
   Re: [xml-dev] InfoPath Digital Signature controversy?


In a message dated 29/10/2003 03:24:31 GMT Standard Time, mc@xegesis.org writes:

I came across this article in Robin Cover's xml.org newswire ...
http://www.vnunet.com/News/1145784 with the somewhat inflammatory
subtitle "World Wide Web Consortium says InfoPath signatures cannot be
trusted." A little searching identified what looks like the primary
source:
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2003OctDec/0010.html
(hardly an official pronouncement of the W3C!) The gist seems to be:

   "Since InfoPath signs the data only, it is extremely easy to add
things to the user interface after the user has signed, like fine print
obligating the user to terms and conditions to which the signer did not
originally agree"

The article implies that XForms is somehow more secure or friendly to 
DSig than InfoPath, but the posting and followups make clear that 
XForms has no DSig story.

Thoughts, or context on all this, anyone?


Mike,

Apologies for being miles behind in my email.

The context is that I raised a question on the security or otherwise of XForms. John Boyer gave a long response which included a very positive view on (his own?) XFDL. At the same time, as I recall, he acknowledged that XForms was lacking digital signatures in XForms 1.0.

I had pointed out that InfoPath has several security features including a form of digital signature that XForms 1.0 lacks. It seems from one of the follow-ups to your post that that was interpreted as stating that InfoPath's security is vastly superior to XForms' security. I don't think I said that in those terms but haven't gone back to check.

There is a line of thinking (from the legal profession, in part) that the presentation form (that word again) of a form must be captured as well as the XML (instance) data. That seems to me to be philosophically different from the separation of presentation of data in XForms and, to a slightly lesser extent, in InfoPath.

I understood John Boyer to indicate that neither XForms nor InfoPath would meet those requirements for legal documents which he seemed to view positively. I don't find the failure of either XForms or InfoPath to solve this legal situation problematic since neither technology aims, as far as I am aware, to address such scenarios.

Nobody in authority at W3C has jumped into this have they?


John Boyer who is on the XForms WG commented.

Andrew Watt

This was cross-posted all over the place and I didn't follow the other
threads ... anything interesting come out in them?
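
The concern quoted in this thread, that a signature over the instance data alone does not bind what the signer was shown, can be illustrated as follows. This is an added example, not part of the original message and not InfoPath, XForms or XFDL code; an HMAC stands in for an XML signature, and the key, form data and presentation strings are all constructed.

```python
import hashlib
import hmac

KEY = b"demo-signing-key"  # constructed key; HMAC is a stand-in for a real XML signature


def sign_data_only(instance: bytes) -> bytes:
    """Signature input is the instance data and nothing else."""
    return hmac.new(KEY, instance, hashlib.sha256).digest()


def verify_data_only(instance: bytes, presentation: bytes, sig: bytes) -> bool:
    # The presentation shown to the verifier plays no part in the check.
    return hmac.compare_digest(sign_data_only(instance), sig)


def _bound_payload(instance: bytes, presentation: bytes) -> bytes:
    # Fixed-length digests of each part keep the boundary between them unambiguous.
    return hashlib.sha256(instance).digest() + hashlib.sha256(presentation).digest()


def sign_with_presentation(instance: bytes, presentation: bytes) -> bytes:
    """Signature input covers the data and the presentation the signer saw."""
    return hmac.new(KEY, _bound_payload(instance, presentation), hashlib.sha256).digest()


def verify_with_presentation(instance: bytes, presentation: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_with_presentation(instance, presentation), sig)


# Constructed sample form: instance data plus the view rendered at signing time.
INSTANCE = b"<order><item>widget</item><qty>2</qty></order>"
VIEW_SIGNED = b"<form><label>Item</label><label>Quantity</label></form>"
# Same view with fine print added after signing.
VIEW_ALTERED = VIEW_SIGNED.replace(b"</form>", b"<small>Additional terms apply.</small></form>")


def demo() -> dict:
    sig_data = sign_data_only(INSTANCE)
    sig_bound = sign_with_presentation(INSTANCE, VIEW_SIGNED)
    return {
        "data_only/original_view": verify_data_only(INSTANCE, VIEW_SIGNED, sig_data),
        "data_only/altered_view": verify_data_only(INSTANCE, VIEW_ALTERED, sig_data),
        "bound/original_view": verify_with_presentation(INSTANCE, VIEW_SIGNED, sig_bound),
        "bound/altered_view": verify_with_presentation(INSTANCE, VIEW_ALTERED, sig_bound),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verifies' if ok else 'rejected'}")
```

The data-only signature still verifies against the altered view, while the signature that also covers a digest of the presentation is rejected.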
