Re: XForms and XML Signatures : How to get the presentation layer?

If you sign only the instance data, then you are not achieving the 
principle of "What you see is what you sign" codified in the XML Signature 
recommendation.

Application developers are responsible for ensuring that the XML that they 
sign allows faithful reproduction of the full context of a transaction, 
not just the underlying data.

There will be lots of terms and conditions in an insurance contract, for 
example, that will not necessarily be expressed as instance data, and 
in particular not in the same instance as the parameters of the policy, e.g. 
life/auto, policy size, deductible choices, etc.  Moreover, even if you 
did put "terms and conditions" in instances and your signature protected 
multiple instances, it still would not be enough since you must protect 
not only the data of the terms and conditions but how they were presented.
For example, you do not want a technology that allows the "terms and 
conditions" to be displayed with a font color equal to the background 
color during the signing event, and with a different color afterward.  Or 
to be placed in negative pixel space, or to have the font size changed, 
etc.

For this reason, XML signatures offer multiple Reference elements so that 
the signature can protect the presentation template as well as the data. 
It is up to the app author to control versioning of the presentation 
template, but this also is not hard to do.

John M. Boyer, Ph.D.
STSM: Lotus Forms Architect and Researcher
Chair, W3C Forms Working Group
Workplace, Portal and Collaboration Software
IBM Victoria Software Lab
E-Mail: boyerj@ca.ibm.com 

Blog: http://www.ibm.com/developerworks/blogs/page/JohnBoyer


duryodhan <duryodhan125@gmail.com>
Sent by: www-forms-request@w3.org
06/19/2007 02:56 AM

To: www-forms@w3.org
Subject: XForms and XML Signatures : How to get the presentation layer?

Hey,
 I am trying to implement an XForms with XML Signatures.

 First off, some basic questions:
   1. Should I sign the whole XHTML doc or just the XML Instance?
The whole XHTML doc seems like overkill to me.
   Should I sign: (from the XForms wikibook e.g. on Submit)
--------code ----------

<?xml version="1.0" encoding="UTF-8"?>
<MyData xmlns:xf="http://www.w3.org/2002/xforms"
        xmlns:ev="http://www.w3.org/2001/xml-events">
   <Data1>One</Data1>
   <Data2>Two</Data2>
   <Data3>Three</Data3>
</MyData>

--------------------------
or should I sign this :
--------------------code ---------------------------

<html
   xmlns="http://www.w3.org/1999/xhtml"
   xmlns:xf="http://www.w3.org/2002/xforms"
   xmlns:ev="http://www.w3.org/2001/xml-events">
   <head>
      <title>XForms Submit Example</title>
      <xf:model>
         <xf:instance xmlns="">
            <MyData>
               <Data1>One</Data1>
               <Data2>Two</Data2>
               <Data3>Three</Data3>
            </MyData>
         </xf:instance>
         <xf:submission id="save" method="post" action="form.php" ref="/"/>
      </xf:model>
   </head>
   <body>
      <xf:submit submission="save">
         <xf:label>Save</xf:label>
      </xf:submit>
   </body>
</html>

---------------------------------------------


I mean ... what should be signed exactly? If I sign only the instance
then there is still a huge vulnerability in the application, and it is
ugly to sign just the instance. See
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2003OctDec/0010.html

I am a noob, so most of this must be obvious to you all already ...
my apologies.

Now the crude solution that I am thinking of requires that the XML
to be signed be sent to the server first.

If I want to sign the presentation layer (XHTML here) + XML Instance,
how do I send it to the server? (I am using the Mozilla XForms
extension.)

Specifically, in the previous link, Dr. Boyer had said ...

Moreover, some implementations have added XML DSig as custom
extensions, but they are uniformly signing data only because it is
difficult or impossible to get access to the presentation layer.

That was 2003 ... is it easier now to get access to the presentation 
layer?

AFAIK, there is no easy way to do XML Signing on the client side, so
my crude solution is the only way I could think of.

Regards,
duryodhan

Received on Tuesday, 19 June 2007 19:55:39 UTC
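
The point in the reply above about multiple Reference elements, as an added example that is not part of the original message or of any XForms implementation: a signature that references only the instance data still verifies after the template's text colour is changed, while one that also references the template does not. Assumptions: the sample documents, the `#instance` and `#template` URIs and the HMAC key are constructed, the HMAC stands in for the signer's key pair, the standard library's C14N 2.0 is used for canonicalization, and the SignedInfo carries only its Reference elements.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
KEY = b"constructed-demo-key"  # assumption: HMAC key standing in for the signer's key

# Constructed sample inputs: instance data and the template that presents it.
INSTANCE = "<MyData><Data1>One</Data1><Data2>Two</Data2></MyData>"
TEMPLATE = ('<body xmlns="http://www.w3.org/1999/xhtml">'
            '<p style="color:black">Terms and conditions apply.</p></body>')

def digest(xml_text):
    """Base64 SHA-256 of the canonical XML (C14N 2.0 from the standard library)."""
    canon = ET.canonicalize(xml_text)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def signed_info(parts):
    """ds:SignedInfo holding one ds:Reference per protected part (URI -> XML text)."""
    si = ET.Element(f"{{{DS}}}SignedInfo")
    for uri, xml_text in parts.items():
        ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=uri)
        ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest(xml_text)
    return si

def mac_over(si):
    """HMAC-SHA256 over the canonicalized SignedInfo element."""
    canon = ET.canonicalize(ET.tostring(si, encoding="unicode"))
    return hmac.new(KEY, canon.encode(), hashlib.sha256).hexdigest()

def sign(parts):
    si = signed_info(parts)
    return si, mac_over(si)

def verify(si, mac, presented):
    """Check the MAC over SignedInfo, then every Reference against what is presented."""
    if not hmac.compare_digest(mac, mac_over(si)):
        return False
    for ref in si.findall(f"{{{DS}}}Reference"):
        part = presented.get(ref.get("URI"))
        if part is None or ref.find(f"{{{DS}}}DigestValue").text != digest(part):
            return False
    return True

if __name__ == "__main__":
    altered = TEMPLATE.replace("color:black", "color:white")  # same data, altered display
    shown = {"#instance": INSTANCE, "#template": altered}
    print("data-only signature verifies:", verify(*sign({"#instance": INSTANCE}), shown))
    print("data+template signature verifies:", verify(*sign({"#instance": INSTANCE, "#template": TEMPLATE}), shown))
```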