W3C home > Mailing lists > Public > www-forms@w3.org > October 2003

Re: How secure is XForms?

From: jmessing <jmessing@law-on-line.com>
Date: Fri, 10 Oct 2003 00:17:08 -0400
Message-Id: <200310100017.AA500171318@law-on-line.com>
To: <AndrewWatt2001@aol.com>, <www-forms@w3.org>, 22=3F=3F=3F=3F=3F=3F=3F_=3F=2E_=3F=3F=3F=3F=3F?= 3F=3F_=28Christos_E=2E_Sioulis=29=22?= <CSioulis@dsa.gr>
Cc: <XForms@yahoogroups.com>


The issues raised by Mr. Sioulis have been discussed periodically for some time now by the Information Security Committee of the American Bar Association and some of them are currently actively being vetted by the Digital Signature Services Technical Committee of OASIS.

Signing the structure may provide a useful audit function, but for a legal signatures of the type envisioned by the US ESign legislation, and most common law jurisdictions, the presentation as well as the structure must be signed. Otherwise, it is not possible to determine the intent of the signer, because what is signed must be what was seen by the signer, and it must be reproducible after the fact and verifiable. The problem arose quite early with Netscape, pre-version 4.x, when it was possible to sign submitted data from an html form as it was being posted. Once it was in the database, it was not possible to tell how the fields had been arranged in the form to determine their order, the text in between them, or the intent of the signer by affixing the signature. So the signature obtained by the process was valueless for most practical purposes.

It appears preferable to have a two level signature, of the structure in a first instance and the structure plus presentation level, which may be required for legally binding signatures. Browsing the discussions of the archives of the Digital Signature Services Technical Committee of OASIS, while perhaps not easy or light reading, may provide some further insight into these issues.

XMLDSig has ways of signing XML data that could be adapted to forms in this manner, based upon the use of appropriate transformations. There however is a claimed patent in the area of digitally signed XML forms data, a reference to which was posted on the XMLDSIG website. If anyone is interested and in need of further assistance to locate the source material, I can provide links via private email.

Best regards.

John Messing
American Bar Association representative to OASIS
Chair, Electronic Filing Committee, American Bar Association
Chair, eNotary TC, LegalXML

---------- Original Message ----------------------------------
From: 22=3F=3F=3F=3F=3F=3F=3F_=3F=2E_=3F=3F=3F=3F=3F?= 3F=3F_=28Christos_E=2E_Sioulis=29=22?= <CSioulis@dsa.gr>
Date:  Fri, 10 Oct 2003 00:32:31 +0300

>
>In my point of view, the most important 'issue of security' using XForms 
>technology in real transactions, is (apart of the origin and integrity 
>of the relative browser plug-in) "how secure is the instance data" that 
>is collected and transmitted by the ‘XForm User Interface’ and ‘XForm 
>Submit Protocol’ units respectively!
>
>Having in mind that XForms could be a nice instrument to serve quotidian 
>legal transactions (i.e. filling predefined application/order web forms 
>with needed data, or filling a 'tax declaration' in a web based 
>'official document’,-and in many other e-government applications, etc), 
>the next step for your nice work, IMO, it should be the liaison with the 
>XML-Signature (XadES) WG, with the goal to provide a standard method on 
>how the provided ‘XML instance data’ can be digitally signed (providing 
>data authenticity, integrity, and/or non repudiation) by its author. 
>(-Have you seen the new Adobe Acrobat 6.0 digital signing features 
>combined with Adobe Forms?)
>
>I have already mentioned this issue in this mailing list (about 1 year 
>ago!) and the answer was that it maybe would make part of a future 
>development of XForms.
>(-Andrew, do you feel that this time has come?)  :-)
>
>Christos Sioulis
>(Athens Lawyer)
>
>>-----Original Message-----
>>From: AndrewWatt2001@aol.com [mailto:AndrewWatt2001@aol.com]
>>Sent: 09 October 2003 18:15
>>To: www-forms@w3.org; XForms@yahoogroups.com
>>Subject: How secure is XForms?
>>
>>
>>I would like to pose a question that I first asked many months ago, "How
>>secure is XForms?" I didn't find the answers given at the time totally
>>compelling.
>>
>>Particularly for potential business users of XForms it seems to me a
>>fundamental question.
>>
>>What is the best, most complete answer that the XForms WG or XForms tool
>>vendors care to put forward to provide reassurance on this point?
>>
>>Andrew Watt
>>http://www.tfosorciM.org/blog - "Reflecting on Microsoft" 
>>
>>
>>
>>  
>>
>
>
Received on Friday, 10 October 2003 00:24:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 10 March 2012 06:21:56 GMT