=Paper=
{{Paper
|id=Vol-2803/paper21
|storemode=property
|title=Mutual recognition mechanism of e-documents and data
exchanging across borders: centralized and decentralized
approaches
|pdfUrl=https://ceur-ws.org/Vol-2803/paper21.pdf
|volume=Vol-2803
|authors=Vladimir N. Kustov,Ekaterina S. Silanteva
}}
==Mutual recognition mechanism of e-documents and data
exchanging across borders: centralized and decentralized
approaches==
https://ceur-ws.org/Vol-2803/paper21.pdf
Mutual recognition mechanism of e-documents and data
exchanging across borders: centralized and decentralized
approaches
Vladimir N. Kustova, Ekaterina S. Silantevab
a
Saint Petersburg Railway Transport University of Emperor Alexander I, 9 Moskovsky Ave., Saint-Petersburg,
190031, Russia
b
LLC New space of trade, 5 Orlikov lane, 2 Build. 9 Fl. 34 Room, Moscow, 107078, Russia
Abstract
An integral part of a company's business processes global digitalization and automation is
the transition to cross-border electronic legally significant document circulation. This
article is devoted to reviewing two different methods of mutual recognition mechanisms:
centralized and decentralized.
Keywords
Mutual recognition mechanism, e-documents, data exchanging, cross-border, centralized,
decentralized, approaches
1. Introduction The structure overgrew, rising ever higher toward
the sky, which made people extremely happy.
Do you remember the biblical legend [1] that tells Simultaneously, with the tower, the World Flood's
how and why people began to speak different things had to wash away - human pride and vanity-
languages, the Babel Tower legend? For the revived and strengthened.
respondent positively to this question, we will God learned about this tower, and he did not like
refresh the memories, but we will briefly describe people's ideas. However, God did not punish people
those who do not know such a tradition1. by death, but punished them differently: one day,
Once upon a time, all people, Noah's clan when they started to work, people suddenly stopped
descendants who escaped during the Flood in the ark understanding each other's speech. They could not
built by himself and found refuge near the Ararat continue tower building because they began to
Mountains, spoke the same language. Gradually, the quarrel, not understanding what the other wants.
human race grew, acquired new knowledge and Watching this, God decided to help people forcing
skills. Besides, having accumulated specific skills them to leave the city and leave. People left the
luggage, people decided to apply them in practice unfinished tower and settled in different earth parts.
and build a city and build a high tower, to the very Over time, they forgot about their relationship, they
heavens seen from everywhere. had their traditions, language, rites, customs, and the
unfinished city, where the tower was erected, was
called Babylon, which means "mixing."
Models and Methods for Researching Information Systems
in Transport, Dec. 11-12, St. Petersburg, Russia
Why did we remember that? The answer is an
EMAIL: kvnvika@mail.ru (A. 1); the_best_kat@mail.ru (A. 2); orientation toward the world (international, cross-
©️ 2020 Copyright for this paper by its authors. Use permitted under Creative
Commons License Attribution 4.0 International (CC BY 4.0). border) digitalization and automation of many
CEUR Workshop Proceedings (CEUR- business processes. However, despite this, do not
WS.org) forget about the individual states' desire to preserve
150
�and develop their language, writing, traditions, straightforward architecture. Nevertheless, it can be
customs, and digital sovereignty. In keeping part of used in cases when several State Parties of the
this digital sovereignty in global digitalization and Framework Agreement on Facilitation of Cross-
automation conditions, the principal contradiction border Paperless Trade in Asia and Pacific
arises: different states' cryptographic standards (Framework Agreement, FA) agree to use the
incompatibility. From time immemorial, every general CA for paperless trade [9].
people have gone along his development line and do The model of this Architecture is presented in
not plan to retreat from it by the current day. Figure 1.
2. Methods of implementation of the
mutual recognition mechanism
based on the centralized
infrastructure
RFC 5217 «Memorandum for Multi-Domain Figure 1. Simple PKI Architecture
Public Key Infrastructure Interoperability» [8]
provides a terminology framework for operational A simple PKI consists of a single CA with a self-
requirements, which can be used by different Public signed certificate that issues End Entities (EEs)
Key Infrastructure (PKI) authorities for establishing certificates. End entity is the subject of a certificate
trust relationships with each other. that is using, or is permitted and able to use, the
RFC 5217 classifies mechanisms of mutual matching private key only for a purpose or purposes
recognition of Trust services based on an other than signing a certificate.
infrastructure of open keys.
