Corporate.Net
Safe And Secure Electronic Commerce
by Rik Drummond

The two issues holding back the widespread use of the Internet for business-to-business transactions are the absence of security and the lack of reliability. But if all goes well for a new Internet Engineering Task Force (IETF) working group, EDI Over Internet (EDIINT), and subsequent CommerceNet tests, we should see secure, interoperable Electronic Data Interchange (EDI) products for the Internet within six months.
These products will implement the basic technologies necessary to conduct secure, protected business-to-business electronic commerce, not just EDI, over the Internet. The use of the Internet for EDI--that is, for business-to-business document exchanges--could significantly reduce the cost of EDI for both small and large businesses. As businesses make the transition from the value-added networks (VANs) that carried this type of traffic to the Internet, they should see the cost of transmitting data reduced by 90 percent of the typical VAN charges over the short term, increasing slightly in cost as adjustments take place over time. This transition to the Internet also will allow a more cost-effective movement of large files. As this happens, we will see electronic purchase orders include product descriptions and graphics and catalog data with images and film clips, all attached to the normal EDI transactions.

But this isn't quite as simple as it sounds. Many believe that because the Internet initially is less expensive than transmitting data using a VAN, it will enable additional smaller companies to participate in EDI. VAN charges, however, are a relatively minor cost for a small business; the real burden is the requirement to implement and maintain an EDI translator. The introduction of Web technology to replace low-end EDI translators, on the other hand, will greatly speed the entry of small companies into electronic commerce. The IETF's EDI Over Internet working group will explore situations like this and recommend standards to replace the historic message-based VAN EDI with Internet messaging, keeping in mind the Web-based standards necessary to facilitate real-time EDI.

Message-Based EDI

The EDIINT working group is rapidly moving toward standardizing a key component of the messaging area.
Most users believe that solving the EDI-over-Internet issue will resolve many of the generic electronic commerce issues. But to achieve interoperability, the working group must define and receive consensus on requirements and standards, and then test these standards for interoperability. This last part involves CommerceNet, which hosts an interoperability test of products that meet the standards.

The Major Issues

Some 300 Internet and EDI experts have identified more than 24 major issues that must be solved before we can conduct reliable and secure business over the Internet. Eleven of these were deemed the highest priority, and they fall into three categories: detection and elimination of duplicate EDI messages; cryptography key management; and security of communications among trading partners.

The detection and elimination of duplicate EDI messages usually comes into play only when parties are transmitting, via Simple Mail Transfer Protocol (SMTP), transactions with very short reply requirements. One example is the just-in-time (JIT) processes used by many manufacturers, such as the auto industry. With JIT, stock supplies are not kept on hand, so manufacturers must have tight communications with suppliers to build and ship products on time. EDI translators already detect duplicates at their own level; it is not clear whether the SMTP level should also be responsible for tracking them. The EDIINT working group has tabled this requirement for the short term and will address it in a subsequent paper examining standards for real-time EDI over the Web. We question SMTP's ability to solve this problem, because of the store-and-forward nature of messaging systems, but we believe the Web can do so.

Many groups--including the National Institute of Standards and Technology (NIST), the IETF and the International Organization for Standardization (ISO)--are working on cryptography key management.
But several areas, such as certificate revocation, still must be addressed before the standards become completely interoperable. These efforts are based on the X.509 certificate, a basic component for interoperable certificates. It's fairly clear how to request, send and issue certificates. However, major issues remain unresolved in how to revoke an existing certificate. Revocation is needed, for instance, when a senior manager with purchasing authority quits.

Secure Communications Among Trading Partners

There are four requirements for secure communications: nonrepudiation of delivery/receipt; electronic signature; message confidentiality (encryption); and content integrity. These inhibit general electronic commerce as well, not just EDI (see "Secure Communication Requirements," at left). Electronic commerce experts say these requirements must be addressed before we can conduct secure EDI transactions over the Internet. Interestingly enough, four existing standards offer solutions to these requirements. The Message Security Protocol (MSP), established by the U.S. government, offers solutions to all four. The other three standards, Secure Multipurpose Internet Mail Extensions (S/MIME), Pretty Good Privacy/MIME (PGP/MIME) and Multipart Object Security Standard (MOSS), offer solutions to the last three requirements but not to the first (see "Encryption Scheme Comparison" on page 120). The EDIINT working group developed a large matrix comparing these four standards across 30 categories (for a condensed version, see "Internet Standards Overview," this page). On the basis of that matrix, two of the four security standards, S/MIME and PGP/MIME, were selected to meet the worldwide security requirements for EDI over the Internet.
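The gap the article points out (S/MIME and PGP/MIME supply signature, confidentiality and integrity, but not nonrepudiation of receipt) is commonly closed by having the receiver return its own signature over the message it verified. The following Go program is an added illustration, not code from the article or from the EDIINT working group: it shows the sender's signature, the receiver's integrity check, and the signed receipt in minimal form. Ed25519 and SHA-256 are assumptions chosen for brevity, and the purchase-order payload used in the test is constructed, not a real X12 document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Party is one trading partner with its own signing key pair (generated here for the example).
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty() *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Pub: pub, priv: priv}
}

// SignedMessage carries the EDI payload, its SHA-256 digest and the sender's signature over that digest.
type SignedMessage struct {
	Payload []byte
	Digest  [32]byte
	Sig     []byte
}

// Send signs the payload digest: electronic signature plus content integrity in one step.
func (p *Party) Send(payload []byte) SignedMessage {
	d := sha256.Sum256(payload)
	return SignedMessage{Payload: payload, Digest: d, Sig: ed25519.Sign(p.priv, d[:])}
}

// Receive recomputes the digest and checks the sender's signature. Only a valid message earns a
// receipt: the receiver's own signature over the digest, which the sender keeps as proof of delivery
// (the nonrepudiation of receipt that S/MIME and PGP/MIME alone do not provide).
func (p *Party) Receive(m SignedMessage, senderPub ed25519.PublicKey) (receipt []byte, ok bool) {
	if sha256.Sum256(m.Payload) != m.Digest || !ed25519.Verify(senderPub, m.Digest[:], m.Sig) {
		return nil, false
	}
	return ed25519.Sign(p.priv, m.Digest[:]), true
}

// VerifyReceipt lets the sender confirm the receiver signed a receipt for exactly this message.
func VerifyReceipt(receipt []byte, m SignedMessage, receiverPub ed25519.PublicKey) bool {
	return ed25519.Verify(receiverPub, m.Digest[:], receipt)
}
```

Confidentiality (encrypting the payload) is left out on purpose; the point shown is that a receipt signed over the verified digest is the one property the three mail-security standards in the comparison do not supply by themselves.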
Updated November 22, 1996