RE: Forms security basic from Micah Dubinko on 2004-02-27 (www-forms@w3.org from February 2004)

From: Micah Dubinko <MDubinko@cardiff.com>
Date: Fri, 27 Feb 2004 15:23:32 -0800
To: 'Douglas Rechia' <rechia@inf.ufsc.br>, www-forms@w3.org
Message-ID: <BD2DBD26EE0BAA48B1A425C7BE7923002D099B@csmail.nato.cardiff.com>

Hi Douglas,

>I'm very interested in forms security.

Security is a challenging subject. People like to say 'if I follow spec XXX,
I'll be secure', but reality refuses to cooperate with such a simple point
of view. :-)

BTW, the XForms Working Group is en-route to a face-to-face meeting for the
week of March 1-5, and thus might not be too responsive over the next few
days.

>1. Why the last W3C note regarding XFDL dated September, 1998?

A NOTE is just that, a published idea with a date. It doesn't imply any
commitment to anything in particular.

>2. Does anybody know any XFDL implementation, experience, test, etc?

You should check with PureEdge, the proprietors of that particular markup
language.

>3. Why were XForms designed without supporting signatures

The W3C works through consensus, and the consensus was to get a solid
foundation done first, later adding signatures.

(Note that 'signatures' is a rather independent subject from 'security'!)

>4. And what about privacy?

Privacy is a similarly rich subject. Like security, it's not a matter of
simply supporting a particular specification or protocol.

You can achieve security and privacy through an XForms solution, but a large
part of the equation rests with the quality of the XForms implementation.
(This is another benefit of XForms/open standards over proprietary
solutions, IMHO--the freedom to choose your implementation)

Thanks,

.micah



-----Original Message-----
From: www-forms-request@w3.org [mailto:www-forms-request@w3.org]On
Behalf Of Douglas Rechia
Sent: Thursday, February 26, 2004 7:09 AM
To: www-forms@w3.org
Subject: Forms security basic



Hello everybody,

I'm very interested in forms security. I'm looking for messages in this 
mailing list regarding this topic. 

I've found some considerations in the message "RE: How secure is XForms?" 
(mail sent by John Boyer on 10 Oct 2003, available at 
http://lists.w3.org/Archives/Public/www-forms/2003Oct/0037.html). Also, on
16 
Oct 2003, John Boyer and John Messing made considerations about XForms 
signatures, XFDL, Microsoft InfoPath security, and so on (available at 
http://lists.w3.org/Archives/Public/www-forms/2003Oct/0070.html)

I started to study this topic short time ago. Some questions arise, and I 
would like to get the answers for the following:

1. Why the last W3C note regarding XFDL dated September, 1998? Isn't there a

newer note/recomendation about that? XForms is often being discussed and 
improved...

2. Does anybody know any XFDL implementation, experience, test, etc? On the 
second mail cited above, John Boyer said: "We want to position XFDL as a 
secure host language for XForms because we think it will be much harder to 
write securable XHTML". Is this already tested/implemented?

3. Why were XForms designed without supporting signatures (signing 
presentation and instance data)? Wasn't this an important issue when first 
version/draft of XForms was created?

4. And what about privacy? Can I achieve privacy on XForms and XFDL only by 
using SSL or similar? Isn't there any support to cipher forms data?

Thanks in advance.


Best Regards,

Douglas.

Received on Friday, 27 February 2004 18:23:33 UTC