Signature Policy Publication

A signature policy can be made available through a plain or secure WWW site publication. Publication can be done by the policy issuer or by a third party through a trusted document repository service; such a repository can also host other industry-specific terms alongside signature policies. An early conceptual example of such a repository is the ICC ETERMS repository of the International Chamber of Commerce (Mitrakas, 1997; Mitrakas & Bos, 1998). When communities of users apply signature policies, the policies have to be published and made available to those users. The source of the information needs to be trusted, and ways to authenticate that source have to be available. Signature policies must remain published for as long as they are valid, so that users can have access to their description. The role of a signature policy publication authority may be taken directly by the signature policy issuer or by a different organization.



Referencing Signature Policies

A reference to a certain signature policy can replace requirements of the contractual agreement. For example, the transacting parties can agree to provide to each other notices of termination only electronically if certain requirements, as to the creation and validation of an electronic signature, are fulfilled. Referring explicitly to a certain signature policy facilitates the adherence to the formal requirements of the transaction.

Organizations that represent certain business sectors can also identify and create signature policies that comply with their business needs and explicitly refer to them in their business transactions. These signature policies can be published in a way that can be explicitly referred to by any member of these business sectors, and their use can be made obligatory for all parties that belong to a business sector if all parties agree.

If the members of a business sector generally adhere to a signature policy, a transaction between the members of the sector will only be considered valid if this signature policy is complied with, unless the contracting parties state otherwise.



Electronic Invoices: An Application Area

An example of this approach can be sought in the area of electronic invoices. Article 2 of Directive 01/115/EC permits the usage of advanced electronic signatures to guarantee the authenticity of electronic invoices. Another means to this end that the Directive accepts is EDI-based invoices in the meaning of the Commission Recommendation 94/820/EC on a European Model EDI Agreement (October 19, 1994). Shifting the processing of electronic invoices to a mass scale requires safeguards that ensure the validity, verification conditions, transaction constraints, and intended role of a signature, in order to enhance the level of legal safety in the communication of an invoice.

In practical terms, the recommended approach could help invoice processing centers migrate to electronic invoice formats that use advanced electronic signatures. This can be done by processing the signature validation and verification data in the context and permissions of the role of the signatories involved. The added benefit for the end user is greater legal safety with respect to the transaction involved and the validation data thereof.

Electronic Invoicing Example

  Phase A: Invoice Issuer
    Invoice Issuer sends signed invoice data to Invoice Processing Centre (IPC)

  Phase B: Invoice Processing Centre
    • Validates sender's signature according to constraints in its own signature policy
    • Converts data format to match Recipient's requirements

  Phase C: Invoice Recipient
    Invoice Recipient validates IPC signing certificate

The table above outlines the suggested approach in a model that allows the usage of signature policies.

In phase "A," the sender issues an invoice issuance request that he signs by using an electronic certificate. An invoice issuance request contains the invoice data, such as the amount to be invoiced, and is addressed to the outsourced agent who typically handles invoicing for the company of A. According to the electronic invoice Directive, an electronic invoice can be signed electronically. Additional attributes or constraints can be inserted in a signature policy to convey the role under which such signing might be carried out, e.g., "Joe Doe, Accounting Manager." As "Accounting Manager," the issuer is entitled to sign outgoing invoices, which he might otherwise be unable to do validly. Authorization attributes can be inserted in the signature policy and possibly also conveyed by means of an attribute certificate.

In phase "B," the recipient is the processing center that usually handles invoices on behalf of Joe's company. The processing center checks Joe's signature and authorization attributes against a signature policy that it applies in transactions with organizations like Joe's. The signature policy allows the processing center to quickly check, e.g., the validity of the applied electronic signature as well as any associated constraints, such as the signing role, authorization limits, etc.

Inserting the data received from Joe's organization into its electronic invoice format, the processing center raises the invoice and subsequently signs it.

In phase "C," the recipient, who is the business partner of the invoice issuer, receives the invoice that the processing center has sent. Since the recipient is a fairly small outfit with limited resources, he does not necessarily have the ability to perform many checks on the signatures and roles, so he relies on the signature of the processing center to ensure the origin of the invoice received. Since the processing center is a party known to the recipient, it takes only a small effort to validate the signature that is used under a policy.
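The following Go program is an added illustration, not code from the book or from any invoicing product it describes. It ties together two points above: referencing a published signature policy from within a signed document (the "Referencing Signature Policies" section) and the three-phase issuer / processing centre / recipient flow. Everything concrete in it is an assumption made for the example: the policy is modelled as a small JSON document referenced by an identifier plus a SHA-256 digest (the book does not prescribe a reference format), Ed25519 key pairs stand in for certificates, the signing role is carried inside the signed content rather than in an attribute certificate, and the names, policy identifier and amounts are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// SignaturePolicy is a hypothetical, much simplified policy document (constructed
// for this example): the roles permitted to sign and the maximum invoice amount.
type SignaturePolicy struct {
	ID           string
	AllowedRoles []string
	MaxAmount    int
}

// PolicyDigest hashes the policy's JSON encoding. A signed invoice carries the policy ID
// and this digest, so a verifier can confirm the published policy is the one the signer meant.
func PolicyDigest(p SignaturePolicy) string {
	b, _ := json.Marshal(p) // field order is fixed, so the encoding is stable
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Invoice is the signed-over content: invoice data, the signer's claimed role and
// the reference to the signature policy under which the signature is made.
type Invoice struct {
	Issuer, Recipient, Role string
	Amount                  int
	PolicyID, PolicyDigest  string
}

func encode(inv Invoice) []byte {
	b, _ := json.Marshal(inv)
	return b
}

// ValidateUnderPolicy is the processing centre's phase B check: the signature must verify under
// the trusted issuer key, the invoice must reference exactly the centre's policy, and the
// policy's role and amount constraints must hold.
func ValidateUnderPolicy(inv Invoice, sig []byte, issuer ed25519.PublicKey, policy SignaturePolicy) error {
	if !ed25519.Verify(issuer, encode(inv), sig) {
		return errors.New("signature does not verify over the invoice content")
	}
	if inv.PolicyID != policy.ID || inv.PolicyDigest != PolicyDigest(policy) {
		return errors.New("invoice does not reference the expected signature policy")
	}
	roleOK := false
	for _, r := range policy.AllowedRoles {
		roleOK = roleOK || r == inv.Role
	}
	if !roleOK {
		return fmt.Errorf("role %q is not permitted to sign under policy %s", inv.Role, policy.ID)
	}
	if inv.Amount > policy.MaxAmount {
		return fmt.Errorf("amount %d exceeds the policy limit of %d", inv.Amount, policy.MaxAmount)
	}
	return nil
}

// RunFlow walks phases A to C for one constructed invoice; tamper simulates a change to the
// invoice data after signing. It returns the first error met, or nil if the recipient's check passes.
func RunFlow(amount int, role string, tamper bool) error {
	// Policy the processing centre has published and applies (constructed values).
	policy := SignaturePolicy{ID: "urn:example:ipc-invoice-policy:1",
		AllowedRoles: []string{"Accounting Manager"}, MaxAmount: 50000}
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ipcPub, ipcPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Phase A: the issuer signs the request, stating his role and referencing the policy by ID and digest.
	req := Invoice{Issuer: "Joe Doe", Recipient: "Partner Ltd", Role: role, Amount: amount,
		PolicyID: policy.ID, PolicyDigest: PolicyDigest(policy)}
	reqSig := ed25519.Sign(issuerPriv, encode(req))
	if tamper {
		req.Amount++
	}

	// Phase B: the centre validates against its own policy, converts to its format and signs the result.
	if err := ValidateUnderPolicy(req, reqSig, issuerPub, policy); err != nil {
		return fmt.Errorf("phase B: %w", err)
	}
	converted := req
	converted.Role = "Invoice Processing Centre"
	invSig := ed25519.Sign(ipcPriv, encode(converted))

	// Phase C: the recipient only checks that the centre it already knows signed the invoice.
	if !ed25519.Verify(ipcPub, encode(converted), invSig) {
		return errors.New("phase C: processing centre signature does not verify")
	}
	return nil
}

func main() {
	fmt.Println(RunFlow(1200, "Accounting Manager", false), RunFlow(1200, "Intern", false))
}
```

The point of the digest in the policy reference is that the recipient of a signature does not have to trust the publication channel alone: if the policy fetched from the WWW site or repository does not hash to the value the signer committed to, the signature is rejected even though the policy identifier matches. The three rejection paths in RunFlow (wrong role, amount over the policy limit, data altered after signing) are exactly the checks the processing centre performs in phase B so that the small recipient in phase C can get by with a single signature verification.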