> -----Original Message-----
> From: Don Lewis [mailto:truck...@apache.org]
> Sent: Monday, March 28, 2016 15:32
> To: dev@openoffice.apache.org
> Cc: dennis.hamil...@acm.org
> Subject: Re: Release Manager for 4.2.0?
> 
> On 28 Mar, Dennis E. Hamilton wrote:
> > Commenting just on document signing ...
> >
> >> -----Original Message-----
> >> From: Pedro Giffuni [mailto:p...@apache.org]
> >> Sent: Monday, March 28, 2016 13:48
> >> To: OOo Apache <dev@openoffice.apache.org>
> >> Subject: Re: Release Manager for 4.2.0?
> > [ ... ]
> >>
> >> [ ... ] I am unsure about what in OpenOffice
> >> uses the new cyphers. I think OpenSSL is used for signing documents:
> >> when we update OpenSSL will AOO automatically accept more signing
> >> options? I would expect browsers will bring their own SSL
> >> implementations.
> > [orcmid]
> >
> > The document signature support in Apache OpenOffice is based on XML
> > Digital Signatures Second Edition,
> > <http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/>. This has
> > nothing to do with communications via secure sockets of course.
> > Granted that OpenSSL provides library functions for more than that,
> > there is still very limited use for signing documents.
> >
> > X.509 digital certificates are employed.  XadES extensions may be used
> > (impacting metadata information mainly and only implemented by
> > Microsoft in ODF as far as I know).  Depending on the platform the
> > operating-system secure store for the signing key will usually be
> > employed, so there is operating-system integration.  (This is
> > definitely true for Windows.)
> 
> OpenSSL also provides libcrypto which contains functions for creating,
> validating, and using certificates.  It uses some of this functionality
> to verify that a secure socket connection is actually connected to the
> desired remote endpoint.  I've used to the openssl command line tool to
> produce a certificate that was used to authenticate a connection from a
> local application to a remote service.
> 
> There seems to be a standard place to store certificates under a user's
> home directory in the *nix world.  A while back I signed up for a
> service that requires updates from me to be signed with a certificate
> that they created for me and that my browser downloaded and stashed away
> somewhere.  When I tried signing a document with OpenOffice, it found
> this certificate and offered it as a choice for signing.
> 
> Since OpenOffice also uses curl, which is used for downloading files,
> and curl uses OpenSSL, it looks like OpenOffice depends on OpenSSL for
> secure downloads.  I don't know if it downloads anything other than
> extensions and updates.
[orcmid] 

That's useful to know.

Apache OpenOffice doesn't generate any client-side certificates, but it does 
use certs it can find for signing documents.  

I suspect, for secure downloads, AOO only works with the cert from the server, 
HTTPS-style.
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org

Reply via email to