Xforms + signatures

Hello Mikko, Petri,

I'm working on the W3C Team on security and privacy matters.  Steven
Pemberton recently pointed me to your paper "Secure Web Forms with
Client-Side Signatures."

The basic approach of your paper seems to be that the entire form,
along with any instance data, and anything that might have affected
its rendering, is signed, in order to capture the semantics of the
signed content.  In figure 3, for instance, you suggest including
relevant scripts with the signature.

The idea that non-declarative scripting needs to be included with
the signed material, just to make sure that the signed material's
semantics is captured, makes me nervous -- it sounds like a good
vector for all kinds of attacks, in particular when the party that
will evaluate the signed material and verify the signature decides
to ignore that scripting.  It also sounds like a source of
interoperability problems, when user agents without scripting
capabilities enter the picture, or when scripting depends on
particular properties of the browser object.

I wonder if you have considered the approach to separately capture
the semantics of signed instance data, by adding information that
leads to a less rich rendering than what might be used by the
surrounding form?

(E.g., a quite complex xhtml xform with lots of behaviors and
scripting might end up generating relatively simplistic instance
data.  It would appear easy to add a simple style sheet and some
explanatory xhtml to these instance data, to render that, and to ask
users to sign it.)

Regards,
-- 
Thomas Roessler, W3C   <tlr@w3.org>

Received on Thursday, 17 November 2005 15:35:30 UTC
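The approach suggested in the message above, signing the instance data together with a simple style sheet and explanatory XHTML so that the verifier can reproduce the user's view without running any script, shown as an added example that is not from the paper or from this message; the XML parts, the key and the use of an HMAC in place of an XML-DSig signature value are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample parts (hypothetical, not from the paper): the instance
# data an XForm would submit, plus the minimal declarative rendering
# (an XSLT template and an explanatory XHTML paragraph) the user signs.
INSTANCE = """<order xmlns="urn:example:order"><item>Laptop</item>
  <amount currency="EUR">1200</amount></order>"""
STYLESHEET = """<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:o="urn:example:order">
  <xsl:template match="/o:order">You are ordering <xsl:value-of select="o:item"/>
    for <xsl:value-of select="o:amount"/> <xsl:value-of select="o:amount/@currency"/>.
  </xsl:template></xsl:stylesheet>"""
EXPLANATION = """<p xmlns="http://www.w3.org/1999/xhtml">By signing you confirm
  the order shown above.</p>"""
SIGNED_PARTS = {"instance": INSTANCE, "stylesheet": STYLESHEET, "explanation": EXPLANATION}

def part_digest(xml_text: str) -> str:
    """SHA-256 over the canonical (C14N 2.0) form: whitespace and attribute
    order do not affect the digest, but any change to the content does."""
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_manifest(parts: dict) -> str:
    """One line per signed part (name and digest) in a fixed order, so the
    rendering parts are bound to the instance data they explain."""
    return "\n".join(f"{name} {part_digest(xml)}" for name, xml in sorted(parts.items()))

def sign(parts: dict, key: bytes) -> str:
    """HMAC stands in for the XML-DSig signature value (assumption)."""
    return hmac.new(key, build_manifest(parts).encode("utf-8"), hashlib.sha256).hexdigest()

def verify(parts: dict, key: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(parts, key), signature)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    sig = sign(SIGNED_PARTS, key)
    # Reflowing whitespace in the instance data does not break verification...
    reflowed = dict(SIGNED_PARTS, instance=INSTANCE.replace("\n  ", " "))
    print(verify(reflowed, key, sig))
    # ...but changing how the amount is shown to the user does.
    tampered = dict(SIGNED_PARTS, stylesheet=STYLESHEET.replace('o:amount"', 'o:amount div 10"'))
    print(verify(tampered, key, sig))
```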