Applying XML Signatures to XForms-based Documents

Event details

Date:
Coordinated Universal Time
Location:
Boston, USA
Speakers:
John Boyer
http://2006.xmlconference.org/programme/presentations/100.html

The W3C XForms Recommendation provides a standard markup language for documents that let users create content in the XML data structures that drive business-oriented web applications. The XForms architecture provides an open platform for expressing the core processing model and view of XML data while delegating presentation to the host language best suited to application-specific requirements. This architecture presents an interesting security challenge for digital signatures, which must protect not only data but also its presentation. The W3C XML Signatures Recommendation provides a standardized markup language for expressing digital signatures in XML that secure both XML and binary resources. The usage patterns and features of this language are designed to support the full range of security requirements, so it is important for all features of XML Signatures to be available to XForms-based document authors.

Prior researchers have presented an integration of XML Signatures and XForms in which the XForms processor generated an enveloping signature containing the XML data and references to all external resources used to present the data. The solution is good at creating a single signature that follows the XML Signatures maxim "What you see is what you sign." However, because the signature is validated only on the server, the non-repudiable nature of the signatures is not well preserved when later users view the signed information. In essence, the system does not adhere to the corollary of the above maxim: "What you validate is what you see." On the client side, core validation must not only occur, but it must be augmented to ensure that the signed resources are the ones being used to present the document.

One challenging aspect of this unification stems from the design of XForms, in which XML instance data is separated from the document and processed independently. Since the signatures must be added to the data, the XML signature processing model uses the separated data, not the XForms document containing the data, as the resolution of same-document references. This paper includes an answer to this problem, which enables document-centric XForms host languages to consume the signature solution. Client-side validation flushes out another issue: multiple-signer scenarios. In these cases, the XForms author needs the flexibility to author the references and transforms of the XML signature, which is not possible if the XForms processor generates the references and transforms. Finally, there should be strong encapsulation that separates the XForms processor, the host language processor and the user agent. The prior solution described above assumed that the XForms processor has access to the resources at all of these levels. Instead, due to the XForms design principle of host language independence, the containing document and user agent must be allowed to participate in the sign and validate operations initiated by the XForms processor.

This paper presents an architectural framework that fully unifies XForms and XML signatures while allowing for host language independence. Moreover, the form author is given control over the type of signature, what it signs, and how it selects the signed content.
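The "What you validate is what you see" check described above can be sketched as follows. This is an added example, not code from the talk or from any XForms processor: it compares the digests in a signature's `Reference` elements with the resources a viewer's user agent actually loaded. It assumes SHA-256 digests and no transforms, leaves out verification of the signature value over `SignedInfo`, and uses hypothetical resource names and constructed sample data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"


def digest_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signed_info(resources: dict) -> str:
    """Constructed sample: a ds:SignedInfo with one Reference per resource."""
    refs = "".join(
        f'<Reference URI="{uri}"><DigestMethod Algorithm="{SHA256}"/>'
        f"<DigestValue>{digest_b64(body)}</DigestValue></Reference>"
        for uri, body in resources.items()
    )
    return f'<SignedInfo xmlns="{DS}">{refs}</SignedInfo>'


def check_presentation(signed_info_xml: str, used: dict) -> dict:
    """Compare signed References with the resources the user agent rendered with."""
    ns = {"ds": DS}
    signed = {}
    for ref in ET.fromstring(signed_info_xml).findall("ds:Reference", ns):
        alg = ref.find("ds:DigestMethod", ns).get("Algorithm")
        if alg != SHA256:
            raise ValueError(f"unsupported digest algorithm: {alg}")
        signed[ref.get("URI")] = ref.find("ds:DigestValue", ns).text.strip()
    return {
        # Signed and loaded, but the loaded bytes differ from what was signed.
        "digest_mismatch": sorted(u for u in signed if u in used and digest_b64(used[u]) != signed[u]),
        # Covered by the signature but never used to present the document.
        "signed_not_loaded": sorted(u for u in signed if u not in used),
        # Used to present the document but not covered by the signature.
        "loaded_not_signed": sorted(u for u in used if u not in signed),
    }


# Constructed sample resources (hypothetical names), as seen at signing time.
AT_SIGNING = {"form.xhtml": b"<html>form markup</html>", "style.css": b".amount { color: black }"}
SIGNED_INFO = build_signed_info(AT_SIGNING)
# What a later viewer's user agent loaded: a changed stylesheet plus an extra script.
AT_VIEWING = dict(AT_SIGNING, **{"style.css": b".amount { color: red }", "extra.js": b"/* unsigned */"})

if __name__ == "__main__":
    print(check_presentation(SIGNED_INFO, AT_SIGNING))
    print(check_presentation(SIGNED_INFO, AT_VIEWING))
```

A validator that reports any non-empty list here should treat the document as not validated for presentation, even if the signature value itself verifies.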