AS4 Profile of ebMS V3 Version 1.0

Committee Draft 01 / Public Review Draft 01

20 February 2009

Specification URIs:

This Version:

http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/200707/AS4-profile-cd-01.pdf (Authoritative)

http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/200707/AS4-profile-cd-01.html

http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/200707/AS4-profile-cd-01.odt

Previous Version:

N/A

Latest Version:

http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/200707/AS4-profile.pdf

http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/200707/AS4-profile.html

http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/profiles/200707/AS4-profile.odt

Technical Committee:

OASIS ebXML Messaging Services TC

Chair:

Ian Jones, British Telecommunications plc <ian.c.jones@bt.com>

Editor:

Jacques Durand, Fujitsu Computer Systems <jdurand@us.fujitsu.com>

Related Work:

This specification is related to:

• OASIS ebXML Messaging Services Version 3.0: Part 1, Core Specification

Declared XML Namespace:

http://docs.oasis-open.org/ebxml-msg/ns/ebms/v3.0/profiles/200707

Abstract:

This document is a profile of the ebMS-3 specification [ebMS3]. It defines some conformance profiles that support specific messaging styles or context of use.

Status:

This document was last revised or approved by the ebXML Messaging Services Committee on the above date. The level of approval is also listed above. Check the "Latest Version" or "Latest Approved Version" location noted above for possible later revisions of this document.

Technical Committee members should send comments on this specification to the Technical Committee's email list. Others should send comments to the Technical Committee by using the "Send A Comment" button on the Technical Committee’s web page at
http://www.oasis-open.org/committees/ebxml-msg/

For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page at
http://www.oasis-open.org/committees/ebxml-msg/ipr.php

The non-normative errata page for this specification is located at
http://www.oasis-open.org/committees/ebxml-msg/

Notices

Copyright © OASIS® 2009. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.

OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.

The names "OASIS", ebXML, ebXML Messaging Services, ebMS are trademarks of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see http://www.oasis open.org/who/trademark.php for above guidance.

1 Introduction

The AS4 profile of the ebMS V3 OASIS standard is intended to achieve the same functionality as AS2, while leveraging the features of the recent ebMS V3 standard. The main features of interest are compatibility with Web services standards, message pulling capability, and a built-in Receipt mechanism .

Profiling ebMS V3 means:

• defining of a subset of ebMS V3 options to be supported by the AS4 handler,

• deciding which types of message exchanges must be supported, and how these exchanges should be conducted (level of security, binding to HTTP, etc.)

• deciding of AS4-specific message contents and practices (how to make use of the ebMS message header fields, in an AS4 context).

• deciding of some operational best practices, for the end-user.

The overall goal of a profile for a standard is to ensure interoperability by:

• Establishing particular usage and practices of the standard within a community of users,

• Defining the subset of features in this standard that needs to be supported by an implementation.

Two kinds of profiles are usually to be considered when profiling an existing standard:

1. Conformance Profiles. These define the different ways a product can conform to a standard, based on specific ways to use this standard. A conformance profile is usually associated with a specific conformance clause. Conformance profiles are of prime interest for product managers and developers: they define a precise subset of features to be supported.

2. Usage Profiles (also called Deployment Profiles). These define how a standard should be used by a community of users, in order to ensure best compatibility with business practices and interoperability. Usage profiles are of prime interest for IT end-users: they define how to configure the use of a standard (and related product) as well as how to bind this standard to business applications. A usage profile usually points at required or compatible conformance profile(s).

AS4 is defined as a combination of:

• A couple of AS4 Conformance Profiles (see section 2), that define the subset of ebMS V3 features to be supported by an AS4 implementation.

• An AS4 Usage Profile (section 4) that defines how to use an AS4-compliant implementation in order to achieve similar functions as specified in AS2.

Two AS4 conformance profiles (CP) are defined below:

(1) the AS4 ebHandler CP. This conformance profile supports both Sending and Receiving roles, and for each role both message pushing and message pulling.

