Memo: XML Digital Signature in GS1 Simple Invoice XML Business Message Standard


XML SIGNATURE TECHNICAL MEMO

Introduction
Change request CR# 04-000128 “Digital Signature for Simple Invoice XML Document” requires the inclusion of an XML Digital Signature in the Simple Invoice XML Business Message Standard (BMS). Following due process, the Pay BRG has formulated and approved the business requirements for inclusion of a Digital Signature in the Simple Invoice message. Correspondingly, based on the business requirements, the XML Schema(s) for Simple Invoice have a provision for Digital Signatures based on the ‘XML-Signature Syntax and Processing’ W3C Recommendation of 12 February 2002 (XMLDSIG henceforth). This technical memo provides the implementer of the Simple Invoice XML BMS with some important guidelines for the usage of XML Signatures.

Guidelines
  1. GS1 has endorsed XMLDSIG for the implementation of XML Signatures within GS1 XML BMS.
  2. Digital Signatures may be used in the Simple Invoice XML BMS via the optional ‘digitalSignature’ XML element. This GS1 XML element contains a reference to the ‘Signature’ element from the XMLDSIG specification. If this element is used, then the ‘isDigitalSignatureContained’ attribute on the ‘simpleInvoice’ document element must have a value representing ‘true’.
  3. All XML samples accompanying the Simple Invoice XML Schemas are provided for the purpose of exposition of the business logic behind an electronic GS1 Simple Invoice. All data contained therein, inclusive of the signature information, the certificates, digest values and signature values, are not real values. They are obtained by applying the corresponding algorithm to the sample data, and they should be understood as merely examples of signature element usage.
  4. GS1 has provided a document ‘Security for XML Messages’ (XMLSEC henceforth) which provides detailed implementation guidelines for XML Signatures. The reader should note that this document is not a GS1-approved standard or implementation guide, but a draft report based on implementation experiences of some GS1 system users. Nonetheless, this document is an excellent reference for understanding XML Security concepts and their implementation for electronic commerce using GS1 XML BMS. The reader is advised to read this document if he/she is not familiar with XML Signature and/or XML Security concepts in general.
  5. The Simple Invoice schema provides for the inclusion of an XML Signature using the ‘enveloped signature’ method. More details on how enveloped signatures are implemented using XML Signature are provided in XMLDSIG and XMLSEC.
  6. XMLDSIG is based on the Public Key Infrastructure (PKI) system, which is an industry standard framework for security of digital data over the Internet. It supports a number of competing and collaborating cryptographic techniques and Internet technologies that may be used to secure digital communications over the Internet. For data exchange one may use the Symmetric or Asymmetric Cryptographic technique. For hash or digest functions some of the popular algorithms used are MD-5, SHA, RIPEMD. For digital certificates, the ISO X.509 standard is the predominant certificate format.
The type and level of security to be implemented for digital data exchange between 2 trading partners depends on various factors:
  • Regulatory policy and compliance
  • Trading partner agreements
  • Threat level
  • Company security policy
  • Implementation and operational costs
As such, the security considerations of the 2 trading partners' business environments dictate the type and level of security that will be implemented between them. For example, it may be a legal requirement in Spain to digitally sign electronic invoices, but the same is not true for USA. The hi-tech industry in USA may use digital certificates obtained from and signed by their local trade organization, whereas the hi-tech industry in Taiwan may have to use a digital certificate obtained from the regional government or tax authority. When sending an XML Simple Invoice to another department within the same organization, the company may choose to implement a lower level of security and a different set of digital certificates than when sending it to an external trading partner.

XMLDSIG provides for the implementation of different security protocols and processing models. Trading partners should choose and agree on a security model that meets the needs of their individual business requirements and environment, prior to commencing electronic business transactions. 
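
Guidelines 2 and 5 can be checked structurally on receipt, before any cryptographic validation. The following is an added example, not GS1 code and not part of the original memo. The sample invoice, its namespace urn:example:constructed-invoice-ns, the placement of ‘digitalSignature’ directly under ‘simpleInvoice’, and the rule that a ‘true’ flag without a signature is reported are assumptions; digest and signature values are not verified here.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"   # XMLDSIG namespace
ENVELOPED = DS_NS + "enveloped-signature"      # enveloped-signature transform URI

# Constructed sample: the invoice namespace and layout are assumptions.
SAMPLE = """<inv:simpleInvoice xmlns:inv="urn:example:constructed-invoice-ns"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" isDigitalSignatureContained="true">
  <inv:digitalSignature>
    <ds:Signature><ds:SignedInfo><ds:Reference URI=""><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>
  </inv:digitalSignature>
</inv:simpleInvoice>"""

def ds(name):
    """Qualified XMLDSIG tag name in ElementTree's '{namespace}tag' form."""
    return "{%s}%s" % (DS_NS, name)

def local(tag):
    """Strip the '{namespace}' prefix so GS1 names match in any namespace."""
    return tag.rsplit("}", 1)[-1]

def check_invoice(xml_text):
    """Return structural findings; an empty list means flag and signature agree."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "simpleInvoice":
        return ["document element is not simpleInvoice"]
    # xsd:boolean lexical forms that represent true
    flag = root.get("isDigitalSignatureContained", "").strip() in ("true", "1")
    holders = [e for e in root.iter() if local(e.tag) == "digitalSignature"]
    sigs = [s for h in holders for s in h.iter(ds("Signature"))]
    findings = []
    if holders and not flag:      # guideline 2
        findings.append("digitalSignature present but isDigitalSignatureContained is not true")
    if flag and not sigs:         # assumption: report a flag with no signature behind it
        findings.append("isDigitalSignatureContained is true but no ds:Signature found")
    for sig in sigs:              # guideline 5: signature must be declared as enveloped
        refs = sig.findall(ds("SignedInfo") + "/" + ds("Reference"))
        if not any(t.get("Algorithm") == ENVELOPED
                   for r in refs for t in r.iter(ds("Transform"))):
            findings.append("ds:Signature has no enveloped-signature transform")
    return findings

if __name__ == "__main__":
    print(check_invoice(SAMPLE))
```

A document that passes this check still has to go through full XMLDSIG validation under the security model the trading partners agreed on.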

References

  1. [XMLDSIG] XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002
    http://www.w3.org/TR/xmldsig-core/
  2. [XMLSEC] Security For XML Messages, EAN·UCC Implementation Guidelines, DRAFT Document


XML TDT  
20050126


Date of Publication: May 2006
Copyright © GS1 Global Office 2006. All rights reserved