About digital signatures
When designing a form, you can enable digital signatures so that users filling out your form can digitally sign it. This signature confirms that the form originated from the signer and has not been altered. In addition, the signature can contain a comment from the signer. After being signed, the values in the form cannot be modified without invalidating the signature.
When adding a digital signature, the user must use a digital certificate. Digital certificates, which you can obtain through commercial certification authorities or from your internal security administrator, establish the authenticity of the signature.
In addition to enabling digital signatures so that users can sign your form, you can digitally sign your form template, which authenticates you as the author of the form template in the same way that a digital signature on a form authenticates the user who filled out the form. By doing so, you can enable scenarios that require greater trust for the form. For example, form templates that have been distributed to users in an e-mail message can be updated more efficiently if they have been digitally signed.
Note: Digital signatures in Microsoft Office InfoPath 2003 make use of XML Signatures.
Digital signature options
When designing a form, you can enable digital signatures for the entire form or for specific parts of the form. If you enable digital signatures for part of the form, you must determine which data in the form should be signed. You can additionally associate that data with a section in the form. When users sign the form, the digital signature locks the data so that it cannot be changed, and stores the view with the digital signature.
In addition, you can specify whether to allow multiple digital signatures for a form, and whether those signatures should be co-signed (in which case each signature is independent of the other signatures) or counter-signed (in which case each signature signs the form, as well as the signatures that precede it).
Note: You cannot enable digital signatures for a form that was designed based on an XML Schema that does not have a digital signature namespace.
Digital certificates
When you digitally sign a form, InfoPath uses only those certificates that have a private key and a Digital Signature or Both value for the Key Usage attribute. In addition, the purpose of the certificate must be set as Client Authentication or Code Signing. (If you are using a certificate to digitally sign a form template, the certificate must be set as Code Signing.) These restrictions apply because InfoPath uses XML Signatures to digitally sign forms.
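The criteria above can be checked against the certificates installed for the current user. The following PowerShell script is an added example, not part of InfoPath or of the original topic; the function name Test-FormSigningCertificate is hypothetical. It assumes that a "Both" key usage includes the digital signature usage, and it reports a certificate that omits the Key Usage or Enhanced Key Usage extension as not meeting that criterion.

```powershell
# Added example: evaluate certificates in the current user's personal store
# against the criteria described above (private key, Digital Signature key
# usage, Client Authentication or Code Signing purpose).
# Assumption: a missing Key Usage / Enhanced Key Usage extension is treated
# as "criterion not met" (a strict reading of the text).

$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing

function Test-FormSigningCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Locate the two extensions that carry key usage and purpose.
        $ku  = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

        # Key Usage must include the DigitalSignature flag.
        $digSig = $false
        if ($ku) {
            $flag   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
            $digSig = ($ku.KeyUsages -band $flag) -eq $flag
        }

        # Collect the purpose OIDs listed in the certificate.
        $purposes = @()
        if ($eku) { $purposes = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $clientAuth  = $purposes -contains $ClientAuthOid
        $codeSigning = $purposes -contains $CodeSigningOid

        $base = $Certificate.HasPrivateKey -and $digSig
        [pscustomobject]@{
            Subject         = $Certificate.Subject
            Thumbprint      = $Certificate.Thumbprint
            HasPrivateKey   = $Certificate.HasPrivateKey
            DigitalSignature = $digSig
            CanSignForm     = $base -and ($clientAuth -or $codeSigning)
            CanSignTemplate = $base -and $codeSigning   # templates require Code Signing
        }
    }
}

Get-ChildItem Cert:\CurrentUser\My | Test-FormSigningCertificate | Format-Table -AutoSize
```

A certificate that shows False for CanSignForm fails at least one of the listed criteria; the HasPrivateKey and DigitalSignature columns show which of the first two.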
Note: Because a digital certificate you create is not issued by a formal certification authority, forms signed using a certificate you created are referred to as self-signed forms. These certificates are considered unauthenticated and will generate a security warning if the form's security level is set to High or Medium. InfoPath trusts self-signed certificates only on computers that have access to the private key for that certificate. In most cases, this means that InfoPath trusts self-signed certificates only on the computer that created the certificate, unless the private key is shared with other computers.
There are two types of certification authorities: commercial certification authorities and internal certification authorities.
Commercial certification authorities
If you are a developer and want to obtain a digital certificate from a commercial certification authority, such as VeriSign, Inc., you or your organization must submit an application to that authority.
To learn more about certification authorities that offer services for Microsoft products, see the Microsoft TechNet Security Web site.
Depending on your status as a developer, you should apply for a Class 2 or Class 3 digital certificate for software publishers:
- Class 2 digital certificate: A digital certificate designed for people who publish software as individuals. This class of digital certificate helps provide assurance about the identity of the individual publisher.
- Class 3 digital certificate: A digital certificate designed for companies and other organizations that publish software. This class of digital certificate helps provide greater assurance about the identity of the publishing organization. Class 3 digital certificates are designed to represent the level of assurance provided by retail channels for software. An applicant for a Class 3 digital certificate must also meet a minimum financial stability level based on ratings from Dun & Bradstreet Financial Services.
When you receive your digital certificate, you are given instructions on how to install it on the computer you use to sign your InfoPath forms.
Internal certification authorities
Note: The information in this topic may not apply if you are working with a form designed using Microsoft Office InfoPath 2003 without the service pack installed.