[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: InfoPath Digital Signature controversy?


infopath signature
Earlier this year, the U.S. Federal CIO Council conducted an "E-Forms
for E-Gov" pilot in which I participated (PureEdge did as well). One of
the points that was brought out in Section 6.7 (Archival Records Domain)
of the final report [1] was the importance of binding together
presentation, content, and context:

<Quote>
Briefly, the National Archives and Records Administration (NARA)
guidlines require that the "presentation", "content", and "context" must
be bound together in such a way that they can be demonstrated to belong
to the same transaction. This may mean physically combining these into a
single physical file, or ensuring that they are bound together through
some other trusted means, such as electronic hashes and signatures. In
addition, any signature must be applied to this combination of
presentation, content, and context, and the authentication process must
ensure integrity.

For most government applications, E-Forms solutions must be designed and
selected with these core archival requirements in mind.
</Quote>

Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton

[1] http://www.fenestra.com/eforms/deliverables/final_report.htm

Mark Seaborne wrote:
> 
> The context is an ongoing discussion of some of the problems of electronic forms signing and security. I think that John Boyer has actually been pretty even handed in criticising both XForms and InfoPath for their inadequacies, as well as giving a very readable account of just how complex an area this is. John's remarks about InfoPath were prompted by the suggestion that InfoPath is vastly superior to XForms because it already supports DSig. John was merely pointing out the limitations of that support, whilst certainly not denying that it is still more than is offered by XForms.
> 
> I suppose the news story was prompted by the fact that both InfoPath and XForms are reasonably newsworthy at the moment, John's example is rather colourful, and there was scope for dressing the whole thing up as high drama and conflict between two well known and much loved organisations.
> 
> All the best
> 
> Mark
> 
> The information in this email is sent in confidence for the addressee only and may be legally privileged.  Unauthorised recipients must preserve this confidentiality and should please advise the sender immediately of the error in transmission.  If you are not the intended recipient, any disclosure, copying, distribution or any action taken in reliance on its content is prohibited and may be unlawful.
> 
> Origo Services Ltd accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or the contents.
> 
> > -----Original Message-----
> > From: Michael Champion [mailto:mc@x...]
> > Sent: 29 October 2003 03:23
> > To: xml-dev@l...
> > Subject:  InfoPath Digital Signature controversy?
> >
> >
> > I came across this article in Robin Cover's xml.org newswire ...
> > http://www.vnunet.com/News/1145784   with the somewhat inflamatory
> > subtitle "World Wide Web Consortium says InfoPath signatures
> > cannot be
> > trusted."  A little searching identified what looks like the primary
> > source:
> > http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2003OctDec/
> > 0010.html  (hardly an official pronouncement of the W3C!)  The gist
> > seems to be:
> >
> >      "Since InfoPath signs the data only, it is extremely
> > easy to add
> > things to the user interface after the user has signed, like
> > fine print
> > obligating the user to terms and conditions to which the
> > signer did not
> > originally agree "
> >
> > The article implies that XForms is somehow more secure or
> > friendly to
> > DSig than InfoPath, but the posting and followups make clear that
> > XForms has no DSig story.
> >
> > Thoughts, or context on all this, anyone?   Nobody in
> > authority at W3C
> > has jumped into this have they?  This was cross-posted all over the
> > place and I didn't follow the other threads ... anything interesting
> > come out in them?
> >
> >
> > -----------------------------------------------------------------
> > The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> > initiative of OASIS <http://www.oasis-open.org>
> >
> > The list archives are at http://lists.xml.org/archives/xml-dev/
> >
> > To subscribe or unsubscribe from this list use the subscription
> > manager: <http://lists.xml.org/ob/adm.pl>
> >
> >
> 
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> 
> The list archives are at http://lists.xml.org/archives/xml-dev/
> 
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
begin:vcard 
n:Chiusano;Joseph
tel;work:(703) 902-6923
x-mozilla-html:FALSE
url:www.bah.com
org:Booz | Allen | Hamilton;IT Digital Strategies Team
adr:;;8283 Greensboro Drive;McLean;VA;22012;
version:2.1
email;internet:chiusano_joseph@b...
title:Senior Consultant
fn:Joseph M. Chiusano
end:vcard

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.