Re: [ubl-security] E-archiving UBL documents with external attachments

[Andrea Caccia <andrea.caccia@studiocaccia.com>]

Hi Pim,
I'd like to add some thoughts and information.
UBL Security main goal has been to write a profile mainly targeted to electronically sign an UBL document.
The solution you propose can give the proof that all the attachment existed at the time the document containing the references and hashes of the attachments was signed. There is no delivery proof, for that you have to implement different solutions.
If your need is to "package" in a single file a set of files there are a number of standard container formats, e.g.:
- OASIS “Open Document Format for Office Applications (OpenDocument) Version 1.2 Part 3: Packages”
- IDPF “OEBPS Container Format (OCF) 1.0”
A new ETSI specification is going to be issued by the end of this year on this.
Also VCD can be an acceptable solution, among the contacts in the list suggested by Roberto, I suggest you contact Piero Milani, Infocamere, that is working on VCD electronic Signature.
For a suitable solution based on PDF in archiving format, a New Work Item has been proposed in ISO/TC 171/SC 2 these days for PDF/A-3 (Document management - Electronic document file format for long-term preservation including embedded files - Part 3: Use of ISO 32000-1(PDF/A-3)) and, if it will receive enough positive votes, it will start in a few months. 

Best regards,
Andrea

Il giorno 20/ott/2010, alle ore 17.36, Roberto Cisternino ha scritto:

> http://www.peppol.eu/work_in_progress/wp2-virtual-company-dossier/wp-partners
> 
> Best regards
> 
> Roberto
> 
>> 
>> Hello,
>> 
>> Thanks to both of you for good comments, as usual.
>> Do you have a contact person, or a public mailing list, for
>> the VCD?
>> 
>> Pim
>> 
>> 
>> -----Original Message-----
>> From: Roberto Cisternino [mailto:roberto@javest.com]
>> Sent: 19 October 2010 10:54
>> To: Oriol Bausà Peris
>> Cc: Pim van der Eijk; ubl-security@lists.oasis-open.org
>> Subject: Re: [ubl-security] E-archiving UBL documents with
>> external attachments
>> 
>> Hi Pim,
>> 
>> I think every country has its laws, but the most common law
>> in EU about archiving is about storing the view of the
>> document (see PDF/A-1)
>> 
>> I do not know many other formats sanctioned for legal
>> archiving.
>> 
>> Pratically every Nation should endorse a new format of
>> archiving before using it legally.
>> 
>> The general archiving of course is always possible, but one
>> should be able to reproduce a stable view of the document
>> for the Authorities, so why
>> PDF/A-1 is enough adopted.
>> 
>> I personally think PDF/A-1 is an "old" archiving format
>> today as we are more required to store a structured document
>> than a raster or PDF graphic chunks.
>> Maybe PDF/A-2 is in this direction... but I would like to
>> see UBL endorsed for legal archiving around the globe (with
>> a shared methodology)
>> 
>> The PEPPOL VCD (Virtual Company Dossier) has some
>> involvments with these attachments and reference problems,
>> maybe you could share with them some of your thoughts.
>> 
>> Technically you could add a PDF/A-1 version into an UBL
>> document inside an UBLExtension, but again this practice
>> should be endorsed by the relevant Authorities.
>> 
>> As Governments are moving to Open Source I believe
>> OpenDocument represent a good sample for solving the
>> archiving issue.
>> 
>> But UBL is a structured document and I am not aware of
>> existing specific methodologies to archive structured
>> business documents.
>> 
>> So my final suggestion is to follow the VCD project as it
>> will be endorsed in all EU.
>> 
>> Best regards
>> 
>> Roberto Cisternino
>> 
>>> Hi Pim,
>>> 
>>> The UBL Security SC has focused on defining a way to
>> digitally sign a
>>> UBL document by using UBL Extension capabilities and
>> existant digital
>>> signature standards such as XML Dsig or XAdES.  I think
>> you are going
>>> one step further as your requirement is to sign a package:
>> A signature
>>> for the UBL document plus the binary attachments.
>>> 
>>> As you suggest, using External References can be a
>> solution for this,
>>> as you are able to add the document hash in the external
>> reference
>>> class, technically you can always sign the main UBL
>> document which
>>> contents the hashes of the external binary objects. I am
>> not a lawyer
>>> though, so maybe other people more knowledgable in legal
>> aspects can
>>> confirm or rebate this point.
>>> 
>>> Best regards,
>>> Oriol
>>> 
>>> El 18/10/2010, a las 18:08, Pim van der Eijk escribió:
>>> 
>>>> How do UBL projects handle this, as many UBL documents
>> need to be
>>>> archived for years for legal reasons? From an e-archiving
>> point of
>>>> view, is it really important, or even legally required,
>> that a UBL
>>>> document and any externally referenced payloads were sent
>> as a single
>>>> message?  I would think that being able to send
>> attachments with
>>>> documents in a single MIME envelope is mainly
>> convenience, and that
>>>> in theory it should be possible to send attachments
>> separately, or
>>>> just reference them, as long as they are and remain
>> retrievable, have
>>>> the referenced content-id (or other external reference
>> type), the
>>>> document hash is valid, and the document containing the
>> hash is
>>>> signed or sealed.  Can external references be used with
>> documents and
>>>> attachments that that need to be archived in compliance
>> with relevant laws?
>>> 
>>> 
>> 
>> 
>> --
>> * JAVEST by Roberto Cisternino
>> *
>> * Document Engineering Services Ltd. - Alliance Member
>> * UBL Italian Localization SubCommittee (ITLSC), co-Chair
>> * UBL Online Community editorial board member (ubl.xml.org)
>> * Italian UBL Advisor
>> 
>>  Roberto Cisternino
>> 
>>  mobile: +39 328 2148123
> begin_of_the_skype_highlighting              +39 328
> 2148123      end_of_the_skype_highlighting
>> begin_of_the_skype_highlighting              +39
>> 328 2148123      end_of_the_skype_highlighting
>>  skype:  roberto.cisternino.ubl-itlsc
>> 
>> [UBL Technical Committee]
>>    http://www.oasis-open.org/committees/ubl
>> 
>> [UBL Online Community]
>>    http://ubl.xml.org
>> 
>> [UBL International Conferences]
>>    http://www.ublconference.org
>> 
>> [UBL Italian Localization Subcommittee]
>>    http://www.oasis-open.org/committees/ubl-itlsc
>> 
>> [Iniziativa divulgativa UBL Italia]
>>    http://www.ubl-italia.org
>> 
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>> 
>> 
> 
> 
> -- 
> * JAVEST by Roberto Cisternino
> *
> * Document Engineering Services Ltd. - Alliance Member
> * UBL Italian Localization SubCommittee (ITLSC), co-Chair
> * UBL Online Community editorial board member (ubl.xml.org)
> * Italian UBL Advisor
> 
>  Roberto Cisternino
> 
>  mobile: +39 328 2148123
>  skype:  roberto.cisternino.ubl-itlsc
> 
> [UBL Technical Committee]
>    http://www.oasis-open.org/committees/ubl
> 
> [UBL Online Community]
>    http://ubl.xml.org
> 
> [UBL International Conferences]
>    http://www.ublconference.org
> 
> [UBL Italian Localization Subcommittee]
>    http://www.oasis-open.org/committees/ubl-itlsc
> 
> [Iniziativa divulgativa UBL Italia]
>    http://www.ubl-italia.org
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>