(2) the AS4 light Client CP. This conformance profile supports both Sending and Receiving roles, but only message pushing for Sending and message pulling for Receiving. In other words, it does not support incoming HTTP requests, and may have no IP address.

Compatible existing conformance profiles for ebMS V3 are:

• Gateway RM V3 or Gateway RX V3: an MSH product implementing any of these profiles will also be conforming to the AS4 ebHandler CP (the reverse is not true).

NOTE: Full compliance to AS4 actually requires and/or authorizes a message handler to implement a few additional features beyond the above CPs. These features are described in Section 3.

1.1 Terminology

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119.

1.2 Normative References

[ebMS2] OASIS ebXML Message Service Specification Version 2.0, April 1, 2002. http://www.oasis-open.org/committees/ebxml-msg/documents/ebMS_v2_0.pdf

[ebMS3] OASIS ebXML Messaging Services, Version 3.0: Part 1, Core Features, 2007. http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/core/ebms_core-3.0-spec.pdf

[ebMS3-CP] OASIS ebXML Messaging Services, Version 3.0: Conformance Profiles, CD3, 2008. http://www.oasis-open.org/committees/document.php?document_id=29854

[GZIP] GNU Gzip Manual, Free Software Foundation, 2006. http://www.gnu.org/software/gzip/manual/index.html

[RFC2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2119, March 1997. http://www.ietf.org/rfc/rfc2119.txt

[RFC2045] N Freed, et al, Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies, 1996. http://www.ietf.org/rfc/rfc2119.txt

[SOAPATTACH] J. Barton, et al, SOAP Messages with Attachments, 2000 http://www.w3.org/TR/SOAP-attachments

[WSIAP10] WS-I Attachment Profile V1.0, Web-Services Interoperability Consortium, 2007. http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicprofile

[WSIBP20] WS-I Basic Profile V2.0 (draft), Web-Services Interoperability Consortium, 2009. http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicprofile

[WSIBSP11] Abbie Barbir, et al, eds, Basic Security Profile Version 1.1, Web-Services Interoperability Consortium, 2006. http://www.wsi.org/Profiles/BasicSecurityProfile-1.1.html

[ebBP-SIG] OASIS ebXML Business Process TC, ebXML Business Signals Schema, 2006.<http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0>

[WSS11] Anthony Nadalin, et al, eds., Web Services Security: SOAP Message Security 1.1, 2005.http://docs.oasis-open.org/wss/v1.1/

1.3 Non-normative References

[ebMS3-CP] OASIS ebXML Messaging Services, Version 3.0: Conformance Profiles, CD3, 2008. http://www.oasis-open.org/apps/org/workgroup/ebxml-msg/document.php?document_id=29854

[ebCPPA] OASIS, Collaboration-Protocol Profile and Agreement Specification Version 2.0, http://www.oasis-open.org/committees/ebxml-cppa/documents/ebCPP-2_0.pdf, September 23, 2002.

[ebDGT] OASIS, ebXML Deployment Guide Template Specification Version 1.0 (ebXML IIC) http://www.oasis-open.org/apps/org/workgroup/ebxml-iic/download.php/1713/ebMS_Deployment_Guide_Template_10.doc, April 7, 2003.

[BPSS] ebXML, ebXML Business Process Specification Schema Version 1.0.1, http://www.ebxml.org/specs/ebBPSS.pdf, May 11, 2001.

2 AS4 Conformance Profiles for ebMS V3

2.1 The AS4 ebHandler Conformance Profile

The AS4 ebHandler is identified by the URI:

http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/cprofiles/200809/as4ebhandler

2.1.1 Features Set

AS4 CP is defined as follows, using the table template and terminology provided in Appendix F (“Conformance”) of the core ebXML Messaging Services V3.0 specification [ebMS3].

