XForms Digital Signing and XML Signature


Re: XForms Digital Signing and XML Signature

Alessandro Vernet
Administrator
On 6/14/07, dev <[hidden email]> wrote:
> Hey,
>  I am pretty sure anyone following this thread would have read this
> already, but I am sending it just for the sake of completeness :
>
> http://2006.xmlconference.org/proceedings/100/frame.htm
>
> is an essential reference for implementing XML Signatures inside XForms.

Yes, this is very interesting. Thank you for the link! I didn't know
about this presentation. It makes a lot of sense. Signing is then very
similar to a submission, with:

* A <xforms:signature> in the model that defines what to sign and how
to do the signature (similar to <xforms:submission>).
* A <xforms:sign> action to trigger a signature to be performed (similar
to <xforms:send>). The pending action is <xforms:validate> to validate
a signature.
* And with the signature stored in a separate instance.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws

Re: XForms Digital Signing and XML Signature

Alessandro Vernet
Administrator
In reply to this post by dev.bits
On 6/15/07, dev <[hidden email]> wrote:
> 1. We need the XML Instance (after the user fills in his info). This
> will be made available by orbeon forms.

This shouldn't be too much of an issue. For now, you can just assume
that you have the instance to sign available as a string in a
JavaScript variable.

> 3. Now the signature created by that should be converted into an XML
> Signature.

Note that this can be done by the server. The browser can just
send the signature as a string to the server. Then in Java on the
server we can build the signature and store it in an instance.

> I was thinking ( :O !! ) , that if a web service is written that consumes the
> XML Instance and spits out the XML Instance with enveloped signature as
> well as another service which verifies the enveloped signature then
> integrating XML Signatures within Orbeon would just consist of noticing
> the presence of XML Signature Namespace. (We will ignore filters etc. for now).

Or the server will just send to the client the XML instance in a
canonical form. So the client doesn't have to worry about it.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: XForms Digital Signing and XML Signature

dev.bits
In reply to this post by Alessandro Vernet
Hey,
 Why should the signature be stored in a separate instance? IMHO, an
enveloped signature is better off. In the usual analogy,  you sign the
paper itself not take some photo of the paper and sign that . (wish I
could think of  a rather better analogy, !)

Regards,
devdatta

On 6/15/07, Alessandro Vernet <[hidden email]> wrote:

> On 6/14/07, dev <[hidden email]> wrote:
> > Hey,
> >  I am pretty sure anyone following this thread would have read this
> > already, but I am sending it just for the sake of completeness :
> >
> > http://2006.xmlconference.org/proceedings/100/frame.htm
> >
> > is an essential reference for implementing XML Signatures inside XForms.
>
> Yes, this is very interesting. Thank you for the link! I didn't know
> about this presentation. It makes a lot of sense. Signing is then very
> similar to a submission, with:
>
> * A <xforms:signature> in the model that defines what to sign and how
> to do the signature (similar to <xforms:submission>).
> * A <xforms:sign> action to trigger a signature to be performed (similar
> to <xforms:send>). The pending action is <xforms:validate> to validate
> a signature.
> * And with the signature stored in a separate instance.
>
> Alex
> --
> Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
> http://www.orbeon.com/



Re: XForms Digital Signing and XML Signature

dev.bits
In reply to this post by Alessandro Vernet
Hey,

1. Signature Verification, I believe, should be a web service
(basically, should be easily accessible by a wide range of clients
etc.). The reasons are obvious: Anyone should be able to verify the
document ... especially since the document doesn't consist of anything
that should be hidden (except the form instance data of course) and if
someone changes the data, the signature will invalidate.

2. Of course, everything will be done by the server only. The reason I
was pressing on web services is that XForms can "access web services
to populate itself" according to many docs available online. I
believed that if I write the services, your jobs would be lessened
very much and integrating this into Orbeon would become much easier.
Of course, I could write a simple servlet that does what we want (which
is in fact already there in the links I sent.) Again the
canonicalization was included in the service to ease the integration
into Orbeon, that's all. If you believe it is much easier to include
the code into Orbeon, then so be it! :D

In my previous mail, you could change the words Web Service to Java
Servlet , it doesn't make much of a difference. :)

Regards,
dev




Re: XForms Digital Signing and XML Signature

dev.bits
Hey,
 Alex, don't mind my asking .... but should I be expecting an actual
implementation , any time soon?

Regards,
dev




Re: XForms Digital Signing and XML Signature

dev.bits
Hey,
 Is there any way of accessing the XML Instance from inside the XForms?

I was thinking that maybe something like this could be used to do
everything in one go :

<xf:load resource="javascript:crypto.signText(XMLInstance)" />

Thus the signing could happen in the same form. Of course, I don't know
whether I can access the XML Instance ....


Another thing, if the signing is made a webservice , then maybe the
XForms field can be populated by the webservice (as allowed by
XForms). Thus once again everything can be done in a single form page.
The canonicalization of XML can maybe be done by Javascript itself. I
don't know whether it can be done though.

Any comments?

Regards,
dev




Re: XForms Digital Signing and XML Signature

Erik Bruchez
Administrator
In reply to this post by dev.bits
dev wrote:
> Hey,
> Alex, don't mind my asking .... but should I be expecting an actual
> implementation , any time soon?

This would be a great thing to have in Orbeon Forms, but it is currently
not on our short-term roadmap.

So I would say that this will likely be implemented as soon as we have a
project that requires it, or as soon as somebody sponsors it.

-Erik

--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/




Re: XForms Digital Signing and XML Signature

dev.bits
Hey,

> So I would say that this will likely be implemented as soon as we have a
> project that requires it, or as soon as somebody sponsors it.

heh, ok!

By the way, this is an issue which you will also face when and if you
implement this ...
let's say you have

<?xml version="1.0" encoding="UTF-8"?>
<MyData xmlns:xf="http://www.w3.org/2002/xforms"
xmlns:ev="http://www.w3.org/2001/xml-events">
               <Data1>One</Data1>
               <Data2>Two</Data2>
               <Data3>Three</Data3>
            </MyData>

as XML Instance
Now how should you sign it? Should you remove the new lines or not ?
(we were talking about the canonicalization ).

You were saying we will remove the new lines first, and I agreed.
But let's say you did remove the new lines, then it becomes one
loooong horizontal line. The Firefox UI does not automatically word
wrap it ... so the user has to scroll the long horizontal line, which
is unacceptable.

What do you suggest we should do?

Regards,
devdatta




Re: XForms Digital Signing and XML Signature

Alessandro Vernet
Administrator
In reply to this post by dev.bits
On 6/15/07, dev <[hidden email]> wrote:
>  Why should the signature be stored in a separate instance? IMHO, an
> enveloped signature is better off. In the usual analogy,  you sign the
> paper itself not take some photo of the paper and sign that . (wish I
> could think of  a rather better analogy, !)

Since both are possible with XML Signature, I guess some people will
want enveloping signatures while others will want detached signatures.
Ideally both should be supported :).

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: XForms Digital Signing and XML Signature

Alessandro Vernet
Administrator
In reply to this post by dev.bits
On 6/18/07, dev <[hidden email]> wrote:

> By the way, this is an issue which you will also face when and if you
> implement this ...
> let's say you have
>
> <?xml version="1.0" encoding="UTF-8"?>
> <MyData xmlns:xf="http://www.w3.org/2002/xforms"
> xmlns:ev="http://www.w3.org/2001/xml-events">
>                <Data1>One</Data1>
>                <Data2>Two</Data2>
>                <Data3>Three</Data3>
>             </MyData>
>
> as XML Instance
> Now how should you sign it? Should you remove the new lines or not ?
> (we were talking about the canonicalization ).
I don't think canonicalization will remove the new lines. And anyway,
I'm not sure you will want to show the XML that is being signed to
end-users anyway.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/
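
The newline question raised in the two messages above can be checked directly. This is an added example, not part of the thread or of Orbeon's code: it uses Python's standard-library C14N 2.0 implementation (an assumption; the thread does not name a canonicalization method) on a constructed sample modelled on the quoted instance, with the unused namespace declarations left out.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed sample modelled on the instance quoted in the thread.
PRETTY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<MyData>\n'
    '    <Data1>One</Data1>\n'
    '    <Data2>Two</Data2>\n'
    '    <Data3>Three</Data3>\n'
    '</MyData>\n'
)
# Same document saved with Windows line endings.
CRLF = PRETTY.replace("\n", "\r\n")
# Same data with the whitespace between elements removed by hand.
ONE_LINE = (
    "<MyData><Data1>One</Data1><Data2>Two</Data2>"
    "<Data3>Three</Data3></MyData>"
)


def signed_bytes(xml_text, strip_text=False):
    """Bytes that would be digested: the canonical form, UTF-8 encoded."""
    return canonicalize(xml_data=xml_text, strip_text=strip_text).encode("utf-8")


def digest(xml_text, strip_text=False):
    """SHA-256 over the canonical form, as a signature's digest step would do."""
    return hashlib.sha256(signed_bytes(xml_text, strip_text)).hexdigest()


def report():
    """Compare the digests of the three serializations."""
    return {
        # Whitespace text nodes inside the root element are kept.
        "newlines_kept": b"\n    <Data2>" in signed_bytes(PRETTY),
        # Line endings are normalized on parsing, so CRLF vs LF is harmless.
        "crlf_same_digest": digest(PRETTY) == digest(CRLF),
        # Removing the newlines changes the signed content.
        "one_line_same_digest": digest(PRETTY) == digest(ONE_LINE),
        # Only an explicit, non-default option makes the two forms agree.
        "stripped_matches_one_line": digest(PRETTY, strip_text=True)
        == digest(ONE_LINE),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Signer and verifier therefore have to process byte-for-byte the same whitespace: a server that pretty-prints or collapses the instance between signing and verification invalidates the digest.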




Re: XForms Digital Signing and XML Signature

dev.bits
Hey,
Well there you don't have a choice ... the browser will insist on
showing the user what he is signing .. .you can't escape that . And I
think that makes sense ...

Regards,
dev




Re: XForms Digital Signing and XML Signature

bsteuhl
In reply to this post by Alessandro Vernet
Alessandro,

Has there been any progress/development of xml signatures within Orbeon?  Thank you.

Alessandro Vernet wrote
On 6/12/07, dev <dev.akhawe@gmail.com> wrote:
> crypto.signText seems to work fine in all non-IE browsers whereas in
> IE , you require some capicom libs etc. I am still looking into that ,
> although many articles around the web suggest it is possible in
> Javascript. See http://www.ddj.com/dept/security/184405885 for an e.g
> Alternatively search in Google Code search for crypto.signText
> [...]

Thank you for all this great info. I will make sure to get back to it
if we get to implement this one day.

> As a side note, firefox is "incredibly anal" about what it uses to
> sign than what it imports. i.e it allows you to import any cert, but
> while signing if the CA's root cert isn't there it won't sign the
> document and go down with the very informative "error:internalError".
> I busted my head on this for hours... :)

Yes, and it will be tricky to get this to work flawlessly on all
browsers, while keeping things simple for the end-users who sometimes
won't have a clue of what PKI is :).

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: XForms Digital Signing and XML Signature

hjadeja
In reply to this post by Erik Bruchez
Hi Erik,

I have a similar requirement where I want to apply a digital signature to the form we build with Orbeon.
I found this thread in the forum but it's quite old. I am not able to find any suitable answer.
So, If you can guide that currently this feature is available with Orbeon or not ?
If yes, can you pls provide me a link for how to integrate ?
If No, do we have any plan when this be available ?

Awaiting your quick help.

Thank you,

Hardik

Re: XForms Digital Signing and XML Signature

Alessandro  Vernet
Administrator
Hi Hardik,

We have just implemented a new component to capture handwritten signatures, which will be included in 4.11 PE. Is this something that could be helpful in your scenario? If not, what exactly would you be looking for?

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet