
ubl-security message



Subject: RE: [ubl-security] E-archiving UBL documents with external attachments



Hello Andrea,

Thanks a lot for the information.  For the packaging, I
would like to be able to just use the message protocol
packaging (ebMS 2.0 in my case, i.e. SOAP-with-attachments)
and not have to package in the business application.  The
idea is that the integrity and time stamps of the "package"
in an abstract/logical sense are secured using the XML
document signature.

You're also right that for NRR this is not enough.  This is
covered by protocols like ebMS 2.0 and 3.0 that provide for
signed receipts. These receipts identify the parts in the
received message (using the CID references to payload parts)
and their hash values,  so a partner could just store the
UBL document (which includes the CID references and their
hashes), the other parts (externally referenced CID parts in
the UBL XML) and the signed receipts to establish NRR.  

For non-repudiation of origin an application could extract
and archive the ds:References of the ebMS 2.0 XML Dsig
structure or the WS-Security Dsig structures (in ebMS 3.0)
from the message backup.   

I think these mechanisms, in combination, would obviate the
need to (redundantly) archive the actual messages (which is
important for high-volume applications).  Just as in the
paper world the message envelope is discarded because only
the message content is of interest,  there would be no need
to preserve and archive the "physical" message package. 

I will follow up with the VCD references, thanks again.

Pim 

-----Original Message-----
From: Andrea Caccia [mailto:andrea.caccia@studiocaccia.com] 
Sent: 20 October 2010 23:30
To: Pim van der Eijk
Cc: Oriol Bausà Peris; UBL Security SC; Roberto Cisternino
Subject: Re: [ubl-security] E-archiving UBL documents with
external attachments

Hi Pim,
I'd like to add some thoughts and information.
UBL Security main goal has been to write a profile mainly
targeted to electronically sign a UBL document.
The solution you propose can give the proof that all the
attachments existed at the time the document containing the
references and hashes of the attachments was signed. There
is no delivery proof, for that you have to implement
different solutions.
If your need is to "package" in a single file a set of files
there are a number of standard container formats, e.g.:
- OASIS “Open Document Format for Office Applications
(OpenDocument) Version 1.2 Part 3: Packages”
- IDPF “OEBPS Container Format (OCF) 1.0”
A new ETSI specification is going to be issued by the end of
this year on this.
Also VCD can be an acceptable solution, among the contacts
in the list suggested by Roberto, I suggest you contact
Piero Milani, Infocamere, that is working on VCD electronic
Signature.
For a suitable solution based on PDF in archiving format, a
New Work Item has been proposed in ISO/TC 171/SC 2 these
days for PDF/A-3 (Document management - Electronic document
file format for long-term preservation including embedded
files - Part 3: Use of ISO 32000-1(PDF/A-3)) and, if it will
receive enough positive votes, it will start in a few
months. 

Best regards,
Andrea

On 20 Oct 2010, at 17:36, Roberto Cisternino wrote:

> http://www.peppol.eu/work_in_progress/wp2-virtual-company-dossier/wp-partners
> 
> Best regards
> 
> Roberto
> 
>> 
>> Hello,
>> 
>> Thanks to both of you for good comments, as usual.
>> Do you have a contact person, or a public mailing list, for the VCD?
>> 
>> Pim
>> 
>> 
>> -----Original Message-----
>> From: Roberto Cisternino [mailto:roberto@javest.com]
>> Sent: 19 October 2010 10:54
>> To: Oriol Bausà Peris
>> Cc: Pim van der Eijk; ubl-security@lists.oasis-open.org
>> Subject: Re: [ubl-security] E-archiving UBL documents with external
>> attachments
>> 
>> Hi Pim,
>> 
>> I think every country has its laws, but the most common law in EU
>> about archiving is about storing the view of the document (see
>> PDF/A-1)
>> 
>> I do not know many other formats sanctioned for legal archiving.
>> 
>> Practically every Nation should endorse a new format of archiving
>> before using it legally.
>> 
>> The general archiving of course is always possible, but one should be
>> able to reproduce a stable view of the document for the Authorities,
>> so why PDF/A-1 is enough adopted.
>> 
>> I personally think PDF/A-1 is an "old" archiving format today as we
>> are more required to store a structured document than a raster or PDF
>> graphic chunks.
>> Maybe PDF/A-2 is in this direction... but I would like to see UBL
>> endorsed for legal archiving around the globe (with a shared
>> methodology)
>> 
>> The PEPPOL VCD (Virtual Company Dossier) has some involvements with
>> these attachments and reference problems, maybe you could share with
>> them some of your thoughts.
>> 
>> Technically you could add a PDF/A-1 version into an UBL document
>> inside an UBLExtension, but again this practice should be endorsed by
>> the relevant Authorities.
>> 
>> As Governments are moving to Open Source I believe OpenDocument
>> represents a good sample for solving the archiving issue.
>> 
>> But UBL is a structured document and I am not aware of existing
>> specific methodologies to archive structured business documents.
>> 
>> So my final suggestion is to follow the VCD project as it will be
>> endorsed in all EU.
>> 
>> Best regards
>> 
>> Roberto Cisternino
>> 
>>> Hi Pim,
>>> 
>>> The UBL Security SC has focused on defining a way to digitally sign a
>>> UBL document by using UBL Extension capabilities and existing digital
>>> signature standards such as XML Dsig or XAdES.  I think you are going
>>> one step further as your requirement is to sign a package: A signature
>>> for the UBL document plus the binary attachments.
>>> 
>>> As you suggest, using External References can be a solution for this,
>>> as you are able to add the document hash in the external reference
>>> class, technically you can always sign the main UBL document which
>>> contains the hashes of the external binary objects. I am not a lawyer
>>> though, so maybe other people more knowledgeable in legal aspects can
>>> confirm or rebut this point.
>>> 
>>> Best regards,
>>> Oriol
>>> 
>>> On 18/10/2010, at 18:08, Pim van der Eijk wrote:
>>> 
>>>> How do UBL projects handle this, as many UBL documents need to be
>>>> archived for years for legal reasons? From an e-archiving point of
>>>> view, is it really important, or even legally required, that a UBL
>>>> document and any externally referenced payloads were sent as a single
>>>> message?  I would think that being able to send attachments with
>>>> documents in a single MIME envelope is mainly convenience, and that
>>>> in theory it should be possible to send attachments separately, or
>>>> just reference them, as long as they are and remain retrievable, have
>>>> the referenced content-id (or other external reference type), the
>>>> document hash is valid, and the document containing the hash is
>>>> signed or sealed.  Can external references be used with documents and
>>>> attachments that need to be archived in compliance with relevant laws?
>>> 
>>> 
>> 
>> 
>> --
>> * JAVEST by Roberto Cisternino
>> *
>> * Document Engineering Services Ltd. - Alliance Member
>> * UBL Italian Localization SubCommittee (ITLSC), co-Chair
>> * UBL Online Community editorial board member (ubl.xml.org)
>> * Italian UBL Advisor
>> 
>>  Roberto Cisternino
>> 
>>  mobile: +39 328 2148123
>>  skype:  roberto.cisternino.ubl-itlsc
>> 
>> [UBL Technical Committee]
>>    http://www.oasis-open.org/committees/ubl
>> 
>> [UBL Online Community]
>>    http://ubl.xml.org
>> 
>> [UBL International Conferences]
>>    http://www.ublconference.org
>> 
>> [UBL Italian Localization Subcommittee]
>>    http://www.oasis-open.org/committees/ubl-itlsc
>> 
>> [Iniziativa divulgativa UBL Italia]
>>    http://www.ubl-italia.org
>> 
>> 
>> 
>> 
> 
> 
> 
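
Added example, not part of the thread: a sketch of the archive check the discussion describes, where the signed UBL document carries the cid: references and hashes and each stored attachment is re-hashed against it. It assumes the hash sits in cbc:DocumentHash as hex-encoded SHA-256 next to a cbc:URI of the form cid:..., and that the document's own signature has already been validated; the function names and the sample document are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "cac": "urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2",
    "cbc": "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2",
}

def build_sample_document(parts):
    """Constructed sample (not schema-valid UBL): one ExternalReference per part."""
    refs = "".join(
        "<cac:AdditionalDocumentReference><cac:Attachment><cac:ExternalReference>"
        f"<cbc:URI>cid:{cid}</cbc:URI>"
        f"<cbc:DocumentHash>{hashlib.sha256(data).hexdigest()}</cbc:DocumentHash>"
        "</cac:ExternalReference></cac:Attachment></cac:AdditionalDocumentReference>"
        for cid, data in parts.items()
    )
    return (f'<Invoice xmlns:cac="{NS["cac"]}" xmlns:cbc="{NS["cbc"]}">'
            f"{refs}</Invoice>")

def verify_archive(ubl_xml, archived_parts):
    """Map each Content-ID to 'ok', 'mismatch', 'missing' or 'unreferenced'."""
    # Assumes the document signature was already validated; ElementTree is
    # not hardened against hostile XML, so parse only authenticated input.
    root = ET.fromstring(ubl_xml)
    status = {}
    for ref in root.iterfind(".//cac:ExternalReference", NS):
        uri = ref.findtext("cbc:URI", default="", namespaces=NS).strip()
        expected = ref.findtext("cbc:DocumentHash", default="", namespaces=NS)
        if not uri.startswith("cid:"):
            continue  # only Content-ID references are checked here
        cid = uri[len("cid:"):]
        data = archived_parts.get(cid)
        if data is None:
            status[cid] = "missing"
        elif hashlib.sha256(data).hexdigest() == expected.strip().lower():
            status[cid] = "ok"
        else:
            status[cid] = "mismatch"
    # A stored part that the signed document never mentions proves nothing.
    for cid in archived_parts:
        status.setdefault(cid, "unreferenced")
    return status

if __name__ == "__main__":
    parts = {"scan@example.org": b"constructed PDF bytes",
             "sheet@example.org": b"a,b\n1,2\n"}
    doc = build_sample_document(parts)
    parts["sheet@example.org"] += b"tampered"
    print(verify_archive(doc, parts))
```

The check covers only the attachment hashes; the evidentiary value still rests on the signature over the UBL document and, for receipt, on the signed ebMS receipts mentioned in the thread.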



