Microsoft added “digital signature” support in InfoPath 2010 to make more secure signatures with improved cryptographic algorithms and makes long-term storage of signed forms more robust by supporting 3rd-party time stamping. This post describes these improvements and shows you how to strengthen any signature created in InfoPath 2010 Filler:
- Signing with particular algorithm: When creating signature, user may sign with one of potentially many certificates installed on their machine. Signature algorithm is determined by chosen digital certificate. To determine algorithm: Begin signing process; Change your signing certificate; Highlight desired certificate and click View Certificate; Look at Public key field under Details tab.
- Administrator Settings: By default, InfoPath 2010 hashes signature data using SHA1. This’s done to maintain backwards compatibility with InfoPath 2007 and InfoPath 2003. InfoPath 2010 also supports SHA2 family of hashing algorithms. If backwards compatibility isn’t a concern, an administrator can set hahing algorithm in registry.
- Signing and Hashing Algorithm Compatibility: following table shows which versions of InfoPath are able to sign and/or verify signatures with given combinations of signing and hashing algorithms:
- Long-term Signature Support: Certificates guarantee identity of signer, but expire after a while. Without a trusted timestamp, InfoPath will show the signature as invalid, with the reason in Signature Details dialog:
If such a timestamp exists and confirms that the signature was made when the signing certificate was valid, InfoPath can safely conclude that the signature is entirely valid:
- Server Support: InfoPath 2010 Forms Services signs forms using RSA and SHA1, and is able to verify any signature created in InfoPath 2010 client. XAdES is a client-only feature.