2.2. Different Multiple CA Architectures
2.1. Single Certification Authority (CA)
Architecture Trust relations between Certification Authorities
could be classified on the following basis:
So, let's take a closer look the single CA 1) The common use of crypto algorithms;
architecture. 2) Common Policy of certificates.
In this model, the Mutual Recognition Different Multiple CA Architectures is presented
Mechanism (MRM) is provided with trust to the in Table 1.
common Certification Authority. It is the most
Table 1.
Models of the mutual recognition mechanism
The common use of crypto algorithms
Common
policy of Crypto algorithms are commonly Crypto algorithms of at least one party have
certificates used a limitation on the cross-border distribution
(not common use)
• Hierarchical PKI Architecture
• Mesh PKI Architectures Crypto algorithms of at least one party have a
Common • Hybrid PKI Architectures limitation on the cross-border distribution (not
certificate commonly use)
policy
Different Cross-certification with policy Trusted Third Party (TTP)
certificate mapping
policy
In case when the parties use different CA, but all cryptographic algorithms and certificate policy of
participants of interaction commonly use this CA, mutual recognition could be used:
• Hierarchical PKI Architecture;
151
� • Mesh PKI Architectures; 5. A PKI member may choose to participate in
• Hybrid PKI Architectures. the PKI domain but restrict or deny trust in one or
In case the parties use different CA cryptographic more other members PKIs of that same PKI domain.
algorithms. Certificate policies in the created chains The establishment of trust relationships has a
of certification are various; cross-certification with direct impact on the trust model of relying parties.
policy mapping can be used for mutual recognition. As a result, consideration must be taken to create and
Two or more PKIs may choose to enter into trust maintain PKI domains to prevent building
relationships with each other. Each PKI retains its inadvertent trust relationships.
own set of Certificate Policy Object Identifier PKI Domain Models are:
(Policy OID) and its own Principal CA for these 1. Unifying Trust Point (Unifying Domain)
relationships. In addition to making a business Model.
decision to consider a trust relationship, each PKI 2. Independent Trust Point Models.
determines the level of trust of each external PKI by 3. Direct Cross-Certification Model.
reviewing external PKI Certificate Policy 4. Bridge Model.
Document(s) and any other PKI governance Trust Models External to PKI Relationships
documentation through a process known as policy remains to consider ways to implement the mutual
mapping. Trust relationships are technically recognition mechanism for cases where other
formalized through the issuance of cross-certificates. cryptography is used in PKI domains. Such methods
Such a collection of two or more PKIs is known as a include:
PKI domain. 1. Trust List Models.
PKI domain: A set of two or more PKIs that have 2. Trust Authority Model.
chosen to enter into trust relationships with each 3. Trusted Third Party Model.
other through the use of cross-certificates. Each PKI Here, the option to use a trusted third party as the
that has entered into the PKI domain is considered a most common and most universal one should be
member of that PKI domain. considered in more detail. The remaining models can
A domain Policy Object Identifier (OID) is a be considered in more fact later.
Policy OID that is shared across a PKI domain. Each The trusted security services provided by the
CA in the PKI domain must be operated under the specialized providers can be used to provide security
domain Policy OID. Each CA may also have its in information interaction. Trusted security services
Policy OID(s) in addition to the domain Policy OID. can perform functions similar to notaries, apostille,
In such a case, the CA must comply with both and trusted delivery in paper documents exchange
policies. The domain Policy OID is used to identify flow. The trusted security services operators must be
the PKI domain. the trusted third parties (TTP) of the information
Policy Mapping: A process by which members of exchange parties. The activities of TTP must be
a PKI domain evaluate the Certificate Policies (CPs) governed by the international law of the States-
and other governance documentation of other participants of the information interaction, or
potential PKI domain members to determine the bilateral agreements of the parties of informational
level of trust that each PKI in the PKI domain places interaction.
on certificates issued by each other PKI in the PKI Thus TTP is the electronic equivalent of notaries,
domain. apostille, and trusted delivery institutions. TTP is not
PKI Domain Properties: an entirely new institute; it continues the tradition of
1. A PKI domain may operate a Bridge CA or a confirming the document's integrity and authenticity.
Unifying CA that defines the domain members by From a legal point of view, the electronic document's
issuing cross-certificates to those members. function must pass from the document owner to a
2. A single PKI may simultaneously belong to third party - the operator of TTP. It is a key
two or more PKI domains. specificity of the informational interface.
