idnits 2.17.1 draft-meadors-multiple-attachments-ediint-14.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 29, 2011) is 4684 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'XML DOCUMENT' is mentioned on line 261, but not defined == Missing Reference: 'PDF DOCUMENT' is mentioned on line 267, but not defined == Missing Reference: 'DIGITAL SIGNATURE' is mentioned on line 274, but not defined Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Individual Submission K. Meadors, Ed. 3 Internet-Draft Drummond Group Inc. 4 Intended status: Informational June 29, 2011 5 Expires: December 31, 2011 7 Multiple Attachments for EDI-INT 8 draft-meadors-multiple-attachments-ediint-14 10 Abstract 12 The EDI-INT AS1, AS2 and AS3 messages were designed specifically for 13 the transport of EDI documents. Since multiple interchanges could be 14 placed within a single EDI document, there was not a need for sending 15 multiple EDI documents in a single message. As adoption of EDI-INT 16 grew, other uses developed aside from single EDI document transport. 17 Some transactions required multiple attachments to be interpreted 18 together and stored in a single message. This informational draft 19 describes how multiple documents, including non-EDI payloads, can be 20 attached and transmitted in a single EDI-INT transport message. The 21 attachments are stored within the MIME Multipart/Related structure. 22 A minimal list of content-types to be supported as attachments is 23 provided. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on December 31, 2011. 42 Copyright Notice 44 Copyright (c) 2011 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 This document may contain material from IETF Documents or IETF 58 Contributions published or made publicly available before November 59 10, 2008. The person(s) controlling the copyright in some of this 60 material may not have granted the IETF Trust the right to allow 61 modifications of such material outside the IETF Standards Process. 62 Without obtaining an adequate license from the person(s) controlling 63 the copyright in such materials, this document may not be modified 64 outside the IETF Standards Process, and derivative works of it may 65 not be created outside the IETF Standards Process, except to format 66 it for publication as an RFC or to translate it into languages other 67 than English. 69 Table of Contents 71 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 72 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 73 2. Using Multiple-Attachments in EDI-INT . . . . . . . . . . . . 4 74 2.1. Multipart/Related Structure . . . . . . . . . . . . . . . 4 75 2.2. EDI-INT Features Header . . . . . . . . . . . . . . . . . 4 76 2.3. MIC Calculation . . . . . . . . . . . . . . . . . . . . . 5 77 2.4. Document Processing . . . . . . . . . . . . . . . . . . . 6 78 2.5. Content-Types to Support . . . . . . . . . . . . . . . . . 6 79 3. Example Message . . . . . . . . . . . . . . . . . . . . . . . 7 80 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9 81 5. Normative References . . . . . . . . . . . . . . . . . . . . . 9 82 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 84 1. Introduction 86 The primary work of EDI-INT was to develop a secure means of 87 transporting EDI documents over the Internet. This was described in 88 the three working group developed standards for secure transport over 89 SMTP AS1 [RFC3335], HTTP AS2 [RFC4130] and FTP AS3 [RFC4823]. For 90 most uses of EDI, all relevant information to complete a single 91 business transaction could be stored in a single document. As 92 adoption of EDI-INT grew, new industries and businesses began using 93 AS2 and needing to include multiple documents in a single message to 94 complete a trading partner transaction. These documents were a 95 variety of MIME media types. This informational draft describes how 96 to use the MIME multipart/related body structure within EDI-INT 97 messages to store multiple document attachments. Details of 98 computing the MIC value over this body are covered. A minimum 99 listing of MIME media types to support within the multipart/related 100 body is given along with information on extracting these documents. 