- From: duryodhan <duryodhan125@gmail.com>
- Date: Tue, 19 Jun 2007 15:26:31 +0530
- To: www-forms@w3.org

Hey,

I am trying to implement an XForms with XML Signatures.

First off, some basic questions:

1. Should I sign the whole XHTML doc or just the XML Instance? The whole XHTML doc seems like an overkill to me.

Should I sign (from the XForms wikibook, e.g. on Submit):

--------code ----------
<?xml version="1.0" encoding="UTF-8"?>
<MyData xmlns:xf="http://www.w3.org/2002/xforms"
        xmlns:ev="http://www.w3.org/2001/xml-events">
   <Data1>One</Data1>
   <Data2>Two</Data2>
   <Data3>Three</Data3>
</MyData>
--------------------------

or should I sign this:

--------------------code ---------------------------
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xf="http://www.w3.org/2002/xforms"
      xmlns:ev="http://www.w3.org/2001/xml-events">
   <head>
      <title>XForms Submit Example</title>
      <xf:model>
         <xf:instance xmlns="">
            <MyData>
               <Data1>One</Data1>
               <Data2>Two</Data2>
               <Data3>Three</Data3>
            </MyData>
         </xf:instance>
         <xf:submission id="save" method="post" action="form.php" ref="/"/>
      </xf:model>
   </head>
   <body>
      <xf:submit submission="save">
         <xf:label>Save</xf:label>
      </xf:submit>
   </body>
</html>
---------------------------------------------

I mean ... what should be signed exactly? If I sign only the instance then there is still a huge vulnerability in the application, and it is ugly to sign just the instance. See http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2003OctDec/0010.html

I am a noob, so most of this must be obvious to you all already ... my apologies.

Now the crude solution that I am thinking of requires that the XML to be signed be sent to the server first. If I want to sign the presentation layer (XHTML here) + XML Instance, how do I send it to the server? (I am using the Mozilla XForms extension.)

Specifically, in the previous link, Dr. Boyer had said ...

"Moreover, some implementations have added XML DSig as custom extensions, but they are uniformly signing data only because it is difficult or impossible to get access to the presentation layer."

That was 2003 ... is it easier now to get access to the presentation layer?

AFAIK, there is no easy way to do XML Signing on the client side, so my crude solution is the only way I could think of.

Regards,
duryodhan

Received on Tuesday, 19 June 2007 09:56:39 UTC
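
An added illustration, not part of the original message: the two signing scopes the message asks about, compared by the digest each one would place under a signature, so that a change to the presentation layer can be checked against both. It assumes SHA-256 and Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0) as stand-ins for whatever digest and canonicalization an XML Signature profile would actually specify; the function names and the altered label are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

XF = "http://www.w3.org/2002/xforms"

# The form from the message, with the label text left as a parameter.
FORM = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xf="http://www.w3.org/2002/xforms"
      xmlns:ev="http://www.w3.org/2001/xml-events">
 <head>
  <title>XForms Submit Example</title>
  <xf:model>
   <xf:instance xmlns="">
    <MyData>
     <Data1>One</Data1>
     <Data2>Two</Data2>
     <Data3>Three</Data3>
    </MyData>
   </xf:instance>
   <xf:submission id="save" method="post" action="form.php" ref="/"/>
  </xf:model>
 </head>
 <body>
  <xf:submit submission="save">
   <xf:label>{label}</xf:label>
  </xf:submit>
 </body>
</html>"""

def c14n_digest(xml_text):
    # Canonicalize first so formatting differences do not affect the digest.
    canonical = ET.canonicalize(xml_text, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def instance_digest(form_text):
    # Scope 1: only the instance data (the child of xf:instance) is covered.
    root = ET.fromstring(form_text)
    data = root.find(f".//{{{XF}}}instance/*")
    return c14n_digest(ET.tostring(data, encoding="unicode"))

def detects_change(original, altered):
    # True where a signature over that scope would fail to verify.
    return {
        "instance_only": instance_digest(original) != instance_digest(altered),
        "whole_document": c14n_digest(original) != c14n_digest(altered),
    }

if __name__ == "__main__":
    print(detects_change(FORM.format(label="Save"),
                         FORM.format(label="Discard")))
```

A changed label leaves the instance-only digest untouched, which is the gap between signing the data and signing what the user was shown.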