Network Working Group                                          D. Burdett
Request for Comments: 2801                                   Commerce One
Category: Informational                                        April 2000


                 Internet Open Trading Protocol - IOTP
                              Version 1.0

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   The Internet Open Trading Protocol (IOTP) provides an interoperable
   framework for Internet commerce. It is payment system independent and
   encapsulates payment systems such as SET, Secure Channel
   Credit/Debit, Mondex, CyberCoin, GeldKarte, etc. IOTP is able to
   handle cases where such merchant roles as the shopping site, the
   Payment Handler, the Delivery Handler of goods or services, and the
   provider of customer support are performed by different parties or by
   one party.

Table of Contents

   1.  Background .....................................................7
     1.1  Commerce on the Internet, a Different Model .................7
     1.2  Benefits of IOTP ............................................9
     1.3  Baseline IOTP ..............................................10
     1.4  Objectives of Document .....................................10
     1.5  Scope of Document ..........................................11
     1.6  Document Structure .........................................11
     1.7  Intended Readership ........................................13
         1.7.1  Reading Guidelines ...................................13
   2.  Introduction ..................................................14
     2.1  Trading Roles ..............................................16
     2.2  Trading Exchanges ..........................................18
         2.2.1  Offer Exchange .......................................19
         2.2.2  Payment Exchange .....................................21
         2.2.3  Delivery Exchange ....................................24
         2.2.4  Authentication Exchange ..............................26
     2.3  Scope of Baseline IOTP .....................................28



Burdett                      Informational                      [Page 1]


RFC 2801                       IOTP/1.0                       April 2000


   3.  Protocol Structure ............................................31
     3.1  Overview ...................................................32
         3.1.1  IOTP Message Structure ...............................32
         3.1.2  IOTP Transactions ....................................34
     3.2  IOTP Message ...............................................35
         3.2.1  XML Document Prolog ..................................37
     3.3  Transaction Reference Block ................................37
         3.3.1  Transaction Id Component .............................38
         3.3.2  Message Id Component .................................39
         3.3.3  Related To Component .................................41
     3.4  ID Attributes ..............................................42
         3.4.1  IOTP Message ID Attribute Definition .................43
         3.4.2  Block and Component ID Attribute Definitions .........44
         3.4.3  Example of use of ID Attributes ......................46
     3.5  Element References .........................................46
     3.6  Extending IOTP .............................................48
         3.6.1  Extra XML Elements ...................................49
         3.6.2  Opaque Embedded Data .................................50
     3.7  Packaged Content Element ...................................50
         3.7.1  Packaging HTML .......................................52
         3.7.2  Packaging XML ........................................53
     3.8  Identifying Languages ......................................54
     3.9  Secure and Insecure Net Locations ..........................54
     3.10 Cancelled Transactions .....................................55
         3.10.1 Cancelling Transactions ..............................55
         3.10.2 Handling Cancelled Transactions ......................56
   4.  IOTP Error Handling ...........................................56
     4.1  Technical Errors ...........................................57
     4.2  Business Errors ............................................57
     4.3  Error Depth ................................................58
         4.3.1  Transport Level ......................................58
         4.3.2  Message Level ........................................58
         4.3.3  Block Level ..........................................59
     4.4  Idempotency, Processing Sequence, and Message Flow .........61
     4.5  Server Role Processing Sequence ............................62
         4.5.1  Initiating Transactions ..............................62
         4.5.2  Processing Input Messages ............................63
         4.5.3  Cancelling a Transaction .............................70
         4.5.4  Retransmitting Messages ..............................70
     4.6  Client Role Processing Sequence ............................71
         4.6.1  Initiating Transactions ..............................71
         4.6.2  Processing Input Messages ............................72
         4.6.3  Cancelling a Transaction .............................74
         4.6.4  Retransmitting Messages ..............................74
   5.  Security Considerations .......................................74
     5.1  Determining whether to use digital signatures ..............74
     5.2  Symmetric and Asymmetric Cryptography ......................76
     5.3  Data Privacy ...............................................77



Burdett                      Informational                      [Page 2]


