> -----Original Message----- > From: Don Lewis [mailto:truck...@apache.org] > Sent: Monday, March 28, 2016 15:32 > To: dev@openoffice.apache.org > Cc: dennis.hamil...@acm.org > Subject: Re: Release Manager for 4.2.0? > > On 28 Mar, Dennis E. Hamilton wrote: > > Commenting just on document signing ... > > > >> -----Original Message----- > >> From: Pedro Giffuni [mailto:p...@apache.org] > >> Sent: Monday, March 28, 2016 13:48 > >> To: OOo Apache <dev@openoffice.apache.org> > >> Subject: Re: Release Manager for 4.2.0? > > [ ... ] > >> > >> [ ... ] I am unsure about what in OpenOffice > >> uses the new cyphers. I think OpenSSL is used for signing documents: > >> when we update OpenSSL will AOO automatically accept more signing > >> options? I would expect browsers will bring their own SSL > >> implementations. > > [orcmid] > > > > The document signature support in Apache OpenOffice is based on XML > > Digital Signatures Second Edition, > > <http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/>. This has > > nothing to do with communications via secure sockets of course. > > Granted that OpenSSL provides library functions for more than that, > > there is still very limited use for signing documents. > > > > X.509 digital certificates are employed. XadES extensions may be used > > (impacting metadata information mainly and only implemented by > > Microsoft in ODF as far as I know). Depending on the platform the > > operating-system secure store for the signing key will usually be > > employed, so there is operating-system integration. (This is > > definitely true for Windows.) > > OpenSSL also provides libcrypto which contains functions for creating, > validating, and using certificates. It uses some of this functionality > to verify that a secure socket connection is actually connected to the > desired remote endpoint. I've used to the openssl command line tool to > produce a certificate that was used to authenticate a connection from a > local application to a remote service. > > There seems to be a standard place to store certificates under a user's > home directory in the *nix world. A while back I signed up for a > service that requires updates from me to be signed with a certificate > that they created for me and that my browser downloaded and stashed away > somewhere. When I tried signing a document with OpenOffice, it found > this certificate and offered it as a choice for signing. > > Since OpenOffice also uses curl, which is used for downloading files, > and curl uses OpenSSL, it looks like OpenOffice depends on OpenSSL for > secure downloads. I don't know if it downloads anything other than > extensions and updates. [orcmid]
That's useful to know. Apache OpenOffice doesn't generate any client-side certificates, but it does use certs it can find for signing documents. I suspect, for secure downloads, AOO only works with the cert from the server, HTTPS-style. > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org > For additional commands, e-mail: dev-h...@openoffice.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
