AS2 is an Internet Draft security standard defined by the IETF (Internet Engineering Task Force) and designed to allow business transactions to move securely over the Internet.
The AS2 specification describes how applications communicate Electronic Data Interchange (EDI) transaction data over the Internet using HTTP, in a secure and interoperable manner. AS2 emphasizes the following key aspects of data security:
Nonrepudiation of origin and receipt
AS2 specifies the means to connect and to deliver, validate, and reply to data, securely and reliably. The purpose of this chapter is to assist you in developing an AS2-compliant eXchange system deployment that is interoperable with other implementations used by your trading partners (TPs).
AS2 is an extension to Applicability Statement 1 (AS1), the standard for secure message transport based on the Simple Mail Transfer Protocol (SMTP). The extension from AS1 to AS2 consists mainly of compatibility with HTTP(S), that is, HTTP with the Secure Sockets Layer (SSL), and Secure/Multipurpose Internet Mail Extensions (S/MIME).
EDI-INT is an Internet Engineering Task Force (IETF) Working Group that exists to document the requirements and best practices for secure, interoperable EDI. The EDI-INT Requirements document contains sufficient background material to give the EDI community an explanation of any Internet-related issues.
The EDI-INT Requirements and Applicability Statements are general in nature, so they can be applied to all types of eBusiness transfers across nonsecure networks. The message payload itself does not have to be EDI. The data being transferred can be in the form of Extensible Markup Language (XML) business documents or any other data format.
AS1 is an Applicability Statement that described how then-current Internet standards could be leveraged to achieve EDI-INT using SMTP transport technologies. AS1 was published by the IETF EDI-INT Working Group.
AS2 is also an IETF EDI-INT Working Group specification. It extends AS1 to include real-time EDI based on S/MIME and HTTP(S). AS2 security constructs are the same as AS1, with the addition of session-based cryptographic features and authentication.
HTTP header package: RFC2616/RFC2045
Encryption package: RFC2633 (application/pkcs7-mime)
Digitally signed package: RFC1847 (multipart/signed) (encrypted)
Message payload: RFC2376 (application/xml) (encrypted)
Digital signature: RFC2633 (application/pkcs7-signature) (encrypted)
The HTTP header is the outermost package, which is supplemented by the headers of the encryption package, which envelops the signed multipart, which in turn binds the payload and signature parts.
Figure 1–1 shows a diagram of the basic AS2 protocol message format.
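The layering described above can be checked structurally on the receiving side before any payload is processed. The following Python sketch is an added example, not code from eXchange or the AS2 specification: the function names and sample bytes are constructed for illustration, decryption and cryptographic signature verification are assumed to happen elsewhere, and the smime-type and micalg parameters come from the S/MIME and multipart/signed RFCs rather than from this chapter.

```python
from email import message_from_bytes
from email.message import Message

SIG_TYPE = "application/pkcs7-signature"

def check_envelope(content_type_header):
    """Outermost MIME layer: the HTTP Content-Type must name the encryption package."""
    hdr = Message()
    hdr["Content-Type"] = content_type_header
    if hdr.get_content_type() != "application/pkcs7-mime":
        return ["body is %s, not application/pkcs7-mime" % hdr.get_content_type()]
    # The same media type also carries signed-only data, so check smime-type.
    # Treating a missing smime-type as a finding is this example's policy choice.
    if (hdr.get_param("smime-type") or "").lower() != "enveloped-data":
        return ["pkcs7-mime without smime-type=enveloped-data: may not be encrypted"]
    return []

def check_signed_entity(decrypted):
    """Inner layer: multipart/signed binding exactly one payload and one signature."""
    msg = message_from_bytes(decrypted)
    if msg.get_content_type() != "multipart/signed":
        return ["decrypted content is %s, not multipart/signed" % msg.get_content_type()]
    findings = []
    if (msg.get_param("protocol") or "").lower() != SIG_TYPE:
        findings.append("protocol parameter is not " + SIG_TYPE)
    if not msg.get_param("micalg"):
        findings.append("micalg parameter missing")
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        findings.append("expected 2 parts (payload, signature), found %d" % len(parts))
    elif parts[1].get_content_type() != SIG_TYPE:
        findings.append("second part is %s, not %s" % (parts[1].get_content_type(), SIG_TYPE))
    return findings

# Constructed sample of an already-decrypted entity; "AAAA" stands in for a real signature.
SAMPLE = (
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    b'micalg=sha1; boundary="b1"\r\n\r\n'
    b'--b1\r\nContent-Type: application/xml\r\n\r\n<order id="1"/>\r\n'
    b'--b1\r\nContent-Type: application/pkcs7-signature\r\n'
    b'Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n'
)

if __name__ == "__main__":
    print(check_envelope('application/pkcs7-mime; smime-type=enveloped-data'))
    print(check_signed_entity(SAMPLE))
```

An empty list means the packaging matches the expected layers; it says nothing about whether the signature itself is valid.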
The following list details references for the packaging layers for S/MIME signed, encrypted messages: