Re: Xforms + signatures from Mikko Honkala on 2005-11-17 (www-archive@w3.org from November 2005)

From: Mikko Honkala <honkkis@tml.hut.fi>
Date: Thu, 17 Nov 2005 23:30:13 +0200
To: Thomas Roessler <tlr@w3.org>, mikko.honkala@tml.hut.fi, petri.vuorimaa@tml.hut.fi, steven@w3.org, jose@w3.org, www-archive@w3.org
Message-ID: <437CF665.1090905@tml.hut.fi>

Hello Thomas,

Thanks for your mail. Just a quick reply now:

I agree that it is a _very_ bad idea to include scripting in a page that
is signed. But the scheme we propose, allows the server to create a more
simplistic view, which is then presented to the user at the signing
time. Of course, it might be good to actually say that a page with
scripts should not be allowed to be signed at all.

Did this clarify your concern?

-mikko

Thomas Roessler wrote:
> Hello Mikko, Petri,
> 
> I'm working on the W3C Team on security and privacy matters.  Steven
> Pemberton recently pointed me to your paper "Secure Web Forms with
> Client-Side Signatures."
> 
> The basic approach of your paper seems to be that the entire form,
> along with any instance data, and anything that might have affected
> its rendering, is signed, in order to capture the semantics of the
> signed content.  In figure 3, for instance, you suggest including
> relevant scripts with the signature.
> 
> The idea that non-declarative scripting needs to be included with
> the singed material, just to make sure that the signed material's
> semantics is captured, makes me nervous -- it sounds like a good
> vector for all kinds of attacks, in particular when the party that
> will evaluate the signed material and verify the signature decides
> to ignore that scripting.  It also sounds like a source of
> interoperability problems, when user agents without scripting
> capabilities enter the picture, or when scripting depends on
> particular properties of the browser object.
> 
> I wonder if you have considered the approach to separately capture
> the semantics of signed instance data, by adding information that
> leads to a less rich rendering than what might be used by the
> surrounding form?
> 
> (E.g., a quite complex xhtml xform with lots of behaviors and
> scripting might end up generating relatively simplistic instance
> data.  It would appear easy to add a simple style sheet and some
> explanatory xhtml to these instance data, to render that, and to ask
> users to sign it.)
> 
> Regards,

Received on Thursday, 17 November 2005 21:30:30 UTC