2.1.2 WS-I Conformance Profiles

The Web-Services Interoperability consortium has defined guidelines for interoperability of  SOAP messaging implementations. In order to ensure maximal interoperability across different SOAP stacks, MIME and HTTP implementations, this conformance profile requires compliance with the following WS-I profiles:

• Basic Security Profile (BSP) 1.1 [ WSIBSP11]

• Attachment Profile (AP) 1.0, [WSIAP10] with regard to the use of MIME and SwA.

Notes:

• Compliance with AP1.0 would normally require compliance with BP1.1, which in turn requires the absence of SOAP Envelope in the HTTP response of a One-Way (R2714). However, recent BP versions such as BP1.2 [WSIBP12] override this requirement. Consequently, the AS4 ebHandler conformance profile does not require conformance to these deprecated requirements inherited from BP1.1 (R2714, R1143) regarding the use of HTTP.

• The above WS-I profiles must be complied with within the scope of features exhibited by the AS4 ebHandler conformance profile. For example, since only SOAP 1.2 is required by AS4 ebHandler, the requirements from BSP 1.1 that depend on SOAP 1.1 would not apply. Similarly, none of the requirements for DESCRIPTION (WSDL) or REGDATA (UDDI) apply here, as these are not used.

This conformance profile may be refined in a future version to require conformance to the following WS-I profiles, once approved and published by WS-I:

• Basic Profile 2.0 (BP2.0)

2.1.3 Processing Mode Parameters

Summary of P-Mode parameters that must be supported by an implementation conforming to this profile. Fore each parameter, either:

• full support is required: an implementation is supposed to support the possible options for this parameter.

• Support for a subset of values is required.

• No support is required: an implementation is not required to support the features controlled by this parameter, and therefore not required to understand this parameter.

0. General PMode parameters:

• (PMode.ID: support not required)

• (PMode.Agreement: support not required)

• PMode.MEP: support for: http://www.oasis-open.org/committees/ebxml-msg/one-way

• PMode.MEPbinding: support for: http://www.oasis-open.org/committees/ebxml-msg/{ push, pull}

• PMode.Initiator.Party: support required.

• PMode.Initiator.Role: support required.

• PMode.Initiator.Authorization.username and PMode.Initiator.Authorization.password: support for: wsse:UsernameToken.

• PMode.Responder.Party: support required.

• PMode.Responder.Role: support required.

• PMode.Responder.Authorization.username and PMode.Responder.Authorization.password: support for: wsse:UsernameToken.

1. PMode[1].Protocol:

• PMode[1].Protocol.Address: support for “http” scheme.

• PMode[1].Protocol.SOAPVersion: support for SOAP 1.2.

2.PMode[1].BusinessInfo:

• PMode[1].BusinessInfo.Service: support required.

• PMode[1].BusinessInfo.Action: support required.

• PMode[1].BusinessInfo.Properties[]: support required.

• (PMode[1].BusinessInfo.PayloadProfile[]:not required)

• (PMode[1].BusinessInfo.PayloadProfile.maxSize: not required)

3. PMode[1].ErrorHandling:

• (PMode[1].ErrorHandling.Report.SenderErrorsTo: support not required)

• PMode[1].ErrorHandling.Report.ReceiverErrorsTo: support required (for address of the MSH sending the message in error or for third-party).

• PMode[1].ErrorHandling.Report.AsResponse: support required (true/false).

• (PMode[1].ErrorHandling.Report.ProcessErrorNotifyConsumer support not required)

• PMode[1].ErrorHandling.Report.ProcessErrorNotifyProducer: support required (true/false)

• PMode[1].ErrorHandling.Report.DeliveryFailuresNotifyProducer: support required (true/false)

4. PMode[1].Reliability:

none.

5. PMode[1].Security:

• PMode[1].Security.WSSVersion: support required for: {1.1 }

• PMode[1].Security.X509.Sign: support required.

• PMode[1].Security.X509.Signature.Certificate: support required.

• PMode[1].Security.X509.Signature.HashFunction: support required.

• PMode[1].Security.X509.Signature.Algorithm: support required.

• PMode[1].Security. X509.Encryption.Encrypt: support required.

