authent.htm100744 765 764 3254 7240101220 11415 0ustar htmlhtml DevCentre

Security and Authentication
The Internet Document Authentication Server will be a server application which stores the Public Keys of individuals. It will be similar to Verisign, but instead of a single company being at the top of a 'trust tree', there will be a network of Authentication Servers. The Authentication Server Application will be open source, and be able to be run by anyone. Its purpose is to have a publicly available store of public keys which you can trust to be correct.

This will allow Internet Documents to be protected by strong encryption, and it will allow Internet Documents to be signed by the sender to ensure authenticity. It means you will not need to pay a company such as verisign in order to achieve this security.
Home Next
b2b.htm100744 765 764 25316 7240105326 10450 0ustar htmlhtml DevCentre

B2B Resources
The following links are provided to other sites related to Business to Business communication.
Electronic Business XML (ebMXL)
Go To Electronic Business XML Web Page

ebXML Mission: To provide an open XML-based infrastructure enabling the global use of electronic business information in an interoperable, secure and consistent manner by all parties.

About ebXML: The United Nations body for Trade Facilitation and Electronic Business (UN/CEFACT) and the Organization for the Advancement of Structured Information Standards (OASIS) have joined forces to initiate a worldwide project to standardize XML business specifications. UN/CEFACT and OASIS have established the Electronic Business XML initiative to develop a technical framework that will enable XML to be utilized in a consistent manner for the exchange of all electronic business data. Industry groups currently working on XML specifications have been invited to participate in the 18-month project. A primary objective of ebXML is to lower the barrier of entry to electronic business in order to facilitate trade, particularly with respect to small- and medium-sized enterprises (SMEs) and developing nations. We welcome your participation in this important effort.
BizTalk
Go To BizTalk.Org Web Page

BizTalk is an industry initiative started by Microsoft and supported by a wide range of organizations, from technology vendors like SAP and CommerceOne to technology users like Ariba and BASDA. BizTalk is not a standards body. Instead, we are a community of standards users, with the goal of driving the rapid, consistent adoption of XML to enable electronic commerce and application integration.
BASDA and eBIS-XML
Go To Basda.Com Web Page
Go To eBIS-XML.Com Web Page

Following the successful launch of its eBIS-XML initiative earlier this year, BASDA (the Business & Accounting Software Developers’ Association) has now introduced its latest eBIS-XML Web Shopping Cart schema which enables companies to transmit orders generated on their websites, directly into their back office, order entry and financial systems.

The BASDA eBIS-XML technology already allows direct exchange of purchase orders and invoices between different business software applications, via e-mail and the Internet. More than 150 national and international business application software developers are implementing the BASDA eBIS-XML interface, which will enable their software to generate and read the XML messages. A number of those companies have already had their software tested to ensure compliance to the BASDA eBIS-XML standard and have launched eBIS-XML enabled products which, in turn, are creating a growing network of users who are automating their supply chains.

Extensible Business Reporting Language (XBRL)
Go To Extensible Business Reporting Language Web Page

What are we doing? XBRL.ORG is developing the eXtensible Business Reporting Language (XBRL) for the preparation and exchange of business reports and data. The initial goal of XBRL is to provide an XML-based framework that the global business information supply chain will use to create, exchange, and analyze financial reporting information including, but not limited to, regulatory filings such as annual and quarterly financial statements, general ledger information, and audit schedules.

XBRL is freely licensed and facilitates the automatic exchange and reliable extraction of financial information among various software applications anywhere in the world.

The XBRL Specification and the first taxonomy for financial reporting of commercial and industrial companies under US GAAP was released on July 31, 2000. This was a major milestone for the XBRL framework.
MEC-EAGLE.ORG
Go To MEC-EAGLE.ORG Web Page

m-e-c eagle is the first open source, OS independent, Java, XML and XSL based B2B integration software, which give you the right tool for it. It has an high basic functionality with many components, which give you a set of integrated tools, which make it possible to create any business solutions for interating different systems with each other.
Open Business Objects for EDI
Go To Open Business Objects for EDI Web Page

OBOE is a EDI and EDI/XML Translator Package.

EDI Document Rules Engine - Reads in a XML and DTD file to build/parse an EDI Document or EDI/XML file. Sample XML File.

EDI Document Formatter and Browser - by utilizing the EDI Object classes with JAVA.AWT classes we've created a simple document browser. If you receive EDI documents in your mail then you can now look at them in a format that is easy to read. The mail program add-on is based on the RFC 1767 MIME Encapsulation of EDI Objects.

For the latest proposed changes MIME-based Secure EDI

EDI Translator - it parses an EDI document into Java objects. The objects are then used to interact with a GUI or database or some other process, e.g. a web page or batch program.

EDI/XML Translator - it parses an EDI/XML file into Java objects. The objects are then used to interact with a GUI or database or some other process, e.g. a web page or batch program.

Envelope builder - it takes the EDI Objects Java objects and builds an EDI document. The EDI document can then be sent via email, to a VAN for transmission, transmitted using a proprietary message delivering system, print out and faxed... etc.

EDI Objects - each transaction set, table, segment data element is defined in a class. The classes defines business logic, relationship rules to other transaction sets, tables, segments and data elements, data element rules validation ... etc.
Electronic Publishing
Go To Electronic Publishing Projects

This page provides the starting point for information on El.pub concerned with the Interactive Electronic Publishing. It provides an on-going overview of the sector, and links to information about the projects being supported through the European Commission's IST and 5th Framework R&D programmes.

The Interactive Electronic Publishing (IEP) sector of the European Commission's Information Society Technologies (IST) Programme is part of Multimedia Content and Tools, Key Action III of the IST Programme, which itself falls within the the 5th Framework RTD Programme. The reserch and development projects funded by the Interactive Electronic Publishing sector focus primarily on generating, managing, personalising creative digital content.
XML/EDI Group
Go To XML/EDI Group

XML and EDI Provide a standard framework to exchange different types of data -- for example, an invoice, healthcare claim, project status -- so that the information be it in a transaction, exchanged via an Application Program Interface (API), web automation, database portal, catalog, a workflow document or message can be searched, decoded, manipulated, and displayed consistently and correctly by first implementing EDI dictionaries and extending our vocabulary via on-line repositories to include our business language, rules and objects. Thus by combining XML and EDI we create a new powerful paradigm different from XML or EDI!
Home
bcase.htm100744 765 764 20740 7240100362 11047 0ustar htmlhtml DevCentre

IDTrans - A Business Case
This project could have a far reaching positive effect on New Zealand business. It could enable a revolution in business communication similar to the effect email has had on personal communications. I have listed below some of the advantages this new technology will bring to companies.
Advantages for Business
Reduces Stationary and Postage costs, as documents can be sent via Internet.
Reduces cost of retyping data received in paper format from suppliers and customers.
Reduces Customer Support costs by increasing accuracy of data in the transfer process.
Reduces Customer Support costs by allowing customers to enquire into accounts electronically.
Improves customer relations due to increases efficiency and information to the customer.
Improves Debt Collection due to increased efficiency of document handling.
Advantages for Internet Service Providers
Increases the number of business users using the Internet in general.
Possibility of providing business services related to transfer of business documents.
Advantages for Accounting System Companies
Adds Additional Functionality without the cost of developing the solution inhouse.
Increases sales due to an increased use of accounting systems in general when standard business document transfers are common.
No ongoing maintenance costs for the additional functionality.
Increases the potential sale value of your product.
Potential to provide business services related to the transfer of business documents.
Advantages for Accountants
Reduces cost of retyping of paper documents.
Reduces cost of communication between you and your clients.
Reduces the number of different computer file formats required to support your clients.
Advantages for Banks
Potential to earn revenue from payments conducted by the software.
Reduces the number of cheque and cash transactions, and therefore the costs associated with them.
Provides incentive to customers with the software to use Bank Accounts with access via the Standard.
Advantages for Government Departments
Will make filing documents much easier.
Will reduce cost of typing data.
Will reduce the number of errors due to mistyping.
Will decrease the processing time for incoming documents.
Will reduce the number of enquiries and complaints due to typing errors.
Home Next
catelog.htm100744 765 764 3377 7240101340 11374 0ustar htmlhtml DevCentre

Complex Catelogs
A Catalog is something supplied by a business to advertise their wares, and possibly their prices and specials. A Internet Catalog is pretty much the same thing. It allows clients, business or consumer, to browse a catalog and create orders offline. It will be based on XML, and may contain HTML and Image files. Typically the Internet Catalog will be compressed into a single file, and downloaded or emailed between client and business.

The advantage of the Internet Catalog is that you can build in logic into it, such as bulk discounts and other business logic specific to that supplier. The order can be created and the price calculated offline. Automatic price comparisions also may be possible. Businesses will be able to keep customers up to date with the latest catelogs automatically.
Home Next
client.htm100744 765 764 3237 7240101016 11227 0ustar htmlhtml DevCentre

Real Software
The Internet Documents Client will use the Internet Document Transfer API to provide an application for consumers and businesses. It will act as a client for sending and receiving orders, invoices and statements. It will also be a standard email client similar in functionality to Outlook Express. It will be a free product, and its purpose will be to get as many people, business and consumers alike, using the new Internet Document standards.

In addition to protecting Internet Documents with strong public key encryption, it will protect emails as well between two Internet Document Clients. The protection will be automatic, not requiring complex manual processes to maintain your private and public keys.
Home Next
dc4.jpg100744 765 764 20211 7255636522 10447 0ustar htmlhtmlJFIF,,C    C   <" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?) =hsN$M8\Sl2 gڀ4褍ih(((((xMҶIEcxGrSGqOҀ5hmW* ( ( ( ( ( ( ( (ƥeYޡsUQISId+O訪j\=AOEtVgf৘!77mq3[:oP[%QH((G`YS;Gm'Ka(fFirS&(']b[V7R =#:ͦŠ((((7S)t FӵOݕƻ-ڊ܌JxRi&FzY8H:p4ۀZ+bO 6iͤ‰wn̻̄X񘚼 *_*Mڏ7Vee(e譁 tنcFA s~"X0^l  ~U حσjC ԯ7-(XgGQנǍeWMTkh깕t'F\7c<oxVNg쑠rp5xOR9Ӛ:jhM$,?g}@Zc$ߏA] ?cYo%(-~;e< Q:sJ3ʲZURQԣ_mjU&3VJp )l=Glj|a98^CsȎ4YBq 8Nj5mh >pG:84>W>]$m7mEj,E|.}&#kni[,77D_E{pge|`#[>;*.?k+c-.#$0xg5Em8WZ跿n}a%.enSԬbxǾwn5VMM+`ԒxrIϭs[vzGg[B͏Qálm@m~:@uio.qilA l͹;?.sϩ/PeTħ pv2kOI}?MY̱ BRQs7Ǻ' ;X'&T]E xۛ:Ήexm`Ba_,~gJ+5߷iVivFx@3l _Pu*x pTmBZKTOO n~UOJ<1]h)8.3 #8kON / k^͖9&rJbk#kmπ.7™u_x8L j95[nWrS+/{nj&ykr0" w#n p3|Cki#Lkɽ;Z-bՔfvAxmnO֟_ctޔqB&P@# Q8(b+PңN^_y[:8iɪ;m[&70e\Wşj&:-C -SFK\)\ V8 Tv$ƽ{ş4O:]򣓬yU?0BÃ5G Nv_4UZZͧukT>::'&0%n|[~񞦞kyys-VWv$a9<6 Xռ=pϡkw]bQCc'g.9bQu~8=lrM;r(ۚ; i\Fw\4ߌ|S,kF%hp[ 7 p+kok+ĺsf&leB?);ӗ ][MŮVO0~6u; Κmֱ_WɆܬ`̤,KyG^x>  -n0e{p=Wf#Q%Or][q։3ZXW.#T;l[hsʠzi^мoͮ2JP'`A#G?t/cXkZdѾ} 7×5[{->7M<H=|5M[U$.gv2·;$2l_P۔|c6|Z"KEr.S}Mi2ͰY/GlVn׻]uOmb}'4cL]R+1v2v8#?l @y~sVRUV3w>Ct0ZY;$ xIZG4I d`NyWkQp{tEt'"}FA׌h_i~!j[61.<X $%@qp)n%EЧۊ|vվ۳iJ4-v~2nHG֕um< 'Ҿ3FI[!2FN'*3\p:OiˎIː7mrx3zmK n#R@ɷƱ ۸\x_/cb#Z+M[}]|rTvW?Fa,?[}Bē(&:~'i5Fk-~;U*Y$dqx'Zx^~*jɯ~5)OV |t8/<^6.X6kF鸫^]RO>"[x[wI'y .0+_(+}珬ֵ__^_Τ\gv>eQ@ @b..oe{ -CNnRGpvpH-rrkg=>Iy];oJB $ml*bkHZO9r+d`pT!KYPԣmvĴ-NRw[񶩥i<5&(!ex s^^Og~?"uTX^#6=koV3muo$ZfVm!@뎀_xcQ MwlU\\q .7`p$\YvѵݕJW>V:&$2m,I 97ZY|WiRxsQIcQh37Lb+KU~`D1)ڰ\i_VԡC~^]֏v?AE(wPGmII Sd0~UfsaO<8)xw>4">X 岶 t'?; z/3ƻںpq[ЧE<e"0yDqԆ\<ܺntT @Wy 7Zr#ӡJQwj[v+Z)Ym{FSNZse֫hW>֚ᤌWDIX0P3?:Ks[^[[Sc("q`sc⾰j 00ִd0Ǹqe$^\mǽo;Z|G . +%K䳔>$hd0Ӿ+]FK N| %īqGu95'Pgd 0Җ#(VRxv56ek{v* 8;*GWrɧCY8U|5>}W]K*s#$8 nO{kFB$G..Nx> I SKc*#.r(!OlA4^Zkq2x_s+ O ׇ']Ҿ˲F)8?<~ ;GF蚜:uZ<{,V2$_/#s3^YsX־Iwt"A!q7}}+/B|J#5F]Z <"I^WI_uY'M72~"t6NI:n%tUBaI8[u;@ifX@svH |gTFd۳|oWo&|eÆP֭%[9%gU*n |!j蚼&MyBz`>^ܜzWtgՠ1zlMe alXw%U9sZ\YY];]VT[_c~Z+{;{VB $rx~||.9jo:vq J#=2g+)屌I,4!MNW3w৒@0Nk%)\] RsoWbRs]>NN0j>vӑ'2Kϼcmo/ k:/48oms$N:deq$>lZǶ_$Z]ww쫎chP7>{Y뤝Keˢw4t_<}Տd(ވwv;G5 <1?CGς> =F"ӦI0|a9:$y!H9Vo-մq<@q[5坚~[8JŮ]?WڦދO=gAms&=8| C%Aj' Y/im.`a\5+ xzUޣ)!Qӥs8W*`Fҝg_2Si(u'~ZjWcx.xWIowHÍGV#uo.~ jƯ^]/- a2@8JH5nWiehԯֳx l*i[JnҵZ-my[_Qң*kKNulx]u=6mUϴUy0O=;6mo[paYqxDq]flq>y3=SrQ2R.iע4/rEWjQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEdiscuss.htm100744 765 764 4467 7153623412 11450 0ustar htmlhtml DevCentre

Internet Commerce Open Standards

Proposal by Peter Harrison

Wouldn't it be great if you could receive your phone bill, electricity bill, bank statement, and any other kind of invoice or statement, by email. Wouldn't it be great if once you receive your invoice you could transfer it to your accounting system. Wouldn't it be great if you could send your customers your invoice, and they could pay it electronically once they receive it. I see a future where most paper documentation is replaced by Internet Standard Documents, and we can all send business documents as easily as we do with email today.

With the rise of the Internet email has now become a required part of business. A vast majority of businesses, and a huge number of consumers have access to email and the Internet. What is surprising is that despite this revolution in communication a vast majority of companies still send physical invoices and bills to each other and to their customers.

This discussion document describes some of the reasons why, and how accounting software houses and banks could jointly develop a solution to these problems to provide a open standards and working products.

Internet Documents Open Standards

The Internet Document API

The Internet Document Client

The Authentication Server

The Internet Catelogue

Summary



ecommerce_article.htm100744 765 764 35053 7247624722 13461 0ustar htmlhtml DevCentre

Secure Email Specification (version 1) Discussion

This message document a discription of what I have so far as a specification for secure business document transmission. There is also a discussion about the proposed specification. Please feel free to email peterha@nothingbutnet if you have any comments to add.

The points discussed will be written into version 2, which will be written in the next couple of weeks. I will also be talking with PGP experts to see if we can use a limited implementation of PGP.
SMTP / POP3
Messages are transmitted via attachments within standard SMTP messages. The Message Bodies themselves are not encrypted, only the attachments. Each Attachment is a Encrypted File. Each attachment potentially can be separatly opened or saved to disk for later decryption. Attachments are via standard MIME.
Encrypted Attachments
Each Encrypted Attachment has a four blocks of information in a fixed sequential order. These blocks are:

FileName
Encrypted Session Key
Signature
Main Data
FileName
The FileName block consists of the filename of the original file being sent. This is sent in order to ensure it is to the correct name on receipt. It is possible that the encrypted file is renamed or otherwise altered in the transmission process, therefore including the filename with the file is a good idea. The actual format of the FileName is :

2 bytes - Short Integer representing FileName Length (n)
n bytes - Ascii representation of the FileName length of n.
Encrypted Session Key
The Encrypted Session Key is a random session key used by the symetric AES algorithm to encrypt and decrypt the main file data. By using RSA to encrypt the session key only the recipient can decrypt the session, and therefore decrypt the main file. The encrypted session key is stored in the following format :

2 bytes - Short Integer representing Encrypted Session Key Length (n)
n bytes - Binary representation of the Encrypted Session Key length of n.

When encrypting a random session key is generated and encrypted with RSA using the public key of the recipient. The receiver uses his private key to decrypt the session key, which is then used for the main data.
Signature
The signature is a MD5 hash of the original data in the file encrypted with RSA using the public key of the sender. On decrypting the main data the recipient can check the hash provided with one calculated from the decrypted main data. If the hash match the recipient can be sure that the file was encrypted by someone with access to the private key that corresponds with the public key on file for the sender. In other words, it ensures the apparent sender of the file is the actual sender of the file. The format of the signature block is in the following format :

2 bytes - Short Integer representing length of Signature (n)
n bytes - Binary representation of the Signature length of n.
Main Data
The Main Data is simply the data of the original file encrypted with the Session Key using the AES algorithm. Its format is simple :

x bytes - All remaining bytes to the end of the file are encrypted data.
Discussion
There are a few design issues I have been thinking about, which I wouldn't
mind some input on:

1. Multiple Recipients. The above format sacrifices flexibility for ease of use. In the above format many of the features are not optional. For example, in PGP you can have multiple recipients by including more than one Encrypted Session Key. You can also elect to only sign, or only encrypt. My solution forces both encryption and signing to be used regardless, while limiting to a single recipient. The reasoning is that I don't want users to need to think about weather to encrypt or sign - it should be automatic and invisible. Also there may be limited application of sending multi-recipient business files?

2. Including Recipients and Senders Email Addresses. In my current implementation the Public Keys are distributed by a web server based on email address. The email address of the sender and recipient defined in each email allow the client to obtain the appropriate keys used for encryption etc. By having the email addresses imbedded into the file itself you could divorce the files totally from the email, so the files can be saved to disk, transmitted by means other than email (FTP?) and still be decrypted at a later date.

3. Compression. Currently there is no compression involved in this process. However, by encrypting data we make it uncompressable. This creates a problem for external systems, such as modems which perform internal compression to aid performance. Take Text for example. Usually text can compress by 90%. With encryption this compression reduces to 0%. It is therefor a good idea to compress files before encryption. Since we are compressing, we might like to compress multiple files - in which case I think the use of zip format would be the most sensible.
Mailing List Comments
from: Grant Black
I think this [encrypted attachments] section needs to be clarified. I think you are saying that you can attach multiple files but then each file (or block) is actually a collection of 4 files. If so how are the files tied together (by name/MIME ID)? Do the files have a type (an extension under win32?). I probably need to refresh my memory when I get home & look at the MIME RFC.

Might have to beware of UniCode and allow for 2 bytes per char filenames, (I have recieved documents from Asia that have unicode names).

I think there is a good case for allowing the sending of multi-recipient files in business. When sending tender and other contract documents it is sometimes important that it is transparent that all parties received the same document at the same time. For instance when preparing bids for projects most companies would want to ensure that they received the same proposal details at the same time as competing companies.

Does it [compression] matter for ID-Trans? I guess I saw the system as passing around business objects like invoices or receipts which tend to be small bits of text/XML - compression seems overkill in these cases. If large files or large groups of files are being exchanged, then that could be an extension of the system to allow for different file formats - after all you don't want to force zipping on a company that might be trading (legally!) MP3/MPeg or JPG's files.
from: Nicholas Hynes
RE: REPLY TO THE DEVCENTRE SECURE E-MAIL SPEC...

had a look at the spec. As you know, I'm not an encryption expert, so I've focussed on some basic design decisions.

Perhaps the standard would benefit from wider discussion. Have you invited comment from any international news groups? It's always interesting to get different points of view, and could lead to wider acceptance.

Okay, my opinion...

1/

Is it wise to advocate the use of un-encrypted e-mail? I know that people CAN use PGP if they want, but are they likely to actually do that? You know what people in business are like, they'll think 'it conforms to the standard, that should be secure enough', and yet eavesdroppers will still have access to: the name of the companies involved, any name/reference number they give the transaction, subject & message body from the unencrypted message.

If this is a must have requirement, then perhaps the standard needs to include rules about what can/must/can't be included in the main message.

2/

Filenames should be of a specified nature - makes it possible to save on multiple platforms, and can help track transactions without the receiver having access to the un-encrypted content. We don't want every attachment to be called 'attachment', because if it gets disassociated with information about how to decrypt it, then there will be no way of tracking it. On the other hand, if the filename gives away too much, it could be used by the evil people.

3/

Perhaps we should make the length indicators 4+ digits. It's a small, small overhead in modern times, and we don't want another Y2K meltdown.

3a/

Perhaps we should stardardize each block of the message (i.e. add a length indicator to the final block). This may make it easier to extend the protocol in the future??? What do other's think??? What about a block id???

4/

How about a protocol version number somewhere. That will allow people to continue using the existing channels, if & when the specification is upgraded. The version number should have, at least, two distinct parts. One for the sent version, one to indicate which versions can reliably decrypt the message.

In reply to your questions...

1. Multiple Recipients.

Can't think of a solution to this. You're right though, encryption & signing should be mandatory, there's no point in having a spec that is foiled by idiot users. Can think of uses for multiple recipients though, there are some business transactions that involve three or more separate legal entities. Each RECEIVING party will need some way of ensuring that all parties have been privy to the same agreement/correspondance.

2. Including Recipients and Senders Email Addresses.

This is a really tricky one. You don't want people to know who is doing business with who. That info is valuable commercial information. Companies are VERY secretive about this sort of information. Even if the e-mail addresses aren't included in the message, the actual transfer medium (SMTP) requires it be included.

Perhaps we need a trusted intermediary, which could recieve a message with two encrypted parts: firstly it has an encrypted header that indicates who the sender & receivers are, secondly it has the original data, encrypted with a different key, which is unknown to the intermediary.

All transactions, from any company, can only be traced as far as 'from X to the intermediary', or 'from intermediary to Y'. Given both bits of information, a company could probably piece together who is talking to who. Perhaps the intermediaries need to bundle/unbundle multiple packets & distribute them accross an IP-tunnel style network... [phew! this is getting huge... sounds like a publicly owned VPN...]

3. Compression. Currently there is no compression involved in this
process. Yep, compression is a good idea. Don't know which algorithm to use though. Waikato Uni. has done a lot of work with encryption. I've e'ed Prof. Ian Witten, and will get back to you.
Home

 

email.htm100744 765 764 4351 7240110776 11053 0ustar htmlhtml DevCentre

Open Standards
Email is a great success. By using standard protocols, and connected in a standard way to a huge network, we are able to transfer information all over the world between organizations and computer systems that are very different in culture, location, and size. The Internet email system is based on simple, standard protocols. Email is a great model for developing further protocols for communication.

The one primary problem preventing communication of the basic business documents today is lack of a standard format for electronic data. Some standards, such as XML are being developed which may aid in developing some standard for transfer of invoices, but currently no specific standard has been implemented across a wide range of systems for basic business documents. I believe there needs to be an initiative to develop standard business document formats, based on XML. There should be standards for Invoices, Statements, and Orders etc.

Several projects are currently developing such standards, and it is my intension to follow and implement the standards as far as practical. There is a list of other B2B XML standards projects on my B2B Resources Page.
Home Next
email_spec.htm100744 765 764 35053 7245652432 12115 0ustar htmlhtml DevCentre

Secure Email Specification (version 1) Discussion

This message document a discription of what I have so far as a specification for secure business document transmission. There is also a discussion about the proposed specification. Please feel free to email peterha@nothingbutnet if you have any comments to add.

The points discussed will be written into version 2, which will be written in the next couple of weeks. I will also be talking with PGP experts to see if we can use a limited implementation of PGP.
SMTP / POP3
Messages are transmitted via attachments within standard SMTP messages. The Message Bodies themselves are not encrypted, only the attachments. Each Attachment is a Encrypted File. Each attachment potentially can be separatly opened or saved to disk for later decryption. Attachments are via standard MIME.
Encrypted Attachments
Each Encrypted Attachment has a four blocks of information in a fixed sequential order. These blocks are:

FileName
Encrypted Session Key
Signature
Main Data
FileName
The FileName block consists of the filename of the original file being sent. This is sent in order to ensure it is to the correct name on receipt. It is possible that the encrypted file is renamed or otherwise altered in the transmission process, therefore including the filename with the file is a good idea. The actual format of the FileName is :

2 bytes - Short Integer representing FileName Length (n)
n bytes - Ascii representation of the FileName length of n.
Encrypted Session Key
The Encrypted Session Key is a random session key used by the symetric AES algorithm to encrypt and decrypt the main file data. By using RSA to encrypt the session key only the recipient can decrypt the session, and therefore decrypt the main file. The encrypted session key is stored in the following format :

2 bytes - Short Integer representing Encrypted Session Key Length (n)
n bytes - Binary representation of the Encrypted Session Key length of n.

When encrypting a random session key is generated and encrypted with RSA using the public key of the recipient. The receiver uses his private key to decrypt the session key, which is then used for the main data.
Signature
The signature is a MD5 hash of the original data in the file encrypted with RSA using the public key of the sender. On decrypting the main data the recipient can check the hash provided with one calculated from the decrypted main data. If the hash match the recipient can be sure that the file was encrypted by someone with access to the private key that corresponds with the public key on file for the sender. In other words, it ensures the apparent sender of the file is the actual sender of the file. The format of the signature block is in the following format :

2 bytes - Short Integer representing length of Signature (n)
n bytes - Binary representation of the Signature length of n.
Main Data
The Main Data is simply the data of the original file encrypted with the Session Key using the AES algorithm. Its format is simple :

x bytes - All remaining bytes to the end of the file are encrypted data.
Discussion
There are a few design issues I have been thinking about, which I wouldn't
mind some input on:

1. Multiple Recipients. The above format sacrifices flexibility for ease of use. In the above format many of the features are not optional. For example, in PGP you can have multiple recipients by including more than one Encrypted Session Key. You can also elect to only sign, or only encrypt. My solution forces both encryption and signing to be used regardless, while limiting to a single recipient. The reasoning is that I don't want users to need to think about weather to encrypt or sign - it should be automatic and invisible. Also there may be limited application of sending multi-recipient business files?

2. Including Recipients and Senders Email Addresses. In my current implementation the Public Keys are distributed by a web server based on email address. The email address of the sender and recipient defined in each email allow the client to obtain the appropriate keys used for encryption etc. By having the email addresses imbedded into the file itself you could divorce the files totally from the email, so the files can be saved to disk, transmitted by means other than email (FTP?) and still be decrypted at a later date.

3. Compression. Currently there is no compression involved in this process. However, by encrypting data we make it uncompressable. This creates a problem for external systems, such as modems which perform internal compression to aid performance. Take Text for example. Usually text can compress by 90%. With encryption this compression reduces to 0%. It is therefor a good idea to compress files before encryption. Since we are compressing, we might like to compress multiple files - in which case I think the use of zip format would be the most sensible.
Mailing List Comments
from: Grant Black
I think this [encrypted attachments] section needs to be clarified. I think you are saying that you can attach multiple files but then each file (or block) is actually a collection of 4 files. If so how are the files tied together (by name/MIME ID)? Do the files have a type (an extension under win32?). I probably need to refresh my memory when I get home & look at the MIME RFC.

Might have to beware of UniCode and allow for 2 bytes per char filenames, (I have recieved documents from Asia that have unicode names).

I think there is a good case for allowing the sending of multi-recipient files in business. When sending tender and other contract documents it is sometimes important that it is transparent that all parties received the same document at the same time. For instance when preparing bids for projects most companies would want to ensure that they received the same proposal details at the same time as competing companies.

Does it [compression] matter for ID-Trans? I guess I saw the system as passing around business objects like invoices or receipts which tend to be small bits of text/XML - compression seems overkill in these cases. If large files or large groups of files are being exchanged, then that could be an extension of the system to allow for different file formats - after all you don't want to force zipping on a company that might be trading (legally!) MP3/MPeg or JPG's files.
from: Nicholas Hynes
RE: REPLY TO THE DEVCENTRE SECURE E-MAIL SPEC...

had a look at the spec. As you know, I'm not an encryption expert, so I've focussed on some basic design decisions.

Perhaps the standard would benefit from wider discussion. Have you invited comment from any international news groups? It's always interesting to get different points of view, and could lead to wider acceptance.

Okay, my opinion...

1/

Is it wise to advocate the use of un-encrypted e-mail? I know that people CAN use PGP if they want, but are they likely to actually do that? You know what people in business are like, they'll think 'it conforms to the standard, that should be secure enough', and yet eavesdroppers will still have access to: the name of the companies involved, any name/reference number they give the transaction, subject & message body from the unencrypted message.

If this is a must have requirement, then perhaps the standard needs to include rules about what can/must/can't be included in the main message.

2/

Filenames should be of a specified nature - makes it possible to save on multiple platforms, and can help track transactions without the receiver having access to the un-encrypted content. We don't want every attachment to be called 'attachment', because if it gets disassociated with information about how to decrypt it, then there will be no way of tracking it. On the other hand, if the filename gives away too much, it could be used by the evil people.

3/

Perhaps we should make the length indicators 4+ digits. It's a small, small overhead in modern times, and we don't want another Y2K meltdown.

3a/

Perhaps we should stardardize each block of the message (i.e. add a length indicator to the final block). This may make it easier to extend the protocol in the future??? What do other's think??? What about a block id???

4/

How about a protocol version number somewhere. That will allow people to continue using the existing channels, if & when the specification is upgraded. The version number should have, at least, two distinct parts. One for the sent version, one to indicate which versions can reliably decrypt the message.

In reply to your questions...

1. Multiple Recipients.

Can't think of a solution to this. You're right though, encryption & signing should be mandatory, there's no point in having a spec that is foiled by idiot users. Can think of uses for multiple recipients though, there are some business transactions that involve three or more separate legal entities. Each RECEIVING party will need some way of ensuring that all parties have been privy to the same agreement/correspondance.

2. Including Recipients and Senders Email Addresses.

This is a really tricky one. You don't want people to know who is doing business with who. That info is valuable commercial information. Companies are VERY secretive about this sort of information. Even if the e-mail addresses aren't included in the message, the actual transfer medium (SMTP) requires it be included.

Perhaps we need a trusted intermediary, which could recieve a message with two encrypted parts: firstly it has an encrypted header that indicates who the sender & receivers are, secondly it has the original data, encrypted with a different key, which is unknown to the intermediary.

All transactions, from any company, can only be traced as far as 'from X to the intermediary', or 'from intermediary to Y'. Given both bits of information, a company could probably piece together who is talking to who. Perhaps the intermediaries need to bundle/unbundle multiple packets & distribute them accross an IP-tunnel style network... [phew! this is getting huge... sounds like a publicly owned VPN...]

3. Compression. Currently there is no compression involved in this
process. Yep, compression is a good idea. Don't know which algorithm to use though. Waikato Uni. has done a lot of work with encryption. I've e'ed Prof. Ian Witten, and will get back to you.
Home

 

email_spec2.htm100744 765 764 17375 7247554560 12213 0ustar htmlhtml DevCentre

Secure Email Specification (version 2) Discussion

This message document a discription of what I have so far as a specification for secure business document transmission. There is also a discussion about the proposed specification. Please feel free to email peterha@nothingbutnet if you have any comments to add.

Notes regarding PGP and S/MIME:
Some people have been wondering why I am implementing my own file format rather than using PGP or S/MIME. While PGP is popular it requires many algorithms and formats for reason of backwards compatibility. I am trying to develop something which is minimalist - with as few options as possible, while PGP is more of a 'hackers' system - in that it allows control over a number of variables. S/MIME makes use of certificates. I am currently developing an alternative to certificates which don't require purchase of certificates. Then again, there is a possibility of co-existance between the Trust Network and Certificate Authority systems.

I am looking at how I can be compatible with either PGP or S/MIME, while still being able to achieve the project objectives.
SMTP / POP3
Messages are transmitted via attachments within standard SMTP messages. The Message Bodies themselves are not encrypted, only the attachments. Each Attachment is a Encrypted File. Each attachment potentially can be separatly opened or saved to disk for later decryption. Attachments are via standard MIME. Text Messages can still be sent however, by including a text file inside the attachment.
Encrypted Attachments
Each Encrypted Attachment has a five types of data 'block':

Version Block

Session Key Block

Directory Block

Signature Block

Data Block
Version Block
The Version Block provides information about which version of the software was used to create the encrypted file.

1 byte - Literally 'V' to signify start of a Version Block.
4 bytes - Size of Version.
n bytes - Description of Version.
Session Key Block
The Encrypted Session Key is a random session key used by the symetric AES algorithm to encrypt and decrypt the main file data. By using RSA to encrypt the session key only the recipient can decrypt the session, and therefore decrypt the main file. The encrypted session key is stored in the following format :

1 byte - Literally 'K' to signify start of a Session Key Block.
4 bytes - Integer representing length of the Recipients Email Address.
n bytes - Wide String representation of Email Address of Recipient.
4 bytes - Integer representing Encrypted Session Key Length (n).
n bytes - Binary representation of the Session Key encrypted to the Recipients Public Key.

When encrypting a random session key is generated and encrypted with RSA using the public key of the recipient. The receiver uses his private key to decrypt the session key, which is then used for the main data. There can be multiple Session Key Blocks, one for each recipient.
Directory Block
The Directory Block consists of the filenames and sizes of the data being sent..

1 byte - Literally 'D' to signify start of a Directory Block.
4 bytes - Integer representing size of Directory.

(All data from this point is encrypted with the session key)
4 bytes - Integer representing Number of files included in Directory.

(below three points recurse through all files in the directory)
4 bytes - Integer representing FileName Length.
n bytes - Wide String representation of the FileName.
4 bytes - Integer representing Length of file in bytes.
Signature Block
The Signature Block is a MD5 hash of the original data in the files, encrypted with RSA using the private key of the sender. On decrypting the main data the recipient can check the hash provided with one calculated from the decrypted main data. If the hashes match the recipient can be sure that the file was encrypted by someone with access to the private key that corresponds with the public key on file for the sender. In other words, it ensures the apparent sender of the file is the actual sender of the file. The format of the signature block is in the following format :

1 byte - Literally 'S' to signify start of a Signature Block.
4 bytes - Integer representing length of Senders Email Address.
n bytes - Wide String representing Senders Email Address.
4 bytes - Integer representing length of Signature.
n bytes - Binary representation of the Signature.
Data Block
The Data Block is simply the data of the original files appended sequencially according to the Directory Block compressed with the Zip algorithm, and encrypted with the Session Key using the Rijndael algorithm. Its format is simple :

1 byte - Literally 'M' to signify start of a Main Data Block
4 bytes - Size of Data Block.
x bytes - All remaining bytes to the end of the file are compressed and encrypted data.
Home

 

id/ 40755 765 764 0 7256336160 7551 5ustar htmlhtmlid/xmlschemas.htm100744 765 764 12324 7265024322 12541 0ustar htmlhtml DevCentre

XML Document Schemas
It is clear that the Internet Documents will be XML. Currently there are a number of Business Document XML projects underway. My desire is to use industry standard XML schemas in order to maintain compatibility with existing implementations, and to ensure the widest possible utilization of this project.
XML Schema Projects
There are many projects developing XML schemas for everything under the sun. However, there are some front runners I believe which I have detailed in my Business to Business Resources.

In addition IDTrans has developed its own XML source code. This is aimed at working with XML with a lightweight code base, rather than the heavyweight approach of Document Object Models. To date this approach has worked very well, although it will need continued work. While initially only available for Delphi, the XML code will be ported to Java and C.
The Role of XML within IDTrans
All Internet Documents will be XML documents. Furthermore those documents will conform to standard definitions that will be incorporated into the software for invoices, statements, orders and other business documents.

There will be minimim requirements for various documents. For example, a invoice will need to contain the sender and receipeint data. It will need to include a Invoice Number, and Invoice Date etc. Every invoice will have common features.

This will ensure that you do not need to obtain a schema from your receipient before you can send them a document. If you send an invoice you know the receipient will be able to parse the invoice.
Children Schemas
My plan is to incorporate inheritance into schemas.

For example, I will distribute a standard Invoice, Statement, Order etc. People will be able to 'inherit' from the standard Invoice to add properties of their own, without redefining the whole invoice schema. If you write in Delphi or Java you will already be familar with the concept.

The advantage of this is that you can send a invoice created from a special invoice schema (ie the schema adds properties to the invoice not normally present in the standard), and the receiver will still be able to make sence of the invoice. They have the option of downloading your inherited schema if they want to parse the additional fields, but they don't need to in order to find the basic invoice data.

Furthermore, all the standard documents would inherit from a single top level document - and you would have a naming convension for people to add their own schemas.ie,

  • org.devcentre.Document -> (Base Document for all Internet Documents)
  • org.devcentre.Invoice -> (Base Document for all Internet Invoices)
  • com.sun.Invoice -> (Specialized Sun version of the Invoice)
  • com.ibm.Invoice -> (Specialized IBM version of the Invoice, inherited from Sun) In other words all schemas become public, and can be used to inherit from in order to create more specialized schemas. Inheritance is not supported by other projects that I am aware of. As a result of this the Schemas can become bloated, as the default schema needs to have fields to support all the fields that may be required. I will probably initially start with simple schemas, and have advanced inherited schemas support the eBIS-XML and ebXML stanadrds.
    • Home
    id/crypto.htm100744 765 764 14025 7265023754 11725 0ustar htmlhtml DevCentre

    Encryption Algorithms
    Over the last few months the project has developed an implementation of IDTrans which depends on two encryption algorithms. Those are Rijndael (AES) and RSA. We may add other algorithms as required, such as a signing algorithm.

    The reason we currently use only two algorithms is simplicity. Adding further algorithms would make the system more complex, but not add anything to the security. Also included on this page is a Specification, now in draft number 2. This provides more detail about the specific implementation being used. This page also provides information about other algorithms under consideration.
    Why do we need encryption?
  • Prevent unauthorized interception of business documents.
  • Prevent unauthorized alterations to business documents.
  • Provide a means to ensure business documents are geniune.
    •
    Requirements
  • Since the project will be Open Source, ideally the Encryption Algorithms used should not be patented.
  • There should be existing libraries for working with the Algorithms, ideally Open Source libraries for the supported languages (Delphi, C, C++, Java).
  • They should be cryptographically well known and trusted.
    •
    Secure Email Specification
    The Secure Email Specification is the current incarnation of a description of the implementation we are currently working towards. It includes the use of Rijndael and RSA.

    Secure Email Specification - version 2
    AES - Rijndael
    In October 2000 the Advanced Encryption Standard was announced in the US by the National Institute of Standards and Technology. The winning encryption algorithm was Rijndael. The Rijndael developers are Belgian cryptographers Joan Daemen and Vincent Rijmen (pronounced Rye'-mun) of Katholieke Universiteit Leuven.

    Rijndael does not have any patents against it or any of the optimized maths required to implement it. It stacks up well against other algorithms in performance, security and scaleability. It has implementations written in at least C, Java and Delphi, all of which are now public domain or shareware.
    Blowfish / Twofish
    Blowfish and Twofish are fast and it is not patented. It is also supported by Open Source libraries already, including Java, Delphi, C++, and C. It is not as old as some more well known systems however. Twofish is a more modern version of Blowfish. I have found free implementations of Blowfish in Java, C, C++, and Delphi.
    MD5
    MD5 is one of the most common hash functions available. It is also very widly implemented in libraries, including Open Source Libraries. I have found implementations of MD5 in C, C++, Delphi and Java.
    ElGamel
    ElGamel is a Public Key Algorithm. It is not patented, which makes it attractive. It has been implemented in C++, Delphi and Java, but the Java code to this is still not stable.
    Elliptic Curve
    Elliptic Curve is a another Public Key Algorithm. Like Elgamel, it is not patented. There is an implementations available in C, C++, Delphi and Java.
    RSA
    RSA is currently the most popular form of public key cryptography. This algorithm was patented until September 2000 when it was released into the Public Domain. There are many implementations of RSA for most languages.
    Home
    id/transport.htm100744 765 764 5235 7265025242 12416 0ustar htmlhtml DevCentre

    Transport Protocols Specification
    The form of Transport used by the Internet Document API will be SMTP and POP3 compliant. In other words we will be using email to transport our documents. This is because there is no compelling reason to develop a separate method of transport.

    However, SMTP and POP3 will probably not be the only protocol required to make the project fully functional. The one specific instance of another form of communication is Public Key Distribution. The Public Key Server will use its own protocol to transmit and verify Public Keys. (see Public Key Server)

    It is possible that the Open Source system called Jabber will be used for some functions. Jabber is an instant messaging system. It could be used to hold public keys, and to transmit XML Documents. Jabber has been developed around transmitting XML.

    Emailed Documents themselves will be MIME attachments inside Emails. This way, even if a non Internet Document mail reader receives an email, the attached file could be saved and later imported into a Internet Document Accounting System. Documents transmitted by Jabber will be encrypted and included inside an XML tag.
    Catelogs
    Catelogs are slightly different to other documents in that they are distributed to a wide number of users, rather than a single recipient. Also Catelogs will generally be large, containing not only text, but images and graphics that are displayed to the user when browsing. Catelogs will still be able to be sent by SMTP/POP3, but will also be able to be retrieved from a web site via HTTP protocol.
    Home
    id/apispec.htm100744 765 764 23646 7265026660 12041 0ustar htmlhtml DevCentre

    Application Programmers Interface Specification
    The Internet Document API will provide all the services for sending and receiving Internet Documents. The following page is just a draft of what it could look like.

    It will be implemented in Java, C, and Delphi. The implementations may differ slightly, as the languages themselves all have different syntax.

    Suggestions about how the API should be implemented would be appreciated. Send any comments or ideas to Peter Harrison

    Outline
    The API is split into two functional areas, the Document Interface and the Transport Interface. The Document Interface will be able to manipulate, load, save and verify XML Documents. Essentially the Document Interface will be a implmentation of DOM. The Transport Interface will be used to transfer any kind of data over via email, taking care of issues such as encryption and signing.
    Document Interface
    The Document Interface is actually a lightweight XML 'Parser'. Its not a validating parser, it is just able to read and write XML documents.

    Class: TIDXml

    Properties:

    XML

    Node

    Methods:

    GetValue( node : String ) : String
    Gets the value of a specific Node.

    GetCount( node : String ) : Integer
    Gets the number of instances that exist of a Tag on a Node.

    AddNode( node, newnode : String )
    Adds a new Node from and existing Node. Note that the root node of all XML documents is 'xml'.

    AddElement( newnode, value : String )
    AddElement adds a new Element under the current Node.

    EditValue( node, value : String )
    EditValue changes the value of the Node to the value supplied.
    Transport Interface
    The primary strength of the Transport Interface is the way I plan to handle Public Keys. One of the biggest problems I see currently is that people need to worry about how to obtain public keys. With this API, the details are more hidden. Once you generate your own Key Pair, and you get the PKServer List, the sending an receiving of encrypted emails is automatic. Any required public keys are downloaded for you.

    GetPKServers();
    This is run in order to obtain the current list of Public Key Servers. It should be called before any batch of documents are transmitted.

    PrivateKey GeneratePrivateKey();
    This is used to generate a Private Key. Is should be called once only for every client. The result should be stored in an encrypted format on the hard drive.

    PublicKey GeneratePublicKey( PrivateKey );
    This is used to generate a Public Key for the Private Key supplied. This is generally called immediatly after GeneratePrivateKey. Once generated it can be sent to a PKServer.

    PKAddress SendPublicKey( Name, Email, PublicKey );
    This function sends a public key to a PKServer. The GetPKServers must have been run recently in order to have an up to date list of PKServers. The PKServer used is chosen at random. The function returns a PKAddress, which is similar to an email address, in that it provides an address which people can use to find your Public Key. The format is similar to email - an example would be name#pkserver.com.

    PublicKey GetPublicKey( PKAddress | emailAddress );
    This function requests a Public Key using the PKAddress or email addressspecified. The PKAddress has the server to connect to in the Address, like a email address. The separator between account and server is a '#' instead of a '@' like in email addresses. If a PKAddress is supplied the PKServer specified is contacted for the Public Key.

    If an email address is supplied each PKServer is contacted in turn and queried. Naturally using email addresses for Public Key resolution is not the prefered means of obtaining a Public Key due to the huge comms overhead.

    PS : Any ideas on how we could make email public key resolution faster?

    PublicKey VerifyPublicKey( PKAddress | emailAddress );
    This function requests a Verification using the PKAddress or email addressspecified. The PKAddress has the server to connect to in the Address, like a email address. The separator between account and server is a '#' instead of a '@' like in email addresses. If a PKAddress is supplied the PKServer specified is contacted for the Public Key.

    If an email address is supplied each PKServer is contacted in turn and queried. Naturally using email addresses for Public Key resolution is not the prefered means of obtaining a Public Key due to the huge comms overhead.

    The Verification consists of a MD5 of the Public Key, instead of the Public Key itself. The MD5 is shorter than the Public Key.

    SetEmailSettings( emailaddress, pop3server, smtpserver, pop3password );
    This function sets up all the details about your email connection

    SendEmailFile( emailaddress, PublicKey, FileName );
    This function sends a file on disk out to the supplied email address. The file is compressed, encrypted using the supplied public key, signed using your private key, and attached as a mime attachment to the email. The email header will also contain your PKAddress.

    SendEmailStream( emailaddress, PublicKey, Stream );
    This function sends a data stream to the supplied email address. The stream is compressed, encrypted using the supplied public key, signed using your private key, and attached as a mime attachment to the email. The email header will also contain your PKAddress.