3. A PKI domain may contain PKI domains The trust is supported by a warranty of
within its membership. authenticity of electronic documents, financial
4. Two or more PKI domains may enter into a liability for the electronic documents' actuality. It is
trust relationship with each other, creating a new the basic principle relevant for legally significant
PKI domain. They may choose to retain the existing transboundary electronic document circulation when
PKI domains and the new PKI domain or collapse the contractors are far apart and in different
the existing PKI domains into the new PKI domain. jurisdictions.
152
� It is a classic solution for providing secure Validation of Digitally Signed (VDS) Document
transmission of information via a non-trusted service is used when a signed document's validity is
channel. asserted.
TTP description was provided in ITU-T The DVCS verifies [3]:
Recommendation X.842 «Information technology – 1. All signatures attached to the signed
Security techniques – Guidelines for the use and document using all appropriate status information
management of trusted third party services.» [4] and public key certificates;
Following this document, а TTP is an organization 2. The mathematical correctness of all
or its agent that provides one or more security signatures attached to the document and checks
services and is trusted by other entities concerning whether the signing entities can be trusted by
these security services' activities. The same validating the full certification path from the signing
document contains the most general description of entities to a trusted point (e.g., the DVCS's CA or the
the TTP services' architecture from different PKI root CA in a hierarchy).
domains. The DVCS may be able to rely on relevant CRLs
One of the most well-known implementations of or may need to supplement this with access to more
the trusted third-party model is Data Validation and current status information from the CAs, for
Certification Server (DVCS) by the example, by accessing an OCSP service, a trusted
recommendations RFC 3029 «Internet X.509 Public directory service, or other DVCS services.
Key Infrastructure. Data Validation and Certification The DVCS will perform verification of all
Server Protocols» [2]. It can be used as one signatures attached to the signed document. A failure
component in building reliable non-repudiation to verify one of the signatures does not necessarily
services. fail the entire validation, and vice versa. A global
One of the protocols realized by the DVCS failure may occur if the document has an insufficient
service is intended for verification of the electronic number of signatures.
documents signed with the digital signature. The
Validation
Validation Signed receipt Authority B
Authority A 5
4
Certificate 1
issuing
Validation
1 request Certificate
3 issuing
Signed receipt Certification
Certification Authority B
Authority A Validation
request
1
1
6 Certificate
Certificate issuing
issuing
2
Legal significant State B
State A document (Sender)
(recipient)
Figure 2. The Diagram of the functioning of MRM based on DVCS for supporting the trust in case of cross-
border exchange of electronic trade-related legal and significant documents
The Diagram of the functioning of MRM based Processing of a request of DVCS received from
on DVCS for supporting the trust in case of cross- user 1 includes the following stages (according to
border exchange of electronic trade-related legal and Figure 2):
significant documents (the sender and the receiver 1. Participants of information interaction are
residents of the different states) is shown in Figure 2. included in their public key infrastructure; that is,
153
�they create their key pairs and receive certificates in 5. The various national and international
their Certification Authorities (CAs). requirements to the Certification Authorities may be
2. User B (the resident of the state B) signs the considered as an analogy.
ED of the EDS created according to the national To provide Mutual recognition of trade-related
legislation requirements and sends it to User A. electronic information when PKIs use different,
3. The user A (through a private office (web incompatible between each other Cryptography
interface) or using a special software sends a request measures or their domains have separate legal bases,
to the validation authority A. we should use DVCS functioning by RFC 3029
4. Validation Authority A executes «Internet X.509 Public Key Infrastructure. Data
determination of the cryptographic algorithm using Validation and Certification Server Protocols».
which the EDS is created (the certificate of a key of DVCS receipt allows providing trust between
verification of the EDS is issued) according to the different PKI domains in the case when their cross-
object identifier specified in the certificate of a key certification technically or legally is impossible.