RFC 2801                       IOTP/1.0                       April 2000


     5.4  Payment Protocol Security ..................................77
   6.  Digital Signatures and IOTP ...................................77
     6.1  How IOTP uses Digital Signatures ...........................77
         6.1.1  IOTP Signature Example ...............................80
         6.1.2  OriginatorInfo and RecipientInfo Elements ............82
         6.1.3  Using signatures to Prove Actions Complete
                Successfully .........................................83
     6.2  Checking a Signature is Correctly Calculated ...............84
     6.3  Checking a Payment or Delivery can occur ...................85
         6.3.1  Check Request Block sent Correct Organisation ........86
         6.3.2  Check Correct Components present in Request Block ....91
         6.3.3  Check an Action is Authorised ........................91
   7.  Trading Components ............................................93
     7.1  Protocol Options Component .................................96
     7.2  Authentication Request Component ...........................97
     7.3  Authentication Response Component ..........................98
     7.4  Trading Role Information Request Component .................99
     7.5  Order Component ...........................................100
         7.5.1  Order Description Content ...........................101
         7.5.2  OkFrom and OkTo Timestamps ..........................101
     7.6  Organisation Component ....................................102
         7.6.1  Organisation IDs ....................................104
         7.6.2  Trading Role Element ................................105
         7.6.3  Contact Information Element .........................108
         7.6.4  Person Name Element .................................109
         7.6.5  Postal Address Element ..............................110
     7.7  Brand List Component ......................................111
         7.7.1  Brand Element .......................................113
         7.7.2  Protocol Brand Element ..............................115
         7.7.3  Protocol Amount Element .............................116
         7.7.4  Currency Amount Element .............................117
         7.7.5  Pay Protocol Element ................................118
     7.8  Brand Selection Component .................................120
         7.8.1  Brand Selection Brand Info Element ..................122
         7.8.2  Brand Selection Protocol Amount Info Element ........122
         7.8.3  Brand Selection Currency Amount Info Element ........123
     7.9  Payment Component .........................................123
     7.10 Payment Scheme Component ..................................125
     7.11 Payment Receipt Component .................................126
     7.12 Payment Note Component ....................................128
     7.13 Delivery Component ........................................129
         7.13.1 Delivery Data Element ...............................130
     7.14 Consumer Delivery Data Component ..........................132
     7.15 Delivery Note Component ...................................133
     7.16 Status Component ..........................................134
         7.16.1 Offer Completion Codes ..............................137
         7.16.2 Payment Completion Codes ............................138
         7.16.3 Delivery Completion Codes ...........................140



Burdett                      Informational                      [Page 3]


RFC 2801                       IOTP/1.0                       April 2000


         7.16.4 Authentication Completion Codes .....................142
         7.16.5 Undefined Completion Codes ..........................144
         7.16.6 Transaction Inquiry Completion Codes ................144
     7.17 Trading Role Data Component ...............................144
         7.17.1 Who Receives a Trading Role Data Component ..........145
     7.18 Inquiry Type Component ....................................146
     7.19 Signature Component .......................................147
         7.19.1 IOTP usage of signature elements and attributes .....148
         7.19.2 Offer Response Signature Component ..................150
         7.19.3 Payment Receipt Signature Component .................151
         7.19.4 Delivery Response Signature Component ...............152
         7.19.5 Authentication Request Signature Component ..........152
         7.19.6 Authentication Response Signature Component .........153
         7.19.7 Inquiry Request Signature Component .................153
         7.19.8 Inquiry Response Signature Component ................153
         7.19.9 Ping Request Signature Component ....................153
         7.19.10 Ping Response Signature Component...................154
     7.20 Certificate Component .....................................154
         7.20.1 IOTP usage of signature elements and attributes .....154
     7.21 Error Component ...........................................154
         7.21.1 Error Processing Guidelines .........................157
         7.21.2 Error Codes .........................................158
         7.21.3 Error Location Element ..............................162
   8.  Trading Blocks ...............................................163
     8.1  Trading Protocol Options Block ............................166
     8.2  TPO Selection Block .......................................167
     8.3  Offer Response Block ......................................168
     8.4  Authentication Request Block ..............................169
     8.5  Authentication Response Block .............................170
     8.6  Authentication Status Block ...............................171
     8.7  Payment Request Block .....................................171
     8.8  Payment Exchange Block ....................................173
     8.9  Payment Response Block ....................................173
     8.10 Delivery Request Block ....................................175
     8.11 Delivery Response Block ...................................176
     8.12 Inquiry Request Trading Block .............................177
     8.13 Inquiry Response Trading Block ............................177
     8.14 Ping Request Block ........................................179
     8.15 Ping Response Block .......................................179
     8.16 Signature Block ...........................................181
         8.16.1 Signature Block with Offer Response .................182
         8.16.2 Signature Block with Payment Request ................182
         8.16.3 Signature Block with Payment Response ...............182
         8.16.4 Signature Block with Delivery Request ...............182
         8.16.5 Signature Block with Delivery Response ..............182
     8.17 Error Block ...............................................183
     8.18 Cancel Block ..............................................184
   9.  Internet Open Trading Protocol Transactions ..................184



