The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / rfc / 3 / rfc1865.txt < prev next >

Wrap

Text File | 2003-06-11 | 96.1 KB | 2,300 lines

Network Working Group W. Houser Request for Comments: 1865 Dept. of Veterans Affairs Category: Informational J. Griffin Athena Associates C. Hage C. Hage Associates January 1996 EDI Meets the Internet Frequently Asked Questions about Electronic Data Interchange (EDI) on the Internet Status of this Memo This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract This memo is targeted towards the EDI community that is unfamiliar with the Internet, including EDI software developers, users, and service providers. The memo introduces the Internet and assumes a basic knowledge of EDI. Table of Contents 1. Introduction ................................................ 4 1.1. What is this document .................................... 4 1.2. What do you mean by electronic data interchange (EDI) ? . 4 1.3. What are the X12 Standards that I should be aware of ? .. 4 1.4. To whom do I send comments and suggestions ? ............. 5 1.5. How can I get a copy of this document? ................... 5 2. General Information ......................................... 6 2.1. What is the Internet ? .................................. 6 2.2. Is there a difference between EDI and electronic commerce (EC) ? ............................... 6 2.3. What makes the Internet useful for EDI ? ................ 6 2.4. Does this means we will now have to coordinate our EC/EDI activities with the Internet? .................... 7 2.5. How do I find the addresses of other Trading partners on the Internet if I don't have to coordinate my EDI activities with a central organization or VAN? .......... 7 2.6. How fast is the Internet? ............................... 7 2.7. What about reliability of the Internet? ................. 7 2.8. What are RFCs and where can I get them ? ................ 8 Houser, et al Informational [Page 1] RFC 1865 EDI Meets the Internet January 1996 2.9. Where can I get general information about the Internet? . 8 3. Getting Connected To The Internet ........................... 9 3.1. What do I need to get to use the Internet? .............. 9 3.2. What software is used to support electronic mail? ....... 9 3.3. What types of client-server or server-server protocols exist on the Internet? ........................ 10 3.4. What methods exist to broadcast information across the Internet? ........................................... 12 3.5. What are the ways to connect to the Internet ? .......... 13 4. Organizational Issues ....................................... 15 4.1. Why is the way we currently do EDI so limiting to its growth? .................................................. 15 4.2. My organization has an internal automated system for processing requisitions and issuing purchase orders, but it does not create the X12 formatted EDI transactions; what should we do ? ........................................... 16 4.3. My organization already has a dial-in bulletin board service (BBS) where we post transactions; should we keep it? .................................................. 16 4.4. My organization currently has a Trading Partner Agreement with each trading partner we're currently doing business with. Can we keep them ? .................. 16 4.5. It would be nice to get more trading partners and/or more competition, but I'm worried about getting too many transactions to be able to handle them. Has this been a problem ? ................................................ 17 4.6. Does this mean that I'll receive more messages ? ......... 17 4.7. If we see a transaction posted on VAN, how do we respond in electronic format ? ........................... 18 4.8. My organization has an established bilateral relationship (such as an existing contract. Can we send these transactions via the Internet ? ............... 18 5. The Role Of Value Added Networks ............................ 18 5.1. What is a VAN? ................... ....................... 18 5.2. What is an Internet Service Provider (ISP)? .............. 19 5.3. How might an ISP be used for EDI? ........................ 19 5.4. Doesn't EDI presume the services of companies called Value Added Networks (VANs)? ............................. 19 5.5. If I can use X12 protocol and my VAN to send transactions, what is the benefit of using the Internet? ............................................ 20 5.6. Can we expect VANs to offer connections to other VANs via the Internet? ........................................ 20 5.7. How can I use the Internet directly for exchanging EDI messages without going through a VAN? .................... 20 5.8. Can the ISA 06 or 08 identify any entity other than the 'end' Trading Partners (i.e. a routing entity) ? ......... 21 Houser, et al Informational [Page 2] RFC 1865 EDI Meets the Internet January 1996 5.9. Can we specify both the recipient's address and their VAN address in the ISA ? ................................ 22 5.10. Are there other options for routing EDI X12 messages ? ............................................... 22 6. US Federal Involvement ...................................... 22 6.1. What is the commitment of the US Federal Government to EDI ? ................................................ 22 6.2. What is the timetable for the Federal effort ? .......... 23 6.3. Will the US Government use the Internet to send EDI transactions ? ...................................... 23 6.4. I heard the US Government prohibited commercial use of the Internet? ........................................ 24 6.5. The US Government is using both Internet and OSI E-mail protocols. What should one consider when choosing which to use ? ................................. 24 6.6. How is the US Government using VANs to distribute business opportunities? ................................. 25 6.7. How would use of the Internet for Federal procurement change this RFQ process? ................................ 25 7. EDI Resources On The Internet ............................... 26 7.1. Are EDI Standards available on the Internet ? ........... 26 7.2. Are EDIFACT Standards available on the Internet ? ....... 28 7.3. The EDI X12 standards are quite complex. How do we decide what X12 transactions to implement and how ? ..... 29 7.4. What Implementation Conventions (ICs) are available over the Internet ? ..................................... 29 7.5. How can a trading partner keep up with all these implementation conventions (ICs) and revisions in X12 and EDIFACT? ......................................... 31 7.6 Where can I get information on EDI translation software ? ............................................... 31 7.7. How do I keep in touch with others pursuing EDI and Electronic Commerce on the Internet ? .................... 32 7.8. Can I get messages that have been previously posted to the EDI mailing lists ? ............................... 35 7.9. How do I make EDI related material available to the Internet community ? .............................. 35 7.10. Where are EDI Archives on the Internet ? ................. 35 8. Security Considerations ..................................... 36 8.1. What security measures are needed to connect to the Internet ? ............................................... 36 8.2. How do we go about protecting our system ? ............... 36 8.3. Is there good publicly available software I can use? ..... 37 8.4. How good are electronic or digital signatures ? Can they be used in court ? .............................. 38 8.5. Are there other US government standards publications I should be aware of? .................................... 38 Houser, et al Informational [Page 3] RFC 1865 EDI Meets the Internet January 1996 9. References .................................................. 39 10. Credits .................................................... 40 11. Authors' Addresses ......................................... 41 1. Introduction 1.1. What is this document This document is informational in nature and attempts to answer frequently asked questions concerning the use of the Internet for Electronic Data Interchange (EDI). The primary audience is the EDI community that is unfamiliar with the Internet, including software developers, users, and service providers. The reader needs some understanding of EDI. Informational RFCs are prepared by the Internet Engineering Task Force (IETF) to improve understanding and effectiveness in the use of the Internet. 1.2. What do you mean by electronic data interchange (EDI) ? Except as noted, the document refers to EDI as the use of the 1) X12 standard developed by the ANSI Accredited Standards Committee X12 or 2) EDIFACT[1] standard United Nations Economic Commission for Europe (UN/ECE), Working Party for the Facilitation of International Trade Procedures (WP.4). The differences between these standards is beyond the scope of this FAQ. Both standards activities are managed in the US by: Data Interchange Standards Association, Inc, 1800 Diagonal Road, Suite 200 Alexandria, Virginia, 22314-2852 Voice: 703-548-7005 FAX: 703-548-5738 There are numerous other standards one could use for EDI, but discussion of them is not in the scope of this document. 1.3. What are the X12 Standards that I should be aware of ? ACCREDITED STANDARDS COMMITTEE (ASC) X12 Standards are available from DISA at the address specified in Question 1. The following is a good starting set of X12 standards. 1. ASC X12S/94-172, An Introduction to Electronic Data Interchange, DISA 1994 Publications Catalog Houser, et al Informational [Page 4] RFC 1865 EDI Meets the Internet January 1996 2. ASC X12.3 Data Element Dictionary 3. ASC X12.5 Interchange Control Structure 4. ASC X12.6 Application Control Structure 5. ASC X12.22 Segment Directory 6. ASC X12.58 Security Structures 1.4. To whom do I send comments and suggestions ? Readers are invited to add questions; please include an answer if you know or want to suggest one. Of course corrections and comments are welcome; send them to the IETF-EDI mail list by subscribing as described in question 7.6. Or a send your comment to houser.walt@forum.va.gov. 1.5. How can I get a copy of this document? Request for Comments documents (RFC) are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd rfc" and then "get rfc1865.txt". A Web address for the RFC is: ftp://ds.internic.net/rfc/rfc1865.txt RFC directories are located at: o Africa at: ftp.is.co.za (196.4.160.2) o Europe: nic.nordu.net (192.36.148.17) o Pacific Rim: munnari.oz.au (128.250.1.21) o US East Coast: ds.internic.net (198.49.45.10) o US West Coast: ftp.isi.edu (128.9.0.32) RFCs are also available by mail. Send a message to: mailserv@ds.internic.net. In the body type: "FILE /rfc/rfc1865.txt" NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Houser, et al Informational [Page 5] RFC 1865 EDI Meets the Internet January 1996 2. General Information 2.1. What is the Internet ? It is the inter-working of existing corporate and government networks using commonly used telecommunications standards. It is not a new physical network, although some new facilities may be needed. Rather, it is based on mutual interests of users to communicate more effectively via electronic message and file transfers. Internet communications may be interpersonal (person-to-person) E-Mail or process-to-process like EDI. Messages may be inquiries to shared databases and responses. Messages may be entire files. 2.2. Is there a difference between EDI and electronic commerce (EC) ? Electronic Data Interchange (EDI) is defined as the inter-process (computer application to computer application) communication of business information in a standardized electronic form. Electronic Commerce includes EDI, but recognizes the need for inter-personal (human to human) communications, the transfer of moneys, and the sharing of common data bases as additional activities that aid in the efficient conduct of business. By incorporating a wide range of technologies, EC is much broader than EDI. However, the focus of this document in on EDI, not electronic commerce. 2.3. What makes the Internet useful for EDI ? The greatest benefits will derive from: o Adoption of common standards and proven inter-operable systems, o Adoption and deployment of a distributed Directory Service capability, so that one can readily contact electronically any other organization in the world. o Explicit commitment by participating organizations to cooperatively route traffic, work to resolve addresses, and meet required standards. o Ubiquitous network coverage from many service providers. This allows the customer to choose the level of service needed. o Layering of applications (such as EDI) over existing, proven, applications. o A standards process with reference implementations which all vendors have equal access. (a.k.a. a level playing field). Houser, et al Informational [Page 6] RFC 1865 EDI Meets the Internet January 1996 o Widely available public domain software including but not limited to applications, protocol/transports and multiple platform development tools. 2.4. Does this means we will now have to coordinate our EC/EDI activities with the Internet? The Internet is not an organization or government agency. You use the Internet to do business like you would use the telephone. The same Internet connection your organization uses to send electronic mail would be the one you use to send EDI transactions. Software developers write EDI translators, packages or templates for your e- mail system so that you can handle your own EDI transactions. Your EDI activities do not need to be coordinated, but your connection to the Internet does. 2.5. How do I find the addresses of other Trading partners on the Internet if I don't have to coordinate my EDI activities with a central organization or VAN? The Internet works by assigning names or "domains" to networks/companies/machines. This is called the Domain Name Service (DNS). It works from a distributed tree structure. The Internet requires registration of your Internet Protocol (IP) address and Domain Name in the Domain Name Service (DNS). Your internet service provider can do this for you or assist you in contacting the right people to get your assigned addresses and domain names. 2.6. How fast is the Internet? For a modest amount of data with a dedicated connection, a message transmission would occur in a matter of seconds, unless the ISP selected one of the trading partners is overloaded. The maximum delay over the internet backbones is at most a few seconds. Like the interstate highway system, speed depends on how close you and your trading partner are to Internet backbones. Unfortunately, some areas may lack the capacity or "bandwidth" to handle the workload your organization requires. Contact your local Internet Service Provider for details on service in your area. Also, the more you are willing to spend, the better the service. The Internet is inexpensive, but (contrary to popular mythology) it is not free. 2.7. What about reliability of the Internet? For high reliability mission critical applications, redundant ISPs may be used (with separate backbones), and redundant mail servers at separate locations can be used. A single internet email or server address can be used to transparently route to any of the redundant Houser, et al Informational [Page 7] RFC 1865 EDI Meets the Internet January 1996 servers or network connections. If a dedicated Internet connection is used to transmit information, e.g., via SMTP (see questions 3.2 and 3.5), then the message is delivered directly to the trading partner's system and delivery is assured. If a part time store and forward connection is used, then the integrity of the message depends on the ISP or other computers used in the forwarding of a message. 2.8. What are RFCs and where can I get them ? RFC stands for Request For Comments. The RFC series of notes covers a broad range of topics related to computer communications. The core topics are the Internet and the TCP/IP protocol suite. There are three categories of RFCs today, Standards Track, Informational, or Experimental. Many of the RFCs describe de-facto standards in the Internet Community. Copies of RFCs are often posted to the USENET newsgroup comp.doc and obtainable from archive sites such as ds.internic.net. ftp://ds.internic.net/rfc/ 2.9. Where can I get general information about the Internet? Your local bookstore probably has one of the many recent introductory publications on the Internet. In addition, look for (or have someone get you) the following bibliographies for free: RFC 1175 Bowers, K., LaQuey, T., Reynolds, J., Roubicek, K., Stahl, M., and A. Yuan, "FYI on Where to Start - A Bibliography of Internetworking Information", 08/16/1990 (FYI 3) ftp://ds.internic.net/rfc/rfc1175.txt RFC 1463 Hoffman, E., and L. Jackson, "FYI on Introducing the Internet -- A Short Bibliography of Introductory Internetworking Readings for the Network Novice", 05/27/93 (FYI 19) ftp://ds.internic.net/rfc/rfc1463.txt The reader may want to look at the Frequently Asked Questions (FAQ) document for the newsgroup alt.internet.services. This FAQ, as well as all Usenet FAQs, can be retrieved via ftp from rtfm.mit.edu in the directory /pub/usenet/news.answers. These FAQs are also available Houser, et al Informational [Page 8] RFC 1865 EDI Meets the Internet January 1996 from ftp.sterling.com in the directory /usenet/news.answers. 3. Getting Connected To The Internet 3.1. What do I need to get to use the Internet? You need to know your existing telecommunications connectivity, address resolution, and routing capabilities. Then you need to establish and operate an Electronic Mail gateway and/or other application gateway, e.g., for the file transfer protocol (FTP). Larger organizations may supply their trading partners with the TCP/IP software and X12 translator interfaced to E-mail or FTP. 3.2. What software is used to support electronic mail? a) Simple Mail Transfer Protocol (SMTP) Servers A dedicated internet connection usually uses SMTP software to send and receive messages. The SMTP server may transfer messages to the "spool" area for incoming email in the file system, may queue the messages for transmission via UUCP, may hold mail in a POP server, or may transfer the message to a proprietary email system. b) Unix-to-Unix Copy (UUCP) Servers A UUCP server is used to transfer messages when a store and forward is used, either between machines within a WAN, or to another machine with a dialup link. c) Post Office Protocol (POP) mail Servers A POP server holds email which can later be retrieved by a client application run by the user, typically on a PC which might not be running 24 hours a day. The TCP/IP protocol is used either over a LAN or dialup SLIP connection to retrieve messages. d) Mail User Agents (Mail Readers) Uses or applications employ client programs to retrieve and display email messages from the file system mail spool area, or from another server computer using POP or some other proprietary protocol (e.g. Microsoft-Mail). This mail user agent (UA) software is also used to compose and send email via a POP server or system email. The mail user agent may also process attached files using a proprietary format within a mail message, using one of the common de-facto standards, or using the Multipurpose Internet Mail Houser, et al Informational [Page 9] RFC 1865 EDI Meets the Internet January 1996 Extensions (MIME) internet standard. Among other things, MIME permits the identification and concatenation of message parts (called "body parts") into a single message that can traverse the Internet using the SMTP protocol. The Work in Progress, "EDI in MIME" provides the necessary standards for MIME compliant user agents to identify EDI body parts. A MIME compliant mail reader can process the contents of the messages and dispatch data to external software. For example, files can be dragged to file system directories, images can be displayed, and audio data can be played. In the case of EDI, a message formatted according to the MIME-EDI specification could be automatically transferred to an EDI processing program. e) Automated Mail Processing A typical Mail User Agents is an interactive application. However there are automated email message processing programs which can sort incoming mail, process forms returned by others, or in the case of EDI data, transfer the message contents to the EDI system. Messages formatted according to the MIME EDI specification can be properly recognized by any MIME compliant mail processing program. 