I'm aware of the "workaround" included in the article but it's not one I
would ever recommend. If you elect to install a SelfCert you are installing
it as a Trusted Root Certificate, not merely a Trusted Publisher for
documents/templates containing macros. Which, btw, I'm not sure if this
still works for Word 2007 in light of the security concerns - there's a
reason they elected to prevent the enabling of macros on documents signed
with a SelfCert.

FWIW, I've had several discussions with Microsoft regarding this very topic
and was told the inability to enable macros is by design. My position is
they shouldn't make SelfCert available if that's how it's going to work (it
doesn't make sense that documents/templates containing macros and no attempt
to authenticate can be enabled) -- and I think it provides a false sense of
security because recipients may not understand how a Digital Signature
should actually work. Not to mention folks simply disregard the warnings
they include, such as "Windows will automatically trust any certification
issued by this CA. Installing a certificate with an unconfirmed thumbprint
is a security risk." This message appears when you install someone's
SelfCert. (I'm sure those doing the installing are told, "Just click through
it", right? ;-) )

If you are uploading templates to a web site then what you really need is a
real Digital Signature -- one authenticated by a Certificate Authority.
Someone could easily create a SelfCert using your information obtained from
the SelfCert and use it maliciously, such as modify your templates and
re-sign them using a forged SelfCert. Note that all someone needs is a copy
of your SelfCert for the forgery and if it's available on a web site it
makes it easy to access. I personally wouldn't install someone's SelfCert on
my computer or use it as a means of authentication for that matter. The
whole purpose of a Digital Signature is a guarantee of authentication and a
SelfCert doesn't offer that. (I suspect if the school board were aware of
the fact that a SelfCert doesn't offer any real security they wouldn't
approve the process.)

If you are providing instructions on how to install the SelfCert then why
not offer instructions for how to place the template in their Trusted
Templates (User Templates) folder instead?

I know this isn't the answer you want to hear but if true security is a
concern it's the only answer.

Please post all follow-up questions to the newsgroup. Requests for
assistance by email cannot be acknowledged.
~~~~~~~~~~~~~~~
Beth Melton
Microsoft Office MVP
Coauthor of Word 2007 Inside Out:
http://www.microsoft.com/MSPress/books/9801.aspx#AboutTheBook
Word FAQ:
http://mvps.org/word
TechTrax eZine:
http://mousetrax.com/techtrax/
MVP FAQ site:
http://mvps.org/

Kim K said:
Beth,

Thanks for replying, however your suggestions will not work for my
situation. The forms will need to be uploaded to a state run web site and
utilized by nearly 10 other school districts. This is not a problem for my
Office 03 users and I am still testing on my machines before releasing to
the school boards for final approval.

I need a way to be able to use my templates (.dot format) with macros to run
in 07 without taking off macro security.

BTW - I used this as a reference -
http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=194
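
The reply above notes that installing someone's SelfCert adds it as a Trusted Root Certificate. The following is an added example, not part of the original thread, showing how an administrator can list self-signed roots that are trusted for the current user only. It assumes that roots added by a user clicking through the import warning are stored in the per-user Root store rather than the machine-wide one.

```powershell
# Added example: audit per-user trusted roots on a Windows workstation.
# Assumption: a root installed by a user through the import warning is
# stored under Cert:\CurrentUser\Root and not under Cert:\LocalMachine\Root.

# Thumbprints of machine-wide roots. The per-user view can include these,
# so they are collected first and filtered out below.
$machineRoots = Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint

# Self-signed certificates trusted as roots for this user only.
$userOnlyRoots = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object {
        $_.Subject -eq $_.Issuer -and              # self-signed
        $machineRoots -notcontains $_.Thumbprint   # not a machine-wide root
    }

# Show the newest first: recently added entries are the ones to question.
$userOnlyRoots |
    Sort-Object NotBefore -Descending |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter |
    Format-Table -AutoSize
```

Each entry in the output is a certificate this user account treats as a root authority. Any entry that cannot be matched to a thumbprint confirmed with its owner is a candidate for removal.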