Burdett                      Informational                      [Page 4]


RFC 2801                       IOTP/1.0                       April 2000


     9.1  Authentication and Payment Related IOTP Transactions ......185
         9.1.1  Authentication Document Exchange ....................188
         9.1.2  Offer Document Exchange .............................194
         9.1.3  Payment Document Exchange ...........................203
         9.1.4  Delivery Document Exchange ..........................209
         9.1.5  Payment and Delivery Document Exchange ..............212
         9.1.6  Baseline Authentication IOTP Transaction ............216
         9.1.7  Baseline Deposit IOTP Transaction ...................218
         9.1.8  Baseline Purchase IOTP Transaction ..................220
         9.1.9  Baseline Refund IOTP Transaction ....................222
         9.1.10 Baseline Withdrawal IOTP Transaction ................224
         9.1.11 Baseline Value Exchange IOTP Transaction ............226
         9.1.12 Valid Combinations of Document Exchanges ............230
         9.1.13 Combining Authentication Transactions with other
                Transactions ........................................234
     9.2  Infrastructure Transactions ...............................235
         9.2.1  Baseline Transaction Status Inquiry IOTP Transaction 235
         9.2.2  Baseline Ping IOTP Transaction ......................241
   10. Retrieving Logos .............................................244
     10.1 Logo Size .................................................245
     10.2 Logo Color Depth ..........................................245
     10.3 Logo Net Location Examples ................................246
   11. Brands .......................................................246
     11.1 Brand Definitions and Brand Selection .....................246
         11.1.1 Definition of Payment Instrument ....................247
         11.1.2 Definition of Brand .................................247
         11.1.3 Definition of Dual Brand ............................248
         11.1.4 Definition of Promotional Brand .....................248
         11.1.5 Identifying Promotional Brands ......................249
     11.2 Brand List Examples .......................................251
         11.2.1 Simple Credit Card Based Example ....................252
         11.2.2 Credit Card Brand List Including Promotional Brands..253
         11.2.3 Brand Selection Example .............................254
         11.2.4 Complex Electronic Cash Based Brand List ............255
   12. IANA Considerations ..........................................257
     12.1 Codes Controlled by IANA ..................................257
     12.2 Codes not controlled by IANA ..............................263
   13. Internet Open Trading Protocol Data Type Definition ..........263
   14. Glossary .....................................................277
   15. References ...................................................284
   16. Author's Address .............................................287
   17. Full Copyright Statement .....................................290









Burdett                      Informational                      [Page 5]


RFC 2801                       IOTP/1.0                       April 2000


Table of Figures

   Figure 1 IOTP Trading Roles                                       16
   Figure 2 Offer Exchange                                           19
   Figure 3 Payment Exchange                                         22
   Figure 4 Delivery Exchange                                        25
   Figure 5 Authentication Exchange                                  27
   Figure 6 IOTP Message Structure                                   33
   Figure 7 An IOTP Transaction                                      34
   Figure 8 Example use of ID attributes                             46
   Figure 9 Element References                                       48
   Figure 10 Signature Digests                                       79
   Figure 11 Example use of Signatures for Baseline Purchase         81
   Figure 12 Checking a Payment Handler can carry out a Payment      87
   Figure 13 Checking a Delivery Handler can carry out a Delivery    90
   Figure 14 Trading Components                                      94
   Figure 15 Brand List Element Relationships                       113
   Figure 16 Trading Blocks                                         164
   Figure 17 Payment and Authentication Message Flow Combinations   187
   Figure 18 Authentication Document Exchange                       190
   Figure 19 Brand Dependent Offer Document Exchange                196
   Figure 20 Brand Independent Offer Exchange                       198
   Figure 21 Payment Document Exchange                              204
   Figure 22 Delivery Document Exchange                             210
   Figure 23 Payment and Delivery Document Exchange                 214
   Figure 24 Baseline Authentication IOTP Transaction               217
   Figure 25 Baseline Deposit IOTP Transaction                      219
   Figure 26 Baseline Purchase IOTP Transaction                     221
   Figure 27 Baseline Refund IOTP Transaction                       223
   Figure 28 Baseline Withdrawal IOTP Transaction                   225
   Figure 29 Baseline Value Exchange IOTP Transaction               228
   Figure 30 Baseline Value Exchange Signatures                     230
   Figure 31 Valid Combinations of Document Exchanges               231
   Figure 32 Baseline Transaction Status Inquiry                    238
   Figure 33 Baseline Ping Messages                                 242
