3.3. What types of client-server or server-server protocols exist on the Internet? Internet email is typically used for two party messaging. The FTP, gopher, and HTTP protocols allow many users, possibly anonymous, to retrieve data from a central source. For example, corporate catalogs can be restricted by potential customers. a) File Transfer Protocol (FTP) Companies with existing connectivity to the Internet may use FTP to transfer files to one-another or to their VAN. This solution employs the same TCP/IP used for SMTP. Furthermore, Internet documents such as EDI in MIME Work in Progress are available via FTP on the FTP server "ds.internic.net." b) gopher service protocol. Gopher service is a way of organizing selected documents and files on an Internet server in a simple tree menu, so that users on other Internet computers can find them easily. Most gopher menus are also linked to other gopher menus elsewhere, so that users can easily jump from one Internet server to another. There are thousands of gopher servers in operation worldwide. Houser, et al Informational [Page 10] RFC 1865 EDI Meets the Internet January 1996 c) The Hypertext Transfer Protocol (HTTP) HTTP defines http-server and http-clients that comprise the World Wide Web (WWW). WWW was developed by the European Laboratory for Particle Physics (CERN) as a tool for exchanging multimedia data between researchers. Although there is also no specification for graphics in HTTP, most web browsers are graphical in nature. Mosaic, available free from the National Center for Supercomputer Applications (NCSA), provides a Graphical User Interface (GUI) that facilitates user access to information on the Internet. Mosaic interprets hypertext based information on the WWW, as well as to other linked Index/Directory services such as Archie, FTP, Gopher, and X.500 Directory information. Mosaic also supports on line Graphic Interchange Format (GIF), Joint Photographic Experts Group (JPEG), Motion Picture Experts Group (MPEG), QuickTime, and other document, image, and audio types. Vendors have developed product catalogues using Mosaic servers. d) WHOIS WHOIS servers generally offer information about the organization to which they belong. There are many WHOIS servers scattered throughout the Internet. To obtain a list of registered WHOIS servers, anonymous FTP to rtfm.mit.edu and get the file /pub/whois/whois-servers.list. You can: o run a client program on your own machine to access the WHOIS server, o telnet to a site which hosts the server, eg: telnet to whois.internic.net and type help to access the full online help o send an email message to retrieve information from the database. eg: send email to mailserv@internic.net with a command in the Subject field. Any information in the body part of message will be ignored. ie. Subject: whois <search string> Therefore, to find information on the Internic Registration Service, the subject should contain: whois internic Moreover, to obtain help information on this service you can send two separate email with the following in their subject line, respectively: Houser, et al Informational [Page 11] RFC 1865 EDI Meets the Internet January 1996 help whois help 3.4. What methods exist to broadcast information across the Internet? There are also some usual methods to broadcast messages to multiple recipients as described below: a) Usenet News Usenet news is a cooperative broadcast of messages to all participants. Messages are organized into categories called newsgroups, and there are over 10,000 newsgroups carried by the major ISPs. Individual customers typically subscribe to some subset of these which is of interest to the organization. Messages are typically held for a week or two, then either archived or discarded. Some newsgroups are free form, i.e. anyone can post a message, while others are "moderated", i.e. require approval prior to posting. Though not currently used for any type of EDI, Usenet news could be used to broadcast RFQs. For example, comp.newprod is used to announce new products, and misc.jobs.wanted is used to announce job openings. b) Mailing Lists If the interest is limited, a mailing list may be used in lieu of a newsgroup. These are typically used for discussion groups or announcements of a particular nature. Mailing lists are typically open, i.e. anyone can "subscribe" by sending an email message to a server. For discussion groups, anyone can send a message to the server which is then rebroadcast to all subscribers. Since Internet email is extremely inexpensive, there is normally no charge for use of a mailing list, except for the content of e-magazines, etc. Sponsors of an email list typically provide the list as a public service. For example, a mailing list could be used to broadcast EDI RFQs, etc. Vendors might subscribe to various lists related to their product or service in order to receive messages sent by potential customers. Mailing lists could be provided by large companies for internal use, by industry organizations, or VANs. For example, a firm or government agency could sponsor various mailing lists for EDI RFQ's, new product announcements, etc. related to procurement. The organization could easily allow other potential customers to use the same mailing lists to contact vendors. All parties would benefit, and the improved access to vendors from an open mailing Houser, et al Informational [Page 12] RFC 1865 EDI Meets the Internet January 1996 list would more than offset the cost to support the mailing list server. Thus service might be available for free. 3.5. What are the ways to connect to the Internet ? The following provides a general overview of connectivity options now available: a) Dedicated Connection Typically a leased telephone line is used to connect a gateway computer or Typically a leased telephone line is used to connect a gateway computer or bridge/router of a corporate LAN/WAN to the router of the Internet Service Provider's (ISP) Point-Of-Presence (POP, not to be confused with the Post Office Protocol). The connection may be of various types and speeds, e.g. modem, ISDN, DS0, or DS1 line. With a dedicated connection, the SMTP protocol is typically used to deliver email directly to a trading partners system. Also, real-time client server applications can be run directly with a trading partners system, including information transferred using the FTP and HTTP protocols. Some ISPs provide optional services even with dedicated connections. For example, store and forward email on an ISP server can be used as a backup for a direct SMTP server operated by a trading partner. The ISP may offer disk space on their FTP and HTTP servers with a high speed connection to the Internet. For example, a trading partner might use a 14.4Kb modem for dedicated email transfers and use a 1.5Mb connection operated by the ISP to distribute FTP and HTTP information. b) On-demand Connection An on-demand connection operates like a dedicated connection, except a dialup ISDN or modem connection is used. If the link remains idle for a certain period of time, the connection is dropped. Some ISPs offer dial-out capability so any inbound or outbound traffic can reestablish the link. However, many ISPs require their customers to dial-in, so only outbound traffic and regular polling will establish the link. In the latter case, store and forward would likely be used for email, and the ISP servers would be used for FTP and HTTP information. Houser, et al Informational [Page 13] RFC 1865 EDI Meets the Internet January 1996 c) Part-time Polled Connection The Unix-to-Unix Copy (UUCP) protocol is typically used for email, news, and (rarely) file transfers. A client organization periodically dials the ISP and transfers email and Usenet news for the organization, then disconnects. Typically, the client polls the ISP at regular intervals, e.g. every 20 minutes, though some ISPs dial out when a message is to be delivered. Outgoing email can be sent immediately, or queued for transmission with a specified maximum delay. A UUCP connection may be used to transfer messages to an arbitrary number of people or automated mail processing programs. A single UUCP connection may also route messages to other systems, e.g. divisions within a corporation. UUCP and store-and-forward are synonymous. Since UUCP is only used to transfer mail and news messages, interactive internet client-server applications like FTP and HTTP are not available, except using a server provided by an ISP. Thus a separate dialup account might be needed to retrieve information from other FTP or HTTP servers. UUCP might be used for automated email transfer, and a on-demand dialup connection would be used for interactive internet client applications. Though UUCP accounts imply a delay (up to the polling interval) in processing a message, many ISPs allow a customer supplied script to process messages immediately on the ISP's machine. Though UUCP can be used to transfer files directly, usually files are transferred by encoding them within an email message. Transmission within internet email messages is much more widely supported and can be gatewayed into proprietary systems. d) Dial-up Shell Account With a dial-up account, a single user with a personal computer running a terminal emulator connects to the ISP's computer. Mail readers, news readers, HTTP browsers, etc. can be run on the ISP machine. Data on the ISP machine can be transferred to the personal computer manually using a protocol like X-Modem, Z-Modem, or Kermit. The ISP's host computer may run one of the usual UNIX command line (shell) programs, or may use a custom BBS or other menu driven user interface. A proprietary client-server program may be used in lieu of a terminal emulator to provide a graphic user interface. Some of the proprietary GUI clients provide access to selected internet applications, e.g. gopher. Houser, et al Informational [Page 14] RFC 1865 EDI Meets the Internet January 1996 A dialup ISP typically has a direct internet connection, however very low cost providers might only have a UUCP connection to the Internet. Some large proprietary networks such as CompuServe do not offer a direct internet connection, and only support UUCP email and, sometimes, Usenet news gateways to the Internet. d) Personal Serial Line Internet Protocol (SLIP) or Point to Point Protocol (PPP) Account A SLIP/PPP account is also available as a cross between the on demand and dial- up. Like the on-demand account, a single user can connect to an ISP and run mail reader, news reader, FTP, HTTP browser, etc. client applications directly from a personal computer. Unlike the on-demand account, the dial-out computer functions as a client only and not a server, and would be used by a single user rather than as a gateway to a LAN. With a SLIP/PPP account, the POP (Post-Office-Protocol) protocol is used for a user's mail reader client to retrieve messages stored in the ISP's server. Unlike, UUCP, the POP servers hold mail for a single user (i.e. individual email address). With a SLIP/PPP connection any standard TCP/IP application is tied directly into the internet. Thus unlike the proprietary GUI software supplied by the ISP, any TCP/IP client application can be used. A program such as TIA (The Internet Adapter) can be run