102 1.1. Requirements Language 104 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 105 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 106 document are to be interpreted as described in RFC 2119 [RFC2119]. 108 2. Using Multiple-Attachments in EDI-INT 110 2.1. Multipart/Related Structure 112 Multiple payload attachments for EDI-INT messages are stored within a 113 multipart/related MIME body [RFC2387]. The multipart/related 114 structure allows an multiple number of MIME attachments or message 115 payloads to be communicated in a single structure and message. 117 The attached payloads can be of any MIME content-type depending on 118 the trading partner agreement, but section 2.4 lists the content- 119 types which MUST be supported. The use and format of the multipart/ 120 related body follows the rules in RFC 2387, including the required 121 type parameter to determine the root body part. The use of the 122 optional start parameter is RECOMMENDED. 124 2.2. EDI-INT Features Header 126 To indicate support for multiple-attachments (MA), an EDI-INT 127 application MUST use the EDI-INT Features header [RFC6017]. The 128 Feature Header indicates the instance application can support various 129 features, such as certification exchange. The header is present in 130 all messages from the instance application, not just those which 131 feature certification exchange. 133 For applications implementing multiple attachments, the MA-Feature- 134 Name MUST be used within the EDI-INT Features header as listed in 135 this ABNF [RFC5234] syntax: 137 MA-Feature-Name = "multiple-attachments" 139 An example of the EDI-INT Features header in a message from an 140 application supporting MA: 142 EDIINT-Features: multiple-attachments 144 2.3. MIC Calculation 146 MIC calculation in an EDI-INT message with multiple attachments is 147 performed in the same manner as for a single EDI payload. The only 148 difference is calculating the message integrity check (MIC) over the 149 whole multipart/related body rather than a single EDI payload. 150 Section 5.2.1 of AS1 [RFC3335] and section 2 of EDIINT COMPRESSION 151 [RFC5402] describe the MIC calculations used for single payload 152 document within an EDI-INT message. The approach is summerized below 153 for multipart/related. Refer to stated sections above for more 154 details. 156 For a compressed but unsigned message, regardless of encryption, the 157 MIC is calculated over the uncompressed multipart/related body 158 including any applied Content-Transfer-Encoding. The body MUST be 159 canonicalized according to the procedure described in the underlying 160 transport protocol (e.g. HTTP AS2 [RFC4130]) before the MIC is 161 calculated. 163 For an encrypted but unsigned and uncompressed message, the MIC is 164 calculated on the decrypted multipart/related body, including header 165 and all attached documents. The body MUST be canonicalized according 166 to the procedure described in the underlying transport protocol (e.g. 167 HTTP AS2 [RFC4130]) before the MIC is calculated. 169 For an unsigned and unencrypted message, the MIC is calculated over 170 the data inside the multipart/related boundaries prior to Content- 171 Transfer-Encoding. However, unsigned and unencrypted messages SHOULD 172 NOT be sent due to lack of security. 174 If the expected MIC value differs from the calculated MIC value, all 175 attachments MUST be considered invalid and retransmitted. 177 2.4. Document Processing 179 Upon receipt of an EDI-INT message with multiple attachments, the 180 receiving user agent MUST be able to extract the attached payloads 181 from the message rather than only removing the multipart/related body 182 from the message. The storing or processing of the documents as they 183 relate to the pending transaction is implementation dependent. 185 2.5. Content-Types to Support 187 Documents of the following MIME media types MAY be found in a 188 multipart/related body and MUST be accepted by the user agent. 189 However, any media type can be used depending upon industry need, and 190 other media types MAY be accepted depending upon trading partner 191 agreement. 