Re: [xml-dev] InfoPath Digital Signature controversy?
In a message dated 29/10/2003 03:24:31 GMT Standard Time, firstname.lastname@example.org writes:
I came across this article in Robin Cover's xml.org newswire ...
http://www.vnunet.com/News/1145784 with the somewhat inflammatory
subtitle "World Wide Web Consortium says InfoPath signatures cannot be
trusted." A little searching identified what looks like the primary
0010.html (hardly an official pronouncement of the W3C!) The gist
seems to be:
"Since InfoPath signs the data only, it is extremely easy to add
things to the user interface after the user has signed, like fine print
obligating the user to terms and conditions to which the signer did not
originally agree."
The article implies that XForms is somehow more secure or friendly to
DSig than InfoPath, but the posting and followups make clear that
XForms has no DSig story.
Thoughts, or context on all this, anyone?
Apologies for being miles behind in my email.
The context is that I raised a question on the security or otherwise of XForms. John Boyer gave a long response which included a very positive view on (his own?) XFDL. At the same time, as I recall, he acknowledged that XForms was lacking digital signatures in XForms 1.0.
I had pointed out that InfoPath has several security features including a form of digital signature that XForms 1.0 lacks. It seems from one of the follow-ups to your post that was interpreted as stating that InfoPath's security is vastly superior to XForms' security. I don't think I said that in those terms but haven't gone back to check.
There is a line of thinking (from the legal profession, in part) that the presentation form (that word again) of a form must be captured as well as the XML (instance) data. That seems to me to be philosophically different from the separation of presentation of data in XForms and, to a slightly lesser extent, in InfoPath.
I understood John Boyer to indicate that neither XForms nor InfoPath would meet those requirements for legal documents which he seemed to view positively. I don't find the failure of either XForms or InfoPath to solve this legal situation problematic since neither technology aims, as far as I am aware, to address such scenarios.
Nobody in authority at W3C
has jumped into this, have they?
John Boyer who is on the XForms WG commented.
This was cross-posted all over the
place and I didn't follow the other threads ... anything interesting
come out in them?