Using Authenticated Clickwrap signatures
Added by IBM on October 10, 2012 | Version 1 (Original)
Authenticated Clickwrap enables users to securely sign a form without relying on an extended PKI infrastructure.
In normal use, the user signs the form by entering an ID and secret, such as a password. When the form is sent to the server, the server retrieves the user's secret from a database and uses that secret to verify the signature. Furthermore, the server can notarize the Authenticated Clickwrap by signing it with a digital certificate, thereby creating a secondary digital signature. This secondary signature shows that the server has confirmed the identity of the signer, and ensures that the original signature can be trusted over time.
Authenticated Clickwrap signatures use all of the parameters that Clickwrap signatures support. However, in practice you will probably use only question1Text through question5Text and some additional parameters that are unique to Authenticated Clickwrap.
To create a signature button that uses the Authenticated Clickwrap engine, set the following parameters in the signformat option:
- MIME type — The MIME type that is used to store the signature information. You should always use application/vnd.xfdl.
- engine — The name of the signing engine to use. In this case, HMAC-ClickWrap.
- delete — Optional. This flag sets whether the user can delete the signature. By default, users can delete all signatures. If you want to prevent a signature from being deleted, set this to off.
In addition to these parameters and the parameters used by Clickwrap signatures, Authenticated Clickwrap signatures also use the following parameters:
- HMACSigner — Indicates which answers identify the signer. The answer is always written as answern. For example, if question1Text asked the user's name, then answer1 would identify the signer. Note that this parameter is mandatory.
- HMACSecret — Indicates which answers contain the secret. The answer is always written as answern. For example, if question2Text asked for the user's secret, then answer2 would contain the secret. Note that this parameter is mandatory.
- readonly — Indicates which answers are read-only. This is useful if you have prepopulated the form, and want to ensure certain answers cannot be changed. The answer is always written as answern. For example, if you wanted to make the first answer read-only, then you would use answer1.
Note: The HMACSigner and the HMACSecret cannot point to the same answer. Furthermore, if you list more than one answer, you must separate the answers with a comma. Be sure not to add any additional white space, such as a space. For example, "answer1,answer2" is correct.
For example, the following code shows a signature button that will request the user's ID and password:
question1Text="Enter your ID:";
question2Text="Enter your password:";
- If the form is opened in Webform Server, then signing an Authenticated Clickwrap signature requires the use of the Webform Server plugin/ActiveX control. The plugin/ActiveX control is automatically downloaded to the browser when it is needed.
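The parameter rules above (mandatory HMACSigner and HMACSecret, the answern form, comma-separated lists without white space, and no answer shared between signer and secret) can be checked before a form is deployed. The following Python check is an added example, not IBM code. It assumes that the signformat value is the MIME type followed by semicolon-separated name="value" pairs, as in the fragment above, and its function names and sample values are constructed for illustration.

```python
import re

ANSWER = re.compile(r"answer[1-9]\d*")   # the "answern" form, e.g. answer1
PAIR = re.compile(r'(\w+)="([^"]*)"')     # name="value" pairs, as in question1Text="..."

def parse_signformat(value):
    """Split 'mime;name="value";...' into (mime, {name: value}). Layout is assumed."""
    mime, _, rest = value.partition(";")
    return mime.strip(), dict(PAIR.findall(rest))

def answer_list(params, name, problems, required):
    """Check one comma-separated answer list; return the answers it names."""
    raw = params.get(name)
    if raw is None:
        if required:
            problems.append(f"{name} is mandatory")
        return set()
    for item in raw.split(","):
        if not ANSWER.fullmatch(item):   # also rejects ' answer2' (white space)
            problems.append(f"{name}: {item!r} is not a bare answerN entry")
    return {item.strip() for item in raw.split(",")}

def lint_signformat(value):
    """Return a list of rule violations; an empty list means the value passes."""
    mime, params = parse_signformat(value)
    problems = []
    if mime != "application/vnd.xfdl":
        problems.append(f"MIME type is {mime!r}, expected application/vnd.xfdl")
    if params.get("engine") != "HMAC-ClickWrap":
        problems.append("engine must be HMAC-ClickWrap")
    signer = answer_list(params, "HMACSigner", problems, required=True)
    secret = answer_list(params, "HMACSecret", problems, required=True)
    # Assumption: readonly takes the same comma-separated list form.
    answer_list(params, "readonly", problems, required=False)
    for shared in sorted(signer & secret):
        problems.append(f"{shared} is listed in both HMACSigner and HMACSecret")
    return problems

# Constructed sample values (not taken from a real form).
GOOD = ('application/vnd.xfdl;engine="HMAC-ClickWrap";'
        'HMACSigner="answer1";HMACSecret="answer2";'
        'question1Text="Enter your ID:";question2Text="Enter your password:";')
BAD = GOOD.replace('HMACSigner="answer1"', 'HMACSigner="answer1, answer2"')

if __name__ == "__main__":
    for label, value in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_signformat(value) or "ok")
```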