view Side-By-Side changes
draft-ietf-ediint-as2-06.txtDale MobergExpires March 2000Internet draft Dick Brooks Expires: January 2001 Rik DrummondOctober 10 1999July 13 2000 HTTP Transport for Secure EDI draft-ietf-ediint-as2-07.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. To view the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in an Internet- Drafts Shadow Directory, see http://www.ietf.org/shadow.html. Any questions, comments, and reports of defects or ambiguities in this specification may be sent to the mailing list for the EDIINT working group of the IETF, using the address <ietf-ediint@imc.org>. Requests to subscribe to the mailing list should be addressed to <ietf-ediint-request@imc.org>. Abstract This document describes how to exchangeEDI documentsstructured business data securely usinghttpHTTP transport forEDIEDIFACT, X12, XML or other used for business to business data interchange. The datathatis packagedinusing standard MIMEmessages that use public keycontent-types. Authentication and privacy are obtained by using CMS (S/MIME) or OpenPGP security body parts. Authenticated acknowledgements make use of multipart/signed replies to the HTTP POST requests. This document extends the procedures and payload packaging options of AS1 in the following ways: HTTPS may be used to obtain data privacy, both synchronous and asynchronous reply procedures are described, multipart/form-data packaging may be used, a generalized multipart/report format is added to the MDN format of AS1, replies may include a multipart/mixed payload that contains both the acknowledgement and an additional EDI payload. This document is intended to be read in conjunction with AS1 and the referenced RFCs defining the MIME and cryptographic Moberg, Brooks, Drummond [page 1] HTTP Transport for Secure EDI March 1, 2000 packaging that are used to obtain secure, authenticated, and acknowledged transport. Feedback Instructions: If you want to provide feedback on this draft, follow these guidelines: -Send feedback via e-mail to the ietf-ediint list for discussion, with "AS#2" in the Subject field. To enter/follow the discussion, you need to subscribe at ietf-ediint@imc.org. -Be specific as to what section you are referring to, preferably quoting the portion that needs modification, after which you state your comments. -If you are recommending some text to be replaced with your suggested text, again, quote the section to be replaced, and be clear on the section in question. Table of Contents 1. Introduction 1.1 Purpose and relation to previous work 1.2 Overall operation 2. Stages and Details of HTTP EDI Transmission and Acknowledgment 2.1 Requesting receipts in the POSTED requestMoberg, Brooks, Drummond [page1] HTTP Transport for Secure EDI October 19992.1.1 Requesting MDN-based receipts 2.1.2 Requesting Generalized receipts 2.1.3 SummaryofRemarks on Receipt request options 2.2 Additional Commonly Used Headers 2.3 Sending EDI in HTTP POST Requests2.32.4 Using Transport Layer Security for Transmission2.4.2.5 Response Status Codes in Replies2.52.6 Receipt Reply2.5.12.6.1 MDNbasedReceipts and Signed MDN Receipts2.5.22.6.2 Generalized Receipts and Signed Generalized Receipts2.5.3 Example of GISB Acknowledgement Receipt 2.5.4 Example of GISB Error Notification Receipt 2.62.7 Additional Reply Content2.72.8 Non-Repudiation of the POST Reply2.82.9 Error Recovery 3.Referenced RFCsOther differences between HTTP andtheir contributionSMTP based transport 3.1RFC 2068: Hypertext Transfer Protocol -- HTTP/1.1 [HTTP]Unused MIME headers and operations 3.1.1 Content-Transfer-Encoding not used 3.1.2 Epilogue must be empty 3.1.3 Lengthy message bodies and Message/partial 3.2RFC 2246: Transport Layer Security [TLS] 3.3 RFC 1847: MIME Security Multiparts [SECURITY] 3.4 RFC 1892: Multipart/report [REPORT] 3.5 RFC 1767: EDI Content [MIMEEDI] 3.6 RFC 2015: PGP/MIME [MIMEPGP] 3.7 RFC 2045, 2046, and 2049: MIME [MIME] 3.8 RFC 2298: Message Disposition Notification [MDN] 3.9 RFC 2311: S/MIME Version 2 Specification [SMIMEV2] 3.10 RFC 2633: S/MIME Version 3 Message Specification [SMIMEV3] 3.11 RFC XXXX: MIME-based Secure EDI [AS1] 3.12 RFC 2388: Multipart/form-data [FORMDATA] 4. Other differences to notice in HTTP and SMTP based transport 4.1 Unused MIME headers and operations 4.1.1 Content-Transfer-Encoding not used 4.1.2 Epilogue must be empty 4.1.3 Lengthy message bodies and Message/partial 4.2 Differences inDifferences in MIME or other headers or parameters used4.2.13.2.1 Content-Lengthneeded. 4.2.2needed 3.2.2 Final Recipient and Original Recipient4.2.33.2.3 Message-Id and Original-Message-Id4.2.33.2.3 Host header4.33.3 New Options for HTTP transport5.A. AS 2 MIME templates. B. Using AS2 Extensions in the GISB Protocol C. Samples of AS 2 Protocol Data Units D. Acknowledgments6.E. References7.F. Security Considerations Moberg, Brooks, Drummond [page 2] HTTP Transport for Secure EDI March 1, 2000 G. Authors' AddressesA. Example exchange.1. Introduction 1.1 Purpose and relation to previous workMoberg, Brooks, Drummond [page2] HTTP Transport for Secure EDI October 1999Early work on Internet EDI focused on specifying MIME content types for EDI data [MIMEEDI] The functional requirements document , "Requirements for Interoperable Internet EDI," [EDIINT] provides extensive information on EDI security and the business and user processes that can benefit from the use of EDI security. In addition, MIME structures appropriate for SMTP transport of the packaged EDI data are specified in ([AS1] "MIME-based Secure EDI" ) as well as the details needed to support signed receipts as acknowledgments. The framework of [AS1] shows how to implement the security features-- specifically data privacy, data integrity/authenticity, non-repudiation of origin and non-repudiation of receipt -- found to be requirements for secure EDI. In this document, it is assumed that the reader is familiar with the SMTP/MIME transport document, the requirements document, and the RFCs applied or referenced in those documents. This draft, like the SMTP/MIME transport document, builds on previous RFCs and is attempting to "re-invent" as little as possible. The goal here is to specify how previously specified MIME messaging structures and operations can be adapted for use with HTTP servers and clients to obtain secure, reliable, and acknowledged transport for EDI and other business data. The applicability statement, [AS1] "MIME-based Secure EDI," explained the basic EDI transaction using the concept of a "secure transmission loop" for EDI. This loop involves one organization sending a signed and encrypted EDI interchange to another organization, requesting a signed receipt, followedlaterby the receiving organization sending this signed receipt back to the sending organization. Thetransmissiontransmission, therefore, involves the following stages:i.1. The organization sendingEDI/ECbusiness data encrypts the data and provides a digital signature, using either PGP/MIME or S/MIME. In addition, they request a signed receipt.ii.2. The receiving organization decrypts the message and verifies the signature, resulting in verified integrity of the data and authenticity of the sender.iii.3. The receiving organization then sends a signed receipt using a signature over the hash of a message disposition notification, which contains a hash of the received message. The abovedescribesstages describe the functionalitywhich, when implemented,that would satisfy all security requirements.OtherApplications are expected to be able to provide full functionality, though users may agree to exchange data using only a restrictedsubsetssubset offunctionality (forMoberg, Brooks, Drummond [page 3] HTTP Transport for Secure EDI March 1, 2000 functionality. For example,only signature and nobusinesses may agree to send signedreceipt) have also been characterized.data using TLS, and only request a simple, unsigned receipt. Implementations are expected to be configurable so that they may support business community agreements that use subsets of the full functionality. In this document, the goal is to make use of HTTP instead of SMTPMoberg, Brooks, Drummond [page3] HTTP Transport for Secure EDI October 1999as a transport protocol, and make the changes that are needed to adapt to protocol packaging differences. In either transport case, the body of the message is a MIME structure, using MIME headers ("content-type" and other "content-X" tags) to convey information about the data being transported. Also, one primary use of SMTP RFC 822 headers within SMTP based transport of secure EDI has been to enable requests for acknowledgements and to specify options for signatures over acknowledgements (asymmetric encryption and cryptographic hash algorithm preferences). One way to convey this information within the HTTP transport context is to use either HTTP entity-headers or extension-headers [11, section 7.1] that have the syntax of SMTP headers. Only the "From" header is overloaded by possibly different usages in the SMTP and HTTP contexts. TheFrom"From" header normally contains machine-usable email addresses as defined in [SMTPMSG]. The usage of theFROM"From" header in [HTTP] section 14.22 is to provide the email address of an administrative contact for the HTTP client. The function of the "From" header in the SMTP context of secure EDI transport has been to supply a value used in constructing the MDN style receipt. But the MDN receipt has been found to be too restrictive for some commercial EDI transport scenarios [GISB]. So alternative receipt mechanisms will be provided that, among other things, will remove any conflicts arising from trying to reuse the SMTP-MDN roles of "From" within the context of HTTP reserved usage of "FROM". Also, it is currently difficult to make use of HTML [HTML] and simple scripting to send HTTP entity-headers as part of the HTML FORM tag construct. For HTML-based POST situations [GISB], it is useful to specify ways to convey 'metadata' needed for the secure transmission loop that do not make use of HTTP headers. One way to specify this data is by using the MIME multipart/form-data packaging specified in [FORMDATA]. For SMTP transport, the receipt and signed receipt functions are implemented using MessageDispostionDisposition Notifications [MDN] and Multipart/signed Message Disposition Notifications [AS1].As mentioned previously, forFor HTTP transport, generalization of the Message Disposition Notification is useful. The MDN is a special kind of multipart/report[REPORT] MIME package[REPORT]. For MDNS, specialization isretained to support these generalizations, and multipart/signed packages are used to support signatures over these generalized receipts. Finally, withinachieved by assigning the "report-type" parameter in the content-type header the special value, Moberg, Brooks, Drummond [page 4] HTTPtransport context,Transport for Secure EDI March 1, 2000 "disposition-notification" and by having the second body part (the "machine-readable" body part) have the MIME content-type, "message/disposition-notification". To generalize a MDN, all that is needed is to remove the restrictions that make the underlying multipart/report into a MDN. In other words, the "report-type" parameter [REPORT, section 1] is given a new value and the second body part is changed to a content-type other than "message/disposition-notification". Acknowledgements defined by these changes will be referred to as "generalized receipts. Each receipt of this kind will have its own specific report-type parameter and its own specifications for the syntax and semantics of the automated response body part. Implementations are encouraged to be able to register new report-type handlers using only configuration changes (not recompiling) that specify how to process new report-type values. Nothing else needs to be changed to construct reply acknowledgements that are not restricted by the semantics of MDNs. Specifically, a signed reply will still be constructed by using a multipart/signed package to wrap up generalized receipts with their signatures. Finally, within the HTTP transport context, it is useful to make use of Transport Layer Security [TLS] to provide privacy. Compression can be provided using HTTP content-codings [HTTP], sections 3.5, 14.3, 14.12]. (Content codings are not be be confused with the MIME concept of content transfer encodings.)Moberg, Brooks, Drummond [page4] HTTP Transport for Secure EDI October 1999A variety of other minor differences (for example, absence of content-transfer-encoding) are noted below and summarized in the concluding section. 