of verification of the EDS and will readdress it to the For correlation of the certificates policy, the
Validation Authority B located in the state B. On it receipt of DVC service can map the Policy in the
using the execution of the sequence of cryptography same manner as it is mapped in cross-certification
conversions check of the received request is procedures.
executed. Following the completed checks, the DVC In the extension of policy mapping, the
receipt signed with the EDS of Validation Authority intermediate Certification Authority guarantees to
B is created. the user of the certificate that it will fulfill general
5. The DVC receipt signed with Validation guarantees and obligations, even although the other
Authority B with the check results is transferred to users of the certification chain work in the different
Validation Authority A. policy areas.
6. Validation Authority A checks the Certification Authority (CA) of the integration
correctness of the DVC receipt accepted from segment should include one or several mappings for
Validation Authority B. At the same time, there is an each set of the policies according to which it has
appeal to the server of service TSP for adding of a issued TTP certificates. This CA shouldn't include
stamp of time in the receipt created by results of mappings for other policies. Thus, the group of
verification of the DVC receipt created by Certification Authority of an integration segment and
Validation Authority B and also check of the status the TTP services using certificates of this CA fulfill
of the certificate of a key of the EDS of Validation the TTE role between domains with the various
Authority B using the appeal to service of check of levels of reliability.
the relevant status of the certificate (OCSP) or According to which Sender of Certification
certificate revocation lists of CAs which issued the authority acts, suppose one or several Certificate
certificate of a key of the EDS of Validation policies are identical to those, by which Certification
Authority B is executed. Validation Authority A Authority of TTP integration segment operates. In
creates the report signed with the certificate of a key that case, these identifiers should be excluded from
of check of Validation Authority A and transfers him the extension of policy mapping but included in the
to User A. extension of certificate policies. Policy mapping has
The requirements for TTP should be the the effect of transforming all policy identifiers in the
following: sender domain's certificates to the identifier of
1. TTP has absolute credibility among the equivalent Policy recognized by the user of the
information exchange participants. certificate (recipient). In this schema identifier of
2. TTP uses the mechanisms of evaluation and equivalent, Policy is described in the receipt of TTP
compensation of damages. service.
3. TTP uses the methods of conflict resolution;
4. TTP provides the necessary guarantees.
154
� Figure 3. TTP for the domain with different levels of trust
A distributed network is a type of computer
3. Methods of the mutual recognition network that is spread over different networks. It
provides a single data communication network,
mechanism implementation based which can be managed jointly or separately. Besides
on the decentralized structure shared communication within the network, a
distributed network often also distributes processing.
3.1. Blockchain technology In a distributed network, the responsibilities for data
transactions and computations are not given to any
The required trust level may also be supported by specific node. On the contrary, they are spread
the trust infrastructure, built on a decentralized across the web, which is responsible as a whole for
model. One of the technologies allowing to the results of a given process, like in some biological
implement of a decentralized model is the ecosystems, such as an ant community, where the
blockchain. The idea of blockchain technology is construction of an ants' nest is the result of
simple. Its broader and more encompassing form, independent contributions by each ant. Blockchain
blockchain can be defined as a technology to technology guarantees that the distributed network's
develop trusted processes and data transactions on an overall behavior, programmed to execute a particular
open and distributed network via decentralized process, is trustworthy. In this context, blockchain
consensus among computer systems. tries to respond to contemporary real-world
In its more common, widely used form, «a scenarios' complexity by offering technology and a
blockchain is essentially a distributed database of methodology for designing distributed applications
records or public ledger of all transactions or digital that operate with private data in an openly verifiable
events that have been executed and shared among way.
participating parties.» Each transaction in the public A distributed transactions system based on
ledger is verified by the consensus of most of the blockchain technology by its nature implements a
participants in the system. And, once entered, ledger. This concept is at the core of the regulatory
information can never be erased. The blockchain activities carried out by a wide range of authorities,
contains a certain and verifiable record of every institutions, and businesses. A more transparent,
single transaction ever made. trusted, and globally recognized accounting
155
�mechanism of this kind could dramatically facilitate using blockchain technology, creating clear and open
and harmonize processes in e-Business and cross- conditions for their use.
broader trade scenarios. Even if, at the current stage This platform contains various blocks that allow
of development, blockchain technology hasn't served to track-and-trace goods from farm to retailer.
the purpose of trade facilitation directly, it is already These parts are:
clear that, in the next decade, its contribution could • The source of the crop or the
be substantial. These positive expectations shouldn't agricultural process
prevent us from evaluating the limitations of an • Lab Testing information.
international trade approach enabled by blockchain • Organic and Halal Certificates.
technology, for example, in the context of legally • Dispatch Details and Logistics
binding agreements among traders. provider details starting to add value.