193 application/xml 195 application/pdf 197 application/msword 199 application/vnd.ms-excel, application/x-msexcel 201 application/rtf 203 application/octet-stream 205 application/zip 207 image/bmp 209 image/gif 211 image/tiff 213 image/jpeg 215 text/plain 217 text/html 219 text/rtf 221 text/xml 223 3. Example Message 225 Here is an example AS2 message which uses two attachments. The first 226 attachment is an XML document which is the root attachment, and the 227 second attachment is a PDF document. For both the XML and PDF 228 documents as well as the applied digital signature, their content has 229 been omitted for size consideration. This example is provided as an 230 illustration only and is not considered part of the specification. 231 If the example conflicts with the definitions specified above or in 232 the other referenced RFCs, the example is considered invalid. 234 POST /as2 HTTP/1.1 235 Host: www.example.com:8080 236 Connection: Close, TE 237 Message-ID: <1109712943488@10.65.122.242> 238 Subject: Multiple Attachment Example 239 Date: Tue, 01 Mar 2005 21:37:03 GMT 240 AS2-To: TradingPartner 241 AS2-From: User 242 AS2-Version: 1.2 243 EDIINT-Features: multiple-attachments 244 Disposition-Notification-To: http://www.example.com/as2 245 Disposition-Notification-Options: 246 signed-receipt-protocol=optional,pkcs7-signature; 247 signed-receipt-micalg=optional,sha1 248 Content-type: multipart/signed; 249 protocol="application/pkcs7-signature"; micalg=sha1; 250 boundary="OUTER-BOUNDARY" 251 Content-length: 207440 253 --OUTER-BOUNDARY 254 Content-Type: Multipart/Related; boundary="INNER-BOUNDARY"; 255 start=""; type="application/xml" 257 --INNER-BOUNDARY 258 Content-Type: application/xml 259 Content-ID: 261 [XML DOCUMENT] 263 --INNER-BOUNDARY 264 Content-Type: application/pdf 265 Content-ID: <2nd.attachment> 267 [PDF DOCUMENT] 269 --INNER-BOUNDARY-- 271 --OUTER-BOUNDARY 272 Content-Type: application/pkcs7-signature 274 [DIGITAL SIGNATURE] 276 --OUTER-BOUNDARY-- 278 4. Security Considerations 280 Multiple attachments have very similar security concerns to what is 281 described in the three EDI-INT transport standards. This includes 282 the importance of using strong cryptography and the necessity of 283 using valid certificates and chaining to a trusted CA. Please refer 284 to these standards SMTP AS1 [RFC3335], HTTP AS2 [RFC4130] and FTP AS3 285 [RFC4823] for details of their security considerations. 287 The only additional security consideration is that if the MIC 288 calculation by user agent differs from expected MIC calculation, all 289 the attached documents MUST be considered invalid. Because the MIC 290 calculation is over the multipart/related body, the MIC validates the 291 content-integrity of all the documents. 293 5. Normative References 295 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 296 Requirement Levels", BCP 14, RFC 2119, March 1997. 298 [RFC2387] Levinson, E., "The MIME Multipart/Related Content-type", 299 RFC 2387, August 1998. 301 [RFC3335] Harding, T., Drummond, R., and C. Shih, "MIME-based Secure 302 Peer-to-Peer Business Data Interchange over the Internet", 303 RFC 3335, September 2002. 305 [RFC4130] Moberg, D. and R. Drummond, "MIME-Based Secure Peer-to- 306 Peer Business Data Interchange Using HTTP, Applicability 307 Statement 2 (AS2)", RFC 4130, July 2005. 309 [RFC4823] Harding, T. and R. Scott, "FTP Transport for Secure Peer- 310 to-Peer Business Data Interchange over the Internet", 311 RFC 4823, April 2007. 313 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 314 Specifications: ABNF", STD 68, RFC 5234, January 2008. 316 [RFC5402] Harding, T., "Compressed Data within an Internet 317 Electronic Data Interchange (EDI) Message", RFC 5402, 318 February 2010. 320 [RFC6017] Meadors, K., "Electronic Data Interchange - Internet 321 Integration (EDIINT) Features Header Field", RFC 6017, 322 September 2010. 324 Author's Address 326 Kyle Meadors (editor) 327 Drummond Group Inc. 328 Nashville, Tennessee 37221 329 US 331 Phone: +1 (817) 709-1627 332 Email: kyle@drummondgroup.com