1.2 Overall operation A HTTP POST operation [HTTP] is used to send appropriately packagedEDIEDI, XML, or other business data. The Request-URI ([HTTP], section 9.5) identifies a process to unpack and handle the message data and to generate a reply for the client that contains a message disposition acknowledgement or a multipart/report, signed or unsigned, and possibly other turnaround transactions. This request/reply transactional interchange provides secure, reliable, and authenticated transport for EDI or other business data using HTTP; the security protocols and structures used also support auditable records of these transmissions, acknowledgements, and authentication. 2. Stages and Details of HTTP EDI Transmission and AcknowledgmentAn EDIA data file or stream is first structured into one of the message templates described in [AS1], sections 4.2.1 to 4.2.4 or 4.3.1 to 4.3.4 for PGP/MIME or S/MIME security. In addition to the content-types of [MIMEEDI], applications should be prepared for handling other content-types used in business to business transactions, such as those for XML [MIME-TYPES]. For convenience, these message templates, adapted for the HTTP transport context, are provided in Appendix A below. Moberg, Brooks, Drummond [page 5] HTTP Transport for Secure EDI March 1, 2000 If TLS is to be used, the typical packaging will be thatprovideddescribed in sections 4.2.2 or 4.3.2; that is, a multipart/signed message will be created with no encryption in the message. Otherwise, if privacy is desired, message templates 4.2.4 or 4.3.4 are used. Content transfer encoding is not used and a content-length field is to be provided. If HTML-based POST is used (using the METHOD=POST attribute within the "FORM" tag) [HTML, 17 Forms], then the messagetemplatespayload will be packagedasin thefinal partinput-data element of a multipart/form-data. The metadata needed for application layer routing, identification, requesting a reply and other transaction operations can be packaged in message body parts in the multipart/form-data. The labels for the metadata values are found in the "name" parameter of the Content-Disposition header in each form-data part as discussed in [FORMDATA, section 3]. In general, both HTTP servers and HTTP clients handling the message templates of [AS1] should be prepared to process these basic EDIINT data formats when they are embedded within MIME multiparts. In addition to the enveloping and MIME media type options defined in sections 4.2.x and 4.3.x of "MIME-based Secure EDI" [AS1], this specification enables the transport of payload objects containing other MIME media types.A listing of registered MIME media types is available from the Internet Assigned Numbers Authority (IANA) at: http://www.isi.edu/in-notes/iana/assignments/media-types/media-types [MIME-TYPES]. Moberg, Brooks, Drummond [page5] HTTP Transport for Secure EDI October 1999Implementors are to follow the appropriate specifications identified under "References" in [MIME-TYPES], for the type of object being transmitted. For example, to send an XML object, the MIME media type oftext/xmlapplication/xml is used in the Content-type MIME header and the specifications for enveloping the object are contained inRFC2376, (e.g.[XMLTYPES]; for example: Content-type:text/xml; charset="utf-8").application/xml; charset="utf-8" Many of the specifications referenced by [MIME-TYPES] were designed for SMTP transports. Implementors are advised to make appropriate adjustments for HTTP transport as indicated in section 4 of this document. Finally, several industry groups currently make use of"encapsulated" (or"encapsulated"(or opaque) signatures within encrypted or signed objects. Encapsulated signatures should be supported in order to accommodate these existing practices. Objects containing encapsulated signatures must be prepared according to the specifications contained in section 3.4.2 ofRFC 2311[SMIMEV2][SMIMEV2] or, in the case of PGP, according to the specifications contained in section 6.2 of "MIME Security with Pretty Good Privacy (PGP)" [MIMEPGP] and "OpenPGP Message Format" [RFC2440]. 2.1 Requesting Receipts 2.1.1 Requesting MDN-based receipts For requesting MDN based receipts, the originator supplies metadata using the syntax of extension headers (the [SMTPMSG] header syntax) that precede the message body.The header "tags" areMoberg, Brooks, Drummond [page 6] HTTP Transport for Secure EDI March 1, 2000 The header "tags" are as follows: A Disposition-Notification-To header is added to indicate that a message disposition notification is requested in the reply to the POST request. This header is specified in [MDN]. It may have values other than email addresses, such as a D-U-N-S number, when it is found as a name parameter in a form-data body part When this tag is used in HTTP extension headers, it follows the MDN usage. A Message-ID header is added to support message reconciliation, so that an Original-Message-Id value can be returned in the MDN body part of the receipt.(Receipts(The term "Receipts" is here used to refer to the signed or unsigned multipart/reportbody parts.)content.) Both "From" and "To" extension headers are to be supplied. The "From" value needs to have an email address as specified in [SMTPMSG] and [HTTP]. If other uses of "From" are needed, the generalized receipts to be next discussed should be used. There the role ofFrom"From" is replaced bytagssymbols not having a reserved HTTPandor SMTP usage. Other headers, especially "Subject" and "Date", should be supplied; the values of these headers are often mentioned in the human-readable section of a MDN to aid in identifying the original message. A Disposition-Notification-Options header is used to request a signed message disposition notification. The parameters used to select protocols for signed message dispositionMoberg, Brooks, Drummond [page6] HTTP Transport for Secure EDI October 1999notification are found in [AS1]. Disposition-Notification-To is a name that, if present, indicates that the MDN style of receipt is to be used. Disposition-notification-options identifies characteristics of message disposition notification in accordance with [AS1] and [MDN]. A Receipt-delivery-option is a header whose value is a URL that indicates how the receipt is to be delivered.While theThis header is only used within AS2. The default mode of operation is synchronous within HTTPtransport is to returntransport, which means that the receipt (be it MDN, signed MDN, generalized report receipt, or signed report receipt) is returned in the replybody,body. By using the "receipt-delivery-option," an asynchronous replyis allowed through use of this name.mode can be requested. The"mailto",values for this option are URLs that indicate the destination for the reply, and may use any appropriate protocol ("mailto", "http", and "https" will be the more commontypes of valuetypes) for this information. If thisheaderheader/metadata isfound and contains the value "default" (case-insensitive),absent, thenanythe mode of operation is synchronous, which means that the receipt isto bereturned in the reply to the current HTTP request. 2.1.2 Requesting Generalized Receipts In this section, the ways to request generalized receipts are specified. Generalized receipts are multipart/reports Moberg, Brooks, Drummond [page 7] HTTP Transport for Secure EDI March 1, 2000 with a report-type other than "disposition-notification," and a second automated response with a content type other than "message/disposition-notification". For requesting generalized receipts using the MIME template for multipart/reports [REPORTS], the following metadatacanelements will besupplied using the syntaxuseful. A specific example of a generalized receipt with report-type "GISB-Acknowledgement-Receipt" will be presented in appendix B. When thename parameter withinterm "metadata" is used in theContent-Disposition header offollowing, themultipart/form-data structure. Within HTML, these names correspond toterm indicates that thenameinformation may be supplied in one of two ways: First, the metadata information may be supplied using the syntax of HTTP headers. That is, the symbol name is followed by a colon and its value follows; the header is subject to processing of structured field bodies [SMTPMSG, section 3.1.4], also including parameters. Second, the metadata information may be supplied by using the syntax of the "name" parameter within the "Content-Disposition" header of the multipart/form-data structure, when that MIME packaging [FORMDATA] is used. For example, --boundaryformdata Content-Disposition: form-data; name="Receipt-Report-Type" GISB-Acknowledgement-Receipt --boundaryformdata Within HTML, the symbols used for these names correspond to the value of the name attribute within the INPUT element, where the "type" attribute has a "text" value. [HTML], section18. The18; for example, <FORM action="http://somesite.com/responder" method="post"> <INPUT type="text" name="Receipt-Report-Type"> <INPUT type="submit" value="Send"> <INPUT type="reset"> </FORM> Toname contains an identifier identifyingindicate theintended recipient of a data exchange and may be D&B D-U-N-S number [DUNS] or other agreed upon identifier system. Applications should allow users to configure these elements invarious options for generalized receipts, theautomated HTTP agents processing these values. For example,basic metadata that thebody part MIME header line looks likePOSTing client needs to convey to thefollowing line: Content-Disposition: