Infopath Signature Validity Over a Number of Years
-
15. dubna 2012 16:57
I have designed a number of InfoPath Web Forms that will be deployed as a Site Content Type in SharePoint 2010.
These will be used in a number of Libraries accross the Site Collection that hosts the Content Type.
Our Users require that these forms be signed, so I have designed the forms with Signable sections. All of this works very well.
The signatures, once applied need to remain valid, essentially "forever", since the user has signed the document and the electronic signature is taking the place of a hardcopy signature, which wouldn't ever expire.
From what I can see, whenever Infopath displays the form it verifies that signatures applied to it are valid when the form is being viewed.
What is the best approach to create/link to a repository of signatures that can be queried against, essentially forever?
Would such a repository enable specifying that signatures are valid for documents signed between a start and an end date - e.g. the signature is valid for any Document Signed between January 1 and December 31st 2012. Using that signature, a document is signed July 1st, 2012. If they document were viewed on January 1, 2016 then the signatures on it should still be verified as valid, since the signature was applied when that signature was valid.
Also - can a signature be revoked effective a certain date, but remain effective for any document that were signed before that date?
Any insight that others can provide would be greatly appreciated!
Thank you in advance,
Stephen.
Všechny reakce
-
16. dubna 2012 10:02Moderátor
Hi ,
I understand that you want to signature last longer or a time stamp which can prove that the signature is valid when signed .You can use XAdES(XML Advanced Electronic Signatures) with office 2010 .XAdES is a set of tiered extensions to XML-DSig, the levels of which build upon the previous to provide more and more reliable digital signatures. After configure Time stamping digital signatures (XAdES-T signatures) you can just create signatures like you normally would. A timestamp from a trusted timestamp server extends the life of your signature, because even after the certificate expires, the timestamp proves that the certificate had not expired at the time of signing.
For more information about XML-DSig ,please refer to this site:
Digital Signatures in Office 2010: http://blogs.technet.com/b/office2010/archive/2009/12/08/digital-signitures-in-office-2010.aspx
ThanksEntan Ming
TechNet Community Support
-
16. dubna 2012 19:06
Entan,
Thank you for your reply - this has got me pointed in the right direction.
If I understand correctly, InfoPath Browser Web forms will native support AXdES-T signatures (or AXdES-X-L signatures too), so requirement is for our users to have a Signature based on this stardard, then install the certificate for each signature on our SharePoint server.
Do I have this right?
I am going to investigate the best place to procure such signatures. Do you have any pointers?
Thank you,
Stephen.
-
17. dubna 2012 1:44Moderátor
Hi ,
The ability with Office 2010 to add a time stamp to a digital signature allows for helping to extend the lifespan of a digital signature. You don’t need to buy that kind of signature .To use the time stamp functionality with digital signatures, you must complete the following:
- Set up a time stamp server that is compliant with RFC 3161
- Use the Group Policy setting, Specify server name, to enter the location of the time stamp server on the network.
You can also configure additional time stamp parameters by configuring one or more of the following Group Policy settings:
- Configure time stamping hashing algorithm
- Set timestamp server timeout
For more information ,please refer to this site:
Plan digital signature settings for Office 2010: http://technet.microsoft.com/en-us/library/cc545900.aspx
ThanksEntan Ming
TechNet Community Support
-
17. dubna 2012 2:09
I understand how that solution would work within a corporate network where all computers are on the same domain a subject to the same group policy.
We also have remote users who need to sign infopath web forms strictly through the browser. We setup domain accounts for these users, but their computers are not members of our domain, and we have no control over the domain their computer belongs to - since these people work for another company.
We can issue them certificates through our domain, for what they do in our SharePoint enviroment.
If we expose the time stamp server to the internet, would that work for Web forms that they sign if they use the certificate we issue to them?
Thanks again!
-
2. května 2012 18:11
We are still struggling to determine if it is any way feasible to have long term signatures with Infopath Web Forms in SharePoint 2010.
Has anyone been able to come up with a solution/workaround to this issue of Expiring certificates used for signing Web Forms? I would be so grateful for some help. The proposed solutions I have seen only apply to Filler forms.
Here are the options we have considered and the issue/limitation:
1. Use AXdES-T signatures > Not supported in Web Forms, only in Filler forms.
2. Disable the feature that checks if Certificates have expired > Can't find a way to disable it.
3. Live with Expired certificates > Infopath does not display the User that signed form unless you open the certificate.
4. Create a certificate that is valid "forever" > Right now this seems to be the only option
At this point in time I would have to advise anyone who is looking at signatures in Web Forms to proceed with extreme caution as this limitation may not present itself until it is too late.
Help!!
.png)
