Re: How secure is XForms?

In a message dated 10/10/2003 05:25:17 GMT Daylight Time, 
jmessing@law-on-line.com writes:

> The issues raised by Mr. Sioulis have been discussed periodically for some 
> time now by the Information Security Committee of the American Bar 
> Association and some of them are currently actively being vetted by the Digital 
> Signature Services Technical Committee of OASIS.
> 
> Signing the structure may provide a useful audit function, but for legal 
> signatures of the type envisioned by the US ESign legislation, and most common 
> law jurisdictions, the presentation as well as the structure must be signed. 
> Otherwise, it is not possible to determine the intent of the signer, because 
> what is signed must be what was seen by the signer, and it must be 
> reproducible after the fact and verifiable. The problem arose quite early with 
> Netscape, pre-version 4.x, when it was possible to sign submitted data from an html 
> form as it was being posted. Once it was in the database, it was not possible 
> to tell how the fields had been arranged in the form to determine their 
> order, the text in between them, or the intent of the signer by affixing the 
> signature. So the signature obtained by the process was valueless for most 
> practical purposes.
> 
> It appears preferable to have a two level signature, of the structure in a 
> first instance and the structure plus presentation level, which may be 
> required for legally binding signatures. Browsing the discussions of the archives of 
> the Digital Signature Services Technical Committee of OASIS, while perhaps 
> not easy or light reading, may provide some further insight into these issues.
> 
> XMLDSig has ways of signing XML data that could be adapted to forms in this 
> manner, based upon the use of appropriate transformations. There however is a 
> claimed patent in the area of digitally signed XML forms data, a reference 
> to which was posted on the XMLDSIG website. If anyone is interested and in 
> need of further assistance to locate the source material, I can provide links 
> via private email.
> 
> Best regards.
> 
> John Messing
> American Bar Association representative to OASIS
> Chair, Electronic Filing Committee, American Bar Association
> Chair, eNotary TC, LegalXML

John,

Interesting comments.

Has your committee looked at how InfoPath supports digital signatures? 
InfoPath also has a versioning feature which ... and I haven't thought this through 
fully ... may allow the recreation not only of the content but of the visual 
"form" that the user saw (a "view" in InfoPath jargon).

For the purposes of simple XML forms the InfoPath approach to versioning 
struck me as overkill but it *may* provide the means to associate "form" (forgive 
the pun) and content that you indicate current (US?) legislation requires. Of 
course that would require that each version of an InfoPath form template be 
archived.

Andrew Watt
http://www.tfosorciM.org/blog/ - "Reflecting on Microsoft"

Received on Friday, 10 October 2003 04:32:32 UTC
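
The two-level signature discussed in this thread, as an added example that is not from either poster or from any XForms, XMLDSig or InfoPath code. It assumes an HMAC as a stand-in for the signer's real signature and sorted JSON as a stand-in for XML canonicalization; the templates, key and function names are hypothetical.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # stand-in for the signer's private key (assumption)

# Constructed sample: two form templates that post the same field name.
TEMPLATE_SEEN = "<form><label>I decline the offer:</label><input name='answer'/></form>"
TEMPLATE_OTHER = "<form><label>I accept the offer:</label><input name='answer'/></form>"
DATA = {"answer": "yes"}  # what ends up in the database


def canonical(obj) -> bytes:
    """Deterministic serialization (stand-in for XML canonicalization)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: bytes) -> str:
    """Stand-in signing step; a real deployment would use an asymmetric key."""
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def sign_structure(data) -> str:
    """Level 1: covers the submitted field values only."""
    return sign(canonical(data))


def sign_structure_and_presentation(data, template: str) -> str:
    """Level 2: covers the values plus a digest of the template shown."""
    digest = hashlib.sha256(template.encode()).hexdigest()
    return sign(canonical({"data": data, "template_sha256": digest}))


def verify(sig: str, data, template=None) -> bool:
    """Recompute the matching level; level 2 needs the archived template."""
    if template is None:
        expected = sign_structure(data)
    else:
        expected = sign_structure_and_presentation(data, template)
    return hmac.compare_digest(sig, expected)


def demo() -> dict:
    s1 = sign_structure(DATA)
    s2 = sign_structure_and_presentation(DATA, TEMPLATE_SEEN)
    return {
        # Level 1 verifies, but says nothing about which form was shown.
        "level1_data_only": verify(s1, DATA),
        "level2_template_seen": verify(s2, DATA, TEMPLATE_SEEN),
        "level2_other_template": verify(s2, DATA, TEMPLATE_OTHER),
    }
```

Verifying the second level requires the exact template the signer saw, which is why each template version would have to be archived.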