- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 17 Nov 2005 16:35:21 +0100
- To: mikko.honkala@tml.hut.fi, petri.vuorimaa@tml.hut.fi
- Cc: steven@w3.org, jose@w3.org, www-archive@w3.org
Hello Mikko, Petri,

I'm working on the W3C Team on security and privacy matters. Steven Pemberton recently pointed me to your paper "Secure Web Forms with Client-Side Signatures."

The basic approach of your paper seems to be that the entire form, along with any instance data, and anything that might have affected its rendering, is signed, in order to capture the semantics of the signed content. In figure 3, for instance, you suggest including relevant scripts with the signature.

The idea that non-declarative scripting needs to be included with the signed material, just to make sure that the signed material's semantics is captured, makes me nervous -- it sounds like a good vector for all kinds of attacks, in particular when the party that will evaluate the signed material and verify the signature decides to ignore that scripting. It also sounds like a source of interoperability problems, when user agents without scripting capabilities enter the picture, or when scripting depends on particular properties of the browser object.

I wonder if you have considered the approach to separately capture the semantics of signed instance data, by adding information that leads to a less rich rendering than what might be used by the surrounding form? (E.g., a quite complex xhtml xform with lots of behaviors and scripting might end up generating relatively simplistic instance data. It would appear easy to add a simple style sheet and some explanatory xhtml to these instance data, to render that, and to ask users to sign it.)

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 17 November 2005 15:35:30 UTC
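The "less rich rendering" the mail proposes, as an added example (written for this archive page, not code from the email or from the paper it discusses): wrap the form's instance data in a constant style sheet and explanatory XHTML, canonicalize and sign that document instead of the scripted form, and have the verifier refuse any signed document that carries script or event handlers. Assumptions: flat instance data (one element per field), an HMAC standing in for the asymmetric XML-DSig signature, and hypothetical function names.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

XHTML = "http://www.w3.org/1999/xhtml"
# Fixed, minimal style sheet: it is part of what gets signed, so the verifier
# renders the data the same way the signer saw it.
STYLE = "body{font-family:sans-serif} td{border:1px solid #000;padding:2px}"
# Constructed sample instance data (flat: one element per form field).
SAMPLE_INSTANCE = "<order><item>Widget</item><qty>3</qty></order>"

def build_signable(instance_xml: str, explanation: str) -> str:
    """Wrap instance data in plain XHTML: explanatory text, a table of
    field/value pairs and the raw data itself. No script anywhere."""
    inst = ET.fromstring(instance_xml)
    html = ET.Element("html", xmlns=XHTML)
    ET.SubElement(ET.SubElement(html, "head"), "style").text = STYLE
    body = ET.SubElement(html, "body")
    ET.SubElement(body, "p").text = explanation
    table = ET.SubElement(body, "table")
    for field in inst:
        row = ET.SubElement(table, "tr")
        ET.SubElement(row, "td").text = field.tag
        ET.SubElement(row, "td").text = field.text or ""
    body.append(inst)  # keep the machine-readable data for the recipient
    return ET.tostring(html, encoding="unicode")

def declarative_only(doc: str) -> bool:
    """Policy: reject script elements and on* event-handler attributes, so
    the signed semantics never depend on code a verifier might not run."""
    for el in ET.fromstring(doc).iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            return False
        if any(a.lower().startswith("on") for a in el.attrib):
            return False
    return True

def sign(doc: str, key: bytes) -> str:
    """Canonicalize (C14N 2.0 from the stdlib), then MAC; stands in for
    the ds:Signature an XML-DSig deployment would produce."""
    c14n = ET.canonicalize(doc, strip_text=True)
    return hmac.new(key, c14n.encode(), hashlib.sha256).hexdigest()

def verify(doc: str, sig: str, key: bytes) -> bool:
    """Accept only declarative documents whose canonical form matches."""
    return declarative_only(doc) and hmac.compare_digest(sign(doc, key), sig)
```

Calling `verify(build_signable(SAMPLE_INSTANCE, "You are about to sign:"), sig, key)` succeeds for the untouched document and fails both when a table cell is altered and when a script element is inserted, even if the attacker re-signs the scripted version.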