on a shell account which allows a standard UNIX shell account to function as a SLIP/PPP account. However, some ISPs do not support TIA as they charge extra for SLIP. 4. Organizational Issues 4.1. Why is the way we currently do EDI so limiting to its growth? There is a tendency for each organization to establish is own rules and administrative policies, leading to rising costs of dealing with multiple trading partners, each in turn with its own requirements and procedures. However, new technologies and business practices are necessary if EDI is to move beyond the 30 to 40,000 organizations presently using EDI. According to Department of Labor and Internal Revenue Service statistics, there are about 6.2 million entities with employees and about 14 million other "business" entities. A business that wants to sell chairs, for example, would have to check with many different customers to see if they had any requirements. By making it possible for a business to use a common method to look for customers, the barriers entering to the electronic marketplace are Houser, et al Informational [Page 15] RFC 1865 EDI Meets the Internet January 1996 greatly eased. This does not mean that there is only one source that everyone goes to for a list of current business opportunities. Rather, a prospective supplier only needs to go to a single electronic marketplace. To communicate with each other, the various participants in electronic commerce need to harmonize their procedures and processes. Examples include common trading partner registration and the adoption of standard implementation conventions for EDI messages. 4.2. My organization has an internal automated system for processing requisitions and issuing purchase orders, but it does not create the X12 formatted EDI transactions; what should we do ? You could enhance your existing system, for example, by adding EDI translation software. VANs often offer EDI "translation" capabilities that convert flat text files into EDI X12 or EDIFACT format. This translation software may be designed with a particular technical solution in mind; carefully consider how the software would be used and what applications and telecommunications software would need to interact with it. You don't want to inadvertently lock yourself into using only one supplier. 4.3. My organization already has a dial-in bulletin board service (BBS) where we post transactions; should we keep it? Yes, but that puts you in the role of being your own VAN. By acting independently, organizations have established their own dial-up electronic bulletin board system with their own unique, but functionally equivalent, operating rules. Your BBS will be a little different that the next organization's, making it difficult for suppliers to access. By getting transactions from the VANs who specialize in moving information, your organization will get the widest circulation possible. You will be able to reach trading partners you may not even know existed, resulting in more competitive bids. Because of their idiosyncratic nature, BBS are not consistent with the idea of a "single face to industry" espoused by the Federal Government. 4.4. My organization currently has a Trading Partner Agreement with each trading partner we're currently doing business with. Can we keep them ? In the short run you may want to keep some Agreements in place to cover unique circumstances. But be careful not to create conflicting agreements and directions for your trading partners. Follow the procedures common to your particular line of business. In the long run, less is better. Hopefully, the introduction of EDI into common commercial practice will eliminate the need for EDI-specific Houser, et al Informational [Page 16] RFC 1865 EDI Meets the Internet January 1996 agreements. 4.5. It would be nice to get more trading partners and/or more competition, but I'm worried about getting too many transactions to be able to handle them. Has this been a problem ? The answers to this and related questions presupposes a willingness to participate in the open bidding process. While this process is a legal requirement for government agencies, many private organizations choose not to adopt the practice. The technology of the Internet facilitates competition, but the cost of putting these practices in place limit their value. This is a business decision, not a technical one. Will companies competitively procure critical supplies absent a long term relationship with the supplier? For essential inputs that will make or break customer satisfaction and productivity, the benefits of competition may not be worth the risks. Many organizations experience some increase in the number of transactions; for competitive procurements, the winning bid should be significantly better than those received prior to using the electronic system. The impact of an increase in volume needs to be evaluated on a situation by situation basis. For example, your acquisition support system may need to be re-engineered to quickly handle bids by ranking and presenting them to your buyers in low to high order. Your new or enhanced system should make it easy to receive and reply to any inter-personal messages that are sent and linked to a bid (that is, an SMTP/MIME message or the EDI X12.864 text message transaction set). 4.6. Does this mean that I'll receive more messages ? There is a strong likelihood the number of messages will increase as There is a strong likelihood the number of messages will increase as you reach more and more trading partners. After a reasonable trial period, your EDI trading partners should be relying on EDI and disinclined to use alternative forms of communication that don't fit EDI/EC. Once you use EDI/EC to communicate with a trading partner, you should consider discouraging the use of telephone calls or fax messages or other non-EDI/EC messages by pointing out the fact that telephone or fax messages are processed more slowly. By using electronic messaging, you can establish a written and dated audit trail. Your application system can route the message to the buyer and "attach" it to a "case file". However, if your organization does not use automated systems, you will want to adjust your approach to dealing with non-EDI messages. Houser, et al Informational [Page 17] RFC 1865 EDI Meets the Internet January 1996 4.7. If we see a transaction posted on VAN, how do we respond in electronic format ? This function is typically handled by applications software, not by the Internet. For example, a vendor that wishes to bid on a particular Request For Quotation (RFQ) would prepare a bid (X12-843) and send it via their VAN of choice. The identification information in the interchange control header (ISA) and functional group header (GS) will be interpreted by your VAN and forwarded to the buyer's VAN or to the buyer directly, depending on the reply address. VANs may reject messages from unregistered sources; otherwise they are forwarded to (or otherwise made available to) the buyer. If a buyer is using dial-up access to a VAN, then they will have to call-in for their messages. 4.8. My organization has an established bilateral relationship (such as an existing contract. Can we send these transaction via the Internet ? Yes, the Internet can be used to send transaction sets to existing trading partners via SMTP or FTP messages. VANs were typically used for bilateral relationships between companies, whereas the Internet is useful for establishing multilateral relationships. These bilateral relationships are usually quite stable, but both parties had to agree to share the same VAN or get their VANs to interconnect. Multilateral relationships are between organizations that don't necessarily have existing relationships and may be rather ephemeral. The Internet is suited to dynamic multilateral relationships that may later evolve into static bilateral relationships between companies using VANs. Therefore, the issues concerning the Internet (security, availability, etc.) are manageable in the early stages of forming a relationship. If your current VAN is not capable of using the Internet, you may need an alternative route for those messages. Later, as the business relationship matures, the use of VANs may be appropriate as the level of communication becomes more important. For example, unless your system has a directory of all registered trading partners, you lack the capabilities to screen and validate transactions that arrive at your site. 5. The Role Of Value Added Networks 5.1. What is a VAN? The use of EDI over the Internet is in the early stages, although the technology and services are developing remarkably rapidly. In the past, organizations doing EDI typically have relied on specialized firms called Value Added Networks (VANs) for technical assistance. Many of these organizations will look to their VAN for assistance in Houser, et al Informational [Page 18] RFC 1865 EDI Meets the Internet January 1996 using the Internet. VANs specializing in EDI applications provide technical support, help desk and troubleshooting for EDI and telecommunications problems. They assist in configuration of software, upgrades to telecommunications connectivity, data and computer security, auditing and tracing of transactions, recovery of lost data, service reliability and availability. Some EDI specific services can include broadcasting an RFQ to a collection of vendors, or storage of EDI information for later search and retrieval. 5.2. What is an Internet Service Provider (ISP)? VAN services have typically used proprietary network or a network gatewayed with a specific set of other proprietary networks. In contrast an Internet Service Provider (ISP) offers generic network access (i.e. not specific to EDI) for all computers connected to the internet. A direct internet connection permits real time computer- computer communication for client-server applications. Alternatively, a part time internet connection can be used to access internet servers using an on-demand basis, or access another system via email which includes a store and forward method. Internet email may be used as a gateway to proprietary networks if the proprietary network has an email gateway. 5.3. How might an ISP be used for EDI? Internet email can be configured for a dedicated connection with real-time transfers, or a store and forward method (like traditional VANs), or a combination of the two, e.g. where a direct delivery to a trading partners system is used when a link is operational, and a store and forward from an ISP is used as a backup. A large organization can connect their network to the Internet at an internet exchange point, however, most use a commercial ISP, either a major backbone provider, or local resellers of service off one or more backbones. The ISP provides technical assistance and access to local telecommunications links. 