When creating signature filters, use the omit flag rather than the keep flag. Digital signatures with omit flags sign everything in the form except those elements that you specifically exclude.
Consistently using this practice prevents you from accidentally excluding items and options that should be signed. If you don't sign the proper form items and options, the form is vulnerable to malicious alteration. In turn, this may lead to forms that will not withstand scrutiny.
When setting filter options with the Designer, omit is the default flag. Accepting this default ensures that users sign everything except the items and options you specifically exclude.
If you rely on keep filters, you must specify each item and option the signature is to sign. This increases the risk that you will miss an item or option you intended to include in the signature. Also, using keep filters could subsequently allow someone to add to the form's contents without breaking the signature. This is prevented if you use omit filters.
Note: Filters which use the keep or omit flag include signitems, signoptions, signgroups, signdatagroups, signitemrefs, signoptionrefs, and signpagerefs.
Example
There are certain options that form designers must always omit in a form. If you create your forms using the Designer, it automatically creates the signoptions filter for you. These options are triggeritem and coordinates. Both of these options are normally updated after the form is signed. For example, triggeritem is set when you submit the form, even if you have already signed it.
The following code depicts an omit filter that excludes triggeritem and coordinates:
<signoptions>
   <filter>omit</filter>
   <optiontype>triggeritem</optiontype>
   <optiontype>coordinates</optiontype>
</signoptions>
This construction creates a filter that excludes a minimum of information from the signed form. In general, this is a good practice when creating filters.
Note: When omitting items from the signature, ensure that you secure their positioning information.
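The following Python sketch is an added example, not code from the product or its documentation. It uses a simplified model of signature coverage (a hash over the covered item/option/value triples, with a constructed sample form and a constructed keep filter) to show why the omit filter above detects relabelled or added content while tolerating the triggeritem update, and why a keep filter that lists only value does not.

```python
import hashlib
import json
import xml.etree.ElementTree as ET

# The omit filter shown on the page, and a constructed keep filter for contrast.
OMIT_FILTER = """<signoptions><filter>omit</filter>
<optiontype>triggeritem</optiontype><optiontype>coordinates</optiontype>
</signoptions>"""
KEEP_FILTER = """<signoptions><filter>keep</filter>
<optiontype>value</optiontype></signoptions>"""

def parse_filter(xml_text):
    """Return (flag, option types) from a signoptions element."""
    root = ET.fromstring(xml_text)
    flag = (root.findtext("filter") or "").strip()
    if flag not in ("keep", "omit"):
        raise ValueError(f"unknown filter flag: {flag!r}")
    return flag, {e.text.strip() for e in root.findall("optiontype")}

def covered(form, xml_text):
    """Sorted (item, option, value) triples the filter puts under the signature."""
    flag, types = parse_filter(xml_text)
    return sorted((item, opt, val)
                  for item, options in form.items()
                  for opt, val in options.items()
                  if (opt in types) == (flag == "keep"))

def digest(form, xml_text):
    """SHA-256 over the covered triples; a stand-in for the signed hash."""
    return hashlib.sha256(json.dumps(covered(form, xml_text)).encode()).hexdigest()

def signature_breaks(signed, current, xml_text):
    """True when the covered content differs from what was signed."""
    return digest(signed, xml_text) != digest(current, xml_text)

# Constructed sample form: item name -> {option type: value}.
SIGNED = {"global": {"triggeritem": ""},
          "amount": {"value": "100.00", "label": "Amount payable"}}
# Expected update after signing: submitting the form sets triggeritem.
SUBMITTED = {**SIGNED, "global": {"triggeritem": "submit_button"}}
# Changes made after signing: a relabelled field and an added item.
RELABELLED = {**SIGNED, "amount": {"value": "100.00", "label": "Amount refundable"}}
ADDED = {**SIGNED, "note": {"label": "Payee may amend the amount"}}

if __name__ == "__main__":
    for name, form in [("submitted", SUBMITTED), ("relabelled", RELABELLED), ("added", ADDED)]:
        print(name, "omit breaks:", signature_breaks(SIGNED, form, OMIT_FILTER),
              "keep breaks:", signature_breaks(SIGNED, form, KEEP_FILTER))
```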
Exceptions to this practice
An exception to this practice may occur when you are filtering multiple and overlapping signatures. You should generally use omit for the form’s primary signature, but you can use keep for a secondary signature if it signs only the primary signature.