Contents

Using the com.inin.securedata property

To use the com.inin.securedata property, you will set the value to true or false using the following syntax:

If the property is set to true, the VoiceXML interpreter will assume that it is handling sensitive data, and so recognition handling and trace logging will be protected by obfuscating the data.
If the property is set to false (or any other value but true), then the VoiceXML interpreter will assume that it is handling normal data.

The com.inin.securedata property adheres to the same rules set out for all VoiceXML properties as outlined in Section 6.3 Property Element in the VoiceXML 2.0 Specification. (http://www.w3.org/TR/voicexml20/#dml6.3)

Properties may be defined for the whole application, for the whole document at the <vxml> level, for a particular dialog at the <form> or <menu> level, or for a particular form item. Properties apply to their parent element and all the descendants of the parent. A property at a lower level overrides a property at a higher level. When different values for a property are specified at the same level, the last one in document order applies. Properties specified in the application root document provide default values for properties in every document in the application; properties specified in an individual document override property values specified in the application root document.

Usage considerations

When using the com.inin.securedata property, there are several subtleties that you will need to be aware of:

Any <prompt> contents that are queued in com.inin.securedata as true are not necessarily output right away. They can be output at the next user input stage or at the end of the document. As such, if the value of com.inin.securedata changes to false while the <prompt> contents are still in the queue and not yet output, then the contents of the prompt are not treated as sensitive data.Trace logs should be secure, but if the call is being recorded by the CIC server, that recording won't treat the data as sensitive.

If sensitive data is passed back to the calling handler from an <exit> element, it is important to make sure that com.inin.securedata has a value of true when the <exit> is executed.Don't pass sensitive data in an <exit> element in a <form> where com.inin.securedata has a value of false.

If sensitive information is handled in ECMAScript, it is important that this is done when com.inin.securedata has a value of true.

Remember that a <subdialog> runs in a separate context from the calling document and the value of the com.inin.securedata property is not inherited from the calling document.The <subdialog> will either need to set the value of the com.inin.securedata property itself, or inherit it from a value set in the I3defaults.xml document. This can be inconvenient for those applications that use the Nuance NDM facilities, as they employ <subdialog> elements heavily.

Example

In order to help you effectively use the com.inin.securedata property in your VoiceXML documents, the following example script, which performs a simple output/input test while treating some data as secure, illustrates how the property is used.

<?xml version="1.0" encoding="UTF-8"?>

<!--

File:WhichDrink_secure.vxml

Date:07/03/2014

Author:WEB

Desc:This document does a simple output/input test whilst treating some data as secure.

Basic Steps:

- Play a text prompt

- Define an inline grammar

- Get input

- Play back the choice

-->

<vxml xmlns="http://www.w3.org/2001/vxml"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://www.w3.org/2001/vxml

http://www.w3.org/TR/voicexml20/vxml.xsd"

version="2.0">

<form>

<!--

We want to treat the "number", "drink" and "delight" information as sensitive data.

-->

Alternative text for Suzanna prompt.

</audio>

Punch a two digit number.

</prompt>

</field>

<prompt>Would you like coffee, tea, milk, or nothing?</prompt>

<one-of>

<item>coffee</item>

<item>nothing</item>

</one-of>

</rule>

</grammar>

</field>

<prompt>What kind of tasty delight would you like?</prompt>

<one-of>

<item>cookies</item>

<item>crumpets</item>

<item>biscuits</item>

<item>nothing</item>

</one-of>

</rule>

</grammar>

</field>

<prompt>You chose <value expr="number"/>, <value expr="drink"/> and <value
expr="delight"/>.</prompt>

</filled>

</form>

<!--

The weather information obtained in this form is not sensitive data.

Note that the <prompt> queued above ("You chose xxx and yyy.") is not actually issued until the
recognition input generated by the <form> below, and so is not treated as sensitive data.
Trace logs should be secure, but if the call is being recorded by the CIC server, then it won't
be secure.

-->

<prompt>Is the weather hot or cold?</prompt>

<one-of>

</one-of>

</rule>

</grammar>

</field>

<prompt>In which state do you live?</prompt>

<one-of>

<item>Indiana</item>

</one-of>

</rule>

</grammar>

</field>

Punch a three digit number.

</prompt>

</field>

<prompt>The weather is <value expr="temperature"/>.</prompt>

<prompt>You entered <value expr="number2"/>.</prompt>

</filled>

</form>

<block>

<!--

answer1 and answer2 contain sensitive data, and since we want to pass this

information back to the handler, we must make sure that we <exit> from a

secure form.

-->

<prompt>Your answers are <value expr="answer1"/>, <value expr="answer2"/> and <value
expr="answer3"/>.</prompt>

<log>I am logging sensitive data (Suzanna): (<value expr="answer1"/> and <value
expr="answer2"/>)</log>

</block>

</form>

</vxml>