Bob, Rob,
On 09/01/09 19:02, Robert Weir/Cambridge/IBM wrote:
> The reason to allow more than one algorithm, aside from preferences
> (individual, corporate, national requirements etc.) is that an attack
> could be found against any one of these algorithms and you don't want to
> be in a situation where the only algorithms specified are weak or broken.
Yes, this is a valid point. In addition, there may be situations where
any of the algorithms defined by the W3C or any set of algorithms we may
define ourselves does not include an algorithm that is mandated by a
particular organization or government that wishes to use ODF. So, also
from that perspective, it seems to be reasonable to me that, if we allow
additional algorithms, that we are not again restricting them to a
particular set. But of cause, the proposal should clearer state that for
the algorithms defines the the W3C specifications, the IRIs defined be
the W3C specification shall be used.
Regarding implementation defined IRIs, we have already a requirement
that conforming implementations have to document the implementation
defined values they are using. This includes the IRIs that denote
algorithms.
> The use of SHA1, in particular, does not seem to be a good algorithm
> today.
>
> Of course, this doesn't mean you need to leave it open ended.
>
> It really boils down to three questions:
>
> 1) For each algorithm type (hash, encryption, etc.), what unique
> identifier to we associate with each algorithm?
This actually needs to be clarified in my proposal.
>
> 2) For the sake of encouraging interoperability do we recommend or mandate
> that a subset of these algorithms be supported?
The idea behind the proposal was to open encryption for additional
algorithms as a first step In ODF 1.2. The algorithms that we had
already in ODF 1.1 remain mandatory for implementations that support
encryption. This set may be extended in later versions.
>
> 3) Do we allow implementation-defined algorithms beyond those which we
> have assigned identifiers to?
I would recommend that for the reasons mentioned above.
>
> But remember, there is nothing in the standard that mandates the support
> of the document encryption feature at all, so #2 doesn't really help us
> much here, does it?
Thank you for our feedback
Michael
>
> -Rob
>
>
>
>
> From:
> Bob Jolliffe