature is to have backward
compatibility as well as interoperability with other applications
which do something similar. I have, over time, become reluctantly
persuaded that these are sufficiently valuable aims to maintain the
"feature" though I would not compromise over using a known weak
algorithm to protect the password - Florien will remember long
arguments over a similar "feature" in OOXML. As you point out, the
password is the only thing being protected here. Of course in time
other algorithms become weak (and some even become known to be so) but
that's another matter.
That some of the resulting problems can be overcome by applying a
signature to the "protected" part was one of the use cases I had in
mind when I suggested that we should provide explicit support for the
signing of XML document fragments in the original DSIG proposal
submitted by Jomar and myself (the other use case was to provide for
visible signature graphics). For a couple of reasons, we chose not to
pursue this for the moment:
(1) there is actually nothing in the specification which prevents
applications calculating such signatures anyway. So if the integrity
of protected cells in a table is really important to you, you can sign
them. But for the specification to effectively require some form of
PKI is probably not appropriate.
(2) there is a wide range of other possible signature scenarios
involving different types of signatures, different combinations of
signed content, etc. We need to have a fairly rich and well
thought out means to say things about these signatures. Current
thinking seems to suggest that the ODF metadata mechanism will be the
correct way to do this. I agree and I see this as a high priority
next/requirements issue rather than something we should try to get
right in a hurry.
For the moment I don't think that any implementors are unaware of the
issue. Of course the hapless users are another matter. Perhaps we
should recommend that implementations provide a warning to users that
cell-protection is not a security feature - simply an application
convenience.
Regards
Bob
2009/1/2 Dennis E. Hamilton