erasmus-without-paper / ewp-specs-api-iias-approval

Specifications of EWP's Interinstitutional Agreements Approval API
MIT License

Iia-hash element in Approval Response v2 of a mutually approved IIA in v6 #14

Open rolandfrancois opened 9 months ago

rolandfrancois commented 9 months ago

To upgrade an approval from v1 to v2, it is specified that:

A snapshot of the approved v6 IIA is needed to be able to upgrade to IIA v7 and Approval v2. Such snapshot is stored as an IIA v6 GET API response XML of the approved agreement.

Where do you get such snapshot? Should my system have stored it when approving the partner's copy? If so, where is it stated in the specifications?

I can't use my own copy (v6) of this agreement as it might not be exactly the same as the one stored by the partner.

mkurzydlowski commented 9 months ago

> Where do you get such snapshot?

You have to call partner's IIA GET and store the response.

> Should my system have stored it when approving the partner's copy? If so, where is it stated in the specifications?

Yes it should, to be able to prove what has been approved by you.

I'm not sure if this is mentioned in the technical specification. I'll check.

> I can't use my own copy (v6) of this agreement as it might not be exactly the same as the one stored by the partner.

That's right. It has to be the partner's IIA GET response!

rolandfrancois commented 9 months ago

> You have to call partner's IIA GET and store the response.

The partner's IIA GET response will be in v7 and we need to use a snapshot of the approved v6 IIA. This snapshot should have been saved at the same moment the IIA was approved but we don't do that in our system. I can't find anywhere in the specification that it was required.

mkurzydlowski commented 9 months ago

> The partner's IIA GET response will be in v7 and we need to use a snapshot of the approved v6 IIA.

That's right, you need to call it before v7 is introduced.

utilisatrice42 commented 9 months ago

Hello,

I really hope that every provider introduced the snapshot specification that was never defined anywhere. That and Valère Meus saying during the webinar that all specifications for v7 are defined and stable...

rolandfrancois commented 9 months ago

If it is not mentioned in the specification (my apologies if it is mentioned, but I couldn't find anything about it), how can you expect every provider to have stored this snapshot? If they don't take snapshots of partner's approved IIA before the release of v7, does this mean that the IROs of the affected providers will have to approve these IIAs again?

janinamincer-daszkiewicz commented 9 months ago

It depends on the local implementation what proof of signing the agreement it stores. Probably some providers stored only hash, and some stored both hash and XML. Keeping XML was not required.

The Mandatory Business Requirements document says (in Chapter 11):

The local implementation should keep the approval response from the partner in its system, to demonstrate at any time the agreement was approved.

The approval response contains hash and (optionally) PDF.

Now this XML is needed so that the new hash can be calculated. Hence the need to download them from partners before moving to v7.

P.S. Some time ago we discussed whether hash is strong enough as a proof and even proposed other solutions but eventually the community decided to keep hash.

demilatof commented 9 months ago

> Now this XML is needed so that the new hash can be calculated. Hence the need to download them from partners before moving to v7.

There is no guarantee that the current XML is still the same one that a provider previously approved. And the specifications say nothing about this point yet, which may be useful even if in the future we upgrade the version again.

What the approval specification should say is something like this:

Every time you approve the partner's IIA you MUST save:

  • The full partner's IIA xml
  • The partner's IIA hash code
  • The partner's IIA xml/namespace version

Every time you receive an approval from your partner, you MUST save:

  • Your full IIA xml
  • Your IIA hash code
  • Your IIA xml/namespace version

You can also use the above snapshot in case you need to revert from an amendment to your IIA.

@rolandfrancois @utilisatrice42 What you are saying is true. I wrote about this problem to the provider mailing list the day after the Infrastructure Forum of November; a notice about this was officially sent only on 30th November, that is, four months after the specifications were declared stable. I think that this is not the only issue we can have; the problem is that the approval process is poor by design if we need to use it even after the first mutual approval.

It's useless to discuss the proof of a mutual approval as long as the approval contains only the information about a single IIA and not about the two IIAs tied together.
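
The snapshot record proposed in the comment above (full partner XML, hash and namespace version, saved at approval time), as an added example that is not part of the thread or of the EWP specifications. The sample response, its namespace URI, the element names and the function names are assumptions; the SHA-256 digest only protects the stored copy and is not the EWP hash calculation.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample standing in for a partner's IIA GET response. The namespace
# URI, element names and hash value are assumptions made for this example.
SAMPLE_RESPONSE = (
    b'<iias-get-response xmlns="https://example.org/iias/stable-v6/get-response.xsd">'
    b"<iia><iia-id>IIA-0001</iia-id>"
    b"<conditions-hash>3f2a9c</conditions-hash></iia>"
    b"</iias-get-response>"
)

def make_snapshot(raw_xml: bytes, approved_hash: str, hash_element: str) -> dict:
    """Build the record to store at the moment the partner's IIA is approved."""
    if b"<!DOCTYPE" in raw_xml:  # partner input: refuse DTDs and entity tricks
        raise ValueError("DOCTYPE not allowed in a stored snapshot")
    root = ET.fromstring(raw_xml)
    namespace = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    version = re.search(r"-v(\d+)/", namespace)
    # Hashes the partner published in this exact response, matched by local name.
    published = [el.text.strip() for el in root.iter()
                 if el.tag.rsplit("}", 1)[-1] == hash_element and el.text]
    if approved_hash not in published:
        raise ValueError("response does not carry the hash being approved")
    return {
        "saved_at": datetime.now(timezone.utc).isoformat(),
        "namespace": namespace,
        "version": version.group(1) if version else None,
        "partner_hash": approved_hash,
        # Digest over the bytes as received; it protects the stored copy only
        # and is not the EWP hash calculation.
        "storage_sha256": hashlib.sha256(raw_xml).hexdigest(),
        "raw_xml": raw_xml,  # keep the original bytes, never a re-serialisation
    }

def verify_snapshot(record: dict) -> bool:
    """True if the stored XML is byte-for-byte what was saved at approval time."""
    return hashlib.sha256(record["raw_xml"]).hexdigest() == record["storage_sha256"]

if __name__ == "__main__":
    snap = make_snapshot(SAMPLE_RESPONSE, "3f2a9c", "conditions-hash")
    print(snap["version"], snap["partner_hash"], verify_snapshot(snap))
```

Storing the response bytes unchanged matters because any later hash recalculation has to run over what the partner actually served, not over a locally re-serialised copy.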