ISO 19626-2:2021

INTERNATIONAL ISO
STANDARD 19626-2
First edition
Processes, data elements and
documents in commerce, industry
and administration — Trusted
communication platform for
electronic documents —
Part 2:
Applications
PROOF/ÉPREUVE
Reference number
ISO 19626-2:2020(E)
©
ISO 2020

---------------------- Page: 1 ----------------------
ISO 19626-2:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 19626-2:2020(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Relational architecture of TCP . 2
4.1 Overview . 2
4.2 TCP relational architecture . 3
4.3 Functionalities of TCP components . 4
4.3.1 TTP identity directory . 4
4.3.2 TCP communication server. 6
4.3.3 TCP communication client. 8
4.3.4 TCE repository . 9
5 TCP processes .10
5.1 Overview of main processes .10
5.2 Description of each process .12
5.2.1 PR1 (communication server registration process) .12
5.2.2 PR2 (e-identity registration process) .13
5.2.3 PR3 (communication authentication process) .14
5.2.4 PR4 (e-document transmitting process) .15
5.2.5 PR5 (perusal confirmation process) .19
5.2.6 PR6 (TCE preservation process) .20
5.2.7 PR7 (communication verification process) .21
5.2.8 PR8 (spam message handling process) .22
6 TCP APIs .23
6.1 General .23
6.2 Network requirements for APIs .23
6.2.1 General.23
6.2.2 Security requirements .23
6.2.3 Common requirements for protocol .26
6.3 Requirements for service interface .29
6.3.1 APIs of TTP identity directory .29
6.3.2 APIs of communication server .30
6.3.3 APIs of TCE repository .31
Annex A (Informative) Structure of TCE .33
Annex B (Informative) Structure of message header .37
Annex C (Informative) Detailed description for APIs.39
Bibliography .66
© ISO 2020 – All rights reserved PROOF/ÉPREUVE iii

---------------------- Page: 3 ----------------------
ISO 19626-2:2020(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 154, Processes, data elements and
documents in commerce, industry and administration.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 19626-2:2020(E)

Introduction
This document presents the TCP (trusted communication platform) system for trusted communication
in the open and distributed ICT (information communication technology) environment, as a connected
standard of ISO 19626-1.
The TCP system is a kind of middleware for connecting trusted communication in IoT (internet of
things) or cloud environments, that delivers the information between humans, organizations, and
devices by exchanging the e-documents via the TCP system components and stores the evidence of
executed communication.
This document specifies the functionalities of processes and APIs (application programming interfaces)
between TCP system components.
It intends to be described in the technology-neutral way in order that a TCP system can be implemented
by applying various wire-wireless applied services and communication protocols used in the real world.
The key points that are implicated to this document are as follows.
a) The communication protocol used for inter-connection between TCP components is a core function
of the application service layer in the distributed environment of wire and wireless communication.
The basic function of sending or receiving messages between the TCP system components compose the
common communication interface to deliver message(s) in a distributed computing system of wire and
wireless environment.
b) TCE (trusted communication evidence) can prove the trusted communication of in a TCP.
The TCP communication server executes reliable communication transactions, and create and store
TCE as the proof in a way of non-repudiation between the communication participants.
c) A TCP system can be adequately ported to various kinds of business communication systems.
A TCP system is connected as a transmit or receive module between the e-business systems connected
to be distributed with various work systems of B2B, e-government, and e-trade as well as the simple
electronic communication systems to transmit contents directly using the address of sender or receiver
(URLs, IP, address) such as the e-mail system as a related application system.
© ISO 2020 – All rights reserved PROOF/ÉPREUVE v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 19626-2:2020(E)
Processes, data elements and documents in commerce,
industry and administration — Trusted communication
platform for electronic documents —
Part 2:
Applications
1 Scope
As a connected standard of ISO 19626-1, this document defines the communication interactions
between TCP system components and specifies their detailed interfaces— the processes and the APIs
of the TCP system components.
It provides the common communication interface for deployment and implementation of the system
components, and their functions in a specific technology-neutral way to those who consider applying
and establishing a TCP system.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 19626-1, Processes, data elements and documents in commerce, industry and administration — Trusted
communication platforms for electronic documents — Part 1: Fundamentals
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 19626-1 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
blacklist
list of e-identities (3.3) of the originators who are proved having ‘malicious intent’
Note 1 to entry: If a message is confirmed as spam (3.5), an e-identity who sent the spam is classified as a sender
having ‘malicious intent’.
Note 2 to entry: An addressee receiving a message from the originator in the blacklist can reject receiving the
message.
3.2
characteristic information
unique identifying information to identify the entity in the offline (real) world such as a resident
registration number, social security number, or identification number of an IoT device
© ISO 2020 – All rights reserved PROOF/ÉPREUVE 1

---------------------- Page: 6 ----------------------
ISO 19626-2:2020(E)

3.3
e-identity
sole object to identify the entity who is the actual subject of communication activity under a TCP system
Note 1 to entry: In a TCP, it is the object which expresses the entity who is the actual subject of all activities
including transmission, reception, and perusal (viewing or reading), etc. of e-documents after the electronic
verification of identity.
3.4
e-identity ID
name that refers to an e-identity (3.3) identifying a value an e-identity gives itself for identification
Note 1 to entry: With the ID, the e-identity expresses itself and distinguishes itself from other e-identities.
3.5
spam
unsolicited email, which can carry malicious contents and/or scam messages
[SOURCE: ISO/IEC 27033-1:2015, 3.37, modified — "unsolicited emails" has been replaced with
"unsolicited email".]
3.6
whitelist
list of trusted communication servers in a TCP
Note 1 to entry: If a communication server is proved that the one is secure technically and politically and
complies with a standard and policy of the TCP, then TTP (trusted third party) directory server adds the one to
its whitelist.
4 Relational architecture of TCP
4.1 Overview
ISO 19626-1 presents 2 types of ‘TCP main’ and ‘TCP client’ in system architecture. As a connected
standard, this document enhances its relational architecture at the view of the interface.
As shown in Figure 1, once a transmitting entity (i.e, a sender) makes a delivery request to a receiving
entity (i.e. a receiver), each of the components can be linked to one another through linkage interfaces,
and the communication server is enabled to form an entrusted chain with a relying party. The pair-
linked communication servers implement communication that can be entrusted, and through their
interactions, generate TCE and can possess evidence in the TCE repository.
Figure 1 — TCP relational architecture
2 PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 7 ----------------------
ISO 19626-2:2020(E)

4.2 TCP relational architecture
Even if some communities intend to establish a TCP, they could not implement it in case their business
and technical environments are different.
The particular authentication level, applied technology and communication protocol, etc. in each
linkage need to be arranged properly by designing after classifying ‘TCP main’ and ‘TCP client’ even
under various existing legacy system environments (refer to the ISO 19626-1:2020, 5.2). Figure 1 shows
two interfaces.
a) TCP client interface
‘TCP client interface’ refers to an area inter-linked between a TCP communication client and a TCP
communication server. Apart from various existing legacy system environments, a TCP communication
client chooses and delegates a TCP communication server as its agent for trusted communication. At this
point, ‘TCP client interface’ should be agreed and linked by the SLA (service level agreement) suggested
by the communication server. Thus, in this interface, the communication server can function an agent
of the communication client to transmit the requested e-document(s) in a trusted manner under a TCP
architecture.
A TCP requires a standard interface for common linkage that a communication client and a server
shall comply with. Then there are advantages of being able to provide convenience or efficiency of TCP
operation to the communication clients. If a communication client wants to change its agent into the
other communication server in a TCP, the communication client is able to change easily with it without
being dependent on the proprietary interface of a specific communication server.
1) Client linkage: between a TCP communication client and a TCP communication server
— Once the entity gets to register its own e-identity by going through the process of verifying it
from the TTP identity directory, this entity becomes a participant as a TCP communication client.
— A TCP communication client can participate in trusted communication after signing a service
agreement provided by the communication server. This means the communication client doesn’t
perform the direct communication with the other communication client(s).
— A TCP communication client can delegate trusted communication after authentication of the TCP
communication server in the PR3 (communication authentication process).
b) TCP main interface
‘TCP main interface’ refers to an area which performs practical trusted communication through three
linkages that shall comply with a communication interface specification (see 6). ‘TCP main’ has the
following types of linkage:
1) Main1 linkage: between a TCP communication server and a TTP identity directory
— For the communication server to send or receive e-documents on the behalf of communication
client, information on the TCP communication server shall be registered in the TTP identity
directory in the PR1 (communication server registration process).
— The newly registered TCP communication server shall get added to the whitelist as a trusted list
in the identity directory. Then the identity directory shall notify the changed whitelist to the
other registered communication servers in the PR2 (e-identity registration process).
— Communication server shall query to the identity directory in order to acquire and verify infor-
mation on the relying party of reception in the PR4 (e-document transmitting process).
2) Main2 linkage: between TCP communication servers
© ISO 2020 – All rights reserved PROOF/ÉPREUVE 3

