Minutes CRG 2000-08-25 in London
Participants
Alain Rividi IBM
Andreas Mall Shell
Benoit Mennes Johnson & Johnson
Brian Eaton GE Interbusiness Operations
Dirk Wahlen Siemens
Geert Van Gils Johnson & Johnson
Mark Bantager Coca Cola Enterprises
Maryann Cockle APACS
Mikael Jonsson Ericsson
Mike Adcock APACS
Nicholas Thorpe GE Capital
Nils Ruud Norsk Hydro
Patrick De Nys Coca Cola Enterprises
Terje Thogersen Norsk Hydro
PAYMUL – Review of Stockholm
- The slightly revised PAYMUL from the Stockholm meeting was accepted as
  written
- A discussion was had around the addition of further codes in the PAI segment
  (C level) to define a payment as treasury urgent (immediate execution)
  and commercial urgent (as per value date / usually same day)
- Question was raised as to who provides these / how do we find them
- It was indicated that codes already exist in some countries (e.g. 94 = urgent
  giro in Finland)
- For now we could raise temporary codes with a Z in front
- Dirk to take the request for 2 generic codes to Taipei to present to the
  D6 meeting (refer attached document entitled Segment PAI.doc)
Minutes from Stockholm
- A discussion was had regarding the request from Yves Gailly to amend the
  minutes from Stockholm (as follows)
Yves Gailly, the chair of D6, would like to add the following paragraph
to section 4b of the minutes of the Stockholm meeting
http://cm.sfs.siemens.de/crg/minutes/mn000619.doc
"The fact that corporates meet together independently of D6 is only
linked to the fact their subjects of discussion are not limited to EDIFACT.
Otherwise they confirm to be fully part of D6 and their numerous and continuous
attendance to this meeting proves it."
- It was resolved to reject the comment from Yves as CRG is separate and
  independent from the D6 and should be seen to remain that way
- There was also comment from Knut Kvalheim (Norway) who suggests to add
  the following paragraphs at the end of section 5 (Discussion and decision
  on CRG proposals for PAYMUL):
'D6 also agreed on the need to describe what the CRG column is and what
type of companies the CRG consists of. This would be meaningful information
to the reader of the document working on establishing solutions. To this
end, the following paragraph will be added in the introductory section
MIG:
"The CRG column describes the preferred use of the message for a group
of multinational companies constituting the "Corporate Reference Group"
(CRG). The CRG is established as a forum for discussions of standardisation
issues. The members of the group are predominantly companies with activities
in several countries and a large resource base."'
- Further it was resolved to accept the second comment from Knut after some
  discussions regarding the wording.
**Note**
On reflection of the above, GE feels strongly that the use of the words
“large resource base” could give the impression that the CRG is only for
large multi-national companies. The intent of the CRG is to standardize
message flows and to make the results available to all corporates, large
and small, thus allowing them to implement Edifact strategies in a standardized,
easy fashion, thus reducing the capital requirements to implement an EDI
solution.
Maintenance Meeting Review
- Dirk briefly spoke about the Maintenance Meeting held in May
- The main work done at the meeting was to prepare the MIGs in final draft
  for the Taipei meeting
- The MIGs have been distributed in previous emails to CRG participants
Presentations
- Johnson & Johnson (Benoit Mennes and Geert Van Gils) shared with us
  their EDIFACT strategy for Europe which has been developed in partnership
  with Burns Open Systems and is being negotiated with their core banks across
  Europe. The presentation has been distributed separately
- Shell (Andreas Mall) presented an update of their banking strategy within
  Europe and gave an overview of how they were progressing. A final decision
  is to be made in the next few weeks for their global banking partner.
- APACS (Mike Adcock) gave a presentation on the BIG (Business Implementation
  Guidelines) SUE (Simplified Use of Edifact) group and the work that they
  were doing. Active participation in the group by CRG members was encouraged.
  (refer attached BIG-SUE-Presentation.ppt and BIG-SUE-Desc.doc)
Communications
- A brief discussion on communication methods was had
- Shell made the point that they are moving to using “open internet”
- Norsk Hydro are moving all communications to FTP and away from X400 with
  the internet as a back up
- Siemens are also using the internet
- Communication methods to be discussed in detail at the next meeting
BANSTA
- Current D6 BANSTA was reviewed by the group
- Changes are as per the revised MIG which has been distributed separately
- This is to be taken to the Maintenance Meeting in Taipei and reviewed
- Brief discussion was had on the theory behind the delivery of the BANSTA
- At what point this was generated and when
- Comment was made on receiving +ve BANSTAs
- The BGM segment of the BANSTA was left as is with the CRG note that a +ve
  acknowledgement is sometimes required by some corporates in some circumstances
- Comment was made that some banks are generating one BANSTA per failure
  at the B level
- Comment was also made that some banks are generating multiple BANSTAs –
  one at the transaction date and one at the value date

Discussion was mainly technical, with a review of the MIG the main
topic. Implementation and theory are to be discussed in a different forum.
FINSTA
- Current D6 FINSTA was reviewed by the group
- Changes are as per the revised MIG which has been distributed separately
- This is to be taken to the Maintenance Meeting in Taipei and reviewed
- Coca Cola (Patrick De Nys) requested the addition of a “balance before
  sweeping” to the FINSTA
- This was not discussed in detail and may be discussed in the future
Big FINSTA
- APACS (Mike Adcock) raised the issue of the BIG FINSTA
- This contains more details, with all statement lines to contain the same
  information as the DEBMUL and the CREMUL
- Is anyone interested?
Security
- The issue of whether ISO 9796 had been broken was raised – it was mentioned
  by Isabel in Stockholm
- Also rumours that it had been withdrawn as an ISO standard
- This is to be discussed at the next maintenance meeting – Mike Adcock
  to get a statement from Steve Thomas on what has happened
**Note**
The following email was sent to the distribution list on Monday the
28th August by Terje Thogersen in relation to the above:
In London, we discussed some hints we'd received that the ISO-9796-1
algorithm may have been "broken", and that ISO may have retracted the standard.
Since this might be discussed in Taipei, we decided to investigate the
matter.
I found information of the latter, but I found the information about
the "weakness" of ISO-9796, at http://www.rsasecurity.com/rsalabs/bulletins/sigforge.html.
In essence this document (published by a "competitor" to ISO-9796) discusses
an attack on an algorithm which is NOT ISO-9796-1, but something similar,
a "quasi-ISO 9796-1 format".
Furthermore, this attack is only relevant if you use the algorithm without
first applying a hash algorithm to your message, and then signing the hash
result, as we do.
Therefore:
* ISO-9796-1 is NOT broken, but a theoretical attack is described on
a similar, but different algorithm. (Had they been able to prove the attack
on ISO-9796-1, they would have done so.)
* The attack on the algorithm not-quite-like ISO-9796-1 is not relevant
in our case, since we hash first, then sign.
* Attacks on "our" signature algorithm would require the same
immense use of CPU power as RSA attacks always have done.
Best regards,
Terje
Other
- It was discussed that we should re-visit the bank matrix, detailing who
  is at what stage with their banking partners and their contacts within
  the bank
- GE to take the lead on this and distribute the original matrix in the next
  few weeks
- This is to be completed and discussed at the next meeting in Munich
Next Meeting
The next meeting is to be held on the 7th November in Munich, hosted
by Siemens
Draft Agenda is:
- Communication
- Bank Relationships
- CREMUL and DEBMUL
- Review of Taipei