by John Radko, special to Network World

AS2 secures documents using the Web

How-To
Dec 09, 2002
3 mins
Security

Applicability Statement 2 is a draft standard from the Internet Engineering Task Force for securely exchanging business documents over the Internet, with guarantees in place to ensure a document is not lost.

AS2 provides the instructions for software at one company to send any type of document (called a payload) to software at another company using HTTP. If you host a Web site and can browse other Web sites, you have all the connectivity required to use AS2.

The current AS2 specification, although technically still a draft, has guided at least a dozen software vendors in building software and testing it with each other for interoperability. Many service providers also have added AS2 gateways to let traditional electronic data interchange mailboxes send documents via AS2 – eliminating the need for their customers to purchase new software to support AS2.

Document exchange requires more than just moving data over a wire. Because business documents are the basis not only of business planning and operations, but also the legal obligations between companies, the documents must be transferred securely, processed quickly and delivered reliably. AS2 is one of a small number of emerging standards that addresses these requirements.

Secure transfer

AS2 offers options for security ranging from sending data over a secure connection (HTTP/S) to package encryption (using a digital certificate to completely encrypt the business document). A document also can be digitally signed, letting a receiver be confident the document is valid.

The fastest way to send a document is to deliver it directly to the recipient with no intermediate routing or mailboxing – and this is exactly what AS2 specifies. AS2-capable software at the sender establishes a connection over the Internet to the receiver’s AS2 software and sends the document. The receiver then gives the sending system a receipt.

Reliable delivery

Because large e-commerce networks use service providers that have long guaranteed reliable document exchange, delivery seldom has been a worry for EDI managers. But as small companies begin exchanging documents over the Internet, all bets are off, and a system of receipts is needed. Fortunately, AS2 offers flexible yet standard receipts usable under many circumstances.
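The receipt check described above, as an added example that is not part of the original article: the sender records a message integrity check (MIC) over the payload when it sends, then compares it with the value the receiver echoes back in its receipt, a message disposition notification (MDN). The function names, Message-ID and payload are constructed for illustration; the example assumes an unsigned, unencrypted payload with a SHA-1 MIC and does not verify a signature on the receipt itself.

```python
import base64
import hashlib
from email import message_from_bytes

MESSAGE_ID = "<constructed-0001@sender.example>"   # constructed sample value
PAYLOAD = b"constructed purchase order 4711\n"     # constructed sample document

def content_mic(payload: bytes) -> str:
    """MIC the sender records at send time: base64(SHA-1(payload)) plus algorithm tag."""
    return base64.b64encode(hashlib.sha1(payload).digest()).decode() + ", sha1"

def check_receipt(mdn: bytes, sent_id: str, sent_mic: str) -> str:
    """Classify a receipt against the Message-ID and MIC recorded for the sent document."""
    for part in message_from_bytes(mdn).walk():
        if part.get_content_type() != "message/disposition-notification":
            continue
        fields = part.get_payload(0)  # the field block parses as a nested header set
        if (fields["Original-Message-ID"] or "").strip() != sent_id:
            return "wrong-message"
        # Disposition: <mode>; <type>[/<modifier>]. Only a bare "processed" is success.
        outcome = (fields["Disposition"] or "").split(";")[-1].strip().lower()
        if outcome != "processed":
            return "rejected"
        got = [t.strip() for t in (fields["Received-Content-MIC"] or "").split(",")]
        want = [t.strip() for t in sent_mic.split(",")]
        if len(got) != 2 or got[0] != want[0] or got[1].lower() != want[1].lower():
            return "mic-mismatch"  # receiver hashed different bytes than were sent
        return "delivered"
    return "no-receipt"

def sample_mdn(mic: str, outcome: str = "processed") -> bytes:
    """Constructed receipt shaped like a multipart/report MDN (sample data, not a capture)."""
    return "\r\n".join([
        'Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "", "Receipt for your document.",
        "--b1", "Content-Type: message/disposition-notification", "",
        "Original-Message-ID: " + MESSAGE_ID,
        "Disposition: automatic-action/MDN-sent-automatically; " + outcome,
        "Received-Content-MIC: " + mic,
        "--b1--", "",
    ]).encode()

if __name__ == "__main__":
    mic = content_mic(PAYLOAD)
    print(check_receipt(sample_mdn(mic), MESSAGE_ID, mic))
```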

Challenges to implementing AS2

Along with its significant benefits, AS2 presents some new challenges, especially to smaller suppliers that might be called on to implement AS2 to connect to one or more of their large customers.

First, AS2 requires a company to have at least one computer connected to the Internet around the clock.

Second, AS2 requires companies to manage digital certificates, which can be revoked at any time, and which will expire periodically. This means that someone actually must visit each issuing authority and look at the revocation lists. Expired certificates also must be replaced with new certificates, and this burden grows with each partner. Digital certificates must be imported manually into the AS2 software, and there are no commonly used standards to deal with revocation.

Finally, if, through some mishap, you lose access to your own certificate (such as by forgetting your password), nobody will be able to help you. The encryption really is very, very good.

Many of these challenges can be mitigated by using a larger service provider for AS2, but only if your customer or supplier agrees to the arrangement.

Radko is chief architect of Global Technology Operations for Global eXchange Services (www.gxs.com). He can be reached at John.Radko@gxs.com.