💾 Archived View for gmi.noulin.net › rfc › rfc3504.gmi captured on 2021-12-05 at 23:47:19. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Keywords: commerce, payment, system, merchant, system, xml, extensible, markup, language, security
Network Working Group D. Eastlake Request for Comments: 3504 Motorola Category: Informational March 2003 Internet Open Trading Protocol (IOTP) Version 1, Errata Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract Since the publication of the RFCs specifying Version 1.0 of the Internet Open Trading Protocol (IOTP), some errors have been noted. This informational document lists these errors and provides corrections for them. Table of Contents 1. Introduction.................................................... 2 2. DTD Errata...................................................... 2 2.1 PackagedContent Element..................................... 2 2.2 The Element called Attribute................................ 3 3. Other Errata.................................................... 3 3.1 Re: Combining Authentication Transactions with other Transactions................................................ 3 3.2 Type attribute of Element called Attribute.................. 3 4. Security Considerations......................................... 4 5. References...................................................... 4 6. Acknowledgements................................................ 4 7. Author's Address................................................ 5 8. Full Copyright Statement........................................ 6 Eastlake Informational [Page 1] RFC 3504 IOTP v1 Errata March 2003 1. Introduction The Internet Open Trading Protocol (IOTP), Version 1.0, is specified in [RFC 2801, 2802, 2803]. It provides a payment system independent framework for Internet commerce oriented to consumer to business transactions. It provides mechanism for different portions of the business function, such as fulfillment or payment handling, to be distributed or outsourced. It does not require a prior relationship between the consumer and business. Several errors have been noted in the IOTP v1.0 specification, particularly RFC 2801, which was the largest RFC ever issued. These are listed, with their fix, in this document. 2. DTD Errata 2.1 PackagedContent Element Attribute types are swapped. OLD/INCORRECT: !ELEMENT PackagedContent (#PCDATA) > <!ATTLIST PackagedContent Name CDATA #IMPLIED Content NMTOKEN "PCDATA" Transform (NONE|BASE64) "NONE" > NEW/CORRECT: <!ELEMENT PackagedContent (#PCDATA) > <!ATTLIST PackagedContent Name NMTOKEN #IMPLIED Content CDATA "PCDATA" Transform (NONE|BASE64) "NONE" > Eastlake Informational [Page 2] RFC 3504 IOTP v1 Errata March 2003 2.2 The Element called Attribute Incorrect element content specification syntax. OLD/INCORRECT: <!ELEMENT Attribute ( ANY ) > <!ATTLIST Attribute type NMTOKEN #REQUIRED critical ( true | false ) #REQUIRED > NEW/CORRECT <!ELEMENT Attribute ANY > <!ATTLIST Attribute type NMTOKEN #REQUIRED critical ( true | false ) #REQUIRED > 3. Other Errata 3.1 Re: Combining Authentication Transactions with other Transactions Section 9.1.13. page 234, restarted->continued: OLD/INCORRECT: if the Authentication transaction is successful, then the original IOTP Transaction is restarted NEW/CORRECT: if the Authentication transaction is successful, then the original IOTP Transaction is continued 3.2 Type attribute of Element called Attribute Section 7.19.1, Page 150, insufficient list of signature types: OLD/INCORRECT: There must be one and only one Attribute Element that contains a Type attribute with a value of IOTP Signature Type and with content set to either: OfferResponse, PaymentResponse, DeliveryResponse, AuthenticationRequest, AuthenticationResponse, PingReq or PingResponse; depending on the type of the signature. Eastlake Informational [Page 3] RFC 3504 IOTP v1 Errata March 2003 NEW/CORRECT: There must be one and only one Attribute Element that contains a Type attribute with a value of IOTP Signature Type and with content set to either: OfferResponse, PaymentResponse, DeliveryResponse, AuthenticationRequest, AuthenticationResponse, PingReq, PingResponse, AuthenticationStatus, InquiryRequest, or InquiryResponse; depending on the type of the signature. AND a similar change extending the list of values in Section 12.1, Page 262. And at Section 6.1.2, Page 82, add the following: AuthenticationStatus any role InquiryRequest any role InquiryResponse any role 4. Security Considerations The errata listed herein are not particularly security related. Never the less, incorrect implementations due to uncorrected errors in the specification may compromise security. 5. References [RFC 2801] Burdett, D., "Internet Open Trading Protocol - IOTP Version 1.0", RFC 2801, April 2000. [RFC 2802] Davidson, K. and Y. Kawatsura, "Digital Signatures for the v1.0 Internet Open Trading Protocol (IOTP)", RFC 2802, April 2000. [RFC 2803] Maruyama, H., Tamura, K. and N. Uramoto, "Digest Values for DOM (DOMHASH)", RFC 2803, April 2000. 6. Acknowledgements Thanks to the following people for reporting or responding to reports of these errata: Harald Barrera Dubois, Yoshiaki Kawatsura, Chun Ouyang Eastlake Informational [Page 4] RFC 3504 IOTP v1 Errata March 2003 7. Author's Address Donald E. Eastlake 3rd Motorola 155 Beaver Street Milford, MA 01757 USA Phone: +1-508-851-8280 (w) +1-508-634-2066 (h) EMail: Donald.Eastlake@motorola.com Eastlake Informational [Page 5] RFC 3504 IOTP v1 Errata March 2003 8. Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Eastlake Informational [Page 6]