form-data; name="To"replying server are: "Receipt-Disposition-To", "Receipt-report-type", "Receipt-Security-Selection", and "Receipt-Delivery-Option". TheFrom name contains a textualpresence of the metadata valueidentifying"Receipt-Disposition-To", using thesender ofextension header syntax, indicates adata exchange, such as therequest for aD&B D-U-N-S number [DUNS] as in [GISB].generalized receipt. Because"From"HTTP already has aspecified use within [HTTP],role for theFrom name parameter is not to be considered equivalent to"From" header, theextension header. If an extension"Receipt-Disposition-To" header"From"isto beusedit should within HTTP, it should conformto avoid conflicts with [HTTP], when using theusage, syntax, and semantics of [HTTTP] section 14.22. The extensionheadercounterpart of the sender ofsyntax for metadata. (Within adata exchange ismultipart/form-data package, theextension header version of "Receipt-disposition-to". The Input-format name identifies the type of data contained in a data file. The Agent name parameter indicates the network or agent where the data exchange originated. The Application name identifies the application used to process the data next(after the URI-request process has finished with the stream)."From" value Moberg, Brooks, Drummond[page7][page 8] HTTP Transport for Secure EDIOctober 1999 The DateTime name provides the date and time the data was created and uses the format specified in [SMTPMSG] as updated by RFC 1123. The RefNum is an integer valueMarch 1, 2000 can be used touniquelyidentify thecommunication exchange and is in a textual format. The RefNum is similar to the Message-ID and Content-Id headers of SMTPsending party without any conflict with HTTP headers.) Notice thatare used in constructing values in receipts based on MDNs. The UserParam is a user defined parameter. GISB-Version is a protocol version number [GISB]. Transaction-set is an optional data element identifying the EDI transaction. Input-data isthesending side's local file system namevalue forthe file being sent Receipt-disposition-to name contains an identifer identifying the party to receive positive notification of delivery. Thisthis identifiermayneed not be an email address or aD&B D-U-N-S number [DUNS]URL. In this way, other systems of identification (such asin [GISB]. Receipt-delivery-option is a URL containingavalue indicating howDUNS number) may be used, if needed. Notice that the information needed for delivery of the receipt isto be delivered. Whilefound in the receipt-delivery-option element described below; delivery information is not generally needed if the default mode of operationwithin HTTP transport is to returnoccurs. In that case, the receipt(be it MDN, signed MDN, generalized report receipt, or signed report receipt)just goes back in the replybody, asynchronous reply is allowed through use of this name. The "MAILTO", "HTTP", and "HTTPS" will be the more common types of value for this information. Forto the current HTTPand HTTPS schemes, the POST method is to be used. Receipt-report-typerequest. "Receipt-Report-Type" indicates the desired value of the "report-type" parameter in the multipart/report content type of a specific version of the generalized receipt.If multiple types are toThis parameter must beindicated, usesupplied when "Receipt-Disposition-To" is used to indicate asemi-colon asrequest for aseparator.generalized receipt because this indicates what specific type of receipt is desired. An example for this value (discussedbelow)in appendix A) is"GISB-Acknowledgement- Receipt." Receipt-security-selection"GISB-Acknowledgement-Receipt". "Receipt-Security-Selection" is a name that indicates the protocol and algorithm choices for a digital signature over the receipt. Signatures are always in multipart/signed packages. The format for protocol and algorithm choices is that used in [AS1] and[MDN]. Disposition-Notification-To[MDN]; for example, Receipt-Security-Selection: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,rsa-sha1 "Receipt-Delivery-Option" isa name that, if present, indicates thatused to indicate theMDN styleURL for asynchronous delivery ofreceiptthe receipt. While the default mode of operation within HTTP transport is tobe used. It may have values other than email addresses whenreturn the receipt (be itis found as a name parameter in a form-data body part, such as a D-U-N-S number. When this tag is used in HTTP extension headersMDN, signed MDN, generalized receipt, or signed generalized receipt) inSMTP headers it follows Moberg, Brooks, Drummond [page8] HTTP Transport for Secure EDI October 1999theMDN usage. Disposition-notification-options identifies characteristicsreply body, asynchronous reply is allowed through use ofmessage disposition notification in accordance with [AS1]this symbol. The URLs will typically use the "MAILTO", "HTTP", and[MDN]. Application"HTTPS" schemes. For the HTTP and HTTPS schemes, the POST method is to be used. 2.1.3 Summary Remarks on Receipt request options Applications are encouraged to support handling all metadata values whether they make use of the name parameter syntax within a multipart/form-data or whether they use the message header syntax used in SMTP or HTTP headers [SMTPMSG]. If metadata items are repeated in extension headers and in form-data parts, but the values are not the same, the extension header values will be selected for use.The presence of the metadata value "Receipt-Disposition-To" using the extension header syntax indicates a request for a generalized receipt. This value also fulfillsBecause therole of "From" when a value other than an email address needs to be used. Thevalue in Receipt-Disposition-To may have no significance forsetting up the transport connection. Therefore,how the receipt is transported, Moberg, Brooks, Drummond [page 9] HTTP Transport for Secure EDI March 1, 2000 the extension header" Receipt-delivery-option" should"Receipt-delivery-option" is to be used to provide thatinformation asinformation. The receipt-delivery-option's value should be a URLor asindicating thespecial value "default."delivery transport destination for the receipt. The Receipt-delivery-option field is used when asynchronous delivery is desired. It should not be present if the intention is to deliver the reply synchronously; synchonous delivery of the reply is the default mode of delivery. For signed generalized receipts, an extension header of "Receipt-security-selection" should be added to indicate the desired security protocol for the multipart/signed over the multipart/report.2.1.3 Summary of Receipt request optionsIn summary, the receipt request and constructionprocessprocesses nowhashave the followingoptions.options: 1. Receipt requests are made by conveying metadata values using a syntax of either the name parameter in a multipart/form-data's Content-Disposition headers or by using a syntax of HTTP extension headers. 2. Both MDN and generalized receipts can be requestedinusing eitherway, thoughsyntax. However, using an extension header syntax and requesting a MDN receipt means restricting the "From" values to email addresses.And either3. Either type of receipt comes in signed or unsigned versions. 4. Finally, receipts may be delivered synchronously(HTTP only)(delivered in the HTTP reply) or asynchronously by using the" Receipt-delivery-option""Receipt-delivery-option" header. 2.2Sending EDI in HTTP Client Requests using POST For sending EDI, theAdditional Commonly Used Headers The followingprotocolset of header data elements aretypically present: a request line ([HTTP], section 5.1), entity headers, a CRLF pairalso available for use. Organizations wishing tomarkuse this specification for theendsecure and reliable transport of business documents are not required to utilize all of these headers and are free to use whatever subset they deem appropriate for their business needs. TO: The To name contains an identifier identifying theentity headers, followed byintended recipient of a data exchange and may be D&B D-U-N-S number [DUNS] or other agreed upon identifier system. Applications should allow users to configure these elements in themessage-body. The requestautomated HTTP agents processing these values. For example, the body part MIME header linewill havelooks like theform: "POST Request-URI HTTP/1.1", with spaces and followed by a CRLF.following line: Content-Disposition: form-data; name="To" FROM: TheRequest-URI is typicallyFrom name contains a textual value identifying the sender of a data exchange, such as the a D&B D-U-N-S number Moberg, Brooks, Drummond[page9][page 10] HTTP Transport for Secure EDIOctober 1999 exchanged out of band,March 1, 2000 [DUNS] aspart of setting upin [GISB]. Because "From" has abilateral trading partner agreement. Applications shouldspecified use within [HTTP], the From name parameter is not to bepreparedconsidered equivalent todeal with an initial reply containing a status indicating a need for authentication oftheusual typesextension header. If an extension header "From" is to be usedfor authorizing accessit should within HTTP, it should conform to theRequest-URI ([HTTP], section 10.4.2usage, syntax, andelsewhere). Automationsemantics ofthis process[HTTTP] section 14.22. The extension header counterpart of the sender of a data exchange isnot discussedthe extension header version of "Receipt-disposition-to". INPUT-FORMAT: The Input-format name identifies the type of data contained inthis document but might involve obtaining a session URL fromapage requesting authentication and possibly other information about proposed EDI standard versions and other trading conventionsdata file. AGENT: The Agent name parameter indicates the network or agent where the data exchange originated. APPLICATION: The Application name identifies the application used tobe used.process the data next(after the URI-request process has finished with the stream). DATETIME: Therequest line is followed by entity headers specifying content length ([HTTP] section 14.14)DateTime name provides the date andcontent type [HTTP] section 14.18.time the data was created and uses the format specified in [SMTPMSG] as updated by RFC 1123. REFNUM: TheHost request header ([HTTP] sections 9RefNum is an integer value used to uniquely identify the communication exchange and14.23)isalso included.in a textual format. Theentity or extensionRefNum is similar to the Message-ID and Content-Id headersused for requesting a MDN (unsigned or signed) have previously been mentioned, as have those ("To" "From" "Message-Id")of SMTP that areneeded asused in constructing valuesfor MDN fields or for other receipt requests. For generalizedin receipts based onthe multipart/report content type, the metadata can be the values found in extension headers, but can also be placed in body parts ofMDNs. USERPARAM: The UserParam is amultipart/form-data using "name" parameters in the content-disposition header. Finally,user defined parameter. Version: Version is a protocol version number [GISB]. TRANSACTION-SET: Transaction-set is an optional data element identifying thepayloadEDI transaction. INPUT-DATA: Input-data isfound in any ofthemessage patterns of [AS1] sections 4.2.1 to 4.2.4 or 4.3.1 to 4.3.4sending side's local file system name forPGP/MIME or S/MIME security. These payloads may arrivethe file being sent. The payload is contained as thefinalbody part ofa multipart/form-data or may even be enclosed in some other multipart. 