5.4. Doesn't EDI presume the services of companies called Value Added Networks (VANs)? EDI only specifies a format for business information; the transmission of the information is covered under other standards. A real world analog is sending a business form from one company to another. The "form" could be sent via US mail, US Registered mail, via private carrier (UPS/FEDEX) or simply faxed between the companies. EDI only requires that the trading partners follow the content standards. Houser, et al Informational [Page 19] RFC 1865 EDI Meets the Internet January 1996 5.5. If I can use X12 protocol and my VAN to send transactions, what is the benefit of using the Internet? The Internet E-mail standards have hierarchical address spaces that are defined and updated in what the Internet calls "domain name servers." Unfortunately, X12 has a flat address space. So, when you send an interchange (not via the Internet) to a partner who is on a different VAN, your VAN must do a table look up to figure out what VAN the receiving party is on. If you use only X12 without the Internet, before you can send a message to this partner, you must first contact the recipient's VAN and have them add you as an entry to his VAN's table. If the ISA contained the VAN ID of the recipient, then you could (in theory) send interchanges to partners via the VAN interconnects without having to notify the recipient's VAN first. However, this theory needs to be worked out in practice. In contrast, thanks to the domain name service, Internet e-mail users (and Postal users) don't have to call up their service provider before sending a message across an "interconnect" to another service provider. 5.6. Can we expect VANs to offer connections to other VANs via the Internet? All VANs connected to the Internet are connected to one another, thus avoiding most of the problems of interconnecting proprietary networks. VANs can then focus on services to their customers such as automatic bid submission, market and business opportunity analysis, and translation software. 5.7. How can I use the Internet directly for exchanging EDI messages without going through a VAN? You and your trading partner must agree on one of the Internet protocols for exchanging messages and then agree upon some details with the exchange. a) Email based messaging The simplest and most widely supported means of exchanging messages is via internet email. Typically, the IETF-MIME encapsulation specification would be used to enclose the EDI data within the email message, and the trading partners would need to agree upon an encryption method for secure email, typically PEM or PGP (see question 8.4). The trading partners would then exchange: 1. The internet email address for EDI messages 2. An internet email address for personal communications Houser, et al Informational [Page 20] RFC 1865 EDI Meets the Internet January 1996 related to EDI 3. Agreement on the encryption and digital signature protocols, including email acknowledgment, e.g. support for the "Return-Receipt-To:" email header, or X.400 extended email header fields. 4. Public Keys for PEM or PGP encryption and digital signatures. (or private keys for DES encryption) 5. Agreement on the format of the message, e.g. IETF MIME/EDI. A convention for naming email addresses might be established, e.g. edi@edi.xyzcorp.com for messages, ediinfo@xyzcorp.com for an automated response for human readable information on establishing internet EDI, and edisupport@xyzcorp.com for a personal contact. b) FTP based messaging To exchange EDI messages via FTP, some setup information must be included in the trading partner agreement. Typically, an account would be created for each trading partner for a FTP login, including a password. Typically, each X12 or EDIFACT message would be stored in a file, and the trading partner agreement would define the conventions for naming files and directories for the messages. The trading partner agreement would include: 1. FTP login name and password 2. Machine(s) from which the login will be accepted 3. Additional security protocols, e.g. Kerberos[?] 4. Directory and file naming conventions 5. File encryption protocols and keys 6. Wrappers around EDI data, e.g. MIME/EDI headers, PEM/PGP wrappers, etc. There are several compression routines and utilities available for virtually any computer system that uses the Internet. Many of these utilities will convert across platforms (say UNIX to Mac, UNIX to PC, and vise versa) and are available for free from one of several ftp archive servers. Use of these compression routines should be used with care when one is employing an encryption technique such as PEM or PGP. 5.8. Can the ISA 06 or 08 identify any entity other than the 'end' Trading Partners (i.e. a routing entity) ? Yes, although the ISA06 and ISA08 elements are supposed to be used to identify the sender and receiver of the interchange, the receiver of the interchange could be a clearinghouse (as well as a VAN) that Houser, et al Informational [Page 21] RFC 1865 EDI Meets the Internet January 1996 processes the interchange and then forwards the data to the ultimate recipient. In this case, you could put the receiver ID of the clearinghouse into the ISA08. The clearinghouse would probably have to determine the ultimate recipient of the message by looking inside the transaction set (or perhaps by using the GS03). Alternatively, you could put the receiver ID of the ultimate recipient into the ISA08 and the clearinghouse would route the interchange based on the ISA08 value (just as a VAN does). 5.9. Can we specify both the recipient's address and their VAN address in the ISA ? There was an X12 DM (data maintenance) request proposed to the X12 standards committee for a change to the ISA segment (X12 header information) that would allow users to specify the recipient's VAN, in addition to the recipient's ID. The intent was to provide a hierarchical address in the ISA. The top level would be the VAN ID, and the next level would be the recipient ID. To date, this DM has not been approved. 5.10. Are there other options for routing EDI X12 messages ? Yes, the GS02 and GS03 data elements can be used for a second level of routing. The GS03 is the application receiver's code. Some EDI users use the GS03 for routing a functional group to a particular department or application within the receiver's corporation. For example, you could use the ISA08 to identify the receiver as "Acme Corporation" and use the GS03 to identify the receiving application as the "Purchasing department (within Acme Corporation)". Many EDI users simply put the same value in the ISA06 and the GS02, and put the same value in the ISA08 and the GS03. Interestingly, there are VANs that will broadcast a message. Other VANs will map the value of the ISA08 into a distribution list VAN mailbox ids maintained by the VAN. Thus, each recipient receives the exact same copy of the interchange and the value of the ISA08 is not changed by the VAN. 6. US Federal Involvement 6.1. What is the commitment of the US Federal Government to EDI ? In the Federal Information Processing Standard (FIPS) 161-1 for Electronic Data Interchange[2], the US Government committed to using EDI X12 and EDIFACT standards in the exchange of business information with trading partners already using EDI. On October 26, 1993, President Clinton signed an Executive memorandum requiring Federal agencies to implement the use of electronic commerce in Federal purchases as quickly as possible. As the initial step the President's Management Council (PMC) Electronic Commerce Task Force Houser, et al Informational [Page 22] RFC 1865 EDI Meets the Internet January 1996 (ECTF), chaired by the Administrator, Office of Federal Procurement Policy (OFPP), chartered the Federal Electronic Commerce Acquisition Team (ECAT) memorandum. The PMC gave ECAT the task of defining the architecture for the government-wide electronic commerce acquisition system and identifying the executive departments or agencies responsible for developing, implementing, operating, and maintaining the Federal electronic system. ECAT has become the Federal Electronic Commerce Program Management Office (ECA-PMO). The National Institute or Science and Technology (NIST) maintains an HTML home page for the ECA-PMO: http://snad.ncsl.nist.gov/dartg/edi/fededi.html 6.2. What is the timetable for the Federal effort ? To implement EC and to achieve his objectives for EC, the President set forth the following four milestones: 1) By March 1994, define the architecture for the government-wide EC acquisition system and identify executive departments or agencies responsible for developing, implementing, operating, and maintaining the Federal electronic system. The ECAT identified the architecture and recommend actions that each agency should take. These documents are available via ftp at ds.internic.net in the directory /pub/ecat.library. ftp://ds.internic.net/pub/ecat.library/ 2) By September 1994, establish an initial EC capability to enable the Federal government and private suppliers to exchange standardized requests for quotations (RFQs), quotes, purchase orders, and notice of awards and begin government-wide implementation. 3) By July 1995, implement a full-scale Federal EC system that expands initial capabilities to include electronic payments, document interchange, and supporting data bases. 4) By January 1997, complete government-wide implementation of EC for appropriate Federal purchases, to the maximum extent possible. 6.3. Will the US Government use the Internet to send EDI transactions ? According to the ECAT, achieving the following objectives are essential for a successful ubiquitous government EDI capability: Houser, et al Informational [Page 23] RFC 1865 EDI Meets the Internet January 1996 1) E-mail systems may be used as the transport medium for EDI transactions. 2) FTP, FTAM, SMTP, X.400, or X.400 compatible substitutes are the preferable transport methods for EDI. 3) EDI functionality must be supported such that the user can choose between the Internet Protocol Suite (IPS) and Open Systems Interconnection (OSI) protocol support. 4) Directory services will be provided through the X.500 model as services become available. 5) Initial implementation of X.400 shall support the user agent services defined in P2 and P22 protocols. 