Re: Message Sequence Integrity

[Trevor Richards <trevr@xxxxxxxx>]

At 11:32 AM 2/16/96 -0500, Bob Lyons wrote:
>At 09:06 AM 2/16/96 -0600, Trevor Richards wrote:
>>Let's make sure that we don't impose controls at the communications layer
>>which are not in place in the underlying EDI standards.
> 
>Why? If the EDI standards met all of our security needs for doing EDI over
>the Internet, then there would be very little need for this work group.

I agree wholeheartedly that the current EDI standards leave a lot to be desired!

>If we don't have message sequence integrity, then how will EDI users protect
>themselves from replay attacks and the deletion of messages while in
>transit? To secure your EDI messages as they traverse the Internet, it's not
>enough to encrypt and apply digital signatures.

Do you envisage the responsibility for ensuring delivery being with the
sender, the receiver or both ? Receiving an acknowledgement of receipt from
the receiver for each transmission would satisfy the senders' requirement to
ensure delivery. The only way the receiver could check for either duplicate
transmissions of any EDI format (standard or mutually agreed) or missing
transmissions would be if we provided the option to include a "transmission
control number" (which is sequentially assigned by recipient) outside of the
EDI data being transmitted (as part of the MIME header ?). Is this an issue
that we should raise ?

 Trevor Richards			phone   : (512)345-3981
 Trinary Systems			fax     : (512)345-8705
 Austin, TX				e-mail  : richards@trinary.com