Administrator
|
On 6/14/07, dev <[hidden email]> wrote:
> Hey, > I am pretty sure anyone following this thread would have read this > already, but I am sending it just for the sake of completeness : > > http://2006.xmlconference.org/proceedings/100/frame.htm > > is an essential reference for implementing XML Signatures inside XForms. Yes, this is very interesting. Thank you for the link! I didn't know about this presentation. It makes a lot of sense. Signing is then very similar to a submission, with: * A <xforms:signature> in the model that defines what to sign and how to do the signature (similar to <xforms:submission>). * A <xforms:sign> action to trigger a signature to performed (similar to <xforms:send>). The pending action is <xforms:validate> to validate a signature. * And with the signature stored in a separate instance. Alex -- Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise http://www.orbeon.com/ -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
Administrator
|
In reply to this post by dev.bits
On 6/15/07, dev <[hidden email]> wrote:
> 1. We need the XML Instance (after the user fills in his info). This > will be made available by orbeon forms. This shouldn't be too much of an issue. For now, you can just assume that you have the instance to sign available as a string in a JavaScript variable. > 3. Now the signature created by that should be converted into an XML > Signature. Note that this can be done by the server. The browser can send just send the signature as a string to the server. Then in Java on the server we can build the signature and store it in an instance. > I was thinking ( :O !! ) , that if a web service is written that consumes the > XML Instance and spits out the XML Instance with enveloped signature as > well as another service which verifies the enveloped signature then > integrating XML Signatures within Orbeon would just consist of noticing > the presence of XML Signature Namespace. (We will ignore filters etc. for now). Or the server will just send to the client the XML instance in a canonical form. So the client doesn't have to worry about it. Alex -- Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise http://www.orbeon.com/ -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
In reply to this post by Alessandro Vernet
Hey,
Why should the signature be stored in a separate instance? IMHO, an enveloped signature is better off. In the usual analogy, you sign the paper itself not take some photo of the paper and sign that . (wish I could think of a rather better analogy, !) Regards, devdatta On 6/15/07, Alessandro Vernet <[hidden email]> wrote: > On 6/14/07, dev <[hidden email]> wrote: > > Hey, > > I am pretty sure anyone following this thread would have read this > > already, but I am sending it just for the sake of completeness : > > > > http://2006.xmlconference.org/proceedings/100/frame.htm > > > > is an essential reference for implementing XML Signatures inside XForms. > > Yes, this is very interesting. Thank you for the link! I didn't know > about this presentation. It makes a lot of sense. Signing is then very > similar to a submission, with: > > * A <xforms:signature> in the model that defines what to sign and how > to do the signature (similar to <xforms:submission>). > * A <xforms:sign> action to trigger a signature to performed (similar > to <xforms:send>). The pending action is <xforms:validate> to validate > a signature. > * And with the signature stored in a separate instance. > > Alex > -- > Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise > http://www.orbeon.com/ > > > > -- > You receive this message as a subscriber of the [hidden email] mailing list. > To unsubscribe: mailto:[hidden email] > For general help: mailto:[hidden email]?subject=help > ObjectWeb mailing lists service home page: http://www.objectweb.org/wws > > -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
In reply to this post by Alessandro Vernet
Hey,
1. Signature Verification , I believe should be a web service (basically, should be easily accessible by a wide range of clients etc.). The reasons are obvious: Anyone should be able to verify the document ... especially since the document doesn't consist of anything that should be hidden (except the form instance data ofcourse) and if someone changes the data , the signature will invalidate. 2. Ofcourse, everything will be done by the server only. The reason I was pressing on web services is that XForms can "access web services to populate itself" according to many docs available online. I believed that If I write the services, your jobs would be lessened very much and integrating this into Orbeon would become much easier. Ofcourse, I could write a simple servlet that does what we want (which is infact already there in the links I sent.) Again the canonicalization was included in the service to ease the integration into orbeon , thats all. If you believe it is much easier to include the code into orbeon, then so be it! :D In my previous mail, you could change the words Web Service to Java Servlet , it doesn't make much of a difference. :) Regards, dev -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
