EDI over the Internet March 23, 2004 Joseph Conron Internet Commerce Corp.

Date posted: 20-Dec-2015

Page 1

EDI over the Internet

March 23, 2004

Joseph Conron

Internet Commerce Corp

Page 2

AGENDA

• Definition of EDI

– EDI Standards

– EDI Transactions

• EDI Networks

– What they do

– How they work

• Internet and EDI (EDIINT)

– EDI, the Internet, and RFCs

– AS2 – an application of Internet Standards

– Impact – how the Internet transformed EDI services.

• Final Thoughts and Questions

Page 3

What is EDI?

EDI Document

• Computer-to-computer exchange of business documents.

• Documents use standardized format.

• Documents are called transaction sets.

• EDI transaction set is roughly equivalent to a paper business form

– purchase order

– invoice

– shipping notice

• Organizations that exchange EDI transaction sets are called trading partners.

Electronic Data Interchange

Page 4

Why EDI?

The goal is to move from this: US Postal Service

To this: EDI Network

Page 5

What is an EDI Standard?

Standards take the guesswork out of understanding the content of a business document.

Structure, content, and syntax of EDI transactions are established by the governing standards committee.

[Diagram labels: UCC, TradaComs, VICS, ANSI X12, TDCC, UN/Edifact]

*American National Standards Institute ANSI X12

*UN Edifact - EDI for the Facilitation of Administration, Commerce, and Transport

Page 6

Why Standards?

• Hardware Differences

• Diverse Business Systems

• Different Operating Systems

• Programming Languages

• File Structures

• Different Character Sets

Example: 07/08/2004

Possible interpretations:

– August 7, 2004 in Germany

– July 8, 2004 in the U.S.

Standards Ensure a Commonly Understood Meaning When Computers Exchange Data

Page 7

Standards Language

• Interchange - Envelope

• Transaction - Document

• Functional Groups - Similar Documents

• Segment - Line

• Data Elements - Word

• Identifier - Code

• Delimiters - Punctuation

• Syntax - Format

PO850

INV810

Page 8

EDI Standards

ISA*00* *00* *01*VAN1 *12*VAN2 *981015*1226*U*00303*000000179*0*P*>…GS*PO*VAN1*VAN2*981015*1226*179*X*003030…ST*850*000001173…BEG*00*NE*739168**981011…DTM*017*981101…N1*ST*VAN1*92*006…PO1*1*6*EA*3.71**SK*332531*ZZ*BLUE WIDGETS 55555…PO1*2*6*EA*2.2**SK*332560*ZZ*RED IDGETS 33945…PO1*3*6*EA*1.25**SK*332586*ZZ*YELLOW WIDGETS 53945…PO1*4*6*EA*.5**SK*333637*ZZ*GREEN WIDGETS1049…PO1*5*6*EA*5.39**SK*333640*ZZ*PURPLE WIDGETS 51041…PO1*6*12*EA*.36**SK*333653*ZZ*BLACK WIDGETS 51000…PO1*7*6*EA*.99**SK*333695*ZZ*WHITE WIDGETS 51042…PO1*8*6*EA*3.15**SK*333718*ZZ*BEIGE WIDGETS 53949…PO1*9*6*EA*2.8**SK*333721*ZZ*ORANGE WIDGETS 51043…PO1*10*6*EA*2.98**SK*333734*ZZ*GRAY WIDGETS 51044…PO1*11*24*EA*.79**SK*333776*ZZ*VIOLET WIDGETS EZ21406…PO1*12*6*EA*1.12**SK*333802*ZZ*MAROON WIDGETS51051…PO1*13*10*EA*.99**SK*333815*ZZ*AQUA WIDGETS51053…CTT*13…SE*19*000001173…ST*850*000001174…BEG*00*NE*739169**981011…DTM*017*981101…N1*ST*VAN1*92*028…PO1*1*24*EA*.62**SK*332667*ZZ*BROWN WIDGETS20501…PO1*2*10*EA*5.8**SK*333624*ZZ*BLUE WIDGETS 13945…PO1*3*6*EA*5.39**SK*333640*ZZ*PURPLE WIDGETS 51041…CTT*3…SE*9*000001174…ST*850*000001175…BEG*00*NE*739170**981011…DTM*017*981101…N1*ST*VAN1*92*031…PO1*1*6*EA*2.2**SK*332560*ZZ*RED WIDGETS 33945…PO1*2*6*EA*1.25**SK*332586*ZZ*YELLOW WIDGETS 53945…PO1*3*10*EA*4.24**SK*332612*ZZ*BROWN WIDGETS 23945…PO1*4*24*EA*.77**SK*332748*ZZ*RED WIDGETS-22201…PO1*5*6*EA*.36**SK*333653*ZZ*BLACK WIDGETS 51000…PO1*6*6*EA*3.15**SK*333718*ZZ*BEIGE WIDGETS 53949…PO1*7*10*EA*.99**SK*333815*ZZ*AQUA WITS 51053…CTT*7…SE*13*000001175…ST*850*000001176…BEG*00*NE*739171**981011…DTM*017*981101…N1*ST*VAN1*92*037…PO1*1*24*EA*1.01**SK*333569*ZZ*VIOLET WIDGETS 21202…PO1*2*10*EA*5.99**SK*333611*ZZ*BROWN WIDGETS-12955…PO1*3*6*EA*.5**SK*333637*ZZ*GREEN WIDGETS 51049…PO1*4*6*EA*5.39**SK*333640*ZZ*PURPLE WIDGETS 51041…PO1*5*6*EA*3.15**SK*333718*ZZ*BEIGE WIDGETS 53949…PO1*6*6*EA*2.8**SK*333721*ZZ*ORANGE WIDGETS 
51043…CTT*6…SE*12*000001176…ST*850*000001177…BEG*00*NE*739172**981011…DTM*017*981101…N1*ST*VAN1*92*045…PO1*1*6*EA*3.71**SK*332531*ZZ*BLUE WIDGETS 55555…PO1*2*6*EA*2.12**SK*332573*ZZ*FLO TEMP SOLDER42945…PO1*3*24*EA*.82**SK*332638*ZZ*MASSIVE WIDGETS-20801…PO1*4*24*EA*.62**SK*332667*ZZ*SMART WIDGETS-20501…PO1*5*24*EA*.75**SK*333556*ZZ*VIOLET

Purchase Order

X12 Data String
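
Added example (not from the original slides): a Python check of the envelope terms listed on page 7 (interchange, functional group, transaction set, segment, delimiters). It reads the delimiters from the fixed-width ISA segment and verifies that the SE, GE and IEA counts and control numbers agree. The sample interchange is constructed, modelled on the second purchase order in the data string above, and assumes `~` as the segment terminator; the function names are illustrative.

```python
def build_isa(sender, receiver, ctrl, sep="*", comp=">", term="~"):
    # ISA is fixed width (106 chars); that is how a parser learns the delimiters.
    fields = ["00", " " * 10, "00", " " * 10, "01", sender.ljust(15), "12",
              receiver.ljust(15), "981015", "1226", "U", "00303",
              ctrl.zfill(9), "0", "P", comp]
    return "ISA" + sep + sep.join(fields) + term

def parse(raw):
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("not an X12 interchange")
    sep, term = raw[3], raw[105]          # element separator, segment terminator
    return [s.strip().split(sep) for s in raw.split(term) if s.strip()]

def check_envelopes(raw):
    """Return a list of envelope errors; an empty list means counts and control numbers agree."""
    errors, segs = [], parse(raw)
    isa_ctrl = gs_ctrl = st_ctrl = None
    st_index = groups = sets = 0
    for i, seg in enumerate(segs):
        tag = seg[0]
        if tag == "ISA":
            isa_ctrl, groups = seg[13], 0
        elif tag == "GS":
            gs_ctrl, sets, groups = seg[6], 0, groups + 1
        elif tag == "ST":
            st_ctrl, st_index, sets = seg[2], i, sets + 1
        elif tag == "SE":
            count = i - st_index + 1      # ST through SE inclusive
            if seg[1] != str(count):
                errors.append(f"SE {seg[2]}: declares {seg[1]} segments, found {count}")
            if seg[2] != st_ctrl:
                errors.append(f"SE control {seg[2]} != ST control {st_ctrl}")
        elif tag == "GE":
            if seg[1] != str(sets) or seg[2] != gs_ctrl:
                errors.append(f"GE mismatch: {seg[1:]} vs {sets} sets, control {gs_ctrl}")
        elif tag == "IEA":
            if seg[1] != str(groups) or seg[2] != isa_ctrl:
                errors.append(f"IEA mismatch: {seg[1:]} vs {groups} groups, control {isa_ctrl}")
    return errors

# Constructed sample modelled on the slide's second purchase order (SE*9).
BODY = ["GS*PO*VAN1*VAN2*981015*1226*179*X*003030", "ST*850*000001174",
        "BEG*00*NE*739169**981011", "DTM*017*981101", "N1*ST*VAN1*92*028",
        "PO1*1*24*EA*.62**SK*332667*ZZ*BROWN WIDGETS 20501",
        "PO1*2*10*EA*5.8**SK*333624*ZZ*BLUE WIDGETS 13945",
        "PO1*3*6*EA*5.39**SK*333640*ZZ*PURPLE WIDGETS 51041",
        "CTT*3", "SE*9*000001174", "GE*1*179", "IEA*1*000000179"]
SAMPLE = build_isa("VAN1", "VAN2", "179") + "~".join(BODY) + "~"
TAMPERED = SAMPLE.replace(BODY[6] + "~", "")   # one PO1 line lost in transit
```

These counts only catch accidental truncation or a careless edit; anyone altering the data can recompute them, which is why the later slides add S/MIME signatures for message integrity.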

Page 9

Page 10

EDI Transactions

Documents Used Will Vary by Industry

Product Data & Price Catalog - 832

SUPPLIER

CUSTOMER

Purchase Order - 850

Invoice - 810

Purchase Order Acknowledgement - 855

Advance Ship Notice - 856

Remittance Advice - 820

Product Activity Data - 852

Functional Acknowledgements - 997

Page 11

Before EDI Networks

Initially, Quite Simple

[Diagram labels: Company A, Bank, Shipper, Vendor A]

Page 12

Before EDI Networks

But It Got Ugly Real Fast!

[Diagram labels: Company A, Company B, Company C, Company D, Bank, Shipper, Vendor A, Vendor B]

Page 13

Proprietary EDI Networks

Outsource the Headaches to an Intermediary

[Diagram labels: VAN, Company A, Company B, Company C, Company D, Bank, Shipper, Vendor A, Vendor B]

Page 14

EDI Networks before Internet

• EDI Services provided by Value Added Networks (VANs)

– GE Information Services

– Sterling Commerce

– IBM

• Before Internet, VANs used proprietary software and bisync communications links.

• Many of these links are still in use!

Page 15

EDI Networks before Internet

Large Processing, Support, and Network Infrastructure.

[Diagram labels: Your Site, EDI Translator, Trading Partner Site, EDI Translator, EDI VAN, Mainframe/Fault Tolerant Hardware, Leased Lines, SNA/Bisync, X.25 (X.400), Async Dial, Bisync Dial-Out, Interconnect, Bisync, EDI VAN Competitor, Trading Partner Site]

Page 16

EDI Meets the Internet

• Until 1998, all EDI traffic was handled by VANs, and none of these used the Internet.

• In 1998, Internet Commerce Corp deploys the first Internet-based EDI network, now called ICC.net.

• FTP, SMTP, HTTP, PGP are the Internet protocols used for file transfer and document management.

– FTP, SMTP – file transfer of EDI documents

– HTTP – browser applet to manage “mailboxes”

– PGP – security

Page 17

EDI Meets the Internet

• ICC would continue to be the only EDI network using the Internet for the next two years.

• Major VANs like IBM, Sterling Commerce, and GE Information Systems would take two to three years to catch up.

Question: why did it take a start-up to change the way EDI is transmitted? Why didn’t one of the major players do it?

Page 18

Answers?

1. Too expensive?

2. Too much invested in existing infrastructure?

3. Perception that the Internet is not secure?

Page 19

Resistance to the Internet

• EDI world entrenched in proprietary point-to-point solutions (i.e., CLOSED systems).

• Internet viewed as insecure.

• To solve this problem, EDI world would need:

– Privacy (encrypted data)

– Authentication (know your partner!)

– Message Integrity (no message tampering)

– Non-repudiation (sender cannot deny sending a message, nor can receiver deny getting it)

– All of this had to be standardized to allow interoperability (make it easy to transact with any potential trading partner).

Page 20

A Solution based on Existing Standards

• Security provided by using RFC 2633 (S/MIME)

– S/MIME is based on RFC 1521, RFC 1847

• Non-repudiation obtained by using RFC 2298 (MDN)

• Define “Secure Transmission Loop” model

• Formally the solution is given in RFC 3335 (S/MIME + MDN + SMTP)

• Solution extended by AS2 (S/MIME + MDN + HTTP|HTTPS)

– Note: “AS” means “Applicability Statement”

Page 21

S/MIME

• For signing, Multipart/Signed

Content-Type: multipart/signed; boundary="as2BouNdary1as2"; protocol="application/pkcs7-signature"; micalg=sha1

• To carry signed, encrypted objects

Content-type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m

• pkcs7 uses RSA public key cryptography and X.509 certificates.

– Encrypt with partner’s public key

– Sign with your own private key

– Requires that partners exchange certificates.

Page 22

Secure Transmission Loop

• Sender signs and encrypts data using S/MIME.

• Sender transmits message, requesting MDN.

• Receiver decrypts data and authenticates sender.

• Receiver creates and signs MDN and transmits to sender.

Question: How can a sender correlate an MDN with any of the unacknowledged messages?

Page 23

Synchronous or Asynchronous MDN

• Sender may ask receiver for synchronous or asynchronous MDN

– Synchronous MDN is returned on same HTTP session.

– Asynchronous MDN is returned on separate HTTP session initiated by original receiver.

– Most AS2 transactions use synchronous MDNs

– Can you think of reasons why one method is better than the other?

– Which one is harder to manage?

– Why?

Page 24

Synchronous or Asynchronous MDN

Synchronous AS2-MDN

[C] ----( connect )----> [S]

[C] -----( send )------> [S] [HTTP Request [AS2-Message]]

[C] <---( receive )----- [S] [HTTP Response [AS2-MDN]]

Asynchronous AS2-MDN

[C] ----( connect )----> [S]

[C] -----( send )------> [S] [HTTP Request [AS2-Message]]

[C] <---( receive )----- [S] [HTTP Response]

[C]*<---( connect )----- [S]

[C] <--- ( send )------- [S] [HTTP Request [AS2-MDN]]

[C] ----( receive )----> [S] [HTTP Response]

Page 25

AS2 Message Identification

• AS2 defines new headers that identify the sender and the receiver:

– AS2-from: <as2-name>

– AS2-to: <as2-name>

• From RFC 822 we use the message-id: header to identify this message.

• The message-id: is returned in an MDN as original-message-id: field.

Question: why do we need AS2 sender and receiver IDs? Isn’t the IP address sufficient?

Page 26

Example AS2 Request (signed but not encrypted)

POST /invoke/wm.EDIINT/receive HTTP/1.1

Host: 208.234.160.12:80

User-Agent: AS2 Company Server

Date: Wed, 31 Jul 2002 13:34:50 GMT

From: [email protected]

AS2-Version: 1.1

AS2-From: as2Name

AS2-To: 0123456780000

Subject: G1 Test Case

Message-Id: <200207310834482A70BF63@\"~~foo~~\">

Disposition-Notification-To: [email protected]

Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1

These headers request a signed, synchronous MDN.

Page 27

Example AS2 Request (continued)

Content-Type: multipart/signed; boundary="as2BouNdary1as2"; protocol="application/pkcs7-signature"; micalg=sha1

Content-Length: 2464

--as2BouNdary1as2

Content-Type: application/edi-x12

Content-Disposition: Attachment; filename=rfc1767.dat

[ISA ...EDI transaction data...IEA...]

--as2BouNdary1as2

Content-Type: application/pkcs7-signature

[omitted binary pkcs7 signature data]

--as2BouNdary1as2--

Page 28

Synchronous MDN Example

HTTP/1.1 200 OK

AS2-From: 0123456780000

AS2-To: as2Name

AS2-Version: 1.1

Message-ID: <709700825.1028122454671.JavaMail@ediXchange>

Content-Type: multipart/signed; micalg=sha1;protocol="application/pkcs7-signature"; boundary="----=_Part_57_648441049.1028122454671"

Connection: Close

Content-Length: 1980

Note: the Message-Id is the ID for THIS MDN!

Page 29

Synchronous MDN Example

------=_Part_56_1672293592.1028122454656

Content-Type: message/disposition-notification

Content-Transfer-Encoding: 7bit

Reporting-UA: AS2 Server

Original-Recipient: rfc822; 0123456780000

Final-Recipient: rfc822; 0123456780000

Original-Message-ID: <200207310834482A70BF63@\"~~foo~~\">

Received-content-MIC: 7v7F++fQaNB1sVLFtMRp+dF+eG4=, sha1

Disposition: automatic-action/MDN-sent-automatically;processed

------=_Part_56_1672293592.1028122454656--

{Followed by a signature multipart}

This is the ID of the message that MDN acknowledges.
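
Added example (not from the original slides): one way a sender can close the Secure Transmission Loop, correlating an MDN with an unacknowledged message through Original-Message-ID and comparing Received-content-MIC with the digest it computed at send time. The `Outbox` class, its method names and the sample data are hypothetical and constructed; the code assumes the MDN's S/MIME signature has already been verified and that `signed_part` is the canonicalized MIME part that was signed.

```python
import base64
import hashlib
from email.parser import Parser

class Outbox:
    """Tracks sent AS2 messages until a matching MDN arrives."""
    def __init__(self):
        self.pending = {}                  # Message-Id -> (expected MIC, micalg)

    def sent(self, message_id, signed_part, micalg="sha1"):
        # sha1 mirrors the micalg on the slides; use whatever the partners agreed.
        digest = hashlib.new(micalg, signed_part).digest()
        self.pending[message_id] = (base64.b64encode(digest).decode(), micalg)

    def receive_mdn(self, mdn_fields):
        """Return (status, original_message_id) for one MDN's field block."""
        f = Parser().parsestr(mdn_fields, headersonly=True)
        mid = f.get("Original-Message-ID", "").strip()
        if mid not in self.pending:        # unknown, duplicate or replayed receipt
            return ("unknown-message", mid)
        state = f.get("Disposition", "").split(";")[-1].strip().lower()
        if state != "processed":           # e.g. processed/error: ...
            return ("not-processed", mid)
        mic, _, alg = f.get("Received-content-MIC", "").partition(",")
        expected_mic, expected_alg = self.pending[mid]
        if alg.strip().lower() != expected_alg or mic.strip() != expected_mic:
            return ("mic-mismatch", mid)   # receiver saw different bytes than we sent
        del self.pending[mid]              # receipt accepted; stop tracking
        return ("acknowledged", mid)

# Constructed sample data, not taken from the slides.
PART = b"Content-Type: application/edi-x12\r\n\r\nISA*constructed*sample~"

def sample_mdn(mid, mic,
               disposition="automatic-action/MDN-sent-automatically;processed"):
    return ("Reporting-UA: AS2 Server\n"
            f"Original-Message-ID: {mid}\n"
            f"Received-content-MIC: {mic}, sha1\n"
            f"Disposition: {disposition}\n")
```

A message that stays in `pending` past the agreed timeout has no receipt, so the sender cannot prove delivery and should resend or escalate.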

Page 30

AS2 Reality

• In 2002, Wal-Mart decreed that it would accept ONLY AS2 transactions, and ordered all trading partners to switch to AS2.

• Most other major retailers would soon follow suit.

• Today, it appears that the retail industry has adopted AS2 as its EDI transport, but other industry segments have yet to commit to AS2.

• Other options in use for secure EDI are:

– FTP/S (FTP using TLS).

– S/FTP (FTP using IPSEC).

– VPN.

• Between interconnects (the VANs), EDI is sent “in the clear” using FTP!

Page 31

Impact of Internet on EDI

• The migration from proprietary EDI networks to the Internet has dramatically lowered the cost of EDI services.

– Before the Internet, costs were typically $.20/KC or more

– Today, costs are under 0.10/KC

• Startup costs are lower because users no longer need special telecom setup.

– Just need a PC and an ISP!

• Consequently, EDI is now accessible to many more businesses than ever.

Page 32

Final Thoughts

• Standards are important - they facilitate interoperability

• To become “popular”, any new standard must present a low “barrier to entry”

– Must be easy to implement

– Must not require any (significant) changes to current business practices

• Build “new” technologies by applying existing technologies.

• The Internet and its related protocols are examples of this philosophy.