Electronic Invoice Transmission Infrastructures
This presentation by Fred van Blommestein discusses the challenges and security concerns surrounding electronic invoice transmission infrastructures. It covers e-mail vulnerabilities, security mechanisms such as DNSSEC and SPF, the 4-corner model, the Peppol system, and cryptographic techniques such as signing with public and private keys. It also highlights Peppol's security features, which guarantee the integrity of invoices between access points and the authenticity of the sender.
Presentation Transcript
Infrastructures for transmission of electronic invoices. E-invoicing Training conference, Nicosia, October 30, 2017. Fred van Blommestein. This presentation expresses the position of the above-mentioned presenter, not of CEN.
E-mail: Spammers use fake domain names. Phishers send fake invoices. E-mail in transit can be eavesdropped. This happens on a large scale!
E-mail: For standard e-mail, no guarantee can be given for the authenticity and integrity of the invoice or invoicer. (But can it be given for paper invoices?)
Security is possible: DNSSEC, DANE, SPF; DKIM and STARTTLS; PGP/SMIME (but nobody uses these mechanisms).
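As an added illustration (not part of the original slides), this is how a receiving invoice mailbox could act on the SPF and DKIM results its own mail server records in the Authentication-Results header. The server name `mx.receiver.example`, the sample messages and the policy of requiring both checks to pass for the From domain are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # assumption: our own inbound MTA

# Constructed sample messages (not real traffic).
GENUINE = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=billing@supplier.example;\n"
    " dkim=pass header.d=supplier.example\n"
    "From: Billing <billing@supplier.example>\n"
    "Subject: Invoice 2017-001\n\nSee attached.\n"
)
SPOOFED = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=bounce@bulk-sender.example;\n"
    " dkim=none\n"
    "Authentication-Results: mx.unknown.example;"
    " dkim=pass header.d=supplier.example\n"
    "From: Billing <billing@supplier.example>\n"
    "Subject: Invoice 2017-002\n\nSee attached.\n"
)

def check_invoice_mail(raw):
    """Return (verdict, reasons) based on results recorded by our own MTA."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a header from any other server could be sender-supplied
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
            if not m:
                continue
            prop = re.search(r"(?:smtp\.mailfrom|header\.d)=([^\s;]+)", clause)
            domain = prop.group(1).rpartition("@")[2].lower() if prop else ""
            results.setdefault(m.group(1), []).append((m.group(2).lower(), domain))
    reasons = []
    for method in ("spf", "dkim"):
        # A pass only counts if it was obtained for the domain shown in From.
        if not any(r == "pass" and d == from_domain
                   for r, d in results.get(method, [])):
            reasons.append(f"{method}: no pass for From domain {from_domain}")
    return ("accept" if not reasons else "quarantine"), reasons

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_invoice_mail(raw))
```

The second sample is quarantined even though it carries an SPF pass, because that pass belongs to a different domain than the one shown in From, and the DKIM pass comes from a header the receiving server did not write.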
The 4-corner model [Diagram labels: Sender Trading Entity and Receiver Trading Entity, each with ERP / e-invoicing SW / BSP and an Access Point; Invoice; Peppol]
Peppol: SML/SMP, the phone book [Diagram labels: SMP, Invoice]
Signing: Public Key, Private Key, Certificate (diagram labels, each marked Sender). The slide shows a base64-encoded S/MIME signature attachment (Content-Type: application/x-pkcs7-signature; name="smime.p7s").
Peppol security [Diagram labels: MDN, MDN, https]
Peppol security: PEPPOL guarantees integrity of invoices between access points, including delivery confirmation, plus a guarantee on the authenticity of the sender.
Different countries, different policies: Scandinavia, Spain, Belgium, Poland and many other countries implement Peppol (UBL). Many countries implement a central government hub. Some countries route all invoices (incl. B2B) through the tax authorities.
ZUGFeRD: Germany and France implement ZUGFeRD/Factur-X. ZUGFeRD/Factur-X is a standard core invoice, in the UN/CEFACT syntax, enveloped in a human-readable PDF, sent by e-mail. Challenge for service providers: to create interoperability between ZUGFeRD/Factur-X and PEPPOL (different protocols, different security, different syntax).