
AS4 Key Concepts

Philip Helger edited this page Dec 15, 2024 · 1 revision

This page lists some of the key AS4 aspects, together with the specification sources they come from.

Compression

When compression, signature and encryption are required, any attached payload(s) MUST be compressed prior to being signed and/or encrypted. (Source: AS4 1.0 specification, chapter 3.1)

Signing

When both signature and encryption are required of the MSH, the message MUST be signed prior to being encrypted. (Source: ebMS Core 3.0 specification, chapter 7.6)

AS4 MSH implementations are REQUIRED to use Detached Signatures as defined by the XML Signature Specification when signing AS4 user or signal messages. (Source: AS4 1.0 specification, chapter 5.1.4)

AS4 MSH implementations are REQUIRED to include the entire eb:Messaging SOAP header block and the (possibly empty) SOAP Body in the signature. (Source: AS4 1.0 specification, chapter 5.1.4)

Specific for SOAP with Attachments

AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only transform when building application payloads using SOAP with Attachments. (Source: AS4 1.0 specification, chapter 5.1.5)

AS4 MSH implementations are REQUIRED to include the entire eb:Messaging header block and all MIME body parts of included payloads in the signature. (Source: AS4 1.0 specification, chapter 5.1.5)

Encryption

If an AS4 user message is to be encrypted, AS4 MSH implementations MUST encrypt ALL payload parts. However, AS4 MSH implementations SHALL NOT encrypt the eb:Messaging header. (Source: AS4 1.0 specification, chapter 5.1.6)

If an AS4 user message is to be encrypted and the user-specified payload data is to be packaged in the SOAP Body, AS4 MSH implementations are REQUIRED to encrypt the SOAP Body. (Source: AS4 1.0 specification, chapter 5.1.6)

Specific for SOAP with Attachments

If an AS4 user message is to be encrypted ... AS4 MSH implementations are REQUIRED to encrypt the MIME Body parts of included payloads. (Source: AS4 1.0 specification, chapter 5.1.7)

Receipts

When a Receipt is to be used for Non Repudiation of Receipt, the content of the eb:Receipt element MUST be a valid ebbpsig:NonRepudiationInformation element. (Source: AS4 1.0 specification, chapter 5.1.8)

When a Receipt is to be used for Non Repudiation of Receipt (NRR), the sender of the Receipt MUST use ds:Reference elements containing digests of the original message parts for which NRR is required. Message parts MUST NOT be identified using ebbpsig:MessagePartIdentifier elements. (Source: AS4 1.0 specification, chapter 5.1.8)

When a Receipt is to be used for Non Repudiation of Receipt (NRR), the sender of the Receipt MUST sign the AS4 receipt Signal Message. (Source: AS4 1.0 specification, chapter 5.1.8)

An AS4 message that has been digitally signed MUST be acknowledged with a message containing an eb:Receipt signal that itself is digitally signed. (Source: AS4 1.0 specification, chapter 5.1.8)

Peppol specifics

Use only Message Exchange Pattern One-Way/Push. (Source: Peppol AS4 specification, chapter 4.1)

Receiving access points MUST support TLS according to section 3.2.6 of CEF eDelivery AS4. Versions newer than TLS v1.2 might be used upon mutual agreement via the TLS handshake. Port 443 MUST be used for TLS. (Source: Peppol AS4 specification, chapter 4.2)

All transmissions in the Peppol network MUST package content as an integrated part using SBDH according to [PEPPOL-Envelope]. (Source: Peppol AS4 specification, chapter 4.9)

The Access Point MUST include all payloads as MIME attachments. (Source: Peppol AS4 specification, chapter 4.10)

The PMode[].Security.X509.Signature.HashFunction parameter MUST be set to http://www.w3.org/2001/04/xmlenc#sha256. The PMode[].Security.X509.Signature.Algorithm parameter MUST be set to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. (Source: EC eDelivery specification, chapter 3.2.6)

The parameter PMode[].Security.X509.Encryption.Algorithm MUST be set to http://www.w3.org/2009/xmlenc11#aes128-gcm. (Source: EC eDelivery specification, chapter 3.2.6)

The encryption algorithm for the encrypted key is http://www.w3.org/2009/xmlenc11#rsa-oaep. This is the value of the Algorithm attribute of xenc:EncryptionMethod on xenc:EncryptedKey. (Source: EC eDelivery specification, chapter 3.2.6)

The mask generation function is http://www.w3.org/2009/xmlenc11#mgf1sha256. This is the value of the Algorithm attribute of xenc:MGF inside that xenc:EncryptionMethod. (Source: EC eDelivery specification, chapter 3.2.6)

The digest function is http://www.w3.org/2001/04/xmlenc#sha256. This is the value of the Algorithm attribute of ds:DigestMethod inside that xenc:EncryptionMethod. (Source: EC eDelivery specification, chapter 3.2.6)
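The algorithm constraints above and the signing/encryption rules from the AS4 sections (the signature covers eb:Messaging and the SOAP Body; payloads are encrypted but eb:Messaging never is) can be checked on a received envelope before any cryptographic verification. The following is an added example written for this page, not code from phase4 or from any of the cited specifications; it checks only the policy (which algorithm URIs appear where and what the signature references), not signature or ciphertext validity, and the envelope it parses is a constructed minimal sample.

```python
import xml.etree.ElementTree as ET

NS = {"S12": "http://www.w3.org/2003/05/soap-envelope", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "xenc11": "http://www.w3.org/2009/xmlenc11#",
      "eb": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
# Algorithm URIs the eDelivery/Peppol profile mandates, and where each must appear.
RULES = [
    ("signature", ".//ds:SignatureMethod", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"),
    ("reference digest", ".//ds:Reference/ds:DigestMethod", "http://www.w3.org/2001/04/xmlenc#sha256"),
    ("key transport", ".//xenc:EncryptedKey/xenc:EncryptionMethod", "http://www.w3.org/2009/xmlenc11#rsa-oaep"),
    ("OAEP mask", ".//xenc:EncryptedKey/xenc:EncryptionMethod/xenc11:MGF", "http://www.w3.org/2009/xmlenc11#mgf1sha256"),
    ("OAEP digest", ".//xenc:EncryptedKey/xenc:EncryptionMethod/ds:DigestMethod", "http://www.w3.org/2001/04/xmlenc#sha256"),
    ("data encryption", ".//xenc:EncryptedData/xenc:EncryptionMethod", "http://www.w3.org/2009/xmlenc11#aes128-gcm"),
]

def check_envelope(xml_text):
    """Return the profile violations found in a received AS4 SOAP envelope (policy only, no crypto)."""
    root = ET.fromstring(xml_text)
    problems = []
    for what, path, required in RULES:
        for el in root.findall(path, NS):  # every occurrence is checked, e.g. each ds:Reference
            if el.get("Algorithm") != required:
                problems.append("%s algorithm is %s" % (what, el.get("Algorithm")))
    # AS4 5.1.4: the signature must cover the whole eb:Messaging header and the SOAP Body.
    signed = {r.get("URI") for r in root.findall(".//ds:SignedInfo/ds:Reference", NS)}
    for path in ("S12:Header/eb:Messaging", "S12:Body"):
        el = root.find(path, NS)
        if el is None or "#" + el.get("{%s}Id" % NS["wsu"], "") not in signed:
            problems.append("signature does not cover " + path.split("/")[-1])
    # AS4 5.1.6: payloads are encrypted, but the eb:Messaging header itself never is.
    msg = root.find("S12:Header/eb:Messaging", NS)
    if msg is not None and msg.find(".//xenc:EncryptedData", NS) is not None:
        problems.append("eb:Messaging header is encrypted")
    return problems

# Constructed, minimal signed-and-encrypted envelope; key, cipher and digest values are omitted.
SAMPLE = """<S12:Envelope xmlns:S12="%(S12)s" xmlns:eb="%(eb)s" xmlns:wsse="%(wsse)s"
 xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s" xmlns:xenc11="%(xenc11)s">
<S12:Header><wsse:Security><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/></xenc:EncryptionMethod></xenc:EncryptedKey>
 <xenc:EncryptedData><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/></xenc:EncryptedData>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#msg"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  <ds:Reference URI="#body"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo></ds:Signature></wsse:Security>
<eb:Messaging wsu:Id="msg"/></S12:Header><S12:Body wsu:Id="body"/></S12:Envelope>""" % NS
```

A message that is not signed at all yields "signature does not cover" entries for both eb:Messaging and the Body, which matches the AS4 requirement that both are always inside the signature.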