• PMode[1].Security.X509.Encryption.Certificate: support required.

• PMode[1].Security.X509.Encryption.Algorithm: support required.

• (PMode[1].Security.X509.Encryption.MinimumStrength: support not required)

• PMode[1].Security.UsernameToken.username: support required.

• PMode[1].Security.UsernameToken.password: support required.

• PMode[1].Security.UsernameToken.Digest: support required (true/false)

• (PMode[1].Security.UsernameToken.Nonce: not required)

• PMode[1].Security.UsernameToken.Created: support required.

• PMode[1].Security.PModeAuthorize: support required (true/false)

• PMode[1].Security.SendReceipt: support required (true/false)

• Pmode[1].Security.SendReceipt.ReplyPattern: support required (both “response” and “callback”))

2.2 The AS4 Light Client Conformance Profile

The AS4 light Client  is identified by the URI:

http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/cprofiles/200809/as4lightclient

2.2.1 Feature Set

2.2.2 WS-I Conformance Requirements

This conformance profile will require compliance with the following WS-I profile, once formally approved by WS-I (currently in Board approval draft status):

• Basic Profile 2.0 [WSIBP20]

Note: the above WS-I profile must be complied with within the scope of features exhibited by the AS4 Light Client ebMS conformance profile.

2.3 Conformance Profiles Compatibility

The AS4 profile is compatible with the following ebMS V3 conformance profiles, defined in [ebMS3-CP]:

• Gateway RM V2/3

• Gateway RM V3

• Gateway RX V2/3

• Gateway RX V3

AS4 may be deployed on any MSH that conforms to one of the above conformance profiles.

3 AS4 Additional Features

This section defines features that were not specified in ebMS V3 and therefore out of scope for the previous conformance profiles (ebHandler CP and Light Client CP). These features should be considered as additional capabilities that are either required by or made optional to AS4 implementations.

The profiling tables below can be used for adding user-defined profiling requirements to be adopted within a business community. Whenever the feature – or its profiling - is mandatory, the right-side column (Profile Requirement) will specify it.

3.1 Compression

Application payloads that are built in conformance with the SOAP Messages with Attachments [SOAPATTACH] specification may be compressed. Support for compression MUST then be provided by AS4 implementations. Compression of the SOAP envelope and/or payload containers within the SOAP Body of an ebMS Message is not supported.

To compress the payload(s) of a message build in conformance with the SOAP Messages with Attachments [SOAPATTACH] specification the GZIP [GZIP] compression algorithm MUST be used. Compression MUST be applied before payloads are attached to the SOAP Message.

The eb:PartInfo element in the message header that relates to the compressed message part, MUST have an eb:Property element with @name =“Compressed”:

 <eb:Property name="Compressed"/>

The content type of the compressed attachment MUST be "application/gzip".

These are indicators to the receiver that compression has been used on this part.

When compression, signature and encryption are required of the MSH, the message MUST be compressed prior to being signed and/or encrypted.

Packaging requirements:

• A eb:PartInfo/eb:PartProperties/eb:Property/@name="MimeType" value is RECOMMENDED to identify the mimetype of the payload before compression was applied.

• A eb:PartInfo/eb:PartProperties/eb:Property/@name="CharacterSet" value is RECOMMENDED to identify the character set of the payload before compression was applied.
  
  
  

Example:

<eb:PartInfo href="cid=foo@example.com" <mailto:cid=foo@example.com> >
<eb:PartProperties>
<eb:Property name="MimeType">application/xml</eb:Property>
<eb:Property name="CharacterSet">utf-8</eb:Property>

<eb:Property name="Compressed"/>
</eb:PartProperties>

<eb:PartInfo>

An additional PMode parameter is defined:

• PMode[1].PayloadService.Compression: {true / false}

True: some attached payload(s) may be compressed over this MEP segment.

False (default): no compression is used over this MEP segment.

