Preventing layout changes
Added by IBM on October 10, 2012 | Version 1 (Original)
Once a document is signed, it is also implicit that the layout of that document should be secure. For example, if it were possible to move a paragraph, or even a line, the meaning of the document could be changed.
To reflect this, any software processing XFDL must maintain the position of signed visual elements. This means that both the position and the size of the visual elements must be secured. If a visual element can change size, then it could be enlarged to obscure another visible element and thereby change the meaning of the document. Clearly, this must be prevented.
Thus, when a document is signed, the width, height, and position of all visible signed elements must be recorded. XFDL provides the layoutinfo option as a place to store this information within a given signature element. Furthermore, the layoutinfo option itself should be signed as part of the signature, ensuring that it cannot be changed.
The layout can later be tested by re-calculating the position of all signed elements and comparing this to the information stored in the layoutinfo option for that signature. If the information does not match, then the document has been modified and cannot be trusted.
The software processing the XFDL should perform this layout test at the following times:
- Immediately after a signature is created, it should test the entire document. This ensures that the process of generating the signature did not change the information.
- Whenever a page of the document is viewed, it should test the signed contents of that page.
- Whenever an item is computationally added, deleted, or moved, it should test the appropriate page.
- Whenever the details of a signature are viewed, it should test all portions of the document signed by that signature.
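
The comparison step of this layout test, sketched as an added example (not IBM's code and not taken from any XFDL processor). The `Box` record, the element names, and the dictionary form of the recorded layout are assumptions made for illustration; they are not the actual encoding of the layoutinfo option.

```python
from typing import NamedTuple, Optional

class Box(NamedTuple):
    """Geometry of one signed visual element (hypothetical record)."""
    page: str
    x: int
    y: int
    width: int
    height: int

def check_layout(recorded: dict, current: dict, page: Optional[str] = None) -> list:
    """Compare the geometry recorded at signing time with freshly
    recomputed geometry. Returns (element, problem) pairs; an empty
    list means the layout matches. `page` limits the test to one page."""
    findings = []
    for ref, old in sorted(recorded.items()):
        if page is not None and old.page != page:
            continue
        new = current.get(ref)
        if new is None:
            findings.append((ref, "missing"))
            continue
        if (new.page, new.x, new.y) != (old.page, old.x, old.y):
            findings.append((ref, "moved"))
        if (new.width, new.height) != (old.width, old.height):
            findings.append((ref, "resized"))
    return findings

# Constructed sample: geometry recorded for one signature at signing time.
RECORDED = {
    "PAGE1.PAYEE_LABEL": Box("PAGE1", 10, 10, 120, 20),
    "PAGE1.AMOUNT_FIELD": Box("PAGE1", 10, 40, 120, 20),
    "PAGE2.TERMS_LABEL": Box("PAGE2", 10, 10, 300, 80),
}
# Constructed sample: geometry recomputed later from a modified form.
# PAYEE_LABEL has been enlarged so that it covers AMOUNT_FIELD, and
# TERMS_LABEL has been shifted down the page.
RECOMPUTED = {
    "PAGE1.PAYEE_LABEL": Box("PAGE1", 10, 10, 120, 60),
    "PAGE1.AMOUNT_FIELD": Box("PAGE1", 10, 40, 120, 20),
    "PAGE2.TERMS_LABEL": Box("PAGE2", 10, 200, 300, 80),
}

if __name__ == "__main__":
    print("whole signature:", check_layout(RECORDED, RECOMPUTED))
    print("PAGE1 only:", check_layout(RECORDED, RECOMPUTED, page="PAGE1"))
```

Calling `check_layout` without `page` corresponds to testing everything a signature covers; passing `page` corresponds to the per-page test run when a page is viewed or an item on it is added, deleted, or moved.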