Chapter 14, Security, Control, and Digital Signatures
XFA Specification
Signed Forms
412
Template Provides Instructions on Signature Operation
The
signData
property specifies a signature-related operation, which may be used to produce a
signature (
sign
), verify an existing signature (
verify
), or clear an existing signature (
clear
). If the
operation is to produce a signature, the
signData
property specifies how the digital signature should be
produced, including the signature handler, the signature destination, and the signature manifest (what
part of the XFA document is being signed). If the operation is to verify or clear an existing signature, only
the location of the signature (as the
ref
property) need be provided. The signature being cleared or
verified is self-describing.
Signature filter: Handler, algorithms, and certificates to use to produce a signature
The
signData filter
property specifies the signature handler and certificates for use in producing the
signature. It also specifies a list of potential reasons a document is being signed.
The architecture specified by
[XMLDSIG-CORE]
allows for different signatures to use different signature
algorithms. XFA processors support at least the RSA-SHA1 and DSA-SHA1 methods. The method used is
recorded in the digital signature so that the signature can be processed by generic software.
A digital certificate allows a document’s recipient to know whether or not a specific public key really
belongs to a specific individual. Digital certificates bind a person (or entity) to a public key. Certificate
authorities (CA) issue these certificates and recipients must trust the CA who issued the certificate. X.509 is
the widely accepted certificate standard that Adobe uses.
Most of the properties in
filter
include a
type
subproperty. This property indicates whether the XFA
processing application is restricted to using the indicated item or selecting from the indicated items. The
following example requires the XFA processing application to use the signature method
"
Adobe.PPKList
" and to restrict the signing certificates to one of the seed values provided. These
settings limit the individuals who can use this signature to the department head and the supervisor.
Example 14.2 Signature instructions that restrict who can sign
<event>
<signData operation="sign" …>
<manifest … />
<filter>
<handler type="required">Adobe.PPKList</handler>
<certificates url="">
<signing type="required">
<!-- Department heads certificate -->
<certificate>MIB4jCCAUugAwkdE13 … </certificate>
<!-- Supervisors certificate -->
<certificate>MIB4jCCAUugAwkdE13 … </certificate>
</signing>
</certificates>
</filter>
</signData>
</event>
Manifest: Data and other content digested by the signature handler
The
signData manifest
property provides a list of SOM expressions that specify which parts of the
form should be reflected in the digital signature. If the manifest is non-empty, the signature handler uses
the referenced items in its production of the XML digital signature. The SOM expressions may reference
Home Index Bookmark Pages
Pages: Home Index All Pages