RE: Questions about IOTP 1.0

Eastlake III Donald-LDE008 <Donald.Eastlake@motorola.com> Mon, 03 May 2004 18:59 UTC

Content-return: allowed
Date: Mon, 03 May 2004 14:58:51 -0400
From: Eastlake III Donald-LDE008 <Donald.Eastlake@motorola.com>
Subject: RE: Questions about IOTP 1.0
To: 'Cullen Jennings' <fluffy@cisco.com>
Cc: ietf-trade@lists.elistx.com
Message-id: <62173B970AE0A044AED8723C3BCF23810408B43C@ma19exm01.e6.bcs.mot.com>
MIME-version: 1.0
Content-type: text/plain

Here is a quick response.

See at @@@ below

-----Original Message-----
From: Cullen Jennings [mailto:fluffy@cisco.com] 
Sent: Sunday, May 02, 2004 11:19 PM
To: ietf-trade@lists.elistx.com
Subject: Questions about IOTP 1.0

I apologize in advance for these naive questions but I'm just trying to get
up to speed on IOTP. If there is an implementers lists or a better list to
ask them on - please point me that way. I'm looking at this for use with
VoIP applications.

@@@ As far as I am aware, there isn't any other relevant mailing list.

In an OfferRespBlk, you can have a Payment which contains a BrandListRef but
I don't see how to put a BrandList in an OfferRespBlk. The text in section
3.2.1 about offer exchanges indicates that organization such as the Merchant
and Payment Handler can be indicated in the OfferRespBlk but again, I don't
see how to do that. Are both of these solved by putting them in a TpoBlk in
the same IotpMessage?

The DeliveryReqBlk is described in section 2.2.3 as having a Payment Receipt
Signature.  I don't see how to include that. It also seems that the actually
Payment Receipt is needed so that the Delivery service and validate the
signature but I don't see any mention of including a PayReceipt in the
DeliveryReqBlk. Even if signatures are not being used, it seems very
desirable to have the Payment Receipt available in the Delivery Request. Is
there a way to do this?

@@@ There should be others who can answer the above two paragraphs better than I can but if there isn't any other answer within a few days, I'll give it a try.

I'm confused about how HMAC works as a signature algorithm.

@@@ An HMAC is a keyed hash function. Using official definitions of terms, an HMAC isn't a "digital signature" but a MAC (Message Authentication Code) since it uses symmetric keying rather than a public/private key paid. That is, anyone who can verify an HMAC has the key necessary to forge a HMAC for the purported source. But it is much more efficient that a public key signature. Which kind of "signature" to use, if any, is an engineering decision for a particular system.

Are there common interoperation tests folks implementing this do? Interop
events? Common implementations that are good to test against? Open source
implementations? Operational deployments? There seem to be really a lot of
typos in the RFC. Do people recommend to use this in new things or is it
just an historical document?

@@@ As far as I know, there is relatively little activity in deploying IOTP at this time although parts of it have been incoporated into some systems like InterPay. Note that some errata are in RFC 3504.

Many Thanks, Cullen

@@@ Thanks,
@@@ Donald
===========================================================
 Donald E. Eastlake III       Donald.Eastlake@Motorola.com
 Motorola Laboratories               1-508-786-7554 (work)
 111 Locke Drive                     1-508-634-2066 (home)
 Marlboro, MA 01752 USA

RE: Questions about IOTP 1.0 Eastlake III Donald-LDE008
Questions about IOTP 1.0 Cullen Jennings