    GetEmailHeaders();
    This function will receive the headers of all emails waiting for collection.

    GetEMailtoFile( number, Filename );
    This function will receive the email, and unpack the attached file into the specified file. It will automatically handle obtaining the required Public Key by looking up the PKAddress supplied, or at a last resort looking up the email address. It will then use the Public Key of the sender to authenticate the email.

    GetEMailtoStream( number, Stream );
    This function will receive the email, and unpack the attached file into the specified stream. It will automatically handle obtaining the required Public Key by looking up the PKAddress supplied, or at a last resort looking up the email address. It will then use the Public Key of the sender to authenticate the email.

    DeleteEmail( number );
    Deletes the specified Email
    Odds and Ends
    Further things to think about:
  • Confirmations, sending back confirmation that a document that was sent actually arrived.
  • Hooks for Outlook and Outlook Express?
    •
    Home

     

    id/idclient.htm100744 765 764 3343 7265672654 12172 0ustar htmlhtml DevCentre

    Client Application Specification - ODYSSEY
    The client application currently in development is called ODYSSEY. It is a modern email client, and in addition can automatically handle encryption and compression of email. It can also create and send Business Documents, and browse Catalogs.

    It is currently being developed in Delphi, as this is what I know. The API is not language specific, so my decision to write the 'reference implementation' of the client in Delphi should not be a concern. By writing in Delphi and avoiding calls to the Windows API I should be able to have a Kylix port of the Client when Kylix is released. Kylix is the Linux port of Delphi, which promises to make a huge impact on the number of available applications on Linux.

    The first beta release of ODYSSEY should be available in early May 2001.
    Home
    id/keyservice.htm100744 765 764 16371 7265027334 12562 0ustar htmlhtml DevCentre

    The Trust Network - distribution of public keys
    The Trust Network is an important part of the whole system. Its purpose is to store public keys so that they can be retrieved. The problem is that when you send an email to somebody, and if you are using public key crypto, you need to know their public key. Current client software requires you to obtain the public key by some means before encrypted communication can begin.

    By having your Public Key stored on a server people can obtain your public key at any time. And because you can also interrogate your public key yourself at any time you can ensure the public key has not been replaced. Once someone has your public key it is stored on their machine, and verified against the public key server when used. This increases the chance that a man in the middle attack is detected.

    An additional security feature may be signed keys. This is effectivly a certificate. It means that the public key has been signed by the server as geniune. This means that any attempt to replace the key in transit will break the certificate.
    Receiving Keys
    The Server will receive keys by having the client connect to the server go through the following protocol :
  • Client sends a Message with their public key and email address signed by their private key.
  • Server confirms authenticity of public key by checking the signature. If authentic it will send a Confirm Message back to the client. It also sends a email message to the email address supplied informing the user that they have registered their public key.
  • Client receives their email, and replies to the email to activiate the Public Key. If no response comes from the client the Server will not distribute the Public Key.
    • Obtaining / Verifying a Public Key
    The Server will distribute a public key to any client which requests one using the following protocol: Client sends a message requesting the public key of a specific email address in the clear. This is not encrypted as there is no secret information to be protected. Server looks up email address and sends the Public Key signed by the Private Key of the owner of the Public Key. This protocol is the same weather requesting or verifying a Public Key.
    The Trust Network
    Public keys are used for both Encryption and Verification, so ensuring you have the correct public key is vitally important, otherwise your encrypted communications are vunrable, and you cannot be verify where messages come from.

    The traditional way of ensuring distributing public keys was a trust tree, where some organization at the top of the tree signs certificates of organizations below. In turn those organizations might distribute certificates and so on down. The purpose of this is to provide some certainty that the public key you have obtained is really the public key of the intended receipient of a message, and not a spy in the middle.

    The Trust Network is a set of Public Key Servers. Each server on the network has a full list of the other servers.When a new public key is received it sends the public key via secure channel to two servers on the list at random. These two servers will then periodically query the original server to ensure the Public Key has not been tampered with.

    Should tampering be detected by a server, it will send out a message to all the servers on the server list to check the server under suspicion. Each server will then query the Public Keys it has stored against the suspect server.

    Any Public Keys that have been tampered with will generate an additional message to the suspect server informing them of the mismatch, and what the correct key should be. If a server gets corrections from two servers for a Public Key it will change the Public Key stored to the one supplied, assuming the Public Keys from the other servers match.

    If a suspect Public Key is not corrected even when these messages have been sent to a server, the entire server will be marked on the list as 'defective'. A new server will be chosen to host the keys that previously belonged to the defective server, and all Public Keys stored on other servers relating to the defective server will be transmitted to the new server. The new server will only accept Public Keys if it receives two copies from different servers.

    The result of all this is that servers which have been hacked or modified in such a way to allow false Public Keys to be distributed will be discovered, and if the problem is not resolved, will be eliminated from the 'Trust Network'.
    Lightweight Directory Access Protocol
    The LightWeight Directory Access Protocol is already being used in a system much like that described above. In all probability we will end up using this protocol and the open source implementations of it to deliver Public Key Distribution. PGP uses LDAP to distribute keys. Like many of the other standards and protocols I have already found, I am investergating how this can be incorporated into the project.
    Home
    id/docservice.htm100744 765 764 505 7153640766 12475 0ustar htmlhtml DevCentre

    Document Signing Service Specification

    id/catalogspec.htm100744 765 764 3104 7240110750 12630 0ustar htmlhtml DevCentre

    Catalog Package Specification
    The Catalog Package will typically be a compressed archive of files. There will be a single XML file which stores information about the products, prices, and will have links to HTML pages from products. The HTML files will then link to image files.

    This means generation of the HTML and images can be done with standard tools, and rendered on the client side using a standard web browser. The XML will be parsed by the Client internally.

    The initial version of the Catalog will have no business logic in it. However this is an open area, in that business may want to include some kind of business logic script in the catalog to perform bulk discounts and other calculations.
    Home
    id/platforms.htm100744 765 764 6316 7256335462 12402 0ustar htmlhtml DevCentre

    Platforms
    The project will attempt to be as inclusive as possible with supported platforms. The objective is to support the largest number of computer systems as possible with the available resources.
    The Internet Document API
    The Internet Document API will be available for every major programming language. The following is a list of languages which an API will be available for C, C++, Delphi, Java and Visual Basic.

    The API will come in the form of libraries, which can be included in applications in any way the programmer wants, ie as a DLL, statically linked etc. In Java it will usually be implemented as a single jar file. In Delphi it will probably be a component set. To some extent they may have interfaces, however the primary methodology of using the API should be the same between language implementations.
    Server Side Applications
    I intend to write the first implementation of Server Side Applications in Java.

    I don't believe there is much point in writing the Server Side Applications in several languages at the same time. My intention is to concentrate in writing the Server Side applications in one langauge that is currently common on the server side. This implementation can then become the reference implementation so other languages can be ported.
    Client Side Applications
    I intend to write the Client Side Applications in Delphi. This is simply because I know Delphi, and I know that a working product will be very quick to develop compared to the alternatives.

    There will be API's for every language, so although I am writing the Client in Delphi I am not limiting anyone to Delphi. Delphi has the advantage of a large number of component developers who have released source code for free. This includes implementations of cryptography, compression, and TCP/IP communications.
    Home
    id/license.htm100744 765 764 64555 7172305714 12040 0ustar htmlhtml DevCentre
    Open Source License

    After doing some evaluation I feel the following license has the best for for this project. The primary difficulty this license avoids is the difficulty of incorporating GPL source code into commercial products. My intension is to incorporate the source code to the Project into as many accounting systems as possible, and therefore a restrictive license is not desirable.

    The GNU Library General Public License allows a library to be incorporated into a commercial product, and is therefore more appropriate for this project. The full license is posted below.

    GNU LIBRARY GENERAL PUBLIC LICENSE

    Version 2, June 1991

    Copyright (C) 1991 Free Software Foundation, Inc.