NOTE: the requirement for Compression feature applies to both conformance profiles (AS4 ebHandler and AS4 light Client)

3.2 Reception Awareness features and Duplicate Detection

These capabilities are making use of the eb:Receipt as the sole type of acknowledgement that must be supported. Duplicate detection only relies on the eb:MessageInfo/eb:MessageId.

NOTE: these requirements apply to both conformance profiles (AS4 ebHandler and AS4 light Client)

Four additional PMode parameters are defined:

• PMode[1].ReceptionAwareness: (true / false)

• PMode[1].ReceptionAwareness.Replay: (true / false)

• PMode[1].ReceptionAwareness.Replay.Parameters:. (contains a composite string specifying: (a) maximum number of retries or some timeout, (b) frequency of retries or some retry rule). The string contains a sequence of parameters of the form: name=value, separated by either comas or ‘;’. Example: “maxretries=10,period=3000”, in case the retry period is 3000 ms.

• PMode[1].ReceptionAwareness.DuplicateDetection: (true / false)

• PMode[1].ReceptionAwareness.DetectDuplicates.Parameters: (contains a composite string specifying either (a) maximum size of message log over which duplicate detection is supported, (b) maximum time window over which duplicate detection is supported). The string contains a sequence of parameters of the form: name=value, separated by either comas or ‘;’. Example: “maxsize=10Mb,checkwindow=7D”, in case the duplicate check window is guaranteed of 7 days minimum.

3.3 Alternative Pull Authorization

In addition to the two authorization options described in the AS4 Conformance Profile (section 2.1.1), an implementation MAY optionally decide to support a third authorization technique, based on transient security (SSL or TLS).

SSL/TLS can provide certificate-based client authentication.  Once the identity of the Pulling client is established, the Security module may pass this identity to the ebms module, which can then associate it with the right authorization entry, e.g. the set of MPCs this client is allowed to pull from.

This third authorization option – compatible with AS4 although not specified in ebMS Core V3 - relies on the ability of the ebms module to obtain the client credentials. This capability represents an (optional) new feature.

Pull request authentication service, there may be no need for any WS-Security headers in the Pull request at all.

3.4 Semantics of Receipt in AS4

The notion of Receipt in ebMS V3 is not associated with any particular semantics. However, when combined with security (signing), it is intended to support Non Repudiation of Receipt (NRR).

In AS4, the eb:Receipt message serves both as a business receipt (its content is profiled in Section 2), and as a reception indicator, being a key element of the reception awareness feature. No particular delivery semantics can be assumed however: the sending of an eb:Receipt only means the following, from a message processing viewpoint:

1. The related ebMS user message has been received and is well-formed.

2. The Receiving MSH is taking responsibility for processing this user message, However, no guarantee can be made that this user message will be ultimately delivered to its Consumer application (this responsibility lays however now on the Receiver side).

The meaning of NOT getting an expected Receipt, for the sender of a related user message, is one of the following:

1. The user message was lost and never received by the Receiving MSH.

2. The user message was received, but the eb:Receipt was never generated, e.g. due to a faulty configuration (PMode).

3. The user message was received, the eb:Receipt was sent back but was lost on the way.

See section 4.1.8 for AS4 usage rules about Receipts.

4 AS4 Usage Profile of ebMS 3.0

While the previous sections were describing messaging handler requirements for AS4 compliance (i.e. mostly intended for product developers), this section is about configuration and usage options.

This section is split in two major subsections:

• The AS4 Usage Rules: this section is stating the rules for using messaging features in an AS4-compliant way.

• The AS4 Usage Agreements: this section is reminding the users of what are the main options left open by the AS4 profiles, that they have to agree on in order to interoperate.

Both sections are about features that are under responsibility of the user when using an AS4-compliant product.

4.1 AS4 Usage Rules

4.1.1 Core Components / Modules to be Used

This table summarizes which functional modules in the ebMS V3 specification are required to be implemented by the AS4 profile, and whether or not these modules are actually profiled for AS4.