Burdett                      Informational                      [Page 6]


RFC 2801                       IOTP/1.0                       April 2000


1. Background

   The Internet Open Trading Protocol (IOTP) provides an interoperable
   framework for Internet commerce. It is payment system independent and
   encapsulates payment systems such as SET, Mondex, CyberCash,
   DigiCash, GeldKarte, etc. IOTP is able to handle cases where such
   merchant roles as the shopping site, the Payment Handler, the
   Delivery Handler of goods or services, and the provider of customer
   support are performed by different parties or by one party.

   The developers of IOTP seek to provide a virtual capability that
   safely replicates the real world, the paper based, traditional,
   understood, accepted methods of trading, buying, selling, value
   exchanging that has existed for many hundreds of years.  The
   negotiation of who will be the parties to the trade, how it will be
   conducted, the presentment of an offer, the method of payment, the
   provision of a payment receipt, the delivery of goods and the receipt
   of goods. These are events that are taken for granted in the course
   of real world trade. IOTP has been produced to provide the same for
   the virtual world, and to prepare and provide for the introduction of
   new models of trading made possible by the expanding presence of the
   virtual world.

   The other fundamental ideal of the IOTP effort is to produce a
   definition of these trading events in such a way that no matter where
   produced, two unfamiliar parties using electronic commerce
   capabilities to buy and sell that conform to the IOTP specifications
   will be able to complete the business safely and successfully.

   In summary, IOTP supports:

   o Familiar trading models

   o New trading models

   o Global interoperability

   The remainder of this section provides background to why IOTP was
   developed. The specification itself starts in the next chapter.

1.1 Commerce on the Internet, a Different Model

   The growth of the Internet and the advent of electronic commerce are
   bringing about enormous changes around the world in society, politics
   and government, and in business. The ways in which trading partners
   communicate, conduct commerce, are governed have been enriched and
   changed forever.




Burdett                      Informational                      [Page 7]


RFC 2801                       IOTP/1.0                       April 2000


   One of the very fundamental changes about which IOTP is concerned is
   taking place in the way consumers and merchants trade.
   Characteristics of trading that have changed markedly include:

   o  Presence: Face-to-face transactions become the exception, not the
      rule.  Already with the rise of mail order and telephone order
      placement this change has been felt in western commerce.
      Electronic commerce over the Internet will further expand the
      scope and volume of transactions conducted without ever seeing the
      people who are a part of the enterprise with whom one does
      business.

   o  Authentication: An important part of personal presence is the
      ability of the parties to use familiar objects and dialogue to
      confirm they are who they claim to be. The seller displays one or
      several well known financial logos that declaim his ability to
      accept widely used credit and debit instruments in the payment
      part of a purchase. The buyer brings government or financial
      institution identification that assures the seller she will be
      paid. People use intangibles such as personal appearance and
      conduct, location of the store, apparent quality and familiarity
      with brands of merchandise, and a good clear look in the eye to
      reinforce formal means of authentication.

   o  Payment Instruments: Despite the enormous size of bank card
      financial payments associations and their members, most of the
      world's trade still takes place using the coin of the realm or
      barter. The present infrastructure of the payments business cannot
      economically support low value transactions and could not survive
      under the consequent volumes of transactions if it did accept low
      value transactions.

   o  Transaction Values: New meaning for low value transactions arises
      in the Internet where sellers may wish to offer for example, pages
      of information for fractions of currency that do not exist in the
      real world.

   o  Delivery: New modes of delivery must be accommodated such as
      direct electronic delivery. The means by which receipt is
      confirmed and the execution of payment change dramatically where
      the goods or services have extremely low delivery cost but may in
      fact have very high value.  Or, maybe the value is not high, but
      once delivery occurs the value is irretrievably delivered so
      payment must be final and non-refundable but delivery nonetheless
      must still be confirmed before payment.  Incremental delivery such
      as listening or viewing time or playing time are other models that
      operate somewhat differently in the virtual world.




