You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@corinthia.apache.org by "Dennis E. Hamilton (JIRA)" <ji...@apache.org> on 2015/01/10 01:03:35 UTC

[jira] [Commented] (COR-19) Security, Safety and Forensics

    [ https://issues.apache.org/jira/browse/COR-19?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14272113#comment-14272113 ] 

Dennis E. Hamilton commented on COR-19:
---------------------------------------

This project did not achieve its funding.  Tariq Rashid has a few interesting blog posts at http://secure-odf.blogspot.co.uk/

There's a draft profile white paper at https://docs.google.com/document/d/1PTt7PKrQBriy1MGKMb8A_QtlkCByh0LPdSNT6KXEgEs/edit

It's probably appropriate to close this item, since it was basically as a "watch" item on GitHub.

> Security, Safety and Forensics
> ------------------------------
>
>                 Key: COR-19
>                 URL: https://issues.apache.org/jira/browse/COR-19
>             Project: Corinthia
>          Issue Type: New Feature
>         Environment: source
>            Reporter: jan iversen
>            Priority: Minor
>
> The Secure ODF initiative
> I don't expect to see much on this effort, which I had seen early rumblings about: https://www.kickstarter.com/projects/849734365/secure-open-document-format
> 100,000 Euro in under 30 days is certainly a great Christmas present, but that is a monstrous reach for a from-zero effort.
> Drive-By Thoughts
> Document security in terms of how to avoid exploits via maliciously-crafted document files is a big deal. So that is a profile case for safe documents as well as a compliance case for how processors are resilient about it and don't do anything to produce unsafe documents or to perpetuate unsafe features from input to output.
> For me, I see an absence of forensic tools, all the way up from the raw/packaged files into practices around how various matters are dealt with up the levels through XML tricks, covert content, dangerous Internet references, etc.
> The nice thing about forensic tools is they are not burdened with UI and formatting-fidelity issues, yet they can reuse (or be sources of) vetted components. I was reminded of that when I saw other MiniZip-related work of Mathias Svensson that includes tools for extracting the structure of a Zip in human-readable form, http://result42.com/projects.
> It is always nice to build forensic tools as part of working up the layers of reusable modules for format analysis and related tasks. It goes with unit tests as a valuable way to confirm library modules and demonstrate their effective use.
> Just some thoughts.
> jan: 
> This is an extremely interesting topic. And might be one that can attract attention. It is at least a theme that triggers the programmer in me.
> Crowd sourcing is also very interesting, sadly enough ASF does not allow targeted donations. But it would not be a problem if part of the community tried to do it as persons....I am sure it could be interesting for some. The proposal would in that case be, that people pay to get a specific feature developed, there is only little caveat, the proposal cannot promise that the feature becomes part of corinthia, only the community can decide that (but one can ask in advance).
> dennis: I don't expect us or anyone to seek crowd-funding for Corinthia in any manner. My observation is that the proposed effort is interesting. I don't think Tariq will reach the funding target he has set, so he won't receive any funding at all. One problem is that the only thing a contributor receives is a thank you, with the loudness of the acknowledgment dependent on the funding level. (Usually there is bling of some sort, including T shirts, other goodies.) And his result is very undefined -- there is no commitment to what will be covered at a minimum, what stretch goals are, etc. I don't think this will work out as a kick-starter.
> I do think that document security and safety will be a consideration in Corinthia, however, and it applies to profiling and also the idea of preserving unconverted provisions of input documents. I also see that it matters with regard to the plug-in design and what can be done to deal with malicious/counterfeit plug-ins.
> (I am thinking that using the ODF 1.2 Package and its provision for digital signatures is a way of packaging and authenticating plug-ins, if dynamic plug-in integration is offered for Corinthia. It is overdue for OpenOffice to update their OXT plug-in package which is almost but not quite an ODF package already.)
> Oh, funny. I just received a notice about this in my inbox: http://rcbd.buaa.edu.cn/issc/
> I separate crowd-funding from crowd-sourcing (as in searching for comets, cracking hash functions, operating wireless grids, creating gaming components and accessories, and distributed hack-a-thons). I didn't realized that crowd-sourcing is used for the funding model too.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)