About signing forms
Added by IBM on October 10, 2012 | Version 1 (Original)
To properly implement support for digital signatures in an XFDL document, you should consider common use scenarios and overall security.
For example, signatures are often used to sign only a portion of a document. Furthermore, a secondary signature is often used to sign the rest of the document while also endorsing the first part of the document. The classic example of this is the “For Office Use Only” section in any form. The implementation of digital signatures in XFDL must support scenarios like this, allowing both for filtering of what is signed and for overlapping signatures.
Furthermore, while digital signatures clearly identify the user, the application of digital signatures must also add a measure of security to the document itself. That is, once a document is signed, it should be impossible to change any of the information that was signed. Thus, a number of algorithms and rules must be enforced by the XFDL processor in use.
Documents often require multiple signatures. Furthermore, it is common practice for some signatures to endorse other signatures. XFDL provides a signature filtering system to support multiple signatures in a single document.
Some signature filters refer to the elements to be omitted (or included) by their element tag names. These filters are signitems, signoptions and signoptionrefs. These options are lists whose members are compared to element tags. The comparison is namespace aware. For example, if <itemref>xfdl:field</itemref> is a member of the signitems filter, then the member will match any item-level element with the local name field and a namespace URI equal to the one bound to the prefix xfdl.
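The namespace-aware comparison described above, as an added example (not IBM's code and not part of the original page): a filter member is expanded to a namespace URI plus local name using the prefix bindings in scope where it appears, then compared with each item-level element, so an element with a different prefix bound to the same URI matches and a same-named element in another namespace does not. Assumptions: the namespace URIs, sids, the placement of signitems inside a signature item and the root > page > item layout in the sample are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample: namespace URIs, sids and element placement are illustrative.
SAMPLE = """<XFDL xmlns="urn:example:xfdl" xmlns:xfdl="urn:example:xfdl"
      xmlns:custom="urn:example:custom">
  <page sid="PAGE1">
    <field sid="NAME"/>
    <custom:field sid="LOOKALIKE"/>
    <f:field xmlns:f="urn:example:xfdl" sid="AMOUNT"/>
    <label sid="TITLE"/>
    <signature sid="SIG1">
      <signitems><itemref>xfdl:field</itemref></signitems>
    </signature>
  </page>
</XFDL>"""

def resolve(qname, scope):
    """Expand 'prefix:local' to '{uri}local' using the bindings in scope."""
    prefix, sep, local = (qname or "").strip().partition(":")
    if not sep or not scope.get(prefix):
        # Fail closed: an unresolvable member must not silently match nothing.
        raise ValueError("cannot resolve filter member %r" % qname)
    return "{%s}%s" % (scope[prefix][-1], local)

def signitems_matches(xml_text):
    """Return the sids of item-level elements matched by signitems members."""
    scope, declared, pending = {}, [], []   # prefix -> URI stack; per-element prefixes
    items, members = [], set()
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, data in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":              # arrives before the declaring element
            prefix, uri = data
            scope.setdefault(prefix, []).append(uri)
            pending.append(prefix)
        elif event == "start":
            declared.append(pending)
            pending = []
            if len(declared) == 3:           # assumed layout: root > page > item
                items.append((data.tag, data.get("sid")))
        else:                                # "end": text is complete, scope still open
            if data.tag.endswith("}itemref"):
                members.add(resolve(data.text, scope))
            for prefix in declared.pop():
                scope[prefix].pop()
    return [sid for tag, sid in items if tag in members]

if __name__ == "__main__":
    print(signitems_matches(SAMPLE))
```
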
Paper documents rely on ink to secure the document. That is, once a document is signed, it is difficult to change the document because it is difficult to erase ink from paper. The very nature of paper and ink enforces the security of the document, since attempts to change the document generally leave detectable traces.
Once a document is signed, it is also implicit that the layout of that document should be secure. For example, if it were possible to move a paragraph, or even a line, the meaning of the document could be changed.
Since the guiding principle of signatures is that "you sign what you see", a scenario in which visual items are hidden or significantly overlapped cannot be allowed. If the signer cannot see elements of the form, then the signature cannot be considered valid.