RE: How secure is Infopath? Was RE: How secure is XForms?

Hi John, John and Andrew,

I just wanted to take a moment to clarify how InfoPath supports the W3C
XML Signature standard (XMLDSIG). InfoPath uses XMLDSIG to secure the
XML data created by a user via an InfoPath form. Any change to the XML
data occurring after the InfoPath form has been digitally signed will
invalidate the digital signature, which will be detected by InfoPath
when InfoPath attempts to load or otherwise consume the data.  XMLDSIG
digital signatures are most commonly used to ascertain that the XML data
underlying the InfoPath form has not been altered since the form was
originally signed.

Applications that attach semantic meanings to digital signatures, which
InfoPath does not currently support, relate to making a signed statement
about the data that was presented to the user, how it was presented,
and/or whether there were any semantic implications to the user making
the signature.  In these cases, the presentation of the form itself to
the signer needs to be secured along with the data supplied by the
signer to the form.  As the XMLDSIG specification states in its
introduction: "XMLDSIG is a method of associating a key with referenced
data; it does not normatively specify...the meaning of the data being
referenced and signed."  Such semantics may be built on top of XMLDSIG
but that requires that additional semantic elements be defined on top of
the core XMLDSIG syntax.  Based on customer feedback, InfoPath will
enable this additional digital signature functionality as a part of a
web download expected to be made available in the first half of 2004.

				--Brian LaMacchia
				  Microsoft

					

Received on Friday, 31 October 2003 17:54:01 UTC