On 17.09.2011 18:47, Rob Weir wrote:

> On 9/17/11, Mathias Bauer <mathias_ba...@gmx.net> wrote:
>> On 17.09.2011 14:44, Rob Weir wrote:
>>
>>> When the competition for a new algorithm ended, the winner was the
>>> Advanced Encryption Standard (AES).  We really need to support that
>>> algorithm.  There is a reason why ODF 1.3 recommends it.  There are
>>> regulations in several countries that specify what cryptographic
>>> methods may be used for government work.  In the US this is called
>>> FIPS == Federal Information Processing Standards.  There are similar
>>> rules, for example, in Japan.  FIPS 140-2 recommends AES. It does not
>>> recommend Blowfish.  So this has great relevance for government users,
>>> government contractors, as well as other sectors like healthcare.
>>
>> As you said, OOo *1.3* will *recommend* it. Does that require postponing
>> an AOOo 3.4 release until there is a code replacement for nss? Or do you
>> already have something to use? IIRC it took roughly two weeks to
>> implement and test the new AES code for an engineer familiar with the
>> code. I assume that for a newbie that would be quite some time more.
>>
> 
> Support for AES exists in the JCE and via the ODF Toolkit.  The latter
> is Apache 2.0 licensed.
> 
>> IMHO getting 3.4 out fast is important. And of course having AES
>> encryption is important also - immediately after that.
>>
> 
> I'm flexible on the staging of this.  Eventually we'll want to
> have full AES support.  I've seen Microsoft push OOo out of
> consideration for government accounts by arguing that the MS Office
> crypto is certified and ours is using an algorithm (Blowfish) that is
> not, that OOo uses a cipher that even the author recommends not using.
> We don't win that debate with a backwards compatibility argument.

Sure, I wasn't aiming at backwards compatibility. In fact I was one of
those who were responsible for adding AES encryption to OOo's ODF code,
for the same reasons as yours.

I just recommended giving the urgency of a 3.4 release a higher priority
than the usage of AES encryption for saving ODF 1.2 documents in that
release.

Regards,
Mathias
