iho-ohi / S-102-Product-Specification

This repository is open for developing the S-102 Bathymetric Surface Product Specification. The contents of this repository are not an official publication in force; please check the final version on the IHO website.

Cancellation support clarification #81

Closed skjeves closed 6 months ago

skjeves commented 10 months ago

As a result of the PT16 meeting, an action was to register the cancellation topic. Briefly explained, our PS needs amendment to fully implement the support for the fileless cancellation mechanism, as described in S-100 Part 17. There was consensus in PT16 to support only this mechanism, and not the file-based cancellation mechanism.

However, there is an ongoing discussion related to an identified security breach in the fileless cancellation mechanism, namely the inability to digitally sign a fileless cancellation instruction. The topic is up for discussion in WENDWGs February 2024 meeting, and will be monitored to provide further feedback in this issue. Hopefully the outcome will help our PT to make a final decision and implement support for the fileless cancellation mechanism.

Further information on the topic is available in this paper and the accompanying presentation: S102PT16 Cancellation support clarification.pdf S-102PT16_Cancellation support clarification pres.pdf

rmalyankar commented 10 months ago

S-100 Part 17 clause 17-4.4.1 says:

Fileless cancellation may be achieved by using a dataset metadata entry with the filename and original digital signature specifying the resource to be cancelled, and with all other mandatory metadata fields also set to the same values as the original.

"all other mandatory attributes" would cover issueDate too, so the dataset discovery metadata block in the cancelling CATALOG.XML would have to be the date the dataset was originally issued. Two issues arise:

  1. How does the producer indicate the date the cancellation becomes effective?
  2. What is the effective date of cancellation on the end-user system?

The answer to the second should be "when the cancellation is received and applied on the end-user system". Addressing the first may need an S-100 update to allow cancellation blocks to specify an issue date and time no earlier than the original.

skjeves commented 10 months ago

I agree with Raphael, I would expect the cancellation instruction itself to have its own issue date encoded, as that would reflect the date the cancellation becomes effective. The effective date of cancellation on the end-user system would be the date the cancellation instruction reaches the end user system. It is not possible to encode a cancellation instruction specifying a future point in time to become effective.

Another issue is the original digital signature specifying the resource to be cancelled. I cannot see how this makes the process any safer. It would still be possible for a Data Server to issue a cancellation instruction that does not originate from the data producer.

skjeves commented 9 months ago

Short update from the WENDWG discussion: WENDWG considered it important that a solution is provided for the cancellation traceability issue and will report back to S100WG; as a consequence, the issue will be discussed at TSM10, 12-15 March 2024.

WENDWG Action: [image]

skjeves commented 8 months ago

Update from S-100 Test Strategy Meeting (S100TSM10): TSM decided on the following decision: [image]

The impact on S-102PT would then be to follow the consensus from PT16 to support the fileless cancellation mechanism.

Following @rmalyankar's comments further above, S-100 5.2.0 will also be changed to allow the cancellation instruction to have its issue date encoded. The new text (bold) in S-100 Part 17-4.4.1 will be: Fileless cancellation may be achieved by using a dataset metadata entry with the filename and original digital signature specifying the resource to be cancelled, and with all other mandatory metadata fields also set to the same values as the original, **with the exception of the issue date which must be set to the issueDate of the fileless cancellation itself**.

(@rmalyankar this change should also be reflected in S-104/S-111)

skjeves commented 8 months ago

To update the S-102 Product Specification, I would suggest amending chapter 11.2.1 Dataset management as described here, to avoid calling cancellation a dataset type, as a fileless cancellation is not a dataset:

11.2.1 Dataset management

Two types of dataset files may be produced and contained within an exchange set:

— New dataset: Initial.
— New edition of a dataset: Includes new information. New editions must cover at least the same area as its predecessor.

Cancellation. The dataset is cancelled and no longer available to be displayed or used.
S-102 uses the fileless cancellation method described in S-100 5.2.0 Part 17 clause 17-4.4.1: Fileless cancellation may be achieved by using a dataset metadata entry with the filename and original digital signature specifying the resource to be cancelled, and with all other mandatory metadata fields also set to the same values as the original, with the exception of the issue date which must be set to the issueDate of the fileless cancellation itself.

Another approach could be to look at S-104/S-111 chapter 8.2.4.2, which has more extensive descriptions related to metadata for cancellation (although minor updating of them is needed as well, ref. previous comment).
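To make the amended 17-4.4.1 rule concrete, here is an added example (not from the S-102 PS, S-100, or anyone in this thread) that applies the check to constructed discovery-metadata entries and shows the traceability gap raised above: the carried-over signature verifies only the original dataset, so a cancellation entry assembled by a party without the producer's key passes the same structural check. Field names, the HMAC stand-in for the digital signature, and all values are assumptions for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date

# Mandatory discovery-metadata fields the rule compares. Names are assumptions for
# this example, modelled on S-100 Part 17 attributes, not copied from the spec.
MANDATORY = ("fileName", "editionNumber", "productSpecification", "producerCode")


@dataclass(frozen=True)
class Entry:
    fileName: str
    editionNumber: int
    productSpecification: str
    producerCode: str
    issueDate: date
    digitalSignatureValue: str  # hex signature over the dataset file bytes


def sign_dataset(key: bytes, dataset: bytes) -> str:
    # HMAC-SHA256 stands in for the producer's signature scheme (assumption).
    return hmac.new(key, dataset, hashlib.sha256).hexdigest()


def check_cancellation(original: Entry, entry: Entry) -> list[str]:
    """Amended 17-4.4.1: all mandatory fields and the original signature must equal
    the original's; issueDate is the cancellation's own and may not predate it.
    Returns the list of violations; an empty list means structurally valid."""
    problems = [f"{n} differs" for n in MANDATORY
                if getattr(original, n) != getattr(entry, n)]
    if entry.digitalSignatureValue != original.digitalSignatureValue:
        problems.append("digitalSignatureValue differs")
    if entry.issueDate < original.issueDate:
        problems.append("issueDate earlier than original")
    return problems


def demo() -> dict:
    key = b"constructed-producer-key"                  # never leaves the producer
    dataset = b"constructed S-102 HDF5 bytes"          # stands in for the file
    original = Entry("102NO00001.H5", 1, "S-102", "NO", date(2024, 1, 10),
                     sign_dataset(key, dataset))
    genuine = replace(original, issueDate=date(2024, 3, 20))      # producer's
    third_party = replace(original, issueDate=date(2024, 3, 21))  # copied fields
    return {
        "genuine_ok": check_cancellation(original, genuine) == [],
        "third_party_ok": check_cancellation(original, third_party) == [],
        # The copied signature still verifies, because it only covers the dataset.
        "sig_verifies": hmac.compare_digest(sign_dataset(key, dataset),
                                            third_party.digitalSignatureValue),
        "backdated": check_cancellation(
            original, replace(original, issueDate=date(2023, 12, 1))),
    }
```

Both the producer's and the third party's entries pass the structural check, which is why the signature carried from the original dataset does not make the cancellation itself traceable.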

hasel001 commented 6 months ago

I have created a pull request, which incorporates harmonization with an advance copy of the S-104 PS as suggested by @rmalyankar. Upon review, approval, and merge, this issue may be closed.

hasel001 commented 6 months ago

The relevant PR has been merged, so this issue will be closed. Thanks to everyone who contributed to this solution.