Implementing Fair Non-repudiable Interactions with Web Services

Paul Robinson, Nick Cook and Santosh Shrivastava
School of Computing Science, University of Newcastle, NE1 7RU, UK
{p.robinson, nick.cook, santosh.shrivastava}@ncl.ac.uk

Abstract

The use of open, Internet-based communications for business-to-business (B2B) interactions requires accountability for and acknowledgement of the actions of participants. Accountability and acknowledgement can be achieved by the systematic maintenance of an irrefutable audit trail that renders the interaction non-repudiable. To safeguard the interests of each party, the mechanisms used to meet this requirement should also ensure fairness: misbehaviour by one party should not disadvantage the well-behaved parties. Although Web services are increasingly used to enable B2B interactions, there is currently no systematic support for delivering such guarantees. This paper introduces a flexible framework for fair, non-repudiable B2B interactions based on a trusted delivery agent, and presents a Web services implementation of it. The role of the delivery agent can be adapted to different end-user capabilities and to different application requirements.

Keywords: Inter-enterprise collaboration and virtual enterprises; Middleware standards and systems; Enterprise computing; Security; Non-repudiation; Fair exchange; Web services

1. Introduction

The increasing use of open, Internet-based communications for business-to-business (B2B) interactions adds urgency to the requirements for security and regulation that safeguard the interests of participants. These requirements include accountability for and acknowledgement of the actions of participants, and the monitoring of interactions for compliance with the governing business contract. Accountability and acknowledgement can be achieved by the systematic maintenance of an irrefutable audit trail that renders B2B interactions non-repudiable. Regulation entails monitoring the interaction to ensure that the messages exchanged are consistent with the business contracts that govern it.

These requirements are particularly important in high-value B2B relationships, such as a virtual organisation (VO). In a VO a number of autonomous organisations collaborate to achieve some mutually beneficial goal. Each organisation requires that its interests are protected in the context of the VO: specifically, that partner organisations comply with the contracts governing the VO; that its own legitimate actions (such as delivery of work or commissioning of a service) are recognised; and that partner organisations are accountable for their actions. This implies recording activity for audit and monitoring activity for compliance with the regulatory regime. Further, to protect the interests of well-behaved members of a VO, the interaction should be non-repudiable (no party should be able to deny its participation) and the auditing and monitoring functions must be fair (misbehaviour should not disadvantage well-behaved parties).

It is increasingly common to standardise B2B interactions in terms of message-exchange patterns. The work of the RosettaNet Consortium [1] is a case in point. RosettaNet defines the externally observable aspects of a B2B interaction through a set of Partner Interface Processes (PIPs). PIPs standardise the XML-based business messages that should be exchanged between partners to execute some function (such as order processing). Figure 1 shows the delivery of a business message and the associated acknowledgements in such an interaction. Typically, for each business message there should be an immediate acknowledgement of receipt, indicating successful delivery of the message.

[Figure 1. Business message delivery with acknowledgements. Parties A and B exchange: 1. msg; 2. ack; 3. valid/invalid; 4. ack.]
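The following Go program is an added example, not code from the paper or its implementation, of how the four-step exchange of Figure 1 can be turned into the kind of irrefutable audit trail the introduction calls for. It assumes (the paper has not yet said how evidence is produced) that each step is an Ed25519-signed token, that step 1 is A's signed business message (non-repudiation of origin), step 2 is B's signed acknowledgement of receipt (non-repudiation of receipt), step 3 is B's signed validity verdict and step 4 is A's acknowledgement of that verdict. Every token hashes the previous one, so the trail is a chain that a later auditor can check against the message without trusting either party's account of events. The party names, the token format and the sample purchase order are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is one participant. Only the public key leaves the organisation;
// possession of the private key is what makes its evidence non-repudiable.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh Ed25519 key pair for a named participant.
func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, Pub: pub, priv: priv}
}

// PublicKeys builds the key directory an auditor would hold.
func PublicKeys(parties ...*Party) map[string]ed25519.PublicKey {
	pubs := map[string]ed25519.PublicKey{}
	for _, p := range parties {
		pubs[p.Name] = p.Pub
	}
	return pubs
}

// Evidence is one signed step of the exchange (assumed token format). Ref is
// the SHA-256 of what the step covers: the business message for step 1 and
// the previous token, signature included, for every later step.
type Evidence struct {
	Step   string // "msg", "ack", "valid" or "invalid"
	Signer string
	Ref    [32]byte
	Sig    []byte
}

// signed returns the bytes the signature covers.
func (e Evidence) signed() []byte {
	return []byte(e.Step + "|" + e.Signer + "|" + hex.EncodeToString(e.Ref[:]))
}

// full returns the token as transmitted, which the next step hashes.
func (e Evidence) full() []byte {
	return append(e.signed(), e.Sig...)
}

func (p *Party) sign(step string, covers []byte) Evidence {
	e := Evidence{Step: step, Signer: p.Name, Ref: sha256.Sum256(covers)}
	e.Sig = ed25519.Sign(p.priv, e.signed())
	return e
}

// Exchange runs the four steps of Figure 1 and returns the audit trail.
// validate is B's business-level check of the message content.
func Exchange(a, b *Party, msg []byte, validate func([]byte) bool) []Evidence {
	e1 := a.sign("msg", msg)       // 1. A -> B: signed business message
	e2 := b.sign("ack", e1.full()) // 2. B -> A: receipt acknowledgement
	verdict := "invalid"
	if validate(msg) {
		verdict = "valid"
	}
	e3 := b.sign(verdict, e2.full()) // 3. B -> A: validity of the message
	e4 := a.sign("ack", e3.full())   // 4. A -> B: acknowledgement of verdict
	return []Evidence{e1, e2, e3, e4}
}

// Audit is what a third party (or a disputing participant) runs later: each
// token must verify under its claimed signer's key, the signers must be the
// ones Figure 1 requires (A, B, B, A), and each token must chain to its
// predecessor, starting from the business message itself.
func Audit(trail []Evidence, msg []byte, pubs map[string]ed25519.PublicKey, a, b string) bool {
	if len(trail) != 4 {
		return false
	}
	wantSigner := []string{a, b, b, a}
	wantStep := []string{"msg", "ack", "", "ack"} // step 3 is valid or invalid
	prev := msg
	for i, e := range trail {
		pub, ok := pubs[e.Signer]
		if !ok || e.Signer != wantSigner[i] {
			return false
		}
		if wantStep[i] != "" && e.Step != wantStep[i] {
			return false
		}
		if i == 2 && e.Step != "valid" && e.Step != "invalid" {
			return false
		}
		if !ed25519.Verify(pub, e.signed(), e.Sig) || e.Ref != sha256.Sum256(prev) {
			return false
		}
		prev = e.full()
	}
	return true
}

func main() {
	a, b := NewParty("A"), NewParty("B")
	pubs := PublicKeys(a, b)
	msg := []byte(`<PurchaseOrder id="PO-1"><qty>10</qty></PurchaseOrder>`) // constructed sample
	trail := Exchange(a, b, msg, func(m []byte) bool { return bytes.Contains(m, []byte("<qty>")) })
	fmt.Println("trail verifies against the order sent:", Audit(trail, msg, pubs, "A", "B"))
	// If A later claims a different order was sent, the evidence does not chain to it.
	fmt.Println("trail verifies against a substituted order:",
		Audit(trail, []byte(`<PurchaseOrder id="PO-1"><qty>100</qty></PurchaseOrder>`), pubs, "A", "B"))
}
```

Note what this does and does not give: each token binds its signer to the step it acknowledges, so neither party can later deny having sent or received the message, but nothing here prevents B from simply withholding step 2 after obtaining A's signed message. That gap is exactly the fairness problem the paper addresses with a trusted delivery agent.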