2.3 Using Transport Layer Security To use Transport Layer Security [TLS], the request-URI shouldthis header element. PRIORITY: The "Priority" name is used to indicate theappropriate scheme value, HTTPS. Usually only a multipart/signedprocessing priority of each messagebody would berelative to other messages sentusing TLS, as encrypted message bodies would be redundant. Encrypted message bodies are not prohibited, however. For asynchronous receipt delivery requests, use the "Receipt-delivery- option" header withby a given party. The value "1" indicates highest priority and aURLvaluemaking useof "5" indicates theHTTPS scheme to obtain security privacy. 2.4 Response Status Codes in Replieslowest priority. EXPIRATION: Thestatus line for response"Expiration" name is used toerrors inindicate thePOST request line will be provided bydate and time at which astatus line with the following protocol elements present ( [HTTP], section 6.1 ) : HTTP version (normally, HTTP/1.1), a status code, reason phrase, and CRLF. The status codes return status concerning HTTP operations. For example, the status code 401, together with the WWW-Authenticate header,message isused to challengeno longer transportable. No message delivery should be attempted beyond theclient to repeatdate and time specified in this value. The date/time format must follow therequest with an Authorization header. Other explicit status codes arespecifications Moberg, Brooks, Drummond[page10][page 11] HTTP Transport for Secure EDIOctober 1999 documentedMarch 1, 2000 contained in[HTTP], sections 6.1.1 and throughoutsection10. For errors5 of RFC822. 2.3 Sending EDI in HTTP Client Requests using POST For sending EDI, therequest-URI, 400 ("Bad Request"), 404 ("Not Found") and similar codes are appropriate status codes. These codes and their semanticsfollowing protocol elements arespecified by [HTTP]. A careful examinationtypically present: a request line ([HTTP], section 5.1), entity headers, a CRLF pair to mark the end ofthese codesthe entity headers, followed by the message-body. The request line will have the form: "POST Request-URI HTTP/1.1", with spaces andtheir semantics should be made before implementing any retry functionality thatfollowed by a CRLF. The Request-URI isdescribed below; specifically, retriestypically exchanged out of band, as part of setting up a bilateral trading partner agreement. Applications shouldnotbemade if the error is not transient or if retries are explicitly discouraged (for real authentication failures,prepared to deal with an initial reply containing a status indicating a need forexample.) 2.5 Receipt Reply The detailsauthentication of theresponseusual types used for authorizing access to thePOST command vary depending upon whether a receipt has been requestedRequest-URI ([HTTP], section 10.4.2 andupon what kindelsewhere). Automation ofreceipt has been requested. With no extended header requestingthis process is not discussed in this document but might involve obtaining areceipt,session URL from a page requesting authentication andno errors accessing the request-URI specified processing, the statuspossibly other information about proposed EDI standard versions and other trading conventions to be used. The request lineinis followed by entity headers specifying content length ([HTTP] section 14.14) and content type [HTTP], section 14.18. The Host request header ([HTTP] sections 9 and 14.23) is also included. The entity or extension headers used for requesting a MDN (unsigned or signed) have previously been mentioned, as have those ("To" "From" "Message-Id") that are needed as values for MDN fields or for other receipt requests. For generalized receipts based on theResponse tomultipart/report content type, thePOST request shouldmetadata can beinthe200 range. Status codesvalues found inthe 200 range shouldextension headers, but can also beused when an entity is returned (a signed receiptplaced in body parts of amultipart/signed content type or an unsigned receiptmultipart/form-data using "name" parameters ina multipart/report). That is, even whenthedisposition ofcontent-disposition header. Finally, thedata was an error condition atpayload is found in any of theauthentication, decryptionmessage patterns of [AS1] sections 4.2.1 to 4.2.4 orother higher level,4.3.1 to 4.3.4 for PGP/MIME or S/MIME security. These payloads may arrive as theHTTP status code should indicate success at"input-data" part of theHTTP level. The HTTP server-side application may respond with an unsolicited multipart/report as a message body that the HTTP client might not have solicited, but thismultipart/form-data or may even bediscarded by the client. Applications should avoid emitting unsolicited receipt replies because bandwidth or processing limitations might have led administators to suspend asking for acknowledgements. When a Disposition-Notification-To extension header is presentenclosed in some other multipart. 2.4 Using Transport Layer Security To use Transport Layer Security [TLS], thePOST request entity headers, then entity headers for the MDNrequest-URI shouldbe included. The content type forindicate theMDN receipt ( multipart/report [REPORT] orappropriate scheme value, HTTPS. Usually only a multipart/signed[SECURITY]) shouldmessage body would beincluded in the Response entity headers. The The basic responsibilities of responding to requestssent using TLS, as encrypted message bodies would be redundant. Encrypted message bodies arediscussed at length in [AS1] section 5, and in detail within section 5.2.1. 2.5.1 MDN based Receipts and Signed MDN Receipts Message Disposition Notifications, when used in the HTTP reply context, will closely parallel a SMTP MDN.not prohibited, however. Forexample, the disposition field is a required element inasynchronous receipt delivery requests, use themachine readable second part of a multipart/report for"Receipt-delivery-option" header with aMDN. The final-recipient-field([MDN] section 3.1)URL valueshould be derived from the entity headersmaking use of the HTTPS scheme to obtain security privacy. 2.5 Response Status Codes in Replies The status line for response to errors in the POST requestIfline will be provided by a status line with the"To" field is missing, for signed messages,following protocol Moberg, Brooks, Drummond[page11][page 12] HTTP Transport for Secure EDIOctober 1999 the value for Original-recipient may beMarch 1, 2000 elements present ( [HTTP], section 6.1 ) : HTTP version (normally, HTTP/1.1), a status code, reason phrase, and CRLF. The status codes return status concerning HTTP operations. For example, theemail address field fromstatus code 401, together with thesigner's X.509 attribute for email addresses, if that valueWWW-Authenticate header, isavailable. For a MDN,used to challenge the client to repeat the request with anapplication must reportAuthorization header. Other explicit status codes are documented in [HTTP], sections 6.1.1 and throughout section 10. For errors in theMessage-IDrequest-URI, 400 ("Bad Request"), 404 ("Not Found") and similar codes are appropriate status codes. These codes and their semantics are specified by [HTTP]. A careful examination of these codes and their semantics should be made before implementing any retry functionality that is described below; specifically, retries should not be made if therequest.error is not transient or if retries are explicitly discouraged (for real authentication failures, for example.) 2.6 Receipt Reply Thehuman readable part (the first partdetails of themultipart/report) should include items such asresponse to thesubject, datePOST command vary depending upon whether a receipt has been requested andother information when those fields are present in entityupon what kind of receipt has been requested. With no extended headerfields followingrequesting a receipt, and no errors accessing thePOST request The HTTP reply should normally omitrequest-URI specified processing, thethird optional part ofstatus line in themultipart/report (usedResponse toreturntheoriginal message or its headersPOST request should be in theSMTP context). 2.5.2 Generalized Receipts and Signed Receipts In addition, a generalized receipt using200 range. Status codes in themultipart/report [REPORT] and200 range should also be used when an entity is returned (a signed receipt in a multipart/signedcontainingcontent type or an unsigned receipt in amultipart/report asmultipart/report). That is, even when thesigned data is allowed. The basic structuredisposition of themultipart/report is used so thatdata was an error condition at thefirst part is a "human-readable" message concerningauthentication, decryption or other higher level, thereceived message. The second part should be for automated process utilization soHTTP status code should indicate success atleast possess some common Internet syntax for expressing names and values, such asthe[SMTPMSG] header syntax, XML, or some MIME content type correlated with automated processing.HTTP level. TheMDN requirements are removed for this second part but fields used in MDNsHTTP server-side application maybe used here. The third part of the multipart report is usually omitted inrespond with an unsolicited multipart/report as a message body that the HTTPcontext,client might not have solicited, butwould includethis may be discarded by theextension headers when usedclient. Applications should avoid emitting unsolicited receipt replies because bandwidth or processing limitations might have led administators toprovide diagnostic hints. A multipart/signed oversuspend asking for acknowledgements. When amultipart/reportDisposition-Notification-To extension header isconstructed preciselypresent in thesame way as a multipart/signed over aPOST request entity headers, then entity headers for the MDN[AS1]. To indicate a desireshould be included. The content type fora generalizedthe MDN receipt(which may( multipart/report [REPORT] or multipart/signed [SECURITY]) should befulfilled by a MDN),included in thefollowing metadata elements areResponse entity headers. The The basic responsibilities of responding tobe includedrequests are discussed inthe original message[AS1] section 5, and in detail within section 5.2.1. 