Fog Creek Software
Discussion Board




XML Digital Signatures & InfoPath beta

I'm looking for information on digitally signing XML docs, using XML DSIG.  Google is surprisingly sparse... anyone done anything like this on a .NET platform?  I'm looking for a .NET version of http://www.alphaworks.ibm.com/tech/xmlsecuritysuite

I'm looking into the possibility of using InfoPath to manage our forms, then using XML DSIG to sign them...  Anyone done anything like this?  Can you point me in the right direction?  Thanks!

nathan
Wednesday, August 27, 2003

You will find a complete implementation of XML Digital Signatures ( http://www.w3.org/TR/xmldsig-core/ ) is included in the .NET platform. You can find it at System.Security.Cryptography.Xml , with help and examples in the MSDN docs.

However, if you want to integrate more fully with a PKI infrastructure, you will find there is some interaction with CAPICOM involved (for validating X509Certificates etc.).

All CAPICOM info is included in the Platform SDK, and there are examples that will get you up to speed quickly.

It has been hinted by MS that more PKI goodies will be available in Whidbey, but we will have to wait another six weeks before we find out.

I have no experience with InfoPath.

Just me (Sir to you)
Wednesday, August 27, 2003

You may also want to look at the WS-Security initiative by Microsoft, IBM and I believe Sun.

MS offers much of the WS-Security spec as managed classes for .NET.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/wssecurspecindex.asp

Mark Hoffman
Wednesday, August 27, 2003

As far as I have looked into the WSE 2 preview the current implementation of XMLDigSig in there is very specialized to signing a SOAP message and not as complete as the one in System.Security.Cryptography.Xml.
Microsoft.Web.Services.Security.X509 is interesting but just as System.Security.Cryptography.X509Certificates will not get you to do full managed PKI interaction.
A fully managed free alternative I have seen is the Mentalis security library http://www.mentalis.org/soft/projects/seclib/ , but I have no experience using it myself.

Just me (Sir to you)
Wednesday, August 27, 2003

InfoPath can sign documents. I haven't used it to sign anything myself, but you can look around and ask questions on the microsoft.public.infopath newsgroup. Note that InfoPath is for users interacting with forms, you can't automate it.

A cross-platform tool is xmlsec, see http://www.aleksey.com/xmlsec . Probably more complex than the .NET framework.

mb
Wednesday, August 27, 2003

If you want, you can get details on how to use InfoPath signed documents in .Net: look in the above newsgroup ( http://communities.microsoft.com/newsgroups/default.asp?ICP=Prod_officebeta&sGroupURL=microsoft.public.infopath&sLCID=us ), message from July 30. It has details on how to use .Net to verify signatures.

WildTiger
Wednesday, August 27, 2003

How is InfoPath, anyway?  Worth looking into?  Or is it in NDA land?

Jim Rankin
Wednesday, August 27, 2003

WildTiger,

I did not get a chance to look at that code, but from the description of it I think I can see what they would do. The catch with both described methods is that the signature will be checked, but the Certificate will not be checked. It will be trusted without verification.
It is the part of Certificate verification that needs one to go to CAPICOM or CryptoAPI for now, or use some non-ms managed certificate classes.
Whether you need to check the certificate is of course dependent on your use cases/threat models, so it could not apply in Nathan's case. If it does not apply I would advise Nathan to just go with System.Security.Cryptography.Xml , which in that case will serve all his needs.

Just me (Sir to you)
Thursday, August 28, 2003
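
The distinction drawn in the post above, between checking the signature and checking the certificate, shown as an added example that is not code from the thread or from the newsgroup message it mentions. It assumes a later runtime than the thread's (.NET Framework 4.7.2 or newer, or modern .NET with the System.Security.Cryptography.Xml package), where `SignedXml.CheckSignature(X509Certificate2, bool)` and `CertificateRequest` exist; the certificate and form data are constructed for the demo. The first two checks only prove the document matches the key, while the third also builds a certificate chain and is expected to fail for this untrusted self-signed certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

class SignatureVersusCertificateCheck
{
    // Load the <Signature> element of a signed document into a fresh SignedXml.
    static SignedXml Load(XmlDocument doc)
    {
        var sx = new SignedXml(doc);
        sx.LoadXml((XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0]);
        return sx;
    }

    static void Main()
    {
        // Constructed signer: a throwaway self-signed certificate that no trust store knows.
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=Constructed Test Signer", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

            // Constructed form data.
            var doc = new XmlDocument { PreserveWhitespace = true };
            doc.LoadXml("<po><item>widget</item><qty>3</qty></po>");

            // Enveloped signature over the whole document, certificate embedded in KeyInfo.
            var signer = new SignedXml(doc) { SigningKey = rsa };
            var reference = new Reference("");
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            signer.AddReference(reference);
            signer.KeyInfo = new KeyInfo();
            signer.KeyInfo.AddClause(new KeyInfoX509Data(cert));
            signer.ComputeSignature();
            doc.DocumentElement.AppendChild(doc.ImportNode(signer.GetXml(), true));

            // 1. Key taken from the document's own KeyInfo: integrity only.
            Console.WriteLine("embedded key:      " + Load(doc).CheckSignature());
            // 2. Named certificate, signature only: the certificate itself is not validated.
            Console.WriteLine("signature only:    " + Load(doc).CheckSignature(cert, true));
            // 3. Signature plus chain building against the machine's trust store.
            Console.WriteLine("signature + chain: " + Load(doc).CheckSignature(cert, false));
        }
    }
}
```

In a real verifier the certificate passed to `CheckSignature` would come from the document's KeyInfo or from a store of expected signers, and the chain policy (revocation mode, trusted roots) would be set to match the deployment's PKI.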

infopath seems to be pretty cool.  it's almost like a cross between the forms designer component in VS and filling out a PDF form in Acrobat.  i haven't had a chance to mess around with the routing and approval. 

we're trying to fit this into our online purchasing system - looking for a nice way to enter PO's & such online.

the thing i found out yesterday was that each person viewing forms created in InfoPath needs to have a special viewer (unless they have InfoPath)... I think this is fairly expensive ... >$100.  that could be a deal-breaker.

nathan
Thursday, August 28, 2003

To fill out an InfoPath form, you need InfoPath.
To just view the results, well, it's XML, so you can use any viewer tool. Even leverage the views created in InfoPath (which use XSL and HTML).

mb
Thursday, August 28, 2003