6) By 1996, the X.400 implementations shall contain the services defined in the X.435 specification. 7) The Internet network may be used for EDI transactions when it is capable of providing the essential reliability, security, and privacy needed for business transactions. 6.4. I heard the US Government prohibited commercial use of the Internet? The Internet contains many Internet Service Providers (ISPs), each with its own internal policies governing the conduct of its customers. One of the largest ISPs is the National Science Foundation. At one time, NSF adopted what is called the Acceptable Use Policy of the National Science Foundation (NSF) was intended to prevent commercial uses of the original NSF-sponsored Internet telecommunications backbone. However, the growing number of commercial providers and backbones now part of the Internet have made this policy obsolescent. NSF is currently reducing its direct support in favor of subsidies to universities and other NSF sponsored organizations. Today the US Government is actively encouraging commercial uses of the Internet. 6.5. The US Government is using both Internet and OSI E-mail protocols. What should one consider when choosing which to use ? For more than a decade, Federal policy has been to promote the Open Systems Interconnection (OSI) telecommunications protocols developed by international standards bodies. Despite this policy, Government agencies, like the private sector, have invested far more in Internet than OSI compliant products. Marshall T. Rose's "The Internet Message"[3] compares the two alternative protocol suites and finds Houser, et al Informational [Page 24] RFC 1865 EDI Meets the Internet January 1996 clearly in favor of the IPS for messaging in general. For EDI specifically, the advantages of the IPS are its simplicity, wide availability, and security provided by Privacy Enhanced Mail (PEM, see below). IPS lacks a number of desirable features and incurs something of an efficiency penalty for binary transfers. On the other hand, the OSI standard for messaging handling service (X.400) promises a complete solution for EDI; the X.435 protocol includes responsibility notifications, X.500 directory support, EDI-specific addressing, message store support, message security, and other EDI- specific services. Unfortunately, only a handful of X.435 products have actually reached the market, their interoperability is not assured, and their prices are substantially greater than for their IPS counterparts. X.400 addressing tends to lock the customer into the domain of the service provider, whereas SMTP/MIME addresses are independent of the provider, permitting the customer to take his/her business elsewhere relatively easily. The bottom line is that a lot more organizations do EDI via the Internet than via OSI. 6.6. How is the US Government using VANs to distribute business opportunities? Presently, VANs make EDI request for quotation (RFQ) transactions available to their subscribers (along with other services). For example, a VAN client may ask that all RFQs for chairs be forwarded immediately to them but the client is not interested in being notified about RFQs for paper products. When a VAN sends an RFQ to a specific client mailbox, the VAN modifies the "to address" to that of the client. In this way, a vendor need only subscribe to a VAN that is certified to receive and post the RFQs. The vendor then sees a single source for all RFQs of interest, regardless of which buying organization originated them. The screening and filtering process performed by the VANs prevents the spread of electronic "junk" mail. However, a trading partner could use an email filtering program to filter and sort email, saving on VAN charges. 6.7. How would use of the Internet for Federal procurement change this RFQ process? Initially, very few changes may be apparent. New and existing VANs will use the Internet to collect and disseminate EDI transactions; trading partners may be totally unaware of the change in technology. Prices may fall as VANs share telecommunications resources through Internet Protocols rather than maintain their own costly proprietary telecommunications services. Instead of competing with VANs, the ubiquitous connectivity of the Internet offers VANs even greater business opportunities. General purpose Internet Service Providers (ISPs) do not typically offer EDI specific services, but they can provide an alternative means to transfer EDI messages at a small Houser, et al Informational [Page 25] RFC 1865 EDI Meets the Internet January 1996 fraction of the cost of typical EDI VANs. The impact of an organization's moving EDI onto the Internet, independent of a VAN, is more difficult to assess. In the view of some, the introduction of the Internet in the near term (1-5 years) adds additional interfaces and complexity to the organization's existing EDI environment. This may in the short term increase costs and raise new costs. But a corporate commitment to an open systems environment through the use of Internet Protocols offers the potential for a greater interoperability, integration of application systems, and therefore the promise of higher performance and lower costs. Some organizations will be able to get to these benefits others will pay for a set of largely incompatible services. The return on investment largely depends on one's ability to consider EDI on the Internet as a part of the organization's overall information systems strategy and the organization's plans for a presence on the Internet. 7. EDI Resources On The Internet 7.1. Are EDI Standards available on the Internet ? The Data Interchange Standards Association (DISA) has a World Wide Web server at "http://www.disa.org/" This Web server has considerable information, including a list of new standards, a list of all the X12 transaction sets, meeting minutes, calendar of events, and lists of courses. Unfortunately, as of this date, the X12 standards are not available electronically. [soap ...] Hopefully that will be added soon. [...soap]. DISA has also set up a gopher server (gopher.disa.org) and an FTP server (ftp.disa.org). The principle documents regarding ANSI ASC X12's planned alignment with EDIFACT are available on the World Wide Web. The alignment plan adopted by a mail ballot of X12 in December 1994/January 1995 is at http:/www.disa.org/info/alinplan.html The "floor motion" adopted at the X12 meeting in February 1995 is at: http:/www.disa.org/meetings/alinmotn.html The following mail lists and exploders support X12 and EDIFACT standards development work. Houser, et al Informational [Page 26] RFC 1865 EDI Meets the Internet January 1996 ------------------ X12G Mailing list: ------------------ This is a fully open exploder set up to support X12G. To subscribe send an e-mail message to: x12g-request@snad.ncsl.nist.gov The text of the message should only contain the following: subscribe x12g After you subscribe, you can broadcast your messages to the participants (who have subscribed) via the address x12g@snad.ncsl.nist.gov. --------------------- FED-REG Mailing list: --------------------- This new exploder is concerned with the federal EDI Registry and the implementation of IMPDEF within the registry, the EDI Viewers and Editors, and the use of IMPDEF to upgrade EDI products. The nature of this mailist calls for informal discussion focusing on pragmatic issues. To subscribe send an e-mail message to: fed-reg-request@snad.ncsl.nist.gov The text of the message should only contain the following: subscribe fed-reg Messages intended for the fed-reg list should be sent to: fed-reg@snad.ncsl.nist.gov ------------------------- X12C-IMPDEF Mailing list: ------------------------- This exploder deals with formal discussion in the context of X12 regarding the evolution of IMPDEF. If would expect that discussions in the context of the "fed-reg" exploder result in Houser, et al Informational [Page 27] RFC 1865 EDI Meets the Internet January 1996 formal DMRs submitted to "x12c-impdef" and X12C. Anyway, the process will be defined and controlled by the appropriate X12C authority. To subscribe send an e-mail message to: x12c-impdef-request@snad.ncsl.nist.gov The text of the message should only contain the following: subscribe x12c-impdef Messages intended for the fed-reg list should be sent to: x12c-impdef@snad.ncsl.nist.gov See section 7.7 for additional EDI related mailing lists. 7.2. Are EDIFACT Standards available on the Internet ? You can access the EDIFACT standards via GOPHER from the International Telecommunications Union (gopher://info.itu.ch). Here are the general directions in getting to the standards. 1. Launch the gopher client as gopher info.itu.ch 2. Select entry 11 (UN and international organizations) 3. Select entry 1 (UN EDITRANS, UN/EDIFACT (EDICORE)) 4. Select entry 3 (UN-EDIFACT Standards Database (EDICORE)) 5. Select entry 1, Publications. If you want the actual standards, select 1, Drafts. You will get D93A (which becomes the standard S94a) D94A (which will be next year's standard). If you want the UNTDED, select 2. If you want the UNTDID, select 3. When you get to the lowest level directory in which ever path you choose, press D (i.e. upper case D) to download. Choose the protocol that suits and you are the proud owner of an EDIFACT Standards Directory. For electronic mail retrieval, send your message to itudoc@itu.ch with no subject and the following message body: START GET ITU-1900 END Houser, et al Informational [Page 28] RFC 1865 EDI Meets the Internet January 1996 7.3. The EDI X12 standards are quite complex. How do we decide what X12 transactions to implement and how ? There are a number of generic implementation conventions (ICs) or guidelines; most ICs are prepared on an industry-by-industry basis. Be sure that both you and your current trading partners are working from the same set. The Federal Electronic Commerce for Acquisition Program Management Office has been promoting the 3040 version throughout the government and the private sector. Older versions may be used in accordance with the ASC X12 rules. Certain ICs are published by the Data Interchange Standards Association (DISA); contact DISA at the address above for information about ICs for your applications. Certain ICs as well as the X12 standards may be obtained through: Washington Publishing Company c/o EDI Support Services P.O. Box 203 Chardon, OH 44024-0203 US Phone (800) 334-4912 Non-US Phone (216) 974-7650 Fax (216) 974-7655 7.4. What Implementation Conventions (ICs) are available over the Internet ? The US. Federal Implementation Guidelines for Electronic Commerce for Acquisition are available for free via FTP at