ubl-security message
Subject: E-archiving UBL documents with external attachments


 
Hello,
 
I'm in a project where we are exchanging XML documents that use a structure for externally referenced attachments that is similar to the UBL ExternalReference element (see below). The XML documents and attachments are exchanged as MIME parts in a MIME envelope (an ebMS 2.0 envelope in fact, but I think the principle applies to SOAP-with-attachments generally and similar protocols like MTOM). The XML document references the attachments using the MIME content id reference. The attachments are large binary documents; we do not want to include them as Base64 encoded parts, as the MIME structure facilitates combinations of XML and non-XML payloads so well. The protocol supports digitally signing the envelope including all payloads/attachments. The message service handler (MSH), when receiving a message, verifies the signature, decrypts any (message-level encrypted) payloads and unpacks the message envelope. The parts that are passed to the business application are submitted as a collection of related parts, but the only proof that these parts were submitted and delivered as a unit is in the logs and message store of the MSH. Typically, these MSH logs and backups are purged periodically, and only the delivered payloads are stored, by the business application.
 
One of the partners in my project now argues that, even if the XML is signed, and even if the signed XML document has a document hash, unique part identifier (like a CID) and a hash algorithm method, there is a loss of information: in the archive, the fact that the XML document and the externally referenced attachments were in the same envelope is not recorded and cannot be proven. The message store of the MSH supports this, but we do not want to have to back up and archive the MIME messages in addition to the XML document and its payloads.
 
How do UBL projects handle this, as many UBL documents need to be archived for years for legal reasons? From an e-archiving point of view, is it really important, or even legally required, that a UBL document and any externally referenced payloads were sent as a single message? I would think that being able to send attachments with documents in a single MIME envelope is mainly convenience, and that in theory it should be possible to send attachments separately, or just reference them, as long as they are and remain retrievable, have the referenced content-id (or other external reference type), the document hash is valid, and the document containing the hash is signed or sealed. Can external references be used with documents and attachments that need to be archived in compliance with relevant laws?
 
Pim
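As an added example (not from the original post, and not code from any UBL or ebMS implementation), the following Python script models the situation described in the message: a document carrying UBL-2-style cac:ExternalReference entries (cbc:URI, cbc:DocumentHash, cbc:HashAlgorithmMethod) is packed with its attachments into a multipart/related MIME envelope, unpacked the way an MSH would hand the parts to the business application, and then checked on the archive side using only the stored parts and no envelope. The namespace URIs and element names follow UBL 2 CommonAggregateComponents/CommonBasicComponents; the root element, the content-ids, the attachment bytes and the "SHA-256" spelling of the hash method are constructed assumptions for the example.

```python
import hashlib
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# UBL 2 namespaces for the cac:/cbc: prefixes.
CAC = "urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2"
CBC = "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2"
NS = {"cac": CAC, "cbc": CBC}


def digest(data: bytes, method: str) -> str:
    """Hex digest of data using the HashAlgorithmMethod named in the document.
    Assumption: the method is spelled like 'SHA-256' (a hashlib name with a dash)."""
    return hashlib.new(method.replace("-", "").lower(), data).hexdigest()


def build_document(attachments: dict[str, bytes], method: str = "SHA-256") -> bytes:
    """Constructed sample: a minimal document whose cac:Attachment/cac:ExternalReference
    entries point at MIME parts by cid: URI and carry a DocumentHash, so each
    attachment can be checked later without the envelope it travelled in."""
    ET.register_namespace("cac", CAC)
    ET.register_namespace("cbc", CBC)
    root = ET.Element("Document")  # hypothetical root; a real UBL document uses its schema root
    for cid, data in attachments.items():
        att = ET.SubElement(root, f"{{{CAC}}}Attachment")
        ref = ET.SubElement(att, f"{{{CAC}}}ExternalReference")
        ET.SubElement(ref, f"{{{CBC}}}URI").text = f"cid:{cid}"
        ET.SubElement(ref, f"{{{CBC}}}DocumentHash").text = digest(data, method)
        ET.SubElement(ref, f"{{{CBC}}}HashAlgorithmMethod").text = method
    return ET.tostring(root, encoding="utf-8")


def build_envelope(xml_doc: bytes, attachments: dict[str, bytes]) -> bytes:
    """Pack the document and its attachments as a multipart/related envelope,
    each attachment carrying the Content-ID the document refers to."""
    env = MIMEMultipart("related")
    env.attach(MIMEApplication(xml_doc, "xml"))
    for cid, data in attachments.items():
        part = MIMEApplication(data, "octet-stream")
        part["Content-ID"] = f"<{cid}>"
        env.attach(part)
    return env.as_bytes()


def unpack_envelope(envelope: bytes) -> tuple[bytes, dict[str, bytes]]:
    """What the MSH hands to the business application: the XML part plus the
    attachments keyed by content-id. The envelope itself is not retained."""
    msg = message_from_bytes(envelope, policy=policy.default)
    parts = list(msg.iter_parts())
    xml_doc = parts[0].get_payload(decode=True)
    store = {}
    for part in parts[1:]:
        cid = part["Content-ID"].strip("<>")
        store[cid] = part.get_payload(decode=True)
    return xml_doc, store


def verify_archive(xml_doc: bytes, store: dict[str, bytes]) -> dict[str, str]:
    """Archive-side check using only the (signed) document and the stored
    attachments: resolve each cid, recompute the hash with the named method and
    compare. Returns 'ok', 'missing' or 'hash-mismatch' per content-id."""
    root = ET.fromstring(xml_doc)
    result = {}
    for ref in root.iterfind(".//cac:ExternalReference", NS):
        uri = ref.findtext("cbc:URI", namespaces=NS)
        expected = ref.findtext("cbc:DocumentHash", namespaces=NS)
        method = ref.findtext("cbc:HashAlgorithmMethod", namespaces=NS)
        cid = uri[len("cid:"):]
        data = store.get(cid)
        if data is None:
            result[cid] = "missing"
        elif digest(data, method) != expected:
            result[cid] = "hash-mismatch"
        else:
            result[cid] = "ok"
    return result


# Constructed sample attachments and the envelope built from them.
SAMPLE = {
    "scan-1@example.invalid": b"%PDF-1.4 constructed sample attachment",
    "img-2@example.invalid": bytes(range(256)),
}
SAMPLE_DOC = build_document(SAMPLE)
SAMPLE_ENVELOPE = build_envelope(SAMPLE_DOC, SAMPLE)

if __name__ == "__main__":
    doc, store = unpack_envelope(SAMPLE_ENVELOPE)
    print(verify_archive(doc, store))            # both 'ok'
    store["scan-1@example.invalid"] += b"x"      # simulate a modified archived file
    print(verify_archive(doc, store))            # scan-1 reports 'hash-mismatch'
```

What this makes concrete is the split the message describes: with the document signed, the DocumentHash binds each archived attachment to the document, so integrity and the document-to-attachment link survive purging the MSH store; what the archived parts alone cannot show is that a given attachment arrived in the same envelope as the document, which is the information the partner says is lost. A hash that does not cover the content-id or the document also does not stop an attachment from being re-associated with another document that carries the same hash, so the signature over the document containing the references is what does the binding.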