    59 Temple Place - Suite 330, Boston, MA 02111-1307, USA

    Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

    [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.]

    Preamble

    The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

    This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too.

    When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

    To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it.

    For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

    Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library.

    Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations.

    Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

    Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license.

    The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such.

    Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better.

    However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries.

    The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library.

    Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one.

    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

    0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above) ; and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. one line to give the library's name and an idea of what it does. Copyright (C) year name of author This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. signature of Ty Coon, 1 April 1990 Ty Coon, President of Vice That's all there is to it! Return to GNU's home page. FSF & GNU inquiries & questions to gnu@gnu.org. Other ways to contact the FSF. Comments on these web pages to webmasters@www.gnu.org, send other questions to gnu@gnu.org. Copyright notice above. Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA Updated: 18 Jun 2000 mhatta
    Home
    idproject.htm100744 765 764 2162 7157373714 11757 0ustar htmlhtml DevCentre

    The Internet Document Project

    The following pages are the official planning and respository pages for the Internet Document Project

    Platforms

    XML Schemas

    Encryption Algorithms

    Transport Protocols

    Application Programmers Interface

    Internet Document Client

    Public Key Service

    Catalog Packages

    index.htm100744 765 764 22330 7265672474 11127 0ustar htmlhtml DevCentre

    News Resources

    Odyssey Email - The Client

    Odyssey Email is the name of the email client which is currently in development. The first release of a beta should be ready by May. Its primary feature improvements over Outlook Express will be 'invisible' encryption - so easy to use you don't know you are, and the ability to send and receive invoices and orders.

    The source code is already available via CVS, and the project is always looking for developers to aid in the development of this and other technologies in the project.

    IDTrans CVS Repository
    14 April 2001

    Lightweight XML System

    Frustration in finding a lightweight, easy to use XML parser over several months lead me to write my own 'paser', which is now part of the IDTrans project. The lightweight parser allows easy writing and access to XML documents without heavyweight object models such as DOM, but retaining the random access features of DOM. The source for this is currently in CVS.

    Source Released on SoureForge

    SourceForge Logo SourceForge provides services to Open Source developers. It has provided its services to the IDTrans Project, hosting this web site, and other developer services such as downloads, CVS, issue tracking. The IDTrans binaries and source code can be downloaded.

    Download Available Here

    Secure Email Specification Discussion

    Thanks to several helpfull emails I have made some modifications to my original specification for secure email.

    Secure Email Specification - version 2

    Open Source License Available

    The License that will be used for all source code developed for the project is now available. The license is not the GPL as this would have had implications for working with the commercial developers that the project intended to work with. Instead the license allows unrestricted copy and modification.

    IDTrans Project License

    ComputerWorld on the Project

    ComputerWorld recently ran a story about the project. Feedback from the article has been very good, and I hope to build on this success. I am now talking with several companies about joining the project. Profax Accounting has already joined, and will no doubt be looking to incorporate the project code into Profax next year.

    ComputerWorld on the DevCentre Project
    26/11/2000

    		 SourceForge - Summary
    Provides access to all IDTrans pages on SourceForge.

    SourceForge - Forum
    Public Forum to discuss the IDTrans Project.

    SourceForge - Downloads
    Public Access to Download Files that have been publically released by IDTrans.

    SourceForge - Tracker
    Bugs, Requested Features, and Support for IDTrans.

    Documents

    Objectives
    The objectives of IDTrans

    Business Case
    Making a business case for supporting the development of IDTrans.

    Open Standards
    The importantance of developing standards for transmitting business documents.

    Real API
    Why is having a real implementation of a B2B system nessasary?

    Real Software
    Why is demonstrating the technology nessasary for uptake of new standards?

    Security
    How is IDTrans addressing Data Security? How will IDTrans make data security easy?

    Catalogs
    What are Catalogs, and how will they be incorporated into IDTrans?

    Summary

    This site hosted by:
    SourceForge Logo
    Technical Documents DevCentre.Org

    Platforms
    What hardware and software platforms will IDTrans Operate?

    XML Schemas
    What part will XML play in the IDTrans Project?

    Encryption Algorithms
    What encryption technologies are being considered for the IDTrans Project?

    Transport Protocols
    What transport protocols are being considered by the IDTrans Project?

    Application Programmers Interface
    What will the Programmers API look like? Will it support the language I write in?

    Internet Document Client
    What will the Internet Document Client look like, and what functionality will it have?

    Public Key Service
    What is a Public Key Service? What is a Trust Network? Why do we need them?

    Catalog Packages
    What is a Catalog? How will we use Catalogs?

    		 DevCentre.Org is a resource for developers of Open Source projects. The site is primarily related to technologies for enabling Business Communication over the Internet.

    www.devcentre.org
    email  
    license.htm100744 765 764 6241 7232376516 11415 0ustar htmlhtml DevCentre

    License for IDTrans Source Code
    Copyright (c) 2000, Internet Document Transport Project (IDTrans)

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
    • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
    • No personal names or organizations names associated with the IDTrans project may be used to endorse or promote products derived from this software without specific prior written permission of the specific individual or organization.


    THIS SOFTWARE IS PROVIDED BY THE INTERNET DOCUMENT TRANSFER PROJECT "AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Note : This License covers source code written as part of the IDTrans Project only. Other source code used in the project, such as encryption and communication libraries have their own license. All source code included in the project is able to be copied and modified however, as any source code that excludes these terms is not used.
    Home
    objectives.htm100744 765 764 6311 7240077766 12132 0ustar htmlhtml DevCentre

    Wouldn't it be great...
    Wouldn't it be great if you could receive your phone bill, electricity bill, bank statement, and any other kind of invoice or statement, by email. Wouldn't it be great if once you receive your invoice you could transfer it to your accounting system. Wouldn't it be great if you could send your customers your invoice, and they could pay it electronically once they receive it. I see a future where most paper documentation is replaced by Internet Standard Documents, and we can all send business documents as easily as we do with email today.

    With the rise of the Internet email has now become a required part of business. A vast majority of businesses, and a huge number of consumers have access to email and the Internet. What is surprising is that despite this revolution in communication a vast majority of companies still send physical invoices and bills to each other and to their customers.

    This projects primary goal is to introduce a method of transmitting business documents between different organizations without a requirement to coordinate the format of documents prior to transmission. In other words, you can send an invoice without the worry of the receipient not being able to import the invoice.
    Project Objectives
    The DevCentre Project has some very specific objectives:
  • Development of functionality to transmit an receive business documents.
  • Development of security and authentication functionality of business documents.
  • Development of a free public key infrastructure.
  • Promote the use of the software in ALL accounting systems.

    The project as a whole has the following principles:

  • All source code in the project is freely available.
  • All source code will be free of paid licence or patents.
  • All major programming languages will be supported. The project is vendor impartial.
    • Home
    sponsors.htm100744 765 764 2442 7240102242 11636 0ustar htmlhtml DevCentre

    Project Sponsors

    DevCentre thanks the following sponsors for their support of the project to date. Without the help of our sponsors this project would not be possible.
    Home
    summary.htm100744 765 764 4056 7256334716 11474 0ustar htmlhtml DevCentre

    Summary
    This brief discussion document is intended to provoke thought about how we can make the most of the Internet in business. By working together to create standards and Open Source tools based on those standards we can all intergrate our financial systems better than ever before.

    This document is simply a jumping off point. On this site you will find more detailed specifications and research. This includes Open Source resources which will make a major part of the project. Over the coming months you can also expect to see discussions, source code, and working product.

    The goal we have set is not an easy one. We need help to achieve the goals. Our aim is to approach accounting system companies, banks, and other organizations who would benefit from this project in order to fund the project.

    If you think you would benefit from this project, or would like to be involved in its development, please Register your interest by clicking Register Below.
    Home Register
    yellowbutton1.gif100744 765 764 435 7071424440 12546 0ustar htmlhtmlGIF89a ̙f33"!This animated gif is believed to be in the public domain. If you are the copyright owner of this image and want it removed from our archives please contact us at http://www.arttoday.com.!, #X \$7 碆@S;