• Recording of receipt from the
3.2. Case study: Transparent e-documents and
agricultural source.
data exchange with the use of blockchain • Lab Testing and reports on receipt.
• Halal or Organic certifications or
Blockchain technology in the supply chain can be any other accreditations.
used to monitor costs, labor, losses, and emissions at • Lot or batch numbers and processing
each point in the supply chain. A distributed registry information.
can also be used for verification of authenticity or
• Any contamination reports and
compliance with fair trade rules by providing
holding actions.
information on the origin of the goods. The delivery
• Storage information (temperature
information can be a transaction every time you
and humidity control).
interact with a shipment.
A related technology called «Smart Contract» can • Batch release info and id codes.
be embedded in a block and triggered when a certain • Logistics release info and logistics
condition is met. For example, a payment transfer provider.
can occur automatically when a shipment reaches the • Crop yield, Dietary info for live
customer's location. animals, mortality rates.
• Tagging of live animals.
3.3 PKI and Blockchain: Key study for • Crop Harvesting information and
agriculture value chain (AVC) data tagging, with batch, date of release.
In this article, the authors would like to present • Suppose we are exporting any
the key study for agriculture value chain (AVC) shipping details. Bills of Lading / Airway
based on the combination of PKI and blockchain bills and destination Final Value add to
technologies. the Supply Chain and the most vulnerable to
First, we will start from the decentralized abuse.
approach based on the digital blockchain platform. • Goods in from source or primary
The most convenient way to implement processor.
blockchain technology is to create a digital platform • Recipe formulations and ingredients
that organizes interaction between different groups traceability.
of participants who need to know certain information • Production batch codes and
about each other's activities. The ability to organize production dates.
interaction is essential for forming long-term • Nutritional Information.
productive business relations between the • Storage Information
participants of the agricultural value chain. The idea • Certifications.
of this platform was provided by Evoteq Company. • Issued Barcodes or other identifiers.
The digital platform [5] (see Figure 4) is open to • Expiry date information.
interaction and integration through the cloud, • Logistics Information.
making it accessible to all agricultural value chain • Shipping details dispatch date and
participants. The digital platform architecture can destination.
significantly scale up without loss in quality and • Goods out info.
efficiency that will expand it to new product groups • Vehicle Temperature monitoring.
and new participants of the platform. The platform
provides a high level of trust between participants
156
� Figure 4. Blockchain use in the value chain
• Delivery confirmation. 5. Protects the integrity of the products and
• Protecting the consumer. provides the possibility of recalling the
• Goods in and Temperature check. manufacturer's goods to correct defects.
• Expiry date check (remaining 6. Allows checking for compliance with
shelf life complies). special needs (diabetic, organic, Halal goods).
• Storage details. 7. Allows suppliers to track products on the
• EPOS Data. market.
Blockchain platform gives a possibility to 8. Allows users to check the supply chain.
provide supplier managed inventory service and 9. Allows inspectors to verify the validity
develop a complete dietary information database. and acceptability of goods.
The consumer can check the product through 10. Protects the supply chain from
barcoding information. counterfeiting.