Burdett                      Informational                      [Page 8]


RFC 2801                       IOTP/1.0                       April 2000


1.2 Benefits of IOTP

   ELECTRONIC COMMERCE SOFTWARE VENDORS

   Electronic Commerce Software Vendors will be able to develop e-
   commerce products which are more attractive as they will inter-
   operate with any other vendors' software. However, since IOTP focuses
   on how these solutions communicate, there is still plenty of
   opportunity for product differentiation.

   PAYMENT BRANDS

   IOTP provides a standard framework for encapsulating payment
   protocols.  This means that it is easier for payment products to be
   incorporated into IOTP solutions. As a result the payment brands will
   be more widely distributed and available on a wider variety of
   platforms.

   MERCHANTS

   There are several benefits for Merchants:

   o  they will be able to offer a wider variety of payment brands,

   o  they can be more certain that the customer will have the software
      needed to complete the purchase

   o  through receiving payment and delivery receipts from their
      customers, they will be able to provide customer care knowing that
      they are dealing with the individual or organisation with which
      they originally traded

   o  new merchants will be able to enter this new (Internet) market-
      place with new products and services, using the new trading
      opportunities which IOTP presents

   BANKS AND FINANCIAL INSTITUTIONS

   There are also several benefits for Banks and Financial Institutions:

   o  they will be able to provide IOTP support for merchants

   o  they will find new opportunities for IOTP related services:

      -  providing customer care for merchants
      -  fees from processing new payments and deposits





Burdett                      Informational                      [Page 9]


RFC 2801                       IOTP/1.0                       April 2000


   o  they have an opportunity to build relationships with new types of
      merchants

   CUSTOMERS

   For Customers there are several benefits:

   o  they will have a larger selection of merchants with whom they can
      trade

   o  there is a more consistent interface when making the purchase

   o  there are ways in which they can get their problems fixed through
      the merchant (rather than the bank!)

   o  there is a record of their transaction which can be used, for
      example, to feed into accounting systems or, potentially, to
      present to the tax authorities

1.3 Baseline IOTP

   This specification is Baseline IOTP. It is a Baseline in that it
   contains ways of doing trades on the Internet which are the most
   common, for example purchases and refunds.

   The group that has worked on the IOTP see an extended version being
   developed over time but feel a need to focus on a limited function
   but completely usable specification in order that implementers can
   develop solutions that work now.

   During this period it is anticipated that there will be no changes to
   the scope of this specification with the only changes made being
   limited to corrections where problems are found. Software solutions
   have been developed based on earlier versions of this specification
   (for example version 0.9 published in early 1998 and earlier
   revisions of version 1.0 published during 1999) which prove that the
   IOTP works.

1.4 Objectives of Document

   The objectives of this document are to provide a specification of
   version 1.0 of the Internet Open Trading Protocols which can be used
   to design and implement systems which support electronic trading on
   the Internet using the Internet Open Trading Protocols.







Burdett                      Informational                     [Page 10]


RFC 2801                       IOTP/1.0                       April 2000


   The purpose of the document is:

   o  to allow potential developers of products based on the protocol to
      develop software/hardware solutions which use the protocol

   o  to allow the financial services industry to understand a
      developing electronic commerce trading protocol that encapsulates
      (without modification) any of the current or developing payment
      schemes now being used or considered by their merchant customer
      base

1.5 Scope of Document

   The protocol describes the content, format and sequences of messages
   that pass among the participants in an electronic trade - consumers,
   merchants and banks or other financial institutions, and customer
   care providers.  These are required to support the electronic
   commerce transactions outlined in the objectives above.

   The protocol is designed to be applicable to any electronic payment
   scheme since it targets the complete purchase process where the
   movement of electronic value from the payer to the payee is only one,
   but important, step of many that may be involved to complete the
   trade.

   Payment Scheme which IOTP could support include MasterCard Credit,
   Visa Credit, Mondex Cash, Visa Cash, GeldKarte, eCash, CyberCoin,
   Millicent, Proton, etc.

   Each payment scheme contains some message flows which are specific to
   that scheme. These scheme-specific parts of the protocol are
   contained in a set of payment scheme supplements to this
   specification.

