Hi, this is Gergely Kota, a developer on the InfoPath team. Digitally signing data when filling out a form makes the data tamper-proof, authenticates its signer, and is a key component of trusting form data. In this post, I’d like to share the improvements that have been made to digital signature support in InfoPath 2010. InfoPath 2010 allows you to make more secure signatures with improved cryptographic algorithms and makes long-term storage of signed forms more robust by supporting 3rd-party time stamping. This post describes these improvements and shows you how to strengthen any signature created in InfoPath 2010 Filler. For a primer on digital signatures, read an Introduction to Digital Signatures in InfoPath.
Note - Data signing should not be confused with code/template signing, which remains unchanged.
Digital signatures are only as secure as the cryptographic algorithms they use to ensure signed data hasn't been tampered with. InfoPath 2007 and 2003 support RSA or DSA for signing and SHA1 for hashing. Though a combination of RSA and SHA1 is considered secure for now, algorithms become exposed to attack over time and are eventually rendered obsolete. If either the signing or hashing algorithm is cracked or compromised, the integrity of the signature can no longer be verified. InfoPath 2010 enables you to address these concerns by supporting newer, more secure, ECC signing and SHA-2 family of hashing algorithms.
When creating a signature, a user may sign with one of potentially many certificates installed on their machine. The signature algorithm is determined by the chosen digital certificate. To determine the algorithm:
By default, InfoPath 2010 hashes signature data using SHA1. This is done to maintain backwards compatibility with InfoPath 2007 and InfoPath 2003. InfoPath 2010 also supports the SHA2 family of hashing algorithms. If backwards compatibility is not a concern, an administrator can set the hashing algorithm in the registry.
The following table shows which versions of InfoPath are able to sign and/or verify signatures with the given combinations of signing and hashing algorithms:
Certificates guarantee the identity of the signer, but expire after a while. This is to reduce the time attackers have to deduce an associated private key (which would allow them to impersonate a signer) and to limit the shelf-life of a compromised certificate. Certificates may also be revoked if they are taken out of commission before their expiration date. If the certificate used to create a signature is now expired or revoked, we should be cautious of whether the signed data is valid or not unless we can verify that the data was signed while the certificate was still valid. This poses an impending problem because all certificates expire (often in a year!), and we would require a trusted timestamp to confirm when the signature was created. Without such a trusted timestamp, InfoPath will show the signature as invalid, with the reason in the Signature Details dialog:
This can be especially problematic, for example, for a printed copy of the form which would show an invalid signature, and there would be no way to verify why. InfoPath 2010 adds support for XML Advanced Electronic Signature (XAdES), which allows for adding a trusted timestamp that can be used to resolve when the signature was added relative to the signing certificate's expiration and/or revocation time (see a detailed discussion of XAdES in Microsoft Office for details and level options). If such a timestamp exists and confirms that the signature was made when the signing certificate was valid, InfoPath can safely conclude that the signature is entirely valid:
InfoPath 2010 Forms Services signs forms using RSA and SHA1, and is able to verify any signature created in the InfoPath 2010 client. XAdES is a client-only feature.
By leveraging the security improvements and time-stamping support described in this post, you are increasing the strength and longevity of your signatures. Happy signing!
Gergely, InfoPath dev
Take a look at this Knowledge Base article:
Description of the Office Forms Server 2007 hotfix package (ifswfe-x-none.msp): December 14, 2010
This is the equivalent fix to the one you mentioned but this is for the server.
So, if the client signs a browser-enabled form using Internet Explorer, the timestamp is not trusted? Why?
If XAdES is client side, then why does Internet Explorer not implement this?
I do not understand. What will happen to all the forms already signed? The signatures cannot be trusted and will fail to pass an audit?
Can you advise me in what I should do now with over 500 signed forms that have a fuzzy timestamp?
Check out support.microsoft.com/.../t
The timestamp is not trusted because the consumer of the signature has no guarantee about where that value came from. The untrusted timestamp is taken from the signing machine's system clock which can be set by the signer at will.
The client in this case is the InfoPath client application (infopath.exe). The implementation of all the XAdES timestamping exists in the Office client applications only (and thus not in IE - also it requires configuration that a browser-based form user is unlikely to be able to do correctly). The XAdES information is added to the signed information that InfoPath would place there anyways (follow 'XAdES in Microsoft Office' link in the blog post for more info on format and config). The goal is to get a trusted timestamp of what was signed from a 3rd-party time-stamping service, thus we can later verify that the signature was created while the signing cert was valid.
When a signing cert is expired, the InfoPath client will check the additional XAdES information to verify that it's fine to consider the signature valid anyways. Forms that are signed without XAdES information will eventually fail to validate due to the signing certificate's expiration. There are patches released for both the server and client to override this behavior.
"There are patches released for both the server and client to override this behavior. "
I could find a patch for InfoPath Form Services 2010..
Do you have links?
I could NOT find a patch for InfoPath Form Services 2010..
I have a form in 2007 that has digital signature and it works fine form infopath 2007 to infopath 2007; however, when people try to open this form with infopath 2010, it crashes. Can you advise what is the fix for this issue? Thank you,
On your machines with Office/InfoPath 2010, have you applied Service Pack 1 for Office 2010? The reason I ask is that there was an issue with the original released version where InfoPath 2010 would crash. This was resolved with a fix that was part of Service Pack 1.
I have a somewhat odd issue: when opening an Infopath document on a computer with Office 2010, a user is not able to sign the document because the "Sign" button is greyed out. We utilize Infopath as a template for a Form Library on SharePoint 2007. This error occurs even when opening Infopath 2007 documents, but only on computers with Office 2010; a computer on Office 2007 can still open, sign, and save Infopath documents. Even creating a new Infopath document with Infopath Designer on a 2010 computer, without even using SharePoint, we are still unable to sign the document.
After not being able to sign the document (either on your own computer or
from the SharePoint) and selecting "Cancel", Infopath freezes up, displays
"Not Responding" and forces you to close the program without saving. If you
click "See additional information about what you are signing...", Infopath
also freezes up, Infopath freezes up, displays "Not Responding" and forces
you to close the program without saving. Selecting "Change..." and
selecting a different certificate gives the same result.
Is there a patch, work around, or fix action that will allow users with Office 2010 to digitally sign Infopath documents? Is it a security issue or a software issue with Office 2010?
I can provide a screenshot if necessary.
This was an issue that was corrected with Service Pack 1 (SP1) for Office/InfoPath 2010. Please install that update and you should be good.
I've been doing this for years using a program called PDFpen, which also lets you add text to documents. For example, you can use it to fill out scanned PDF forms. With PDFpen, you can even modify text that's already there (but not scanned text).
Can forms with digital signatures be submitted to a CRM database using the web services submit option?
How do you enforce data validation when using an electronic signature? I don't want the user to be able to sign the form if certain fields aren't filled in. Right now a pop up box just comes up saying there are validation errors - and it lets you override the message and still sign.
Assuming your area to be signed is a "section" then you can simply wrap that section within another section and then add conditional formatting to this new section that insures it is hidden until your other field has been completed.
We have recently made some minor changes to one of our InfoPath templates that uses Digital Signatures and upgraded the Forms library in SharePoint that already had a number of forms there. We now get the following warning "This form is digitally signed, but was created with an older version of the form template. This form will be upgraded to work with the new template, but this may remove its signatures. Do you want to view the signatures before upgrading?" whenever we try to open one of the existing forms (i.e. ones that existed prior to the template upgrade). If we proceed it invalidates the signatures stored in these existing forms. Can anyone suggest a solution?