4.1.2 Bundling rules

4.1.3 Security Element

4.1.4 Signing Messages

4.1.5 Signing SOAP with Attachments Messages

4.1.6 Encrypting Messages

4.1.7 Encrypting SOAP with Attachments Messages

4.1.8 Generating Receipts

4.1.9 MIME Header and Filename information

4.2 AS4 Usage Agreements

This section defines the operational aspect of the profile: configuration aspects that users have to agree on, mode of operation, etc.

All the user agreement options related to a specific type of message exchange instance (e.g. related to a specific type of business transaction) are controlled by the Processing Mode (PMode) parameters defined in the ebMS Core V3 specification. This section only lists the parameters that are particularly relevant to AS4.

4.2.1 Controlling Content and Sending of Receipts

4.2.2 Error Handling Options

4.2.3 Securing the PullRequest

4.2.4 Reception Awareness Parameters

4.2.5 Default Values of Some PMode Parameters

4.2.6 HTTP Confidentiality and Security

4.2.7 Deployment and Processing requirements for CPAs

4.2.8 Message Payload and Flow Profile

4.2.9 Additional Deployment or Operational Requirements

1. Sample Messages

Receipts Samples

When the NonRepudiationInformation element is used in a Receipt, it contains a sequence of MessagePartNRInformation items for each message part for which evidence of non repudiation of receipt is being provided. In the normal default usage, these message parts are those that have been signed in the original message. Each message part is described with information defined by an XML Digital Signature Reference information item. The following example illustrates the ebMS V3 Signal Message header.

<eb3:Messaging Soap12:mustUnderstand="true" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id=”ValueOfMessagingHeader”>
<eb3:SignalMessage>
<eb3:MessageInfo>
<eb3:Timestamp>2009-11-06T08:00:09Z</eb3:Timestamp>
<eb3:MessageId>orderreceipt@seller.com</eb3:MessageId>
<eb3:RefToMessageId>orders123@buyer.com</eb3:RefToMessageId>
</eb3:MessageInfo>
<eb3:Receipt>
<ebbp:NonRepudiationInformation>
<ebbp:MessagePartNRInformation>
<dsig:Reference URI="#5cb44655-5720-4cf4-a772-19cd480b0ad4">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>o9QDCwWSiGVQACEsJH5nqkVE2s0=</dsig:DigestValue>
</dsig:Reference>
</ebbp:MessagePartNRInformation>
<ebbp:MessagePartNRInformation>
<dsig:Reference URI="cid:a1d7fdf5-d67e-403a-ad92-3b9deff25d43@buyer.com">
<dsig:Transforms>
<dsig:Transform Algorithm="http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>iWNSv2W6SxbOYZliPzZDcXAxrwI=</dsig:DigestValue>
</dsig:Reference>
</ebbp:MessagePartNRInformation>
</ebbp:NonRepudiationInformation>
</eb3:Receipt>
</eb3:SignalMessage>
</eb3:Messaging>

For a signed receipt, a Web Services Security header signing over (at least) the signal header is required. An example WS-Security header is as follows :

<wsse:Security s:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
 xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <wsu:Timestamp wsu:Id="_1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2009-11-06T08:00:10Z</wsu:Created>
<wsu:Expires>2009-11-06T08:50:00Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="_2"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIFADCCBGmgAwIBAgIEOmitted</wsse:BinarySecurityToken>
<ds:Signature Id="_3" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#ValueOfMessagingHeader">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="xsd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>ZXnOmitted=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>rxaP4of8JCpUkOmitted=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:Reference URI="#_2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>

2. Acknowledgments

The following individuals were members of the committee during the development of this specification or of a previous version of it:

Timothy Bennett, Drummond Group Inc. <timothy@drummondgroup.com>

Ian Jones, British Telecommunications plc <ian.c.jones@bt.com>

Jacques Durand, Fujitsu <jdurand@us.fujitsu.com>

Dale Moberg, Axway <dmoberg@axway.com>

Richard Emery, Axway <remery@us.axway.com>

John Voss, CISCO <jovoss@cisco.com>

3. Revision History