   The document does not prescribe the software and processes that will
   need to be implemented by each participant. It does describe the
   framework necessary for trading to take place.

   This document also does not address any legal or regulatory issues
   surrounding the implementation of the protocol or the information
   systems which use them.

1.6 Document Structure

   The document consists of the following sections:

   o  Section 1 - Background: This section gives a brief background on
      electronic commerce and the benefits IOTP offers.



Burdett                      Informational                     [Page 11]


RFC 2801                       IOTP/1.0                       April 2000


   o  Section 2 - Introduction: This section describes the various
      Trading Exchanges and shows how these trading exchanges are used
      to construct the IOTP Transactions. This section also explains
      various Trading Roles that would participate in electronic trade.

   o  Section 3 - Protocol Structure: This section summarises how
      various IOTP transactions are constructed using the Trading Blocks
      and Trading Components that are the fundamental building blocks
      for IOTP transactions. All IOTP transaction messages are well
      formed XML documents.

   o  Section 4 - IOTP Error Handling: This section describes how to
      process exceptions and errors during the protocol message exchange
      and trading exchange processing. This section provides a generic
      overview of the exception handling. This section should be read
      carefully.

   o  Section 5 - Security Considerations: This section considers from
      an IETF perspective, how IOTP addresses security. It includes: how
      to determine whether to use digital signatures with IOTP, how IOTP
      address data privacy, and how security built into payment
      protocols relate to IOTP security.

   o  Section 6 - Digital Signatures and IOTP: This section provides an
      overview of how IOTP uses digital signatures; how to check a
      signature is correctly calculated and how the various Trading
      Roles that participate in trade should check signatures when
      required.

   o  Section 7 - Trading Components: This section defines the XML
      elements required by Trading Components.

   o  Section 8 - Trading Blocks: This section describes how Trading
      Blocks are constructed from Trading Components.

   o  Section 9 - Internet Open Trading Protocol Transactions: This
      section describes all the IOTP Baseline transactions. It refers to
      Trading Blocks and Trading Components and Signatures. This section
      doesn't directly link error handling during the protocol
      exchanges, the reader is advised to understand Error Handling as
      defined in section before reading this section.

   o  Section 10 - Retrieving Logos: This section describes how IOTP
      specific logos can be retrieved.







Burdett                      Informational                     [Page 12]


RFC 2801                       IOTP/1.0                       April 2000


   o  Section 11 - Brands: This section provides: an overview of Brand
      Definitions and Brand Selection which describe how a Consumer can
      select a Brand from a list provided by the Merchant; as well as
      some examples of Brand Lists.

   o  Section 12 - IANA Considerations: This section describes how new
      values for codes used by IOTP are co-ordinated.

   o  Section 13 - Internet Open Trading Protocol Data Type Definition:
      This section contains the XML Data Type Definitions for IOTP.

   o  Section 14 - Glossary. This describes all the major terminology
      used by IOTP.

   o  Section 15 - A list of the other documents referenced by the IOTP
      specification.

   o  Section 16 - The Author's Address

   o  Section 17 - Full Copyright Statement

1.7 Intended Readership

   Software and hardware developers; development analysts; business and
   technical planners; industry analysts; merchants; bank and other
   payment handlers; owners, custodians, and users of payment protocols.

1.7.1 Reading Guidelines

   This IOTP specification is structured primarily in a sequence
   targeted at people who want to understand the principles of IOTP.
   However from practical implementation experience by implementers of
   earlier of versions of the protocol new readers who plan to implement
   IOTP may prefer to read the document in a different sequence as
   described below.

   Review the transport independent parts of the specification. This
   covers:

   o Section 14 - Glossary

   o Section 1 - Background

   o Section 2 - Introduction

   o Section 3 - Protocol Structure

   o Section 4 - IOTP Error Handling



Burdett                      Informational                     [Page 13]


RFC 2801                       IOTP/1.0                       April 2000


   o Section 5 - Security Considerations

   o Section 9 - Internet Open Trading Protocol Transactions

   o Section 11 - Brands

   o Section 12 - IANA Considerations

   o Section 10 - Retrieving Logos

   Review the detailed XML definitions:

   o Section 8 - Trading Blocks

   o Section 7 - Trading Components

   o Section 6 - Digital Signatures and IOTP

2. Introduction

   The Internet Open Trading Protocols (IOTP) define a number of
   different types of IOTP Transactions:

   o  Purchase. This supports a purchase involving an offer, a payment
      and optionally a delivery

   o  Refund. This supports the refund of a payment as a result of,
      typically, an earlier purchase

   o  Value Exchange. This involves two payments which result in the
      exchange of value from one combination of currency and payment
      method to another

   o  Authentication. This supports one organisation or individual to
      check that another organisation or individual are who they appear
      to be.

