Microsoft in standards battle with W3C man

Microsoft and working group members of the World Wide Web Consortium (W3C) are at loggerheads over competing standards for electronic forms which help automate business processes.

On Tuesday, Microsoft released InfoPath, its new XML-based application in Office 2003 allowing users to organise and share data.

But the security of its signatures has been called into question on a W3C discussion forum.

The W3C recently released the specification for XForms 1.0, which allows the creation of interactive forms to help automate the exchange of corporate data.

It is being backed by IBM and Sun Microsystems as a more open approach for heterogeneous environments that rely on interoperability.

Dr John Boyer, a research scientist at e-forms specialist PureEdge Solutions, and co-author of the XML DSig standard and the XForms 1.0 recommendation, said that businesses cannot rely on InfoPath signatures for security.

He claimed that, in under five minutes, PureEdge managed to change a signed InfoPath form from an 'Employment Applicant Rating' form to a 'Prisoner Registration' form.

"The InfoPath signature remained valid, but the signer was proving a rating of a job applicant, not agreeing to go to prison," said Dr Boyer, warning that this problem could lead to disputes between businesses and a signer.

"Although the InfoPath signature is constructed to follow the grammar of the WC3 recommendation for XML digital signatures, it does not follow the intent of the standard as given in section 8.1.2 of the recommendation," he explained.

Neil Laver, group product marketing manager at Microsoft, said: "We support the W3C standard in terms of knowing that XML code has not been tampered with."

But, he added, there is currently no way of proving whether an InfoPath signature has not been tampered with in a court of law.

"We will [be able to] in time," he added. "We constantly review security but it is a trade off. If we completely lock the signature down, there is no room for modification."

Laver explained that InfoPath is "more of a workflow application. It makes form creation easy as data can be collected from CRM and ERP systems and sales and marketing databases. We are not making the claim that it is legally binding."

Choosing InfoPath for a mixed environment, however, may not be the best choice, according to analysts.

Martin Langham, practice leader for enterprise content management and collaboration at Bloor Research, said: "InfoPath is further on than XForms, but businesses with a mixed environment could have a problem as some interface solution would be necessary if not using Word."

Laver added: "InfoPath is for the Windows platform. On the desktop, less than one per cent is a mixed environment."