- From: Mikko Honkala <honkkis@tml.hut.fi>
- Date: Thu, 17 Nov 2005 23:30:13 +0200
- To: Thomas Roessler <tlr@w3.org>, mikko.honkala@tml.hut.fi, petri.vuorimaa@tml.hut.fi, steven@w3.org, jose@w3.org, www-archive@w3.org
Hello Thomas,

Thanks for your mail. Just a quick reply now: I agree that it is a _very_ bad idea to include scripting in a page that is signed. But the scheme we propose allows the server to create a more simplistic view, which is then presented to the user at the signing time. Of course, it might be good to actually say that a page with scripts should not be allowed to be signed at all.

Did this clarify your concern?

-mikko

Thomas Roessler wrote:
> Hello Mikko, Petri,
>
> I'm working on the W3C Team on security and privacy matters. Steven Pemberton recently pointed me to your paper "Secure Web Forms with Client-Side Signatures."
>
> The basic approach of your paper seems to be that the entire form, along with any instance data, and anything that might have affected its rendering, is signed, in order to capture the semantics of the signed content. In figure 3, for instance, you suggest including relevant scripts with the signature.
>
> The idea that non-declarative scripting needs to be included with the signed material, just to make sure that the signed material's semantics is captured, makes me nervous -- it sounds like a good vector for all kinds of attacks, in particular when the party that will evaluate the signed material and verify the signature decides to ignore that scripting. It also sounds like a source of interoperability problems, when user agents without scripting capabilities enter the picture, or when scripting depends on particular properties of the browser object.
>
> I wonder if you have considered the approach to separately capture the semantics of signed instance data, by adding information that leads to a less rich rendering than what might be used by the surrounding form?
>
> (E.g., a quite complex xhtml xform with lots of behaviors and scripting might end up generating relatively simplistic instance data. It would appear easy to add a simple style sheet and some explanatory xhtml to these instance data, to render that, and to ask users to sign it.)
>
> Regards,
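An added example, not from this thread or from the paper it discusses, of the "less rich rendering" approach: the instance data and a static explanatory XHTML fragment are bundled into one declarative view and digested (SHA-256 over Canonical XML, the way an XML-DSig Reference digests its content), while any script element or on* event attribute causes the signing step to be refused. The envelope element name, the rejection rule and the sample data are assumptions; the actual signature over the digest is left out.

```python
"""Build a declarative 'signed view' of form instance data and refuse to sign
anything that carries scripting. Example code, not from the paper or thread."""
import hashlib
import xml.etree.ElementTree as ET


class ScriptInSignedContent(ValueError):
    """Raised when material offered for signing contains non-declarative code."""


def contains_scripting(root):
    """True if any element is a <script> (any namespace) or has an on* attribute."""
    for el in root.iter():
        local = el.tag.split("}")[-1].lower()
        if local == "script":
            return True
        if any(a.split("}")[-1].lower().startswith("on") for a in el.attrib):
            return True
    return False


def build_signed_view(instance_xml, explanation_xhtml):
    """Wrap instance data and a static explanation in one envelope.

    The envelope carries no behaviour, so a verifier without scripting sees
    exactly what the signer saw. Raises ScriptInSignedContent otherwise."""
    instance = ET.fromstring(instance_xml)
    explanation = ET.fromstring(explanation_xhtml)
    for part in (instance, explanation):
        if contains_scripting(part):
            raise ScriptInSignedContent("refusing to sign content with scripts")
    envelope = ET.Element("SignedView")  # constructed element name
    envelope.append(explanation)
    envelope.append(instance)
    return ET.tostring(envelope, encoding="unicode")


def digest(xml_text):
    """SHA-256 over Canonical XML (stdlib C14N 2.0), hex encoded.

    Canonicalisation sorts attributes and normalises namespaces, so two
    serialisations of the same infoset produce the same digest."""
    canon = ET.canonicalize(xml_text)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


# Constructed sample: data produced by a rich form, plus a plain description.
ORDER = "<order><item>widget</item><qty>2</qty></order>"
EXPLANATION = ('<div xmlns="http://www.w3.org/1999/xhtml">'
               '<p>You are ordering 2 widgets.</p></div>')
SCRIPTED = ('<div xmlns="http://www.w3.org/1999/xhtml">'
            '<p onclick="submit()">You are ordering 2 widgets.</p></div>')
```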
Received on Thursday, 17 November 2005 21:30:30 UTC