European Commission Digital

Public Consultation on the eDelivery AS4 profile version 1.15

The Connecting Europe Facility (CEF) eDelivery team is opening a Public Consultation on a new eDelivery Draft Specification of eDelivery AS4. Compared to the current version, this new draft specification updates one existing Profile Enhancement and proposes a new Profile Enhancement. This consultation is open until 28 December 2018.

Update to Dynamic Receiver Profile Enhancement

In the Dynamic Receiver Profile Enhancement, a Receiving MSH is not required to be pre-configured for all possible signing certificates. Instead, the signing certificate, which the Receiving MSH may not have been aware of previously, is carried in the message along with the signature. The Receiving MSH is expected to perform various checks, one of which is to ensure that the signing certificate is issued by a trusted anchor certificate. The addition in the new version is that, for interoperability, efficiency, and to ease validation of the signature by the Receiving MSH, the specification now recommends that the full certificate path is included with the signature, rather than just the leaf certificate.

The background to this update is a request from a very large upcoming deployment of eDelivery AS4 that uses the Dynamic Receiver Profile Enhancement. In that deployment, there is a need to support a wide range of trust anchors, rather than a single special-purpose Certification Authority root certificate. In this environment, certificate validation is more complex than in the deployments we have seen previously. The new recommendation supports this.
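As an added illustration (not part of the consultation text and not code from any eDelivery implementation), the walk a Receiving MSH performs from the signing certificate carried in the message up to a trust anchor, using the pyca/cryptography library (assumed installed) and a constructed three-tier test PKI. It shows the point of the new recommendation: with only the leaf certificate, an intermediate CA the receiver has never seen cannot be linked to the anchor, while a carried full PKI path validates.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def make_cert(cn, issuer, issuer_key, key, ca):
    """Issue a one-year cert for `cn`; `issuer` is the issuing cert, or None when self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if `cert` carries a valid signature by `issuer`'s key (RSA PKCS#1 v1.5 here)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False
    return True

def validate_path(leaf, carried, anchors):
    """Walk from the signing cert up to a trust anchor using only the certs `carried` in the
    message (no intermediate CA is known in advance); expiry/revocation checks are omitted."""
    pool = {c.subject: c for c in carried                # only CA certs may act as issuers
            if c.extensions.get_extension_for_class(x509.BasicConstraints).value.ca}
    trusted = {c.subject: c for c in anchors}
    cert = leaf
    for _ in range(len(pool) + 1):              # bounded walk; a cycle means a broken path
        if cert.issuer in trusted:              # reached an anchor: check the last signature
            return signed_by(cert, trusted[cert.issuer])
        parent = pool.get(cert.issuer)
        if parent is None or not signed_by(cert, parent):
            return False                        # intermediate missing or signature invalid
        cert = parent
    return False

def demo():  # constructed PKI: root (the only trust anchor) -> issuing CA -> Sending MSH cert
    root_key, ica_key, msh_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("Example Root CA", None, root_key, root_key, True)
    ica = make_cert("Example Issuing CA", root, root_key, ica_key, True)
    msh = make_cert("Sending MSH", ica, ica_key, msh_key, False)
    return (validate_path(msh, [msh, ica], [root]),   # full PKI path carried: True
            validate_path(msh, [msh], [root]))        # leaf only, intermediate unknown: False
```

A production receiver would additionally check validity periods, revocation status and any name or policy constraints before accepting the signature.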

New Profile Enhancement for Large Message Splitting and Joining

Available implementations of the eDelivery AS4 Common Profile have demonstrated an ability to exchange AS4 messages up to 2 GB in size. This covers the requirements of the vast majority of eDelivery AS4 users. However, some users of eDelivery have expressed a need to exchange very large messages (potentially up to hundreds of gigabytes). This is problematic for many implementations and deployments.

In the former EU e-SENS project, an initial study was done which evaluated a number of approaches to handling large messages. The conclusion of that study was that the ebMS3 Part 2 Large Message Splitting and Joining feature was the approach that best meets user requirements. Building on that work, the CEF eDelivery team has developed a draft new optional eDelivery AS4 Profile Enhancement based on this feature. This Profile Enhancement profiles the OASIS specification feature and adapts it to work with eDelivery AS4.

While initial investigation internally by developers in the CEF eDelivery team has not identified any major implementation issues, there are many other implementations of eDelivery AS4.

The European Community is very interested in feedback and comments from the wider user, implementer and vendor community on this new proposed Profile Enhancement.

Please post your comments via the below link or send them to CEF-EDELIVERY-SUPPORT@ec.europa.eu with [eDelivery AS4 profile version 1.15] in the title of the email.

Frequently Asked Questions on Dynamic Receiver Update

Who is impacted by the proposed change to Dynamic Receiver?

Since the change is only a recommendation, no current users of eDelivery AS4 and of the eDelivery Dynamic Receiver Profile Enhancement are affected.

What is the impact of the proposed change to Dynamic Receiver?

To implement the change, AS4 products must be (re)configured to allow the full certificate path to be included on outbound messages, instead of (just) the leaf certificate. On inbound messages, the change greatly simplifies validation of certificates, which is one step in the validation of the signature.

How do I get my WS-Security toolkit to issue PKI Paths?

Implementers that use a toolkit that supports WS-SecurityPolicy can configure the use of PKI certificate paths instead of leaf certificates by setting sp:X509Token/wsp:Policy/sp:WssX509PkiPathV1Token11.

Frequently Asked Questions on Splitting and Joining

Who is impacted by the proposed new Splitting and Joining Enhancement?

Since the proposed Profile Enhancement does not replace any existing part of eDelivery AS4 and is an optional feature, no existing users are affected.

Is Splitting and Joining secure?

Yes, signing and encryption processing is applied to all fragments and reordering or replacing fragments is not possible without detection.

Can I use Splitting and Joining in combination with other Profile Enhancements?

Yes, it can be used with all the existing Profile Enhancements.

How do I know if my counterparty supports Splitting and Joining?

In a statically configured environment, this information needs to be shared among parties.

In an environment that uses Dynamic Sender, a discovery infrastructure is used to publish business and technical capabilities, including the supported messaging protocol profile. A different identifier is proposed that indicates support for eDelivery AS4 with Splitting and Joining.