Microsoft in standards battle with W3C
Lisa Kelly Oct 24 2003
World Wide Web Consortium says InfoPath signatures cannot be trusted ..
.. Dr John Boyer, a research scientist at e-forms specialist PureEdge
Solutions, and co-author of the XML DSig standard and the XForms 1.0
recommendation, said that businesses cannot rely on InfoPath signatures
He claimed that, in under five minutes, PureEdge managed to change a
signed InfoPath form from an 'Employment Applicant Rating' form to a
'Prisoner Registration' form.
"The InfoPath signature remained valid, but the signer was proving a
rating of a job applicant, not agreeing to go to prison," said Dr Boyer,
warning that this problem could lead to disputes between businesses and
a signer ..
.. Neil Laver, group product marketing manager at Microsoft, said:
"Although the InfoPath signature is constructed to follow the grammar of
the WC3 recommendation for XML digital signatures, it does not follow
the intent of the standard as given in section 8.1.2 of the
recommendation," he explained.
"We support the W3C standard in terms of knowing that XML code has not
been tampered with."
But, he added, there is currently no way of proving whether an InfoPath
signature has not been tampered with in a court of law.
"We will [be able to] in time," he added. "We constantly review security
but it is a trade off. If we completely lock the signature down, there
is no room for modification."
--- unquote ---