Digital Signatures?

The XForms requirements document pretty much just has a placeholder
for a discussion of digital signatures.  I was wondering what the
current thinking of the working group was.

The three-level architecture of XForms I think is exactly right and
necessary for the requirements as described.  However, there's a
white paper at the PureEdge site that makes a surprisingly strong
case for combining all these things (data, logic, and presentation)
in one unit (http://www.uwi.com/xfdl/digest/feature.html).

The argument is based on the requirement of non-repudiation,
which seems to dictate that what is being signed includes what
was reliably presented to the user.  Since, for example,
style sheets can significantly add, delete, or rearrange content,
the signature needs to include the precise display instructions
used - otherwise, the signer could claim that he had not actually
seen (or been aware of the existence of) portions of what he 
apparently signed.

I imagine this could be worked around by signing an MHTML
file or some other MIME multipart/related type format,
containing the user data, form specification, and style sheet.
Is that where this stuff is headed?

Alternatively, I suppose the signature could cover URIs and
digests of the remote components.  This might mean that the data
representation (the bottom of the three layers) would contain
these URIs and checksums, verifiably indicating what form template 
and style sheet (as well as any other components, such as graphics) 
were actually presented to the user who entered this data.

Anyway, for long-term archiving of the transaction, I guess
you'd still want actual copies of these components.

I'm sure I'm just restating badly what you folks have already
figured out.  I'd be interested to hear something more
authoritative on the subject.

Thanks,
Ken Bandes

Received on Monday, 10 April 2000 21:13:37 UTC
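
The "URIs and digests of the remote components" alternative raised in the message above, as an added example that is not part of the original post: it builds the byte string a signature would cover and later checks retrieved components against it. The manifest layout, function names, URIs and sample contents are all assumptions made for illustration, and the signing step itself is left to whatever signature scheme is in use.

```python
import hashlib
import json

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def build_manifest(user_data: bytes, components: dict[str, bytes]) -> bytes:
    """Canonical bytes to be signed: the digest of the entered data plus a
    (URI, digest) reference for every component presented to the user."""
    manifest = {
        "data_sha256": digest(user_data),
        "presented": [
            {"uri": uri, "sha256": digest(body)}
            for uri, body in sorted(components.items())
        ],
    }
    # Sorted keys and fixed separators give one byte form per manifest.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def check_presentation(manifest_bytes: bytes, user_data: bytes,
                       fetched: dict[str, bytes]) -> list[str]:
    """Compare the data and retrieved components with the signed manifest.
    Returns a list of problems; an empty list means everything matches."""
    manifest = json.loads(manifest_bytes)
    problems = []
    if digest(user_data) != manifest["data_sha256"]:
        problems.append("data: digest mismatch")
    for ref in manifest["presented"]:
        body = fetched.get(ref["uri"])
        if body is None:
            # The archiving concern: a reference alone cannot be re-verified.
            problems.append(f"{ref['uri']}: not available")
        elif digest(body) != ref["sha256"]:
            problems.append(f"{ref['uri']}: digest mismatch")
    return problems

# Constructed sample input (hypothetical URIs and contents).
FORM_URI = "https://forms.example/order.xml"
STYLE_URI = "https://forms.example/order.css"
USER_DATA = b"<order><qty>10</qty></order>"
PRESENTED = {
    FORM_URI: b"<form><input ref='qty'/><p class='terms'>Terms apply</p></form>",
    STYLE_URI: b".terms { display: block }",
}
MANIFEST = build_manifest(USER_DATA, PRESENTED)
```

A style sheet that was changed after signing, or a component that is no longer retrievable, shows up as an entry in the returned list, which is why archived copies are still needed alongside the references.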