Hey,
Alex, don't mind my asking .... but should I be expecting an actual implementation , any time soon? Regards, dev -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
Hey,
Is there any way of accessing the XML Instance from inside the XForms? I was thinking that maybe something like this could be used to do everything in one go : <xf:load resource="javascript:crypto.signText(XMLInstance)" /> Thus the signing could happen in the same form. Ofcourse, I don't know whether I can access the XML Instance .... Another thing, if the signing is made a webservice , then maybe the XForms field can be populated by the webservice (as allowed by XForms). Thus once again everything can be done in a single form page. The canonicalization of XML can maybe be done by Javascript itself. I don't know whether it can be done though. Any comments? Regards, dev -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
Administrator
|
In reply to this post by dev.bits
dev wrote:
> Hey, > Alex, don't mind my asking .... but should I be expecting an actual > implementation , any time soon? This would be a great thing to have in Orbeon Forms, but it is currently not on our short-term roadmap. So I would say that this will likely be implemented as soon as we have a project that requires it, or as soon as somebody sponsors it. -Erik -- Orbeon Forms - Web Forms for the Enterprise Done the Right Way http://www.orbeon.com/ -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
Hey,
> So I would say that this will likely be implemented as soon as we have a > project that requires it, or as soon as somebody sponsors it. heh, ok! By the way , this is a issue which you will also face when and if you implement this ... lets say you have <?xml version="1.0" encoding="UTF-8"?> <MyData xmlns:xf="http://www.w3.org/2002/xforms" xmlns:ev="http://www.w3.org/2001/xml-events"> <Data1>One</Data1> <Data2>Two</Data2> <Data3>Three</Data3> </MyData> as XML Instance Now how should you sign it? Should you remove the new lines or not ? (we were talking about the canonicalization ). you were saying , we will remove the new lines first and I agreed. But lets say , you did remove the new lines then it becomes one loooong horizontal line. The firefox UI does not automatically word wrap it ... so the user has to scroll the long horizontal line , which is unacceptable. What do you suggest we should do? Regards, devdatta -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
Administrator
|
In reply to this post by dev.bits
On 6/15/07, dev <[hidden email]> wrote:
> Why should the signature be stored in a separate instance? IMHO, an > enveloped signature is better off. In the usual analogy, you sign the > paper itself not take some photo of the paper and sign that . (wish I > could think of a rather better analogy, !) Since both are possible with XML Signature, I guess some people will want enveloping signatures while other will want detached signatures. Ideally both should be supported :). Alex -- Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise http://www.orbeon.com/ -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
Administrator
|
In reply to this post by dev.bits
On 6/18/07, dev <[hidden email]> wrote:
> By the way , this is a issue which you will also face when and if you > implement this ... > lets say you have > > <?xml version="1.0" encoding="UTF-8"?> > <MyData xmlns:xf="http://www.w3.org/2002/xforms" > xmlns:ev="http://www.w3.org/2001/xml-events"> > <Data1>One</Data1> > <Data2>Two</Data2> > <Data3>Three</Data3> > </MyData> > > as XML Instance > Now how should you sign it? Should you remove the new lines or not ? > (we were talking about the canonicalization ). I'm not sure you will want to show the XML that is being signed to end-users anyway. Alex -- Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise http://www.orbeon.com/ -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
Hey,
Well there you don't have a choice ... the browser will insist on showing the user what he is signing .. .you can't escape that . And I think that makes sense ... Regards, dev -- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws |
In reply to this post by Alessandro Vernet
Alessandro,
Has there been any progress/development of xml signatures within Orbeon? Thank you.
|
In reply to this post by Erik Bruchez
Hi Erik,
I have similar requirement where I wont to apply digital signature to the form we build with Orbeon. I found this thread in forum but its quite old. I am not able to find any suitable answer. So, If you can guide that currently this feature is available with Orbeon or not ? If yes, can you pls provide me a link for how to integrate ? If No, do we have any plan when this be available ? Awaiting your quick help. Thank you, Hardik |
Administrator
|
Hi Hardik,
We have just implemented a new component to capture hand written signatures, which will be included in 4.11 PE. Is this something that could be helpful and your scenario? If not, what exactly would you be looking for? Alex
--
Follow Orbeon on Twitter: @orbeon Follow me on Twitter: @avernet |
Free forum by Nabble | Edit this page |