   o  Withdrawal. This supports the withdrawal of electronic cash from a
      financial institution

   o  Deposit. This supports the deposit of electronic cash at a
      financial institution

   o  Inquiry. This supports inquiries on the status of an IOTP
      transaction which is either in progress or is complete






Burdett                      Informational                     [Page 14]


RFC 2801                       IOTP/1.0                       April 2000


   o  Ping. This supports a simple query which enables one IOTP aware
      application to determine whether another IOTP application running
      elsewhere is working or not.

   These IOTP Transactions are "Baseline" transactions since they have
   been identified as a minimum useful set of transactions. Later
   versions of IOTP may include additional types of transactions.

   Each of the IOTP Transactions above involve:

   o  a number of organisations playing a Trading Role, and

   o  a set of Trading Exchanges. Each Trading Exchange involves the
      exchange of data, between Trading Roles, in the form of a set of
      Trading Components.

   Trading Roles, Trading Exchanges and Trading Components are described
   below.

































Burdett                      Informational                     [Page 15]


RFC 2801                       IOTP/1.0                       April 2000


2.1 Trading Roles

   The Trading Roles identify the different parts which organisations
   can take in a trade. The five Trading Roles used within IOTP are
   illustrated in the diagram below.

   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

              Merchant Customer Care Provider resolves   ----------
         ---------------------------------------------->| Merchant |
        |          Consumer disputes and problems       |Cust.Care.|
        |                                               | Provider |
        |                                                ----------
        |
                   Payment Handler accepts or makes     ----------
        |    ------------------------------------------>| Payment  |
        |   |             Payment for Merchant          | Handler  |
        |   |                                            ----------
        v   v
    ----------    Consumer makes purchases or obtains    ----------
   | Consumer |<--------------------------------------->| Merchant |
    ----------             refund from Merchant          ----------
        ^
        |         Delivery Handler supplies goods or     ----------
        |---------------------------------------------->|Deliverer |
                       services for Merchant            | Handler  |
                                                         ----------

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                    Figure 1 IOTP Trading Roles




















Burdett                      Informational                     [Page 16]


RFC 2801                       IOTP/1.0                       April 2000


   The roles are:

   o  Consumer. The person or organisation which is to receive and pay
      for the goods or services

   o  Merchant. The person or organisation from whom the purchase is
      being made and who is legally responsible for providing the goods
      or services and receives the benefit of the payment made

   o  Payment Handler. The entity that physically receives the payment
      from the Consumer on behalf of the Merchant

   o  Delivery Handler. The entity that physically delivers the goods or
      services to the Consumer on behalf of the Merchant.

   o  Merchant Customer Care Provider. The entity that is involved with
      customer dispute negotiation and resolution on behalf of the
      Merchant

   Roles may be carried out by the same organisation or different
   organisations. For example:

   o  in the simplest case one physical organisation (e.g., a merchant)
      could handle the purchase, accept the payment, deliver the goods
      and provide merchant customer care

   o  at the other extreme, a merchant could handle the purchase but
      instruct the consumer to pay a bank or financial institution,
      request that delivery be made by an overnight courier firm and to
      contact an organisation which provides 24x7 service if problems
      arise.

   Note that in this specification, unless stated to the contrary, when
   the words Consumer, Merchant, Payment Handler, Delivery Handler or
   Customer Care Provider are used, they refer to the Trading Role
   rather than an actual organisation.

   An individual organisation may take multiple roles. For example a
   company which is selling goods and services on the Internet could
   take the role of Merchant when selling goods or services and the role
   of Consumer when the company is buying goods or services itself.

   As roles occur in different places there is a need for the
   organisations involved in the trade to exchange data, i.e. to carry
   out Trading Exchanges, so that the trade can be completed.






