nfoWorks: tools for document interoperability

d120404 nfoWorks devNote
 ns/odf/1.2/protection#
Protection-Key Enhancements
1.05 Working Draft

  1. Overview
  2. authz160
  3. sha1dk

1. Overview

There are security hazards in the current use of protection keys in ODF documents.  The nfoWorks-defined enhancements provide alternatives that reduce the risk of password compromise and malicious reuse of keys.

1.1 There are two protection-key attributes defined in ODF 1.0/1.1/1.2: text:protection-key and table:protection-key. The default values for these attributes are Base64 encodings of 160-bit (20-byte) SHA1 digests derived from manually-entered passwords.

1.2 For ODF 1.2 there are two companion attributes for optional use with the corresponding protection-key attribute: text:protection-key-digest-algorithm and table:protection-key-digest-algorithm.  The attribute explicitly identifies an algorithm used to derive the protection-key value.  SHA1 (the default), SHA256 (recommended), SHA512, and RIPEMD-160 are specifiable using standard identifiers.  ODF 1.2 consumers are required to support SHA1 (explicitly and by default) and SHA256.

1.3 Implementation-defined protection-key-digest-algorithm values are permitted.  Implementation-provided definitions describe the procedure and its utilization of the associated protection-key value.

1.4 {http://nfoworks.org/ns/odf/1.2/protection#} is the namespace for nfoWorks-defined digest-algorithm identifications.  These definitions and their identifiers are available for interoperable usage by any ODF 1.2 consumers and producers.

1.5 The nfoWorks-defined procedures are proposed for adoption in ODF 1.3.  If the proposed procedures and reserved identifiers for them are published in an ODF 1.3 Committee Draft, the nfoWorks-defined identifications become provisional identifiers as well.

 [2012-11-22 Notice: Although implementation-defined local names and protection-key-digest-algorithm identifiers are allowed in ODF 1.2, the implementation-defined nfoWorks identifiers below are withheld from implementation until reserved counterparts are defined in an ODF Committee Draft.]
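An audit sketch for 1.1 through 1.3, added here as an example and not part of the nfoWorks material: it walks an ODF XML part, reports every protection-key attribute, and flags keys that fall back to the SHA1 default or whose decoded length does not match the declared digest. The function name, the sample document and its all-zero key values are constructed for illustration; the digest IRIs are the W3C XML-DSig/XML-Enc identifiers, which this page refers to only as "standard identifiers".

```python
import base64
import xml.etree.ElementTree as ET

# ODF 1.2 namespaces that carry a protection-key attribute.
NS = {"text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
      "table": "urn:oasis:names:tc:opendocument:xmlns:table:1.0"}
# Standard digest identifiers -> (name, digest length in bytes).
ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1": ("SHA1", 20),
        "http://www.w3.org/2001/04/xmlenc#sha256": ("SHA256", 32),
        "http://www.w3.org/2001/04/xmlenc#sha512": ("SHA512", 64),
        "http://www.w3.org/2001/04/xmlenc#ripemd160": ("RIPEMD-160", 20)}
DEFAULT_ALG = "http://www.w3.org/2000/09/xmldsig#sha1"

def _zeros(n):
    """Constructed placeholder key: n zero bytes, not a real password digest."""
    return base64.b64encode(bytes(n)).decode()

# Constructed sample: default SHA1, explicit SHA256, and a length mismatch.
SAMPLE = f"""<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="{NS['text']}" xmlns:table="{NS['table']}">
 <text:section text:name="S1" text:protection-key="{_zeros(20)}"/>
 <table:table table:name="T1" table:protection-key="{_zeros(32)}"
   table:protection-key-digest-algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
 <table:table table:name="T2" table:protection-key="{_zeros(20)}"
   table:protection-key-digest-algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
</office:document-content>"""

def audit_protection_keys(xml_text):
    """Return one finding per protection-key attribute, in document order."""
    findings = []
    # For untrusted documents, prefer a hardened XML parser (e.g. defusedxml).
    for elem in ET.fromstring(xml_text).iter():
        for prefix, uri in NS.items():
            key = elem.get(f"{{{uri}}}protection-key")
            if key is None:
                continue
            alg = elem.get(f"{{{uri}}}protection-key-digest-algorithm")
            name, size = ALGS.get(alg or DEFAULT_ALG, ("implementation-defined", None))
            try:
                raw = base64.b64decode(key, validate=True)
            except ValueError:  # binascii.Error subclasses ValueError
                raw = None
            findings.append({
                "attribute": f"{prefix}:protection-key",
                "algorithm": name,
                "explicit": alg is not None,  # False: SHA1 applies by default
                # None when the expected length is unknown (implementation-defined)
                "length_ok": None if size is None else raw is not None and len(raw) == size,
                "uses_sha1": name == "SHA1",
            })
    return findings
```

A finding with `explicit` false and `uses_sha1` true marks a key produced under the SHA1 default described in 1.1; `length_ok` false marks a key whose size contradicts its declared algorithm.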

2. authz160

 

3. sha1dk


You are navigating nfoWorks.
This work is licensed under a Creative Commons Attribution 2.5 License.

0.02 2017-06-14 20:22 -0700

Attribution:
Hamilton, Dennis E.
 ns/odf/1.2/protection# Protection-Key Enhancements.   nfoWorks devNote page d120404c 0.02 November 22, 2012.  Accessed at <http://nfoWorks.org/dev/2012/04/d120404c.htm>.
Revision History:
 
0.02 2012-11-22-12:05 Switch to Working Draft designation
This becomes 1.05 WD, with alignment to the same proposal version.
0.01 2012-10-31-15:10 Set for Pending Provisional Definitions
Identify the implementation-defined and provisional-use situation.  Defer identification of local names and identifiers.
0.00 2012-05-02-16:39 Initial Placeholder
Provide boilerplate and initial professional-appearance insert page for the namespace landing page.  The text information is basically in the professional-appearance content.  There can be additional linked material here, however.

created 2012-05-02-11:51 -0700 (pdt)
$$Author: Orcmid $
$$Date: 17-06-14 20:22 $
$$Revision: 363 $