2.6.1 MDN based Receipts and Signed MDN Receipts Message Disposition Notifications, when used ineither the extended header format ortheform-data format: The Receipt-Disposition-To metadata element contains an identifier identifyingHTTP reply context, will closely parallel a SMTP MDN. For example, theparty to receive positive notification of delivery. Thisdisposition field isusually the same value contained in the "From" metadata element. The Receipt-report-type metadataa required elementis used byin thesender to request a specific typemachine readable second part ofgeneral acknowledgement receipt. At present only one report type is defined, GISB-acknowledgement-receipt.a multipart/report for a MDN. Thecontent and format of this report type is defined infinal-recipient-field([MDN] section2.5.3 of this document. Receipt-delivery-option is either the key word (case-insensitive)3.1) value"default" or a URL that indicates how and where the receipt is toshould bedelivered. Whilederived from thedefault modeentity headers ofoperation within HTTP transport is to return the receipt (be it MDN, signed MDN, generalized report receipt, or signed report receipt) inthereply body, asynchronous reply isrequest Moberg, Brooks, Drummond[page12][page 13] HTTP Transport for Secure EDIOctober 1999 allowed through use of this metadata value. The "MAILTO", "HTTP", and "HTTPS" will be the more common schemes found inMarch 1, 2000 If theURL value. Receipt-security-selection"To" field isa name that indicatesmissing, for signed messages, theprotocol and algorithm choicesvalue fora digital signature overOriginal-recipient may be thereceipt. Signatures are always in multipart/signed packages. The formatemail address field from the signer's X.509 attribute forprotocol and algorithm choices isemail addresses, if thatused in [AS1] and [MDN]. One metadata element should, if at all possible, be within the automated part. This is the Received-Content-MIC (also allowing X-Received-Content-MIC). Thisvalue isconstructed and formatted as described in [AS1] andavailable. For a MDN, an application must report thesyntaxMessage-ID of the request. The human readable part (the first part of the multipart/report) shouldbe either RFC822: Received-Content-MIC: w7AguNJEmhF/qIjJw6LnnA==,rsa-md5 or simple XML <ReceivedContentMic algid=rsa-md5 encode=base64 > w7AguNJEmhF/qIjJw6LnnA== </ReceivedContentMic> Any original metadata thought useful toinclude items such as the subject, date and other information when those fields are present in entity header fields following theautomatedPOST request The HTTP reply should normally omit the third optional partmay be reflected back using "Original-X", as in Original-Message-ID: <43141asfioufasd@somewhere.com> Otherwiseof theautomated acknowledgement semantics are left openmultipart/report (used tofurther semantic specification by specific electronic commerce communities, such asreturn the original message or its headers in[GISB]. Each specialization ofthe SMTP context). 2.6.2 Generalized Receipts and Signed Receipts For generalized receipts, the multipart/report [REPORT] or a multipart/signed containing a multipart/report as the signed data is the basic MIME packaging. Each generalized receiptshould make use ofneeds aspecific identifyingvalueto be placed infor theparametermultipart/report parameter, "report-type,"Content-Type: multipart/report; report-type="organizationalid"; boundary="=-Trfds88fd99" 2.5.3 Examplea selection ofGISB Acknowledgement Receipt An "Acknowledgement Receipt" containsa content-type for its second body part, when signed, a hash value over a defined portion of the original message and, when asynchronously delivered, informationindicatingallowing thesuccess/failureidentification ofa file transfer. Acknowledgement Receipts are communicated onthesame session connection asoriginal POSTed message. The basic structure of theHTTP POST, bymultipart/report is used so that thereceiving party's system, immediately after receiving all offirst part is a "human-readable" message concerning theMIME parts containedreceived message. The second part should be for automated process utilization. It should at least possess some common Internet syntax for expressing names and values, such as the [SMTPMSG] header syntax, XML, or some MIME content type correlated with automated processing. The MDN requirements, therefore, are removed for this second part, but information used inan HTTP POST request. These receipts containMDNs may be used here. The third part of thefollowing data elements: time-cmultipart report is usually omitted in thetime of transfer completion atHTTP context, but could include theserver. The formatextension headers, or even the entire payload, to provide diagnostic information. A multipart/signed over a multipart/report isyyyymmddhhmmss. request-statusconstructed precisely in the same way as atext status indicator bymultipart/signed over a MDN [AS1]. One metadata element should be within theserver. The definedautomated part. This is the Received-Content-MIC (also allowing X-Received-Content-MIC). This value is constructed and formatted as described in [AS1] and the syntax should be either RFC822: Received-Content-MIC: w7AguNJEmhF/qIjJw6LnnA==,rsa-md5 or simple XML <ReceivedContentMic algid=rsa-md5 encode=base64 > w7AguNJEmhF/qIjJw6LnnA== </ReceivedContentMic> Moberg, Brooks, Drummond[page13][page 14] HTTP Transport for Secure EDIOctober 1999 for a successful transfer is "ok". If an error is identified, the server should supply a descriptive indication of the error detected following the standards for error codes and messages presentedMarch 1, 2000 Any original metadata thought useful to include inAPPENDIX A. server-id hostname.domainname uniquely identifyingtheserver associated withautomated part may be reflected back using "Original-X", as in Original-Message-ID: <43141asfioufasd@somewhere.com> Otherwise theprogram that received and processedautomated acknowledgement semantics are left open to further semantic specification by specific electronic commerce communities, such as in [GISB]. Each specialization of thefile. trans-idgeneralized receipt should make use of anumber (integer) upspecific identifying value to15 charactersbe placed inlength uniquely identifying the received transaction file attheserver. The trans-id will uniquely identifyparameter "report-type," Content-Type: multipart/report; report-type="identifying-value"; boundary="=-Trfds88fd99" Implementations should attempt to be configurable to allow for new report-type values to be added; communities can then agree to thefile only atspecific extensions they need to support application level routing, transaction identification, timestamps, and other specialized information about thereceiving server. A client may receive non-unique trans-ids across multiple servers. The abovedataelements must be formatted into Name/Value pairs with "=" separating Names from Values (e.g. server-id=www.mydomain.com)they have exchanged. 2.7 Additional Reply Content In general, both HTTP servers and"*" separating each Name/Value pair (e.g. time-c=19990804090000*request- status=ok*server-id=www.me.com*trans-id=12345*). The receipt canHTTP clients should beidentified as either text/plain or text/html. If text/html is usedprepared to process thesetbasic EDIINT data formats when they are embedded within MIME multiparts. This is true for HTTP request payloads as well as HTTP reply payloads. So, as previosuly mentioned, for HTML-based POSTS, any ofall name/value pairs must be encapsulatedthe EDIINT templates described in<html> </html> tags. The report-type parameter value[AS1], sections 4.2.1 to 4.2.4 or 4.3.1 to 4.3.4 forthe Acknowledgement Receipt is "GISB-Acknowledgement-Receipt," andPGP/MIME or S/MIME security, may be found as parts of acase insensitive match is usedmultipart/form-data. [Consult Appendix A fortestingthevalue. See Appendix A.4 and A.5templates adapated forformatted examples. 2.5.4 Example of GISB Error Notification Though a filethis document.] In addition, the response to the POST operation maybe received correctly initially, and a positive "Acknowledgement Recipt" has been delivered, errors can occur during a later stage of processing, such as decryption. Wheninclude other MIME wrapped content besides an MDN Receipt, Signed MDN, Generalized Receipt or Signed Generalized Receipt. If afile passesreceipt was requested within thedecryption step no notifying communicationPOST data, and additional content issent backto be returned, theoriginal sender. However, if the decryption step fails, an Error Notificationreceipt multipart/report must besent to the original sender of the file. In general,combined with thestandard formatother data using some MIME multipart pattern. Real-time EDI processing systems may use MIME multipart content-types to include a response EDI message, forError Notification appliesexample, a Quote in response to a Request-For-Quote transaction. Also, if requested, theposting ofsender may request anerror message after the sender's session has been disconnected.asynchronous mode for return of receipt. ThisError Notification hasmode is indicated by including thepotentialmetadata for Receipt-delivery-option as explained above. 2.8 Non-Repudiation ofoccurring only aftertheoriginal HTTP Response is returned with an "ok" or a warning. Error Notifications are sent using HTTP POST,POST Reply If thesame method usedreply tosend EDI files. The sender ofaError Notification must adhere to the specifications in section 2 of this document, usingPOST operation needs avalue of "error"MDN receipt for non- repudiation (for example, theinput-format data element. Error Notifications are sentreply includes content other than a receipt), the top-level headers incleartext (non-encrypted) withintheinput-data element and containresponse include thefollowingsame headers required for POST dataelements:described above: Disposition-Notification-To, Message-ID, From, and To. Other headers described above used in a MDN should be included, Moberg, Brooks, Drummond[page14][page 15] HTTP Transport for Secure EDIOctober 1999 orig-from The "from" value from the original transmission orig-to The "to" value from the original transmission. orig-input-format The "input-format" value from the original transmission. resp-time-c The "time-c" value from the original Acknowledgement Receipt. resp-server-id The "server-id" value from the original Acknowledgement Receipt resp-trans-id The "trans-id" value from the original Acknowledgement Receipt. request-status The new status of the transaction based on the occurance of an error during a later stage of processing; see APPENDIX A, "Standard Error Codes and Messages"March 1, 2000 fora listingexample, Date and Subject. The MDN receipt ofpossible values. comments Any commentstheoriginal receiving server wishes to include. The aboveresponse dataelements must be formatted into Name/Value pairs with "=" separating Names from Values (e.g. server-id=www.mydomain.com) and "*" separating each Name/Value pair (e.g. time-c=19990804090000*request-status= ok*server-id=www.me.com*trans-id=12345*). The data elements must be formatted as text/plain. The report-type parameter value for the Error Notificationis"GISB-Error-Notification," andreturned using acase insensitive match is used for testing the value. " The extension header "Receipt-delivery-option" (or its form data correlate) may besubsequent POST operation. A POST operation used only toindicatetransmit an MDN should not include thedesired destination for any GISB-Error-Notifications. See Appendix A.6 for a formatted example. 