XPS Five Points of Light – Part 2: Trustworthy

Trustworthy is an integral part of a successful electronic document format. So what do I mean by that? Trust XPS? Trust Microsoft (of course!)? Trust Me? Well, our goal is that end customers can implicitly trust XPS as an electronic document format as an integral part of their document workflow. Or, simply, that an end-user can open up an XPS document and know they won’t get a virus or some other nasty thing created by someone with too much time on their hands. But, most of all, that the electronic document created by the author arrives at its published destination faithfully representing the exact thing that author intended it to represent. OK, let’s try and be a little more organized about this. XPS as a trustworthy document format means:


It is a fixed-format document – period

XPS represents a fixed, paginated document. It does not reflow or contain interactive elements, nor will it try and sell you something while you read it; it is simple electronic paper that will faithfully represent the original content created by the author. The published rendition is designed to be accurate regardless of the target platform, viewer or device.


No code in the format

By eliminating interactivity, we also eliminated the need for code, macros and (non-image) binaries. This is a good thing. You don’t need to create a ‘cleansed’ version of XPS to be sure that it is safe, can be archived and is ‘just’ electronic paper. We have designed XPS with that goal in mind from the beginning. This is what customers have been asking us for! It is electronic paper in its true form. I can send you an XPS file; you do not need to know who I am, you do not need to decide if you trust me, you can open it and feel safe.

At this point I think it is important to be clear about the above statement. Microsoft has a huge platform investment around Windows and is always innovating to improve the developer experiences around Windows. XPS is just one part of the Windows Presentation Foundation, our next-generation platform designed to provide a seamless experience between UI, media and documents. Using WPF, you can create documents that are re-flowable, interactive and include form fields, validation, databinding—anything you need to create efficient and powerful user experiences. We believe the Windows platform and other investments across Office, InfoPath, etc. provide great end-to-end solutions for any end customer or developer who needs a document solution.


Safer Viewing

Workflows and custom applications may have a legitimate need to extend the XPS document—and they can. Content that follows the "markup compatibility" rules in the OPC spec will be ignored by Microsoft viewers. But after that processing, things get stricter. The XPS Viewer validates all markup it attempts to load against the XPS XSD, and will quit immediately if it encounters unknown content.

The XPS Viewer also runs in a "partial trust" sandbox, with system permissions narrowly constrained to expected operations. Even if unknown markup passed XSD validation, it won’t be able to load code, write to disk, etc. These features are basically invisible to the user, but they do make viewing XPS documents safer.
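The two-stage handling described above (drop content marked ignorable, then fail closed on anything unknown) can be sketched as follows. This is an added example, not the XPS Viewer's code: the namespace URIs are the ones used by the published XPS and markup-compatibility specifications rather than anything stated in this post, the `KNOWN` element set is a constructed stand-in for the real XSD, the `wf` namespace, the `Script` element and the sample pages are hypothetical, and only `mc:Ignorable` is modeled.

```python
import io
import xml.etree.ElementTree as ET

XPS = "http://schemas.microsoft.com/xps/2005/06"
MC = "http://schemas.openxmlformats.org/markup-compatibility/2006"
XML = "http://www.w3.org/XML/1998/namespace"
KNOWN = {"FixedPage", "Canvas", "Path", "Glyphs"}  # constructed subset, stands in for the XSD

def split(tag):  # '{ns}name' -> (ns, name); un-namespaced names get ns ''
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def check_page(xml_text):
    """Return (True, ignored_tags) or (False, reason) for one page's markup."""
    prefixes = {}            # prefix -> namespace URI (simplified: not scoped)
    scopes = [frozenset()]   # ignorable namespaces in effect per open element
    skip = 0                 # depth inside an ignored subtree
    ignored = []
    src = io.BytesIO(xml_text.encode("utf-8"))
    try:
        for event, item in ET.iterparse(src, events=("start-ns", "start", "end")):
            if event == "start-ns":
                prefixes[item[0]] = item[1]
            elif event == "end":
                scopes.pop()
                skip -= 1 if skip else 0
            else:
                decl = item.attrib.get(f"{{{MC}}}Ignorable", "").split()
                scope = scopes[-1] | {prefixes[p] for p in decl if p in prefixes}
                scopes.append(scope)
                ns, name = split(item.tag)
                if skip or ns in scope:              # stage 1: ignorable content is dropped
                    skip += 1
                    if skip == 1:
                        ignored.append(item.tag)
                    continue
                if ns != XPS or name not in KNOWN:   # stage 2: fail closed on unknown markup
                    return False, f"unknown element {item.tag}"
                for attr in item.attrib:
                    if split(attr)[0] not in scope | {"", MC, XML}:
                        return False, f"unknown attribute {attr}"
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, ignored

# Constructed sample pages (not taken from any real document)
HEAD = f'<FixedPage xmlns="{XPS}" xmlns:mc="{MC}" xmlns:wf="urn:example:workflow" Width="816" Height="1056"'
BODY = '<wf:Routing><wf:Approver>n/a</wf:Approver></wf:Routing><Path Data="M 0,0 L 9,9" wf:step="2"/>'
EXTENDED = f'{HEAD} mc:Ignorable="wf">{BODY}</FixedPage>'   # extension marked ignorable
UNMARKED = f'{HEAD}>{BODY}</FixedPage>'                     # same extension, not marked
ACTIVE = f'{HEAD}><Script>n/a</Script></FixedPage>'         # hypothetical element, not in KNOWN
```

The same workflow extension loads when it is declared ignorable and stops the load when it is not, which is the behaviour a reviewer of a custom XPS producer would want to test for.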


Digital Signatures

To me, digital signatures are all about trust. Trusting that you know who created the document or whoever last altered it. Digital signatures need to become an effortless, natural part of any document workflow; today they are mysterious and seldom implemented. I believe that XPS will change that. At PDC we demonstrated a scanner that scanned a document, created it and signed it with a digital signature. If I were archiving thousands of scanned documents, I would want to have each one with a signature on it so that I know no bits were altered since the document was scanned. This is all about trusting the sources of the document. Digital Signatures are built into the format, easy to implement in a scanner, and we will have a great user experience built directly into the XPS viewer.

Constrained markup, XSD validation, partial-trust sandboxes, digital signatures—not very sexy stuff. But being trustworthy isn’t very sexy, at least not at first. XPS leaves the glamour to WPF, hoping to be loved just for being clean, safe, and easy to create. (Makes you just want to give a big hug, doesn’t it?)

Part 3 will be about High-fidelity Graphics.

- Andy