ds.internic.net. These cover X12 transaction sets 810, 820, 824, 836, 838, 840, 843, 850, 855, 864, and 997. The path is pub/ecat.library/fed.ic/xxx where xxx can be acrobat.pdf, postscript or ascii file formats. ftp://ds.internic.net/pub/ecat.library/fed.ic/ The SPEEDE/ExPRESS Project, funded by the National Center for Education Statistics of the U.S. Dept. of Ed., publishes an Implementation Guide for X12 transaction sets 130, 131, 146, 147, and 997. The July 1994 versions (each in WordPerfect and in Postscript) may be retrieved by anonymous FTP at admissions.carleton.ca. The WordPerfect 5.1 files are found in /pub/wp_speede_2 while the Postscript files are found in /pub/ps_guide_2. ftp://admissions.carleton.ca/pub/wp_speede_2/ ftp://admissions.carleton.ca/pub/psguide_2/ Complete directions for retrieving these files can be found in the AACRAO gopher at AACRAO-DEC.NCHE.EDU. Choose the SPEEDE/ ExPRESS Houser, et al Informational [Page 29] RFC 1865 EDI Meets the Internet January 1996 menu item, then Publications, and then select a version of the Implementation Guide. Note that guidelines are sometimes referred to by the release/version designation (currently 3040). The Defense Information Systems Agency (DISA) Center for Standards is the designated configuration manager for DoD Electronic Commerce/Electronic Data Interchange (EC/EDI) standards. The DoD EC/EDI Standards repository system, available via anonymous FTP from ftp.sterling.com in the /edi/DoD-edi/ directory, contains DoD EDI ICs separated into two categories, User and Test. ftp://ftp.sterling.com/edi/DoD-edi/ Test conventions are identical to User, except that the condition designator for all applicable transaction sets, data segments and data elements used by that convention are designated as Mandatory for test purposes. Implementation convention files, both user and test versions, can be downloaded either individually or all together in compressed self-extracting files. All the implementation files are available, when decompressed, in both WordPerfect 5.1/5.2 (.WP) file format and Standard Exchange Format (SEF) test files which are for use with EDISIM software or any other EDI software that conforms with the EDISIM .SEF file format. The /DoD-edi/2003_User & _Test directories contain draft DoD Implementation Conventions based on ANSI X12 Version 2 Release 3 (2003): 840 Request for Quotation 843 Response to Request for Quotation 850 Purchase Order 997 Functional Acknowledgement The /DoD-edi/3010_User & _Test directories contain draft DoD Implementation Conventions based on ANSI X12 Version 3 Release 1 (3010): 810 Invoice: 810 Commercial 810 Progress Payment 810 Public Voucher 840 Request for Quotation 843 Response to Request for Quotation 850 Purchase Order 997 Functional Acknowledgement Additional 2003 and 3010 based conventions may be added in the near future. 3010 based conventions will never progress to approved Houser, et al Informational [Page 30] RFC 1865 EDI Meets the Internet January 1996 status but will be used temporarily by various DoD agencies to implement phase I of the DoD Electronic Commerce (EC)/Electronic Data Interchange (EDI) in Contracting Report. The /DoD-edi/3050_User directory contains draft DoD Implementation Conventions based on ANSI X12 Version 3 Release 5 (3050): 840 Request for Quotation 843 Response to Request for Quotation 850 Purchase Order 855 Purchase Order Acknowledgement 860 Purchase Order Change Request - Buyer Initiated 865 Purchase Order Change Acknowledgement/Request - Seller Initiated Note that the ICs in the /DoD-edi/3050_USER directory were developed as a means to express DOD requirements for an ANSI X12 3050 based transaction set. They are not approved for implementation. They have been submitted to the Federal IC configuration management process for adoption throughout the federal government. Since they are subject to Federal review and are based upon a standard not yet released, changes can be anticipated. (See ECA PMO above) 7.5 How can a trading partner keep up with all these implementation conventions (ICs) and revisions in X12 and EDIFACT? The US government is trying to standardize electronic communications internally and with it's 300,000 plus suppliers. This requires standardization of the standards process and cross communication between programs. The IMPDEF message and the NIST Federal IC Registry will place electronic versions of all its ICs on the Registry - both full federal ICs and individual agency ICs - so that any trading partner can download and use them. In combination with message data compliance checking as well, smaller firms should be able to get into EDI and start benefitting both themselves and the government. 7.6. Where can I get information on EDI translation software ? Several commercial trade magazines publish periodic guides to EDI translation software. Under commission by the US Government, the Logistics Management Institute (LMI) of McLean, Va. published "A Guide to EDI Translation Software, 1994 Edition." The guide describes the features and characteristics of EDI software offered by more than 60 vendors. Commercial organizations can get copies for $20 each by sending a check made out to the Logistics Management nstitute. Federal agencies may have up to five free copies by sending requests to Houser, et al Informational [Page 31] RFC 1865 EDI Meets the Internet January 1996 Logistics Management Institute Attn. Library 2000 Corporate Ridge McLean, Virginia, 22102-7805 You can fax a typed request to the LMI library at (703) 917-7597 or send a request to library@lmi.org. Requests for hard copies of the Guide must include the requester's name, organization, address, telephone number, and number of copies desired. All requests should cite Report IR421RD1. If you have questions about the Guide, you can contact the author, Harold Frohman, at (703) 917-7286 or send him an Internet message at hfrohman@lmi.org. A somewhat older LMI report (1992), but still quite relevant, is EDI Planning and Implementation Guide (DL204RD1, August 1992). 7.7. How do I keep in touch with others pursuing EDI and Electronic Commerce on the Internet ? There are several EDI related mailing lists on (and off) the Internet. Information on subscription follows below. ---------------------- IETF-EDI Mailing list: ---------------------- The IETF-EDI list has been established as a forum for discussing methods of operating EDI transactions over the Internet, and for discussing specifications which permit such operation. This list is therefore focused on the technology of Internet usage of EDI, rather than on more general aspects of EDI technology or use. To subscribe, send an e-mail message to: LISTSERV@BYU.EDU. The text of the message should only contain the following: sub ietf-edi <your-name> Messages intended for the ietf-edi list should be sent to: IETF-EDI@BYU.EDU. Houser, et al Informational [Page 32] RFC 1865 EDI Meets the Internet January 1996 ------------------- EDI-L Mailing list: ------------------- The EDI-L list is target towards more general EDI discussions. The edi-l mailing list is also gatewayed to the USENET newsgroup bit.listserv.edi-l. To subscribe, send an e-mail message to: listserv@uccvma.ucop.edu The text of the message should only contain the following: subscribe edi-l <your-name> Messages intended for the edi-l list should be sent to: EDI-l@uccvma.ucop.edu --------------------- EDI-NEW Mailing list: --------------------- This list complements ietf-edi in the sense that it promotes discussion of new approaches to edi and the extension of edi beyond its traditional domains. To subscribe, send an e-mail message to: edi-new-request@tegsun.harvard.edu The text of the message should only contain the following: subscribe edi-new <your-name> Messages intended for the edi-new list should be sent to: edi-new@tegsun.harvard.edu Houser, et al Informational [Page 33] RFC 1865 EDI Meets the Internet January 1996 ---------------------- SPEEDE-L Mailing list: ---------------------- The main purpose of this list is for discussions of Educational EDI Standards. To subscribe, send an e-mail message to: listserv@vtvm1.cc.vt.edu The text of the message should only contain the following: SUBSCRIBE SPEEDE-L firstname lastname Messages intended for the speede-l list should be sent to: speede-l@vtvm1.cc.vt.edu ---------------------- OPEN-EDI Mailing list: ---------------------- The main purpose of this list is for UN/EDIFACT users to review the work of JTC1/SC30. To subscribe, send an e-mail message to: majordomo@utu.premenos.com The text of the message should only contain the following: subscribe open-edi Messages intended for the open-edi list should be sent to: OPEN-EDI@utu.premenos.com ------------------ ECAT Mailing list: ------------------ The Federal Electronic Commerce for Acquisition Team (ECAT) has established an open mail list for those interested in ECAT activities. Houser, et al Informational [Page 34] RFC 1865 EDI Meets the Internet January 1996 Information sent to the forum address is automatically distributed to all forum members. This forum is available 24 hours a day, 7 days a week. Currently, only ASCII text messages up to 250kb are supported. For best results when sending messages to this forum, each line should be limited 70 characters followed by a carriage return. Also, your name and email address should be included in the body of messages sent. To subscribe, send an e-mail message to: listserv@forums.fed.gov The text of the message should only contain the following: subscribe ecat firstname lastname Messages intended for the ECAT list should be sent to: ECAT@forums.fed.gov. 7.8. Can I get messages that have been previously posted to the EDI mailing lists ? Yes. Messages that have appeared on the ecat, edi-l, edi-new, fed- reg, x12c-impdef and ietf-edi list are available via FTP from ftp://ftp.sterling.com/edi/lists/ 7.9. I have EDI related material I'd like to make available to the Internet community. How do I do that ? If you have an existing Internet connected site, you can make the information available via FTP or WWW. If you do not wish to go to the effort, send mail to Kent Landfield at edi-archive@sterling.com Sterling Software is making the archive publicly available to the community. Anyone who wants to distribute EDI related documents may contact Sterling to make your documents publicly available on ftp.sterling.com. For example, the Department of Veterans Affairs has posted numerous studies and training materials on EDI which are available to the public at ftp.sterling.com/edi/va/. 