2.6 Additional Reply Content In general, both HTTP serversDisposition- Notification-To receipt request, andHTTP clients shouldonly a 200 ("OK") response would bepreparedexpected. An MDN in response toprocess the basic EDIINT data formats when they are embedded within MIME multiparts. This is true for HTTP request payloads as well as HTTPa replypayloads. So, as previosuly mentioned, for HTML-based POSTS, Moberg, Brooks, Drummond [page15] HTTP Transport for Securemay be combined with a subsequent EDIOctober 1999 any of the EDIINT templates describedmessage sent with a POST operation, for example a Purchase-Order transaction in[AS1], sections 4.2.1response to4.2.4 or 4.3.1a Quote. The MIME multipart/mixed form is used to4.3.4 for PGP/MIME or S/MIME security, may be foundcombine the MDN with the other data, the same asparts offor amultipart/form-data. In addition,POST reply. 2.9 Error Recovery If theresponseHTTP client fails to read the HTTP server response data, the POST operationmay include other MIME wrappedwith identical contentbesides an MDN Receipt, Signed MDN, Generalized Report Receipt or Signed Report Receipt. If a receipt was requested within the POST data,(including Message-ID, RefNum, andadditional content is toother header elements) should bereturned, the receipt multipart/report must be combined with the other data using some MIME multipart pattern. Real-time EDI processing systems may use MIME multipart content-types to include a response EDI message, for example, a Quote in response to a Request-For-Quote transaction. Also, if requested, the sender may request an asynchronous mode for return of receipt. This mode is indicated by including the metadata for Receipt-delivery-option as explained above and choosing a URL rather than the value "default". 2.7 Non-Repudiation of the POST Reply If the reply to a POST operation needs a MDN receipt for non- repudiation (for example, the reply includes content other than a receipt), the top-level headers in the response include the same headers required for POST data described above: Disposition-Notification-To, Message-ID, From, and To. Other headers described above used in a MDN should be included, for example, Date and Subject. The MDN receipt of the response data is returned using a subsequent POST operation. A POST operation used only to transmit an MDN should not include the Disposition- Notification-To receipt request, and only a 200 ("OK") response would be expected. An MDN in response to a reply may be combined with a subsequent EDI message sent with a POST operation, for example a Purchase-Order transaction in response to a Quote. The MIME multipart/mixed form is used to combine the MDN with the other data, the same as for a POST reply. 2.8 Error Recovery If the HTTP client fails to read the HTTP server response data, the POST operation with identical content (including Message-ID) should be repeated, ifrepeated, if the error condition is transient. The Message-ID or RefNum on a POST operation can be reused if and only if all of the content (including the original Date) is identical.Moberg, Brooks, Drummond [page16] HTTP Transport for Secure EDI October 1999Details of the retry process -- including time intervals to pause, number of retries to attempt, timeouts for retrying -- are implementation dependent. Servers should be prepared to receive a POST with a repeated Message-ID. The MIME reply body previously sent should be resent, including the MDN and other MIME parts. 3.Referenced RFCs and their contribution 3.1 RFC 2068 [HTTP] : The HyperText Transfer Protocol, HTTP, provides an application level protocol for distributed hypermedia information systems. This standard specifies the protocol HTTP/1.1. 3.2 RFC 2246 [TLS] : Transport Layer Security Security specifies a protocol similarOther differences toSSL version 3 that provides communications privacy over the Internet. Applications can communicate without eavesdropping, tampering, or message forgery. 3.3 RFC 1847 [SECURITY] : MIME Security Multiparts This document defines security multiparts for MIME: multipart/encryptednotice in HTTP andmultipart/signed. 3.4 RFC 1892 [REPORT] : Multipart/report This RFC defines the use of the multipart/report content type that the MDN RFC 2298 [MDN] presupposes. 3.5 RFC 1767 [MIMEEDI] : EDI Content This RFC definesSMTP based transport For HTTP version 1.1, TCP persistent connections are theuse of content type "application" for ANSI X12 (application/EDI-X12), EDIFACT (application/EDIFACT)default, ( [HTTP] sections 8.1.2, 8.2, andmutually defined EDI (application/EDI-Consent). 3.6 RFC 2015 [MIMEPGP] : PGP/MIME This RFC defines the use19.7.1). A number ofcontent types "multipart/encrypted", "multipart/signed", "application/pgp encrypted" and "application/pgp-signature" for definingother differences exist because HTTP does not conform to MIMEPGP content. 3.7 RFC 2045, 2046, and 2049[MIME]: MIME Theseas used in SMTP transport. Relevant differences arethe basic MIME standards, upon which allsummarized below. 3.1 Unused MIMErelated RFCs build, including this one. Key contributions include definition of "content type", "sub-type"headers and"multipart", as well as encoding guidelines, which establishes 7-bit US-ASCII as the canonical character set to beoperations 3.1.1 Content-Transfer-Encoding not used inInternet messaging. Moberg, Brooks, Drummond [page17]HTTPTransport for Secure EDI October 1999 3.8 RFC 2298 [MDN] : Message Disposition Notification This RFC defines how a message disposition notification (MDN) is requested,transport HTTP can handle binary data and so there is no need to use theformat and syntaxContent transfer encodings ofthe MDN. The MDN is the basis upon which receipts and signed receipts are defined in this and in [AS1]. 3.9 RFC 2311 [SMIMEV2] : S/MIME Version 2 Message Specification This specification describes how MIME shall carry PKCS7 1.5 envelopes. 3.10 RFC 2633 [SMIMEV3] : This specification updates formats and procedures for combining cryptographic encryption and signature services with MIME processing. See also [CMS]. 3.11 RFC XXXX X [AS1] : MIME-based Secure EDI This applicability statement describes security patterns, MIME content types, and acknowledgement policies and mechanisms for EDI or business data transport. 3.12 RFC 2388 [FORMDATA] : This specifies a standard Internet Media Type useful for returning a set of values as the result of a user filling out a form. 4. Other differences to notice in HTTP and SMTP based transport For HTTP version 1.1, TCP persistent connections are the default, ( [HTTP] sections 8.1.2, 8.2, and 19.7.1). A number of other differences exist because HTTP does not conform to MIME [MIME] as used in SMTP transport. Relevant differences are summarized below. 4.1 Unused MIME headers and operations 4.1.1 Content-Transfer-Encoding not used in HTTP transport HTTP can handle binary data and so there is no need to use the Content transfer encodings of MIME [MIME]. This differenceMIME [MIME]. This difference is discussed in [HTTP] section 19.4.4.4.1.23.1.2 Epilogue must be empty The EBNF for a multipart [MIME] RFC 2046, section 5.1.1 allows a multipart to have trailing octets after the close delimiter. In [HTTP] section 3.7.2, it is explicitly noted that multiparts must have null epilogues.4.1.33.1.3 Lengthy message bodies Moberg, Brooks, Drummond[page18][page 16] HTTP Transport for Secure EDIOctober 1999March 1, 2000 In [AS1], section 5.4.1, options for large file processing are discussed for SMTP transport. For HTTP, large files should be handled correctly by the TCP layer. However, [HTTP] sections 3.5 and 3.6 discuss some options for compressing or chunking entities to be transferred. Section 8.1.2.2 discusses a pipelining option that is useful for segmenting large amounts of data.4.23.2 Differences in MIME or other headers or parameters used4.2.13.2.1 Content-Length Because connections are persistent, closing a connection cannot be used to indicate the end of an entity. Therefore, [HTTP] sections 4.4 and 14.14 indicate the need for a Content-Length entity header in a request.4.2.23.2.2 Final and Original Recipient The final and original recipient distinction should not arise for HTTP transport because SMTP aliases and mailing lists should not be used.4.2.33.2.3 Message-Id and Original-Message-Id The Message-Id and Original-Message-Id distinction should not arise for HTTP transport because SMTP MTA alterations should not occur.4.2.43.2.4 Host header The host request header field must be included in the POST request made when sending business data. This field is to allow one server IP address to service multiple hostnames, and potentially conserve IP addresses. See [HTTP], sections 14.23 and 19.5.1.5. Acknowledgments Carl Hage, Karen Rosenfeld, Chuck Fenton, Dick Brooks, and many others have provided valuable suggestions improving this applicability statement. 6. References [MIME] N. Borenstein, N.Freed, "Multipurpose Internet Mail Extensions (MIME) Part One: FormatAppendices A. AS 2 MIME templates Structure ofInternet Message Bodies", RFC 2045, December 02, 1996. N. Borenstein, N.Freed, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, December 02, 1996.an AS2 MIME message - PGP/MIME No encryption, no signature (analog of 4.2.1) -RFC2068/2045 -RFC1767/RFC2376 (application/EDIxxxx or application/xml) No encryption, signature (analog of 4.2.2) -RFC2068/2045 -RFC1847 (multipart/signed) -RFC1767/RFC2376 (application/EDIxxxx or application/xml) -RFC2015 (application/pgp-signature) Moberg, Brooks, Drummond[page19][page 17] HTTP Transport for Secure EDIOctober 1999 N. Borenstein, N.Freed, "Multipurpose Internet MailMarch 1, 2000 Encryption, no signature (analog of 4.2.3) -RFC2068/2045 -RFC1847 (multipart/encrypted) -RFC2015 (application/pgp-encrypted) -"Version: 1" -RFC2015 (application/octet-stream) -RFC1767/RFC2376 (application/EDIxxxx or application/xml) (encrypted) Encryption, signature (analog of 4.2.4) -RFC2068/2045 -RFC1847 (multipart/encrypted) -RFC2015 (application/pgp-encrypted) -"Version: 1" -RFC2015 (application/octet-stream) -RFC1847 (multipart/signed)(encrypted) -RFC1767/RFC2376 (application/EDIxxxx or application/xml)(encrypted) -RFC2015 (application/pgp-signature)(encrypted) Structure of an AS2 MIME message - S/MIME No encryption, no signature (analog of 4.3.1) -RFC2068/2045 -RFC1767/RFC2376 (application/EDIxxxx or application/xml) No encryption, signature (analog of 4.3.2) -RFC2068/2045 -RFC1847 (multipart/signed) -RFC1767/RFC2376 (application/EDIxxxx or application/xml) -RFC2633 (application/pkcs7-signature) Encryption, no signature (analog of 4.3.3) -RFC2068/2045 -RFC2633 (application/pkcs7-mime) -RFC1767/RFC2376 (application/EDIxxxx or application/xml) (encrypted) Encryption, signature (analog of 4.3.4) -RFC2068/2045 -RFC2633 (application/pkcs7-mime) -RFC1847 (multipart/signed) (encrypted) -RFC1767/RFC2376 (application/EDIxxxx or application/xml) (encrypted) -RFC2633 (application/pkcs7-signature) (encrypted) B.AS2 Extensions(MIME) Part Five: Conformance Criteriafor the GISB Protocol andExamples", RFC 2049 , December 02, 1996. [MIMEEDI] D. Crocker, "MIME EncapsulationReport-type GISB AS2 Profile The United States based Gas Industry Standards Board (GISB) is a consortium of companies and individuals that operate in the Gas Industry. The membership is divided into 5 sectors, Producers, Pipelines, Services, End Moberg, Brooks, Drummond [page 18] HTTP Transport for Secure EDIObjects", RFC 1767,March2, 1995. [SMTPMSG] D. Crocker, "Standard for1, 2000 Users, Local Distribution Companies, representing theFormatvarious type ofARPA Internet Text Messages", STD 11, RFC 822, August 13, 1982. (Also RFC 1123 provides important updatesorganizations within the industry. In 1996 GISB initiated a program to move from the expensive Value Added Networks they were using, to the Internet. By October of 1996 GISB had developed and tested a protocol, called GISB Electronic Delivery Mechanism (EDM), which uses HTTP and is based ondateRFC 1867 (Form-based File Upload in HTML). By April 1997 this protocol was being used by Enron andtime formats as wellothers to send/receive live, mission critical business transactions over the Internet. Additional companies followed suit and a large percentage of todays business transactions in the Gas Industry are transmitted over the Internet using the GISB EDM protocol. In 1998 the Automobile Industry Action Group (AIAG) adopted the GISB EDM protocol and in 1999 the local electric companies serving the state of Pennsylvania declared the GISB protocol asemail addresses.) [MIMEPGP] M. Elkins, "MIME Security With Pretty Good Privacy (PGP)", RFC 2015, Sept. 1996. [MDN] R. Fajman, "An Extensible Message Format for Message Disposition Notifications", RFC 2298, March 1998. [SECURITY] J. Galvin, S. Murphy, S. Crocker, N. Freed, "Security Multipartstheir standard forMIME: Multipart/Signedtransmitting business transactions via the Internet. In May of 1999 the AIAG, GISB andMultipart/Encrypted", RFC 1847, Oct. 3, 1995 [SMTP] J. Postel, "Simple Mail Transfer Protocol", STD 10, RFC 821, August 1, 1982. [SMIMEV2] S. Dusse, P. Hoffman, B. Ramsdell, L. Lundblade, L. Repka, "S/MIME Version 2 Message Specification", RFC 2311. [SMIMEV3] B. Ramsdell, "S/MIME Version 3 Message Specification", RFC 2633, June 1999. [CMS] R. Housley, "Cryptographic Message Syntax", RFC 2630, June 1999. [REPORT] G. Vaudreuil, "The Multipart/Report Content Type for the Reportingmembers ofMail System Administrative Messages", RFC 1892, January 15, 1996. [HTTP] R. Fielding, J.Gettys, J. Mogul, H. Frystyk, T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2068, January 1997. [AS1] T. Harding, R. Drummond, "MIME-based Secure EDI", Internet draft: draft-ietf-ediint-as1-10.txt. [TLS] T. Dierks,C. Allen, "The TLS Protocol Version 1.0" RFC 2246, January 1999. [FORMDATA] L. Masinter, "Returning Values from Forms: multipart/form-data", RFC 2388, August, 1998. [HTML] D. Raggett, A. Le Hors, I. Jacobs. "HTML 4.0 Specification", World Wide Web Consortium Technical Report Moberg, Brooks, Drummond [page20] HTTP Transport for Secure EDI October 1999 "REC-html40", December, 1997. <http://www.w3.org/TR/REC-html40/> [GISB] Gas Industry Standards Board, "Electronic Delivery Mechanism Related Standards", Version 1.3 July 31, 1998 [MIME-TYPES] "Media Types," http://www.isi.edu/in-notes/iana/assignments/media-types/media-types. [EDIINT] T. Harding, R. Drummond , "Requirements for Interoperable Internet EDI", Internet draft: draft-ietf-ediint-req06.txt. 7. Authors' Addresses Dale Moberg dale_moberg@stercomm.com Sterling Commerce 4600 Lakehurst Ct. Dublin, OH 43016 USA Dick Brooks Group 8760 110 12th Street North Suite F103 Birmingham, Alabama 35203 Tel: 205-250-8053 E-mail: dick@8760.com Rik Drummond drummond@onramp.net The Drummond Group 5008 Bentwood Ct. Ft. Worth, TX 76132 USA Chuck Shih Appendix A. Example Exchanges. NOTE: Examples are provided as illustration only. If the example conflicts withtheprevious text,IETF EDIINT workgroup initiated an effort to converge their independent specifications, theexampleresult of which iswrong. Example A.1 Sending a multipart signed for trading partner 1 backthis specification. In order totrading partner 2. "#" indicatesbring the GISB EDM into compliance with this specification GISB initiated acomment line. POST https://tp2server.company2.com/cgi-bin/tp1drawer.pl HTTP/1.1 Host: tp2server.company2.com Moberg, Brooks, Drummond [page21] HTTP Transport for Secure EDI October 1999 From: tp1@company1.com To: tp2@company2.com Date: Tue, 06 Nov 2001 12:53:01 UT Subject: Purchase orders for 6 November 2001 Message-Id: <20011106@company1.com> Disposition-Notification-To: tp1@company1.com # continuation lines not used in actual HTTP protocol data unit Content-Type: multipart/signed; boundary="20011106RsXgYlvCNW" ; protocol=application/pkcs7-signature; micalg=rsa-md5 Content-Length: 3056 --20011106RsXgYlvCNW Content-Type: application/edi-x12 Content-Disposition: Attachment; filename=rfc1767.dat Content-Length: 2605 ISA ... # EDI transaction data IEA ... --20011106RsXgYlvCNW Content-Type: application/pkcs7-signature Content-Length: 804 # omitted binaryformal change to the EDM specification. The following information, referred to as the "GISB AS2 Profile", reflects the planned utilization of this specification by the GISB membership. The GISB membership will utilize PGP to meet all P.A.I.N. requirements. All data--20011106RsXgYlvCNW-- Example A.2 Returning aexchanges will utilize the multipart/form-data enveloping method and two generalized receipts, GISB-Acknowledgement-Receipt and GISB-Error-Notification. All original business transactions must be digitally signedMDN(using encapsulated signatures) and encrypted using RSA algorithms. Upon successful transfer of an original business transaction thepreviously established TLS security) from trading partner 2 backreceiver is required totrading partner 1. "#" indicatessend acomment line. HTTP/1.0 200 OK Server: HTTPEDI/1.1 Content-type: multipart/signed; Content-Length: 1200 --boundary1 Content-type: multipart/report Content-length: 1133 --boundary2 Content-type: text/plain Content-length: 85 Message <20011106@company1.com> was authenticated; EDIGISB-Acknowledgement-Receipt indicating that the transfer has completed successfully. If, upon further processingwas initiated. --boundary2 Content-type: message/disposition-notification Content-length: 213 Reporting-UA: Company2UA Moberg, Brooks, Drummond [page22] HTTP Transport for Secure EDI October 1999 Original-Message-Id: <20011106@company1.com> Original-Recipient: tp2@company2.com X-Received-Content-MIC: w7AguNJEmhF/qIjJw6LnnA==,rsa-md5 Disposition: MDN-sent-automatically/processed --boundary2-- --boundary1 Content-Type: application/pkcs7-signature Content-Length: 560 # Signature data omitted --boundary1-- Example A.3 PGP ENCRYPTED/SIGNED EDI Objectof the business document and error is encountered a GISB-Error-Notification is sent to the original sender usingHTTP POST (ref [AS1], section 4.2.4 enveloping using multipart/form-data). The entire payload contained withinthemultipart/encrypted partmultipart/form-data enveloping. It istreated as one opaque object. POST /cgi-bin/receiver.cgi HTTP/1.1expected that companies following the GISB AS2 profile will protect their web sites from unauthorized access through the use of basic authentication (username/passwords), as defined in the HTTP specification. GISB is not "requiring" the use of signed receipts; however, signed receipts are allowed between consenting trading partners. GISB has decided to use the following core headers: FROM: Contains the DUNS number of the sending party TO: Contains the DUNS number of the intended recipient INPUT-FORMAT: Type of data being sent (only x12 and error currently supported) other options can easily be added to this list. INPUT-DATA: The actual payload containing the business transaction or GISB-Error-Notification. If the payload contains a business transaction it is signed and encrypted using PGP. Moberg, Brooks, Drummond [page 19] HTTP Transport for Secure EDI March 1, 2000 Version: The GISB version number (currently 1.3) RECEIPT-DISPOSITION-TO: The DUNS number of the party to receive the GISB-Acknowledgement-Receipt (typically the same DUNS number associated with the From header.) Presence of this field also serves as a flag indicating that an acknowledgement receipt is requested by the sender. The receipt is returned synchronously (on the same session used to send the input-data payload). RECEIPT-REPORT-TYPE: Contains the value GISB-Acknowledgement-Receipt. Optional headers also available: TRANSACTION-SET: Identifies the type of transaction contained in the input-data payload. RECEIPT-SECURITY-SELECTION: This field serves as a flag indicating that a signed receipt is being requested. The contents of this field indicate the algorithm and signature type to use in constructing the signature. Example of a GISB data exchange: The sending party creates an X12 business transaction and concatenates with an RFC 1767 compliant header. The entire package is then encrypted and signed using PGP. The encrypted package is then enveloped with the appropriate headers/values and sent to the trading partner using HTTP POST, the contents of this post appear as folloows: POST c:\execute HTTP/1.0 Referer: http://www.get.a.life/upl.htm Connection: Keep-Alive User-Agent:Group 8760 WinBB (Win98; I)brow v0.1 XYZ Corp. Host:localhost:2600localhost Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,image/png,*/*Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8Content-type: multipart/form-data;boundary=---------------------------222875935764boundary=---------------------------87453838942833 Content-Length:1373 -----------------------------2228759357645379 -----------------------------87453838942833 Content-Disposition: form-data; name="from"FROM1234 -----------------------------222875935764123456789 -----------------------------87453838942833 Content-Disposition: form-data; name="to"TO9876 -----------------------------222875935764 Content-Disposition: form-data; name="input-format" x12 -----------------------------222875935764 Content-Disposition: form-data; name="Receipt-report-type" GISB-acknowledgement-receipt -----------------------------222875935764234567890 -----------------------------87453838942833 Moberg, Brooks, Drummond[page23][page 20] HTTP Transport for Secure EDIOctober 1999March 1, 2000 Content-Disposition: form-data; name="Version" 1.3 -----------------------------87453838942833 Content-Disposition: form-data; name="receipt-disposition-to" 123456789 -----------------------------87453838942833 Content-Disposition: form-data; name="receipt-report-type" GISB-Acknowledgement-Receipt -----------------------------87453838942833 Content-Disposition: form-data; name="input-format" x12 -----------------------------87453838942833 Content-Disposition: form-data; name="input-data";filename="D:\GISBLite\as2testtextfile.aes"filename= c:\temp\smallnom.bin Content-Type: multipart/encrypted; boundary=8760; protocol="application/pgp-encrypted" --8760 Content-Type: application/pgp-encrypted Version: 1 --8760 Content-Type: application/octet-stream -----BEGIN PGP MESSAGE----- Version: PGP 6.5 hQCMAzRG1pEOIOvdAQP+JMr0m/9+8yOL60Z9Vr6fFV81FCExB/o0xmwiMkiwYsHs z0e8sb7ErC340MrNA/dw3taGMjmI+CXYRF/PLEdg1NZE1ZCtNeL4YdIHAMLWwODG lQxhSucz8rMSgQ5mZzcOJwBdWLW70efgsu/9UljuJjYc1uZ6C03eFQv/43fkB+al ATtgydxX4g8QK664ad+Jo/XUICSmWBL66fqJR1KLeLf4wTaqGy174Aq48Wpwvg1E h785zC03UAw0qg0ugMt86dPeyd91e2JigqwDYEf/DYEKD0J9BGiGpS/uAupNKj8O cp2IWClxKOGUbxpVNOnNTqWHS/GntegvDE/7/ewCxDxsnmQS95pOl141QZ1RQbeN aqx2Dq/ra9g65HNchOCzjul5Vi8HHf6Yhg2WnROe+npByyCue6rihqgNVOJwj0cV zpb4JE+gMDf3q4ISUb1Fv7/+SSFHDdnhdC5YTpqf1Bc3B07hiLmtTXqNit31EbX9 UVElObzSa9ZhxbC6/eSl7Nuf5ZTDsh9nrk+QQJ6FeC9W4cqXLj7IZySaRO8Vtff+ 4ktqeuhYusT4kSpnk027aw4O/5jomUkfb22CAe4= =Oiuo -----END PGP MESSAGE-------8760 -----------------------------222875935764-- Example A.4 An Acknowledgement Receipt Indicating Errors.