Preventing exploitable overlaps of signed elements
Added by IBM on October 10, 2012 | Version 1 (Original)
Since the guiding principle of signatures is that "you sign what you see", a scenario in which visual items are hidden or significantly overlapped cannot be allowed. If the signer cannot see elements of the form, then the signature cannot be considered valid.
Unlike paper documents, digital documents also offer the potential for visual elements to overlap. For example, it is possible to create a block of text in a document, and to then obscure or hide that text with a second, overlapping block of text. In this scenario, even if the first block of text was secured with a signature, it would be possible to move the second block of text after the document was signed. This would change the meaning of the document by revealing information that was previously hidden.
When a document is signed, the XFDL processor must ensure that none of the signed visual elements are overlapping with unsigned visual elements. If an overlap is detected, the software must either warn the user or prevent the signature from being created. Furthermore, if an existing signature is found to include elements that are overlapping with unsigned elements, the document has been altered and the software must warn the user.
However, this test must allow for certain tolerances. Most of the visual elements in an XFDL document are surrounded by a small border of unused space which can be allowed to overlap without obscuring the item itself. For example, two labels might overlap slightly without the text in either label being obscured. In fact, this sort of overlap is often necessary when reproducing tightly spaced paper forms. Thus, an overlap of two pixels should be allowed for each item.
This test may also ignore signed elements that overlap each other, since the layout tests discussed earlier prevent signed elements from being moved. Furthermore, this test must also make exceptions for box items. Boxes are often used to visually create sections in a document, and will overlap other visual elements as a result. This overlap is allowed in the following cases:
- A signed box can overlap with any unsigned item, with the exception of other boxes.
- A signed box can overlap with an unsigned box if the unsigned box appears on top of the signed box (that is, if the unsigned box comes after the signed box in the XFDL serialization, such that it is drawn after the signed box). This allows the desired behavior of signing a large box but allowing unsigned items (including boxes) to appear on top of part of the signed box, and it disallows the unsigned box from later being moved in the XFDL serialization such that it disappears. Note that an unsigned box can be added after signing and allowed to overlap a signed box that was previously unobscured, but the other overlap rules prevent this from happening if the unsigned box overlaps other signed items in the signed box. To protect empty spaces in signed boxes from being obscured by unsigned boxes, the form author should place empty signed transparent labels in the spaces.
Overlap is not allowed in the following cases:
- A signed item overlapping an unsigned container pane or table item.
- A signed item overlapping an unsigned surrounding box item.
The XFDL processor should perform this overlap test at the following times:
- Immediately after a signature is created, it should test the entire document. This ensures that the process of generating the signature did not create overlaps.
- Whenever a page of the document is viewed, it should test that page.
- Whenever an item is computationally added, deleted, or moved, it should test the appropriate page.
- Whenever the details of a signature are viewed, it should test all portions of the document signed by that signature.
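As an added illustration (not part of the XFDL specification or of IBM's processor), the following Python sketch applies the overlap rules above to a constructed set of items: each item is shrunk by the two-pixel tolerance before testing intersection, signed/signed pairs are ignored, and the box exceptions are decided by serialization order. The item names, the `kind` strings, the pixel geometry and the reading of the tolerance as two pixels per item edge are assumptions.

```python
from dataclasses import dataclass
TOLERANCE = 2  # pixels of border each item may overlap without obscuring content (assumed per edge)


@dataclass(frozen=True)
class Item:
    sid: str        # constructed identifier
    kind: str       # 'box', 'label', 'field', 'pane', 'table', ... (assumed names)
    x: int; y: int; w: int; h: int   # pixel rectangle (assumed geometry)
    signed: bool
    order: int      # position in the XFDL serialization, i.e. draw order


def obscures(a: Item, b: Item, tol: int = TOLERANCE) -> bool:
    """True if a and b still intersect after each is shrunk by tol on every side."""
    ax1, ay1, ax2, ay2 = a.x + tol, a.y + tol, a.x + a.w - tol, a.y + a.h - tol
    bx1, by1, bx2, by2 = b.x + tol, b.y + tol, b.x + b.w - tol, b.y + b.h - tol
    return ax1 < bx2 and bx1 < ax2 and ay1 < by2 and by1 < ay2


def overlap_allowed(signed: Item, unsigned: Item) -> bool:
    """Box exceptions: a signed box may be covered by anything except a box drawn beneath it."""
    if signed.kind != "box":
        return False          # any other signed item must stay unobscured
    if unsigned.kind != "box":
        return True           # unsigned non-box items may sit on top of a signed box
    return unsigned.order > signed.order   # unsigned box later in the serialization is drawn on top


def find_violations(items: list[Item]) -> list[tuple[str, str]]:
    """Return (signed_id, unsigned_id) pairs whose overlap means the document was altered."""
    bad = []
    for s in items:
        if not s.signed: continue
        for u in items:
            if u.signed: continue   # signed/signed overlaps are covered by the layout tests
            if obscures(s, u) and not overlap_allowed(s, u):
                bad.append((s.sid, u.sid))
    return bad


def sample_form() -> list[Item]:
    """Constructed sample: a hidden-text alteration, a box slid underneath, and allowed overlaps."""
    return [
        Item("box_under", "box", 250, 0, 100, 100, False, 0),   # unsigned box drawn beneath box1
        Item("box1", "box", 0, 0, 300, 200, True, 1),            # signed section box
        Item("field1", "field", 10, 10, 100, 20, False, 2),      # unsigned field inside box1: allowed
        Item("lbl_secret", "label", 10, 50, 120, 20, True, 3),   # signed text
        Item("lbl_cover", "label", 10, 50, 120, 20, False, 4),   # unsigned label hiding it: violation
        Item("box_top", "box", 200, 100, 150, 150, False, 5),    # unsigned box on top of box1: allowed
        Item("lbl_a", "label", 10, 100, 100, 20, True, 6),
        Item("lbl_b", "label", 107, 100, 100, 20, False, 7),     # 3 px into lbl_a: within tolerance
    ]
```

Running `find_violations(sample_form())` reports only the covered label and the box drawn beneath the signed box; the tolerated 3-pixel label overlap and the unsigned items drawn on top of the signed box pass.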