- From: <AndrewWatt2001@aol.com>
- Date: Fri, 10 Oct 2003 04:24:08 EDT
- To: CSioulis@dsa.gr
- Cc: www-forms@w3.org, XForms@yahoogroups.com
- Message-ID: <1e8.11047d0b.2cb7c6a8@aol.com>
In a message dated 09/10/2003 22:33:55 GMT Daylight Time, CSioulis@dsa.gr writes:

> In my point of view, the most important 'issue of security' using XForms
> technology in real transactions, is (apart of the origin and integrity
> of the relative browser plug-in) "how secure is the instance data" that
> is collected and transmitted by the ‘XForm User Interface’ and ‘XForm
> Submit Protocol’ units respectively!

There are at least a couple of issues there. Data integrity - is what was sent from the client what was received at the server? Also, as you indicate below, non-repudiation - that data can be reliably associated with a person/entity submitting it.

Others have commented on other potential security issues earlier in this thread and I won't repeat those here.

> Having in mind that XForms could be a nice instrument to serve quotidian
> legal transactions (i.e. filling predefined application/order web forms
> with needed data, or filling a 'tax declaration' in a web based
> 'official document’,-and in many other e-government applications, etc),
> the next step for your nice work, IMO, it should be the liaison with the
> XML-Signature (XadES) WG, with the goal to provide a standard method on
> how the provided ‘XML instance data’ can be digitally signed (providing
> data authenticity, integrity, and/or non repudiation) by its author.
> (-Have you seen the new Adobe Acrobat 6.0 digital signing features
> combined with Adobe Forms?)

Digital signatures will be important for some uses. No doubt in my mind about that. InfoPath provides a digital signature option too.

As I hinted in an earlier post there is a spectrum of forms usage - from the kind of digitally signed scenario that Christos mentions to "casual" forms filling. Which niches XForms, InfoPath and Adobe's upcoming XML/PDF technology will compete best in remains to be seen.

> I have already mentioned this issue in this mailing list (about 1 year
> ago!) and the answer was that it maybe would make part of a future
> development of XForms.
> (-Andrew, do you feel that this time has come?) :-)

:) ... Christos, I have no role with the XForms WG other than being a (hopefully constructive) thorn in their side. :)

To be fair to the WG they are bound by W3C process as well as various practical concerns. The approach of finishing XForms 1.0 before looking in detail at what comes next is sensible both for organisational and practical reasons.

There were indications a long time ago that the XForms WG had digital signatures on their future agenda. I don't have a URL at hand but it was mentioned / hinted at somewhere in the XForms material at w3.org.

To make sure that it is formally there for the Requirements process for XForms 2.0 then I suggest you send an email to www-forms-editor@w3.org making the case for digital signatures. If you send a contribution there then W3C process implies that the WG must address it. They can disagree with it and decide not to do it but they must consider it and respond. In reality, I think they already are well aware that digital signatures are needed for some workflows.

Andrew Watt

Received on Friday, 10 October 2003 04:24:14 UTC