7.10. Where are EDI Archives on the Internet ? Some have been discussed previously while others have not. Here is a very incomplete list of sites that archive EDI related material and Houser, et al Informational [Page 35] RFC 1865 EDI Meets the Internet January 1996 make that information publicly available. o ftp://admissions.carleton.ca/pub/ o ftp://ds.internic.net/ietf/edi/ o ftp://ds.internic.net/pub/ecat.library/ o ftp://ftp.sterling.com/edi/ o ftp://ftp.swin.edu.au/pub/edi/ o ftp://prospero.isi.edu/pub/papers/security/ o ftp://turiel.cs.mu.oz.au/pub/edi/ o http://snad.ncsl.nist.gov/dartg/edi/fededi.html o http://waltz.ncsl.nist.gov/ECIF/ecif.html o http://www.disa.org/ o http://www.acq.osd.mil/ec/ o http://www.ietf.cnri.reston.va.us/ o http://www.premenos.com/standards/EDIStandards.html 8. Security Considerations 8.1. What security measures are needed to connect to the Internet ? Internet security measures can be placed in two broad categories: protecting your system from intruders and protecting the content and integrity of your messages. With respect to the latter, EC/EDI transactions of nominal value and sensitivity do not require special security requirements. However, if the information has any sensitive aspects, you will need to take measures discussed below. Competitors might intercept your bids and undercut your proposal. Or they could monitor your purchases and shipping notices to determine your firm's production capacity. To ensure confidentiality of the message, your e-mail system should offer some means of encrypting the message in a manner only the intended recipient can read. Trading partners are responsible for satisfying existing rules and regulations relating to computer security and privacy. For example, bid data received by government systems is subject to the appropriate controls. Trading partner financial account data is likewise subject to disclosure restrictions. To thwart those who might tamper with a message to divert delivery by changing the "ship-to" address, digital signatures can attest to the integrity of the message. Digital signatures can also authenticate messages, preventing pranksters or rivals from submitting false orders. 8.2. How do we go about protecting our system ? The weakest link in most systems are people and passwords; your current practices for managing both will apply to use of the Internet. Steps you can take include: Houser, et al Informational [Page 36] RFC 1865 EDI Meets the Internet January 1996 o Obtain, study, implement, and enforce the NIST FIPS (112) on passwords. Make the practice of safe computing a condition of continued employment and let your staff know it. o Conduct a risk assessment as described in Appendix M of the Federal Electronic Commerce for Acquisition Team report Streamlining Procurement Through Electronic Commerce. This documents is available via ftp at ds.internic.net in the directory /pub/ecat.library. o Apply the recommendations from NIST Special Publication 800-9, Good Security Practices for Electronic Commerce, Including Electronic Data Interchange as appropriate. o Establish necessary internal and external "Firewalls." See John Wack and Lisa Carnahan, "Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls," NIST Special Publication 800-10, undated. o Review RFC 1281[4] Guidelines for the Secure Operation of the Internet and RFC 1244 Holbrook and Reynolds "Site Security Handbook" o Review Cheswick and Bellovin's "Firewalls and Internet Security - Repelling the Wily Hacker," Addison-Wesley [5] o Consider implementing active countermeasures in your firewalls. See "There Be Dragons" by S. Bellovin, Proceedings of the Third Usenix UNIX Security Symposium, September 1992[6]. You can contact Bellovin at smb@ulysses.att.com. 8.3. Is there good publicly available software I can use? These are several free, publicly available, security tools one can obtain via ftp from one of many good archives. If your company uses UNIX systems to connect to the Internet or has UNIX systems connected to the Internet get and use the following tools: 1. The Purdue University COAST - Security Archive (Computer Operations, Audit, and Security Tools, run by Gene Spafford) is located at coast.cs.purdue.edu and mirrored in a few places, including ftp.sterling.com. 2. COPS available from ftp.cert.org in /pub/tools 3. TIGER available from net.tamu.edu in pub/ These tools are a series of scripts and programs that will alert you to many well-know problems and holes in UNIX systems and how to fix them. Houser, et al Informational [Page 37] RFC 1865 EDI Meets the Internet January 1996 The Computer Emergency Response Team (CERT) at Carnegie Mellon University can assist with computer break-ins as well as provide notices of security activity on the Internet. The US Department of Energy's Computer Incident Advisory Capability (CIAC), located at Lawrence Livermore National Laboratory, can provide assistance at ciac@llnl.gov or at 510-422-8193. CIAC offers software and documents on their anonymous ftp server at ciac.llnl.gov. Both CERT and CIAC are members of the Forum of Incident Response and Security Teams (FIRST), a global organization to foster cooperation and coordination among computer security teams worldwide. 8.4. How good are electronic or digital signatures ? Can they be used in court ? Properly used, these signature systems are better than existing paper based authentication and forgery detection technology. You will find a clear and concise description of how these signatures work in Gary Ratterree's RIPEM Beginner's Guide; contact Ratterree at grayr@cs.tamu.edu. Other references include: ftp://ftp.tis.com/pub/PEM/ for Privacy Enhanced Mail ftp://ftp.rsa.com/ for PEM ftp net-dist.mit.edu:/pub/PGP for Pretty Good Privacy (PGP) An "infrastructure" for public keys is not required to use public key encryption or digital signatures. In the absence of such an infrastructure, the encryption protocol and the public keys would need to be exchanged bilaterally, such as part of the trading partner agreement. A public key infrastructure would provide a secure means to obtain a public key without a need for a manual key exchange. But digital techniques will become more convenient with the arrival of additional infrastructure and support systems. The US government is taking steps to ensure the admissibility in court of such systems. We anticipate that the necessary regulatory and legal infrastructure will be in place about the same time as the necessary directory and certificate services and other supporting systems come on-line. We expect to see expansion of several government pilot programs in the later half of 1994. NIST recently published a report on the Public Key Infrastructure (PKI) and related policy issues; for information contact the NIST Computer Security Division at 301-975-2934. 8.5. Are there other US government standards publications I should be aware of? Yes. Here is a sample of those you will often hear mentioned. Houser, et al Informational [Page 38] RFC 1865 EDI Meets the Internet January 1996 1. Federal Information Processing Standard (FIPS) Publication 46-1, Data Encryption Standard, January 1988. 2. FIPS Publication 65, Guideline for Automated Data Processing Risk Analysis, August 1979. 3. FIPS Publication 113, Computer Data Authentication, May 1985. 4. FIPS Publication 180, Secure Hash Standard - (SHS), May 1993. 5. FIPS Publication 186, Digital Signature Standard - (DSS), May 1994. 6. NIST Special Publication 800-9, Good Security Practices for Electronic Commerce Including Electronic Data Interchange, December 1993. The FIPS standards may be ordered from the U.S. Department of Commerce National Technical Information Service Springfield, VA 22161. 9. References [1] UN/EDIFACT (Electronic Data Interchange for Administration, Commerce and Transport) Syntax Rules (ISO 9735), March 1993, United Nations Economic Commission for Europe (UN/ECE), Working Party for the Facilitation of International Trade Procedures (WP.4) [2] FIPS Publication 161-1, Electronic Data Interchange (EDI), National Institute of Standards and Technology, April 1993. [3] The Internet Message: Closing the book with electronic mail, Marshal T. Rose., Prentice Hall, Englewood Cliffs, New Jersey, 1993. [4] Pethia, R., Crocker, S., and B. Fraser, "Guidelines for the Secure Operation of the Internet", RFC 1281, Software Engineering Institute, Trusted Information Systems, Inc., Software Engineering Institute, November 1991 [5] Firewalls and Internet Security - Repelling the Wily Hacker, by Cheswick and Bellovin, Addison-Wesley, 1994, ISBN 0-201-63357-4 Houser, et al Informational [Page 39] RFC 1865 EDI Meets the Internet January 1996 [6] There Be Dragons, S. Bellovin, Proceedings of the Third Usenix UNIX Security Symposium, Baltimore, Maryland, September 1992. USENIX Association, ISBN 1-880446-46-4 10. Credits James A.(Artch) Griffin <artch@AGRIFFIN.CPCUG.ORG> is credited with co-authorship as he prepared the ECAT FAQ which I used (or perhaps abused) as the base document. Artch was judicious and patient as he watched his original text being rewritten over and over. Carl Hage contributed detailed explanations and clarifications of the various Internet protocols and services and how EDI can employ them. I would like to thank the following people for their comments and specific contributions: Kent Landfield, Mike Bauer, Kit Lueder, Eric Christ, Betsy Bainbridge, Bob Lyons, Kirby Spencer, Sally Hambridge, Ed Levinson, Warren Smith, Steve Bass, Jerry Johnson, Randy VandenBrink, John Pillay, Jim W.C. Smith, Mark Charles, Jean- Philippe Favreau. I apologize if I omitted any one of the many folks who responded to my many calls for comments. I greatly appreciate Kent Landfield for his editorial assistance during final preparation of this document. Sterling Software graciously hosted the work in progress for ftp access and review, saving many bits of Internet SMTP traffic. Finally, I am grateful for the patient cooperation of the IETF Working Group and the participants of the IETF-EDI and EDI-L lists. It's a nice cyberplace to work! WRH, Washington, DC. Houser, et al Informational [Page 40] RFC 1865 EDI Meets the Internet January 1996 11. Authors' Addresses Walter Houser Department of Veterans Affairs 810 Vermont Avenue Washington DC, 20240 Phone: 202-786-9572 EMail: houser.walt@forum.va.gov houser@cpcug.org http://www.va.gov/ James A. (Artch) Griffin President, Athena Associates 18924 High Point Drive Gaithersburg, Maryland 20879 Phone: 301-972-2502 EMail: agriffin@cpcug.org Carl Hage C. Hage Associates 1180 Reed Ave #51 Sunnyvale, CA 94086 EMail: carl@chage.com http://www.chage.com/chage/ Houser, et al Informational [Page 41]