W3C home > Mailing lists > Public > www-forms@w3.org > October 2003

RE: How secure is XForms?

From: John Boyer <JBoyer@PureEdge.com>
Date: Fri, 10 Oct 2003 09:59:17 -0700
Message-ID: <7874BFCCD289A645B5CE3935769F0B52683D18@tigger.pureedge.com>
To: <jmessing@law-on-line.com>, <AndrewWatt2001@aol.com>, <www-forms@w3.org>
Cc: <XForms@yahoogroups.com>

Hi John and Andrew,

John has done well articulating a belief that we at PureEdge 
have been pushing for years now with our XFDL forms products.  
While it is true that pre-version 4.x Netscape had the problem 
cited by John, I am quite sure that it was not generally
realized within the web security community.

I personally spent a great deal of time raising awareness of 
this issue on the XML DSig working group.  This resulted in
language around 'what you see is what you sign' (which, for
the sake of Section 508 compliant accessibilty software, 
should be 'what you sense is what you sign') as well as 
signature filters for handling more complex signing scenarios.

PureEdge forms products have supported precisely the functionality
that John requires, and has done so since 1997 in a manner
not obstructed by any patents.  We first published a paper on
our views at the World Wide Web conference in 1999 
There are many sources cited in this paper that further
substantiate our (and John's) views, including the AIIM guidelines
for legal acceptance of electronic records produced by 
information technology systems.

In the RSA 2000 proceedings, we presented this core issue of 
how to properly secure a form with a signature, but then
expanded to issues that arise in complex signing scenarios.  
Many security issues arise when work must be done to a form
after it has been signed, yet these types of forms arise
frequently in practice.  Some simple examples include 
the multiple signer scenario and the 'office use only' section
of a form.  Much more difficult are joint legal filings in
which multiple signers must each add to and fill out more of 
the form, and attachment supporting documents.  It is very
easy to write insecure forms in such scenarios.  We have been
working for years on XFDL to make it equally easy to write
secure forms.

We are now working within the XForms group to ensure that
these advanced signature requirements can be addressed as 
the group begins to consider how integrate XML DSig into XForms. 
Principally, PureEdge believes that it will be very difficult to 
secure XForms hosted in a language like XHTML that is not designed
around security.  In XFDL, we have already taken the necessary
steps to have XFDL secure both instance data and the presentation,
and we will be working toward having enough flexibility in the 
integration of XForms and DSig to allow XFDL to be the secure host 
language for XForms.  

This will be particularly critical to the ability to secure
forms with the latest security techniques we have developed, 
which we will be presenting at the upcoming ACM Workshop on 
XML Security (and which we began deploying in our products
two years ago).

As to Andrew's point about Microsoft InfoPath, you may with 
significant effort be able to create a basic signature for a 
form that meets the requirements described in our WWW8 paper
from 1999, but this is 2003 and you will need XFDL to handle 
many of signing scenarios that arise in practice and that are 
of greater interest to the security communities at RSA and the ACM.

Best regards,
John M. Boyer, Ph.D.
Senior Product Architect and Research Scientist
PureEdge Solutions Inc.

-----Original Message-----
From: jmessing [mailto:jmessing@law-on-line.com]
Sent: Thursday, October 09, 2003 9:17 PM
To: AndrewWatt2001@aol.com; www-forms@w3.org;
Cc: XForms@yahoogroups.com
Subject: Re: How secure is XForms?

The issues raised by Mr. Sioulis have been discussed periodically for some time now by the Information Security Committee of the American Bar Association and some of them are currently actively being vetted by the Digital Signature Services Technical Committee of OASIS.

Signing the structure may provide a useful audit function, but for a legal signatures of the type envisioned by the US ESign legislation, and most common law jurisdictions, the presentation as well as the structure must be signed. Otherwise, it is not possible to determine the intent of the signer, because what is signed must be what was seen by the signer, and it must be reproducible after the fact and verifiable. The problem arose quite early with Netscape, pre-version 4.x, when it was possible to sign submitted data from an html form as it was being posted. Once it was in the database, it was not possible to tell how the fields had been arranged in the form to determine their order, the text in between them, or the intent of the signer by affixing the signature. So the signature obtained by the process was valueless for most practical purposes.

It appears preferable to have a two level signature, of the structure in a first instance and the structure plus presentation level, which may be required for legally binding signatures. Browsing the discussions of the archives of the Digital Signature Services Technical Committee of OASIS, while perhaps not easy or light reading, may provide some further insight into these issues.

XMLDSig has ways of signing XML data that could be adapted to forms in this manner, based upon the use of appropriate transformations. There however is a claimed patent in the area of digitally signed XML forms data, a reference to which was posted on the XMLDSIG website. If anyone is interested and in need of further assistance to locate the source material, I can provide links via private email.

Best regards.

John Messing
American Bar Association representative to OASIS
Chair, Electronic Filing Committee, American Bar Association
Chair, eNotary TC, LegalXML

---------- Original Message ----------------------------------
From: 22=3F=3F=3F=3F=3F=3F=3F_=3F=2E_=3F=3F=3F=3F=3F?= 3F=3F_=28Christos_E=2E_Sioulis=29=22?= <CSioulis@dsa.gr>
Date:  Fri, 10 Oct 2003 00:32:31 +0300

>In my point of view, the most important 'issue of security' using XForms 
>technology in real transactions, is (apart of the origin and integrity 
>of the relative browser plug-in) "how secure is the instance data" that 
>is collected and transmitted by the 'XForm User Interface' and 'XForm 
>Submit Protocol' units respectively!
>Having in mind that XForms could be a nice instrument to serve quotidian 
>legal transactions (i.e. filling predefined application/order web forms 
>with needed data, or filling a 'tax declaration' in a web based 
>'official document',-and in many other e-government applications, etc), 
>the next step for your nice work, IMO, it should be the liaison with the 
>XML-Signature (XadES) WG, with the goal to provide a standard method on 
>how the provided 'XML instance data' can be digitally signed (providing 
>data authenticity, integrity, and/or non repudiation) by its author. 
>(-Have you seen the new Adobe Acrobat 6.0 digital signing features 
>combined with Adobe Forms?)
>I have already mentioned this issue in this mailing list (about 1 year 
>ago!) and the answer was that it maybe would make part of a future 
>development of XForms.
>(-Andrew, do you feel that this time has come?)  :-)
>Christos Sioulis
>(Athens Lawyer)
>>-----Original Message-----
>>From: AndrewWatt2001@aol.com [mailto:AndrewWatt2001@aol.com]
>>Sent: 09 October 2003 18:15
>>To: www-forms@w3.org; XForms@yahoogroups.com
>>Subject: How secure is XForms?
>>I would like to pose a question that I first asked many months ago, "How
>>secure is XForms?" I didn't find the answers given at the time totally
>>Particularly for potential business users of XForms it seems to me a
>>fundamental question.
>>What is the best, most complete answer that the XForms WG or XForms tool
>>vendors care to put forward to provide reassurance on this point?
>>Andrew Watt
>>http://www.tfosorciM.org/blog - "Reflecting on Microsoft" 
Received on Friday, 10 October 2003 12:59:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:36:09 UTC