RE: How secure is Infopath? Was RE: How secure is XForms?

Hi Brian,

I appreciate the time you have taken to post this clarification, but as

one XML DSig co-author to another, I am wondering if you spent

any time considering the technical merits of the clarification originally

posted by Infopath program manager Alessandro Catorcini to the

microsoft.public.infopath newsgroup?

Your well-respected work on XML DSig pertained mostly to the

development of an XML Signature implementation. However,

Mr. Catorcini seems not to have appreciated that InfoPath is a consumer

of XML Signature technology, not an implementer of said technology.

This is a crucial distinction that he seems not to have made when he cites

from the spec as follows: "XMLDSIG is a method of associating a key with

referenced data; it does not normatively specify...the meaning of the data being
referenced and signed."

Of course XML DSig cannot be responsible for semantics of the

consuming application. This is precisely why the consuming application must

therefore be responsible or else XML DSig is being misused. Indeed, the

principal reason we allowed multiple references in a single signature was

to permit separated data and UI to be brought together in a single signature.

In fact, in Section 8.1.2 we directly codified the obligation of consuming

applications to include in a signature enough references and transforms to

preserve not just the data but also the presentation layer information.

Thus, the posted clarification seems to do little but solidify the reality

of the security problem we have identified with InfoPath signatures,

especially when it states that "XMLDSIG digital signatures are most commonly

used to ascertain that the XML data underlying the InfoPath form has not been

altered since the form was originally signed". We see clearly that InfoPath

provides data-only signatures, and we have not been able to circumvent

the design environment to force InfoPath to create secure signatures. It

may be that server-to-server communications must secure only data, but

InfoPath is a client-to-server application.

Unfortunately, an end-user signature over only the data has little or no

security value because the end-user does not see the data, but rather

the end-user sees a presentation layer view of the data, which can be

substantially modified by the relying party (the government organizations,

insurance companies, financial institutions, etc. that are the usual validators

of signature) ** without breaking the InfoPath signature **.

I would recommend, and I encourage you to recommend to Mr. Catorcini,

that InfoPath be patched immediately to remove support for the current

insecure signatures so that Microsoft does not have to provide backwards

compatibility support for them. Consuming applications of XML DSig

(such as InfoPath) should neither encourage nor even support the current

insecure variety of digital signatures.

Thanks for your further attention to this important security concern.

Sincerely,

John M. Boyer, Ph.D.

Senior Product Architect and Research Scientist

PureEdge Solutions Inc.

-----Original Message-----
From: Brian LaMacchia [mailto:bal@exchange.microsoft.com]
Sent: Fri 10/31/2003 2:49 PM
To: John Boyer; AndrewWatt2001@aol.com; jmessing@law-on-line.com
Cc: www-forms@w3.org; XForms@yahoogroups.com; w3c-ietf-xmldsig@w3.org
Subject: RE: How secure is Infopath? Was RE: How secure is XForms?

Hi John, John and Andrew,

I just wanted to take a moment to clarify how InfoPath supports the W3C
XML Signature standard (XMLDSIG). InfoPath uses XMLDSIG to secure the
XML data created by a user via an InfoPath form. Any change to the XML
data occurring after the InfoPath form has been digitally signed will
invalidate the digital signature, which will be detected by InfoPath
when InfoPath attempts to load or otherwise consume the data. XMLDSIG
digital signatures are most commonly used to ascertain that the XML data
underlying the InfoPath form has not been altered since the form was
originally signed.

Applications that attach semantic meanings to digital signatures, which
InfoPath does not currently support, relate to making a signed statement
about the data that was presented to the user, how it was presented,
and/or whether there were any semantic implications to the user making
the signature. In these cases, the presentation of the form itself to
the signer needs to be secured along with the data supplied by the
signer to the form. As the XMLDSIG specification states in its
introduction: "XMLDSIG is a method of associating a key with referenced
data; it does not normatively specify...the meaning of the data being
referenced and signed." Such semantics may be built on top of XMLDSIG
but that requires that additional semantic elements be defined on top of
the core XMLDSIG syntax. Based on customer feedback, InfoPath will
enable this additional digital signature functionality as a part of a
web download expected to be made available in the first half of 2004.

                                --Brian LaMacchia
                                Microsoft