Burdett                      Informational                     [Page 17]


RFC 2801                       IOTP/1.0                       April 2000


2.2 Trading Exchanges

   The Internet Open Trading Protocols identify four Trading Exchanges
   which involve the exchange of data between the Trading Roles. The
   Trading Exchanges are:

   o  Offer. The Offer Exchange results in the Merchant providing the
      Consumer with the reason why the trade is taking place. It is
      called an Offer since the Consumer must accept the Offer if a
      trade is to continue

   o  Payment. The Payment Exchange results in a payment of some kind
      between the Consumer and the Payment Handler. This may occur in
      either direction

   o  Delivery. The Delivery Exchange transmits either the on-line
      goods, or delivery information about physical goods from the
      Delivery Handler to the Consumer, and

   o  Authentication. The Authentication Exchange can be used by any
      Trading Role to authenticate another Trading Role to check that
      they are who they appear to be.

   IOTP Transactions are composed of various combinations of these
   Trading Exchanges.  For example, an IOTP Purchase transaction
   includes Offer, Payment, and Delivery Trading Exchanges.  As another
   example, an IOTP Value Exchange transaction is composed of an Offer
   Trading Exchange and two Payment Trading Exchanges.

   Trading Exchanges consist of Trading Components that are transmitted
   between the various Trading Roles.  Where possible, the number of
   round-trip delays in an IOTP Transaction is minimised by packing the
   Components from several Trading Exchanges into combination IOTP
   Messages.  For example, the IOTP Purchase transaction combines a
   Delivery Organisation Component with an Offer Response Component in
   order to avoid an extra Consumer request and response.

   Each of the IOTP Trading Exchanges is described in more detail below.
   For clarity of description, these describe the Trading Exchanges as
   though they were standalone operations.  For performance reasons, the
   Trading Exchanges are intermingled in the actual IOTP Transaction
   definitions.









Burdett                      Informational                     [Page 18]


RFC 2801                       IOTP/1.0                       April 2000


2.2.1 Offer Exchange

   The goal of the Offer Exchange is for the Merchant to provide the
   Consumer with information about the trade so that the Consumer can
   decide whether to continue with the trade. This is illustrated in the
   figure below.

 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
   Consumer
     |  Merchant
STEP |     |
 1.          Consumer decides to trade and sends information about the
             transaction (requests an offer) to the Merchant e.g.,
             using HTML.

     C --> M Data: Information on what is being purchased (Offer Request)
             - outside scope of IOTP

 2.          Merchant checks the information provided by the Consumer,
             creates an Offer optionally signs it and sends it to the
             Consumer.

     C <-- M OFFER RESPONSE. Components: Status; Organisation(s)
             (Consumer, DelivTo, Merchant, Payment Handler, Customer
             Care); Order; Payment; Delivery; TradingRoleData (optional)
             Offer Response Signature (optional) that signs other
             components

 3.          Consumer checks the information from the Merchant and
             decides whether to continue.

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                           Figure 2 Offer Exchange

   An Offer Exchange uses the following Trading Components that are
   passed between the Consumer and the Merchant:

   o  the Status component is used to indicate to other parties that a
      valid Offer Response has been generated

   o  the Organisation Component contains information which describes
      the Organisations which are taking a role in the trade:

      -  the consumer provides information, about who the consumer is
         and, if goods or services are being delivered, where the goods
         or services are to be delivered to




Burdett                      Informational                     [Page 19]


RFC 2801                       IOTP/1.0                       April 2000


      -  the merchant augments this information by providing information
         about the merchant, the Payment Handler, the customer care
         provider and, if goods or services are being delivered, the
         Delivery Handler

   o  the Order Component contains descriptions of the goods or services
      which will result from the trade if the consumer agrees to the
      offer.  This information is sent by the Merchant to the consumer
      who should verify it

   o  the Payment Component generated by the Merchant, contains details
      of how much to pay, the currency and the payment direction, for
      example the consumer could be asking for a refund. Note that there
      may be more than one payment in a trade

   o  the Delivery Component, also generated by the Merchant, is used if
      goods or services are being delivered. This contains information
      about how delivery will occur, for example by post or using e-mail

   o  the Trading Role Data component contains data the Merchant wants
      to forward to another Trading Role such as a Payment Handler or
      Delivery Handler

   o  the "Offer Response" Signature Component, if present, digitally
      signs all of the above components to ensure their integrity.

   The exact content of the information provided by the Merchant to the
   Consumer will vary depending on the type of IOTP Transaction. For
   example:

   o  low