MIME and OOXML digital signature

MURATA Makoto (FAMILY Given) eb2m-mrt at asahi-net.or.jp
Tue Jul 28 05:00:56 CEST 2009


Dear colleagues,

I am trying to register media types of OOXML.  

The IANA reviwer asked me a question:

> Makoto wrote:
> > However, when each part is exposed as a MIME body, it is not
> > controlled by office suites any more. It is certainly possible to reconstruct
> > OOXML documents after modifying core.xml by generic XML editors or even
> > text editors. If the original part is covered by OOXML digital signature (
> ISO/IEC
> > 29500-2, Clause 13), it is possible to detect that whether
> > the part has been altered.
> 
> This is very unclear. I think what you are saying is that XML digital
> signatures are employed by some software, but other software doesn't
> necessary know how to compute such signatures so after some sorts of processing
> the signatures may be invalid.
> 
> if that''s what you meant to say, then how about:
> 
> OOXML media types can employ digital signatures (ISO/IEC 29500-2, Clause 13)
> to make it possible to detect tampering. However, since OOXML documents
> may be consructed or alternated through a variety of means, including
> generic XML editors or even text editors, it may not be possible to
> rely on such signatures.

In my understanding, an OOXML document will have an incorrect signature,
if a signed OPC part is changed later.  Application programs are able 
to detect such (probably malicious) changes but they are not oblideged
to examine signatures.

The IANA reviwer also asked about macros and encryption.  AFAIK, neither
macros nor encryptions are specified by 29500.  Am I right? 


Regards,

SC34/WG4 Convenor
MURATA Makoto (FAMILY Given)




More information about the sc34wg4 mailing list