Allows the consumer to know where a product The introduction of blockchain technology into
is sold. the track&trace system will enable manufacturers,
The digital platform of the agricultural value importers, and distributors to track their internal
chain can be connected and interact with the processes better.
digital platform of the EAEU. The introduction of a digital track&trace
The economic benefits offered by this cloud platform, according to experts estimates, will
solution can improve the efficiency of the entire achieve 99% accuracy of inventory data compared
value chain. It solves the following tasks: to 40-70% accuracy as it currently stands, which
1. Allows downloading product data at any will optimize production and imports and
stage of the value chain. significantly affect the reduction of the cost of
2. Provides continuous access to data. goods [6].
3. Ensures the integrity and security of the During a pilot program conducted with
supply chain. Walmart, the testing showed that by using
4. Ensures that only proven, legally blockchain to track food, you could reduce the
compliant products are available on store shelves. time it takes to track mango packaging from farm
to store in just two seconds instead of days and
157
�weeks. During the pilot, more than 100,000 to build a business network, where the business
mangoes from a Queensland supplier in Northern entity can choose the partner, make deals, find
Australia were withdrawn by Biosecurity SA after investments, etc. These two systems are fully
fruit fly larvae were discovered in mangoes in compatible and provide mutual recognition of e-data
Adelaide's foothills. The responsiveness of the and e-documents via the whole AVC.
recall allowed the organization to maintain its
reputation [7].
So, within a supply chain, blockchain References
technology could be used to monitor costs, labor,
waste, and emissions at every point of the supply [1] Genesis Book. (11: 1-9). URL:
chain, verify the authenticity or fair trade status of http://bibliya-online.ru/chitat-bytie-glava-11/.
products by tracking them from their origin, [2] RFC 3029 "Internet X.509 Public Key
shipping details could constitute a transaction at Infrastructure Data Validation and
every interaction with a shipment – and Certification Server Protocols". URL:
customer(s) would know about it, trigger an action http://www.faqs.org/rfcs/rfc3029.html.
automatically. [3] Product description "TTPS "Litoria DVCS".
However, there is a question: how can we URL:
combine decentralized and centralized http://www.gaz-is.ru/produkty/dokumentoobo
approaches? The answer is - we will use business rot/gis-dvcs.html.
tools: a digital platform for track-and-trace AVC [4] Information technology - Security
and a social network for trusted e-documents techniques - Guidelines for the use and
exchange. management of trusted third party services
A business network is based on a social (X.842). URL:
network plus trusted cross-border e-document https://www.itu.int/rec/T-REC-X.842-200010
flow, based on PKI [8], that allows a customer to -I/en.
build a business network, choose the partner, and [5] Smarttrack. Global supply platform to ensure
make deals, find investments, etc. This network is global supply chain integrity. URL:
fully compatible with AVC based on the https://evoteq.com/en/our-projects/smarttrack.
blockchain system. [6] M. L. Simanovskaya, E. S. Silanteva, The use
Both these systems make AVC transparent and of digital technologies to increase the
business processes simpler. competitiveness of small and medium-sized
businesses in the food sector / / State
4 Conclusion Management: Russia in Global Politics,
Proceedings of the XVII International
The authors reviewed two potential approaches Conference (May 16-May 18, 2019),
to the mutual recognition mechanism: centralized University Book Faculty of Public
and distributed. Suppose Trust services engaged in Administration of Lomonosov Moscow State
document lifecycle (incl. the chain of inter-domain University, Moscow Russia, 2019, pp. 159-
gateways between the document's issuer and 165.
recipient) have different qualification levels. In that [7] Case Study: How Walmart brought
case, the overall level of qualification may be equal unprecedented transparency to the food
to the lowest of them. The level of trust could be supply chain with Hyperledger Fabric. URL:
provided in two different ways: transboundary trust https://www.hyperledger.org/learn/publication
environment and blockchain ecosystem.
s/walmart-case-study.
We discussed a case study on the agriculture
[8] RFC 5217 - Memorandum for Multi-Domain
value chain example. Within a supply chain,
blockchain technology could be used to monitor
Public Key Infrastructure Interoperability».
costs, labor, waste, and emissions at every point of URL: https://tools.ietf.org/html/rfc5217.
the supply chain, verify the authenticity or fair-trade [9] Framework Agreement on Facilitation of
status of products by tracking them from their origin, Cross-border Paperless Trade in Asia and
shipping details could constitute a transaction at Pacific (Framework Agreement, FA) agree to
every interaction with a shipment – and customer(s) use the general CA for paperless trade. URL:
would know about it, trigger an action automatically. https://www.unescap.org/resources/framewor
Social network plus trusted cross-border k-agreement
e-document flow, based on PKI, allows a customer
158
�facilitation-cross-border-paperless-trade-asia-
and-pacific-0.
159
