AS4 NRR draft for Feb 9 discussion

["Moberg Dale" <dmoberg@axway.com>]

AS4 reuses ebMS 3 signal messages for non repudiation of receipt, and uses WSS for signing the receipt.

 

The ebMS 3 signal message, used for either signed or unsigned receipts, is a SOAP version 1.1 or 1.2 header with @mustUnderstand set to “true”.

 

The NonRepudiationInformation contains a sequence of MessagePartNRInformation items for each message part for which evidence of non repudiation of receipt is being provided. In the normal default usage, these message parts are those that have been signed in the original message. Each message part is described with information defined by an XML Digital Signature Reference information item. The following example illustrates the ebMS 3 Signal Message header.

 

<eb3:Messaging S12:mustUnderstand="true">
             <eb3:SignalMessage>
                 <eb3:MessageInfo>
                    <eb3:Timestamp>2009-05-22T14:33:11.735Z</eb3:Timestamp>
                    <eb3:MessageId>orderreceipt@seller.com</eb3:MessageId>
                    <eb3:RefToMessageId>orders123@buyer.com</eb3:RefToMessageId>
                </eb3:MessageInfo>
                 <eb3:Receipt>
                     <ebbp:NonRepudiationInformation>
                         <ebbp:MessagePartNRInformation>
                             <dsig:Reference URI="#5cb44655-5720-4cf4-a772-19cd480b0ad4">
                                 <dsig:Transforms>
                                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                </dsig:Transforms>
                                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                                <dsig:DigestValue>o9QDCwWSiGVQACEsJH5nqkVE2s0=</dsig:DigestValue>
                            </dsig:Reference>
                        </ebbp:MessagePartNRInformation>
                         <ebbp:MessagePartNRInformation>
                             <dsig:Reference URI="cid:a1d7fdf5-d67e-403a-ad92-3b9deff25d43@buyer.com">
                                 <dsig:Transforms>
                                    <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform" />
                                </dsig:Transforms>
                                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                                <dsig:DigestValue>iWNSv2W6SxbOYZliPzZDcXAxrwI=</dsig:DigestValue>
                            </dsig:Reference>
                        </ebbp:MessagePartNRInformation>
                    </ebbp:NonRepudiationInformation>
                </eb3:Receipt>
            </eb3:SignalMessage>
        </eb3:Messaging>

 

For a signed receipt, a Web Services Security header signing over (at least) the signal header is required. An example WS-Security header is as follows:

 

[pending]