--8760-- -----------------------------87453838942833 Upon receiving the above stream of data the receiving host parses the headers and returns an unsigned GISB-Acknowledgement-Receipt, appearing as follows: Content-Type: multipart/report; report-type="GISB-Acknowledgement-Receipt";boundary="GISB7866" --GISB7866 Content-type: text/html <HTML><HEAD><TITLE>Acknowledgement Receipt Error</TITLE></HEAD> <BODY><P> time-c=19960619082855* request-status=EEDM106: Invalid To Common Code Identifier* server-id=coolhost* trans-id=234423897* </P> </BODY></HTML> --GISB7866 Content-type: text/plain time-c=19960619082855* request-status=EEDM106: Invalid To Common Code Identifier*boundary="GISB7867" --GISB7867 Moberg, Brooks, Drummond[page24][page 21] HTTP Transport for Secure EDIOctober 1999 server-id=coolhost* trans-id=234423897* --GISB7866-- Example A.5 An Acknowledgement Receipt Indicating Success Content-Type: multipart/report; report-type="GISB-Acknowledgement-Receipt"; boundary="GISB7867" --GISB7867March 1, 2000 Content-type: text/html <HTML><HEAD><TITLE>Acknowledgement Receipt Success</TITLE></HEAD> <BODY><P> time-c=19960619082855* request-status=ok* server-id=coolhost* trans-id=234423897* </P> </BODY></HTML> --GISB7867 Content-type: text/plain time-c=19960619082855* request-status=ok* server-id=coolhost* trans-id=234423897* --GISB7867--Example A.6C. Samples of AS 2 Protocol Data Units C.1 The following example illustrates the full HTTP request that sends X12 EDI data from company1 to company2. AGISB Error Notificationsigned receipt is requested; the receipt is to be a MDN report-type, with the pkcs7 signature option, using a signature algorithm of rsa-md5. The receipt is to be sent synchronously (that is, in the reply to this HTTP request), because no special delivery options are indicated. POSTURLhttps://tp2server.company2.com/cgi-bin/tp1drawer.pl HTTP/1.1Referer: http://www.upload.com/upl.htm Connection: Keep-Alive User-Agent: brow v0.1 XYZ Corp.Host:localhost Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* Content-type: multipart/form-data; boundary=---------------------------87453838942833tp2server.company2.com To: tp2@company2.com Date: Tue, 06 Nov 2001 12:53:01 UT Subject: Purchase orders for 6 November 2001 Message-Id: <20011106@company1.com> Disposition-Notification-To: tp1@company1.com Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature ; signed-receipt-micalg=optional,rsa-md5 Content-Type: multipart/signed; boundary="20011106RsXgYlvCNW" ; protocol=application/pkcs7-signature; micalg=rsa-md5 Content-Length:1958 -----------------------------87453838942833 Content-Disposition: form-data; name="from" 234567890 -----------------------------87453838942833 Content-Disposition: form-data; name="to" 123456789 -----------------------------874538389428333056 --20011106RsXgYlvCNW Content-Type: application/edi-x12 Content-Disposition:form-data; name="input-format"Attachment; filename=rfc1767.dat Content-Length: 2605 [ISA ...EDI transaction data...IEA...] --20011106RsXgYlvCNW Content-Type: application/pkcs7-signature Content-Length: 804 [omitted binary pkcs7 signature data] --20011106RsXgYlvCNW-- C.2 This second example illustrates returning a signed MDN that corresponds to the request for a MDN found in C.1. Moberg, Brooks, Drummond[page25] HTTP Transport for Secure EDI October 1999 error -----------------------------87453838942833 Content-Disposition: form-data; name="input-data"; filename=c:\temp\error.not Content-Type: multipart/report; report-type="GISB-Error-Notification"; boundary="GISB7868" --GISB7868 Content-type: text/html <HTML><HEAD><TITLE>Error Notification</TITLE></HEAD> <BODY><P> orig-from=123456789* orig-to=234567890* orig-input-format=X12* resp-time-c=19960619102855* resp-server-id=coolhost* resp-trans-id=234423897* request-status=EEDM601: Public Key Invalid* comments=Please contact 1-800-555-1212 for correct public key* </P> </BODY></HTML> --GISB7868 Content-Type: text/plain orig-from=123456789* orig-to=234567890* orig-input-format=X12* resp-time-c=19960619102855* resp-server-id=coolhost* resp-trans-id=234423897* request-status=EEDM601: Public Key Invalid* comments=Please contact 1-800-555-1212 for correct public key* --GISB7868-- -----------------------------87453838942833-- Error Notification Standard Error Codes and Messages Codes beginning with EEDM### indicate standard error format with ### representing a numeric value. Codes beginning with WEDM### standard warning format with ### representing a numeric value. The string[page 22] HTTP Transport for Secure EDI March 1, 2000 HTTP/1.0 200 OK Server: HTTPEDI/1.1 Content-type: multipart/signed; Content-Length: 1200 --boundary1 Content-type: multipart/report Content-length: 1133 --boundary2 Content-type: text/plain Content-length: 85 Message <20011106@company1.com> was authenticated; EDI processing was initiated. --boundary2 Content-type: message/disposition-notification Content-length: 213 Reporting-UA: Company2UA Final-Recipient: rfc822; tp2@company2.com Original-Message-Id: <20011106@company1.com> X-Received-Content-MIC: w7AguNJEmhF/qIjJw6LnnA==,rsa-md5 Disposition: MDN-sent-automatically/processed --boundary2-- --boundary1 Content-Type: application/pkcs7-signature Content-Length: 560 [ Signature data omitted] --boundary1-- D. Acknowledgments Carl Hage, Karen Rosenfeld, Chuck Fenton and many others have provided valuable suggestions improving this applicability statement. E. References [MIME] N. Borenstein, N.Freed, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, December 02, 1996. N. Borenstein, N.Freed, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, December 02, 1996. N. Borenstein, N.Freed, "Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance Criteria and Examples", RFC 2049 , December 02, 1996. Moberg, Brooks, Drummond [page 23] HTTP Transport for Secure EDI March 1, 2000 [MIMEEDI] D. Crocker, "MIME Encapsulation of EDI Objects", RFC 1767, March 2, 1995. [XMLTYPES] E. Whitehead, M. Murata, "XML Media Types", RFC 2376, July 1998. [SMTPMSG] D. Crocker, "Standard for the Format of ARPA Internet Text Messages", STD 11, RFC 822, August 13, 1982. (Also RFC 1123 provides important updates on date and time formats as well as email addresses.) [MIMEPGP] M. Elkins, "MIME Security With Pretty Good Privacy (PGP)", RFC 2015, Sept. 1996. [MDN] R. Fajman, "An Extensible Message Format for Message Disposition Notifications", RFC 2298, March 1998. [SECURITY] J. Galvin, S. Murphy, S. Crocker, N. Freed, "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted", RFC 1847, Oct. 3, 1995 [SMTP] J. Postel, "Simple Mail Transfer Protocol", STD 10, RFC 821, August 1, 1982. [SMIMEV2] S. Dusse, P. Hoffman, B. Ramsdell, L. Lundblade, L. Repka, "S/MIME Version 2 Message Specification", RFC 2311. [SMIMEV3] B. Ramsdell, "S/MIME Version 3 Message Specification", RFC 2633, June 1999. [CMS] R. Housley, "Cryptographic Message Syntax", RFC 2630, June 1999. [REPORT] G. Vaudreuil, "The Multipart/Report Content Type for the Reporting of Mail System Administrative Messages", RFC 1892, January 15, 1996. [HTTP] R. Fielding, J.Gettys, J. Mogul, H. Frystyk, T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2068, January 1997. [AS1] T. Harding, R. Drummond, "MIME-based Secure EDI", Internet draft: draft-ietf-ediint-as1-10.txt. [TLS] T. Dierks,C. Allen, "The TLS Protocol Version 1.0" RFC 2246, January 1999. [FORMDATA] L. Masinter, "Returning Values from Forms: multipart/form-data", RFC 2388, August, 1998. [HTML] D. Raggett, A. Le Hors, I. Jacobs. "HTML 4.0 Specification", World Wide Web Consortium Technical Report "REC-html40", December, 1997. <http://www.w3.org/TR/REC-html40/> [GISB] Gas Industry Standards Board, "Electronic Delivery Mechanism Related Standards", Version 1.3 July 31, 1998 [MIME-TYPES] "Media Types," http://www.isi.edu/in-notes/iana/assignments/media-types/media-types. [EDIINT] T. Harding, R. Drummond , "Requirements forthe error or warning should appear in the following format: Validation Code: Description; supplemental message to be defined by the issuing site up to 80 characters. The supplemental message is senders option, only the Validation Code and Description are required.Interoperable Internet EDI", Internet draft: draft-ietf-ediint-req.txt. Moberg, Brooks, Drummond[page26][page 24] HTTP Transport for Secure EDIOctober 1999 Example: EEDM100:Missing from Common from required Code Identifier ListingMarch 1, 2000 F. Security Considerations This entire document is concerned with secure transport ofStandard Error Codes and Messages CODE MESSAGE EEDM100 Missing from Common from required Code Identifier EEDM101 Missing to Common Code to required Identifier EEDM102 Missing input format input-format required EEDM103 Missing data file input-data required EEDM104 Missing transaction set transaction-set mutually agreed EEDM105 Invalid from Common from required Code Identifier EEDM106 Invalid to Common Code to required Identifier EEDM107 Invalid input format input-format required EEDM108 Invalid transaction set transaction-set mutually agreed EEDM109 No parameters supplied parameter required string EEDM601 Public key invalid file itself required - security EEDM602 File not encrypted file itself required - security EEDM603 Encrypted file truncated file itself required - security EEDM604 Encrypted file not signed or signature not matched EEDM699 Decryption Error required for general decryption errors not specifically identified above EEDM999 System error (required for general system errorsbusiness toindicate severe errors in processing at the receiving site) WEDM100 Transaction set sent not transaction-set mutually agreed mutually agreedbusiness data, and considers both privacy and authentication issues. G. Authors' Addresses Dale Moberg dale_moberg@stercomm.com Sterling Commerce 4600 Lakehurst Ct. Dublin, OH 43016 USA Dick Brooks dick@8760.com Group 8760 110 12th Street North Suite F103 Birmingham, Alabama 35203 Tel: 205-250-8053 Rik Drummond drummond@onramp.net The Drummond Group 5008 Bentwood Ct. Ft. Worth, TX 76132 USA ----