---------------------- Page: 8 ----------------------
ISO 19626-2:2020(E)

— When a communication server transmits e-documents by inter-linking with the communication
server of relying party, this communication server acts as a transmitting server.
— When a communication server has received the e-document, this communication server acts as
a receiving server by processing it in the PR4 (e-document transmission process).
3) Main3 linkage: between a TCP communication server and a TCE repository
— Communication server(s) shall store the TCE generated after sending or receiving an e-document
as evidence on the transactions of sending or receiving in the TCE repository in the PR6 (TCE
preservation process).
— If verification on the communication of sending or receiving the e-document is necessary, TCE
repository can verify the communication based on the stored TCE in the process of communi-
cation server verification.
4.3 Functionalities of TCP components
4.3.1 TTP identity directory
4.3.1.1 General
TTP identity directory provides a service to store and retrieve e-identity information on the entity
after identifying and authenticating the entity participating in the trusted communication in a reliable
method. The entity becomes a member of TCP as a communication client after registering an e-identity
in the TTP identity directory. In one TCP, only one TTP identity directory that has e-identity information
on all communication clients shall exist logically. In other words, even if the e-identity information
is physically distributed or replicated information exists in various places, there should be only one
integrated e-identity information logically and one shall be able to obtain the same information no
matter when or by whom the information is searched or retrieved.
TTP identity directory provides the 5 functions defined in 4.3.1.2 to 4.3.1.6.
4.3.1.2 To register and manage trusted list of TCP communication server
— A TCP communication server shall perform the function to transmit or receive e-documents by
receiving the request of the communication client. For doing it, this server shall be registered in the
TTP identity directory.
— Before the TTP identity directory registers a TCP communication server, methods or procedures
to verify functional security requirements, conformity of standards and interoperability shall be
determined according to ‘TCP main’ policy. However, such a policy of the TTP identity directory
shall reach a mutual agreement between the participants of TCP.
— After the communication server goes through verification on whether the concerned server is
implemented by conforming to the standard and whether the necessary functional requirements
are implemented, the network address of communication server and the information necessary for
security, etc. shall be registered at the trusted list in the TTP identity directory.
— The trusted list of registered communication servers is managed as the whitelist and only the
communication server listed in the whitelist can participate in the trusted communication. The
whitelist consists of a trusted list of TCP communication servers in the process of communication
server registration.
4.3.1.3 To identify entity
— TTP identity directory shall check and authenticate whether the information provided by the entity
is identical to its actual information in the real world (e.g. if the entity is a person or an organization,
4 PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 9 ----------------------
ISO 19626-2:2020(E)

name or unique ID of the entity such as resident registration number, social security number or
DUNS number, etc. and in case of a IoT device, it includes device ID, IP number and etc.) in the process
of registering, modifying or deleting e-identity information.
— Criteria or methods for verifying the identity of an entity are determined according to the policy of
the TTP identity directory and these shall be agreed between the participants who are performing
trusted communication under the concerned TCP system.
4.3.1.4 To register and manage information of entity
— To perform trusted communication under a TCP system, the entity shall register e-identity
information to the TTP identity directory.
— The entity may be a person or a conceptual subject such as a company, an organization, or IoT
device, etc.
— For the entity to register its information, information on which communication server is used
for sending or receiving e-documents in trusted mode is also necessary in addition to the basic
information on the entity such as unique ID which represents an e-identity, entity name, and an ID
commonly used in the real world (offline).
— In TCP, an entity is represented as an e-identity; and only an entity that has registered its e-identity
may participate in the trusted communication of e-documents as a TCP communication client.
4.3.1.5 To search e-identity information
— If the transmitting client intends to send an e-document to a receiving client in TCP, the transmitting
server which receives a request of sending an e-document from the transmitting client shall query
to the TTP identity directory in order to obtain information on the receiving server which receives
e-documents on the behalf of the receiving client.
— For this, the transmitting server requests to retrieve information which includes the network
address of the receiving server used by the receiving client to the TTP identity directory using
the e-identity ID value of the receiving client. After retrieving the requested information, the TTP
identity directory returns the retrieved information to the transmitting server.
— Also, in order to verify whether the transmitting server that has sent the message is the legitimate
communication server performing the role as an agent of transmission for the transmitting client
at the time of receiving the message, the receiving server shall query on this to the TTP identity
directory.
4.3.1.6 To handle spam messages, blacklist and whitelist
— Once the received message is determined as a spam message, the receiving client reports this
message as a spam message to the TTP identity directory through the receiving server. The identity
directory shall review the spam message status of this message after receiving the report of the
spam message.
— Once the TTP identity directory determines the reported message as the spam message, the TTP
identity directory shall add the originator (i.e., the e-identity of transmitting client) of the concerned
message in blacklist and shall notify the updated blacklist to all communication servers in TCP.
Unlike the whitelist managed as a list of communication servers, the blacklist is registered and
managed as a list of e-identities.
— Criteria or procedures to decide whether the submitted report of the spam message is appropriate
are determined according to the policy of the TTP identity directory and shall be agreed between
TCPSPs (TCP service providers) who are performing trusted communication under the concerned
TCP system.
© ISO 2020 – All rights reserved PROOF/ÉPREUVE 5

---------------------- Page: 10 ----------------------
ISO 19626-2:2020(E)

4.3.2 TCP communication server
4.3.2.1 General
TCP communication server provides a service to send or receive e-documents using a trusted method
by receiving a request of communication clients under a TCP system. All communication servers in one
TCP shall be implemented according to mutually agreed transmission or reception protocols inside
the TCP. Accordingly, all communication servers shall be verified in advance on whether the system
operates by conforming to the standards agreed in TCP main and whether it is interoperable with other
components in order to participate in TCP.
Methods or procedures to verify conformity with standards or interoperability on the communication
server shall be determined by mutual agreement between the TCPSPs.
TCP communication server shall provide the functions defined in 4.3.2.2 to 4.3.2.11.
4.3.2.2 To register and manage TCP communication client
— TCP communication client shall sign on an agreement about the use of trusted transmission or
reception service of e-documents provided by the TCP communication server to delegate actions of
the trusted communication to the communication server.
— For doing this, the communication server shall provide a function for the communication client to
apply for the use of services and a function to manage the information of communication clients
with whom the communication server makes an agreement on the use of services.
— For the communication client to apply for the use of services to the communication server, a client
shall be registered as an e-identity to the TTP identity directory and shall present a unique ID (i.e.
e-identity ID) representing the e-identity registered to the identity directory when applying for the
use of services.
— The communication server shall go through the process of verifying whether the connecting
communication client currently is a legitimate owner of the e-identity ID presented by a
communication client when applying for the use of services.
— After being registered to the TCP communication server properly, a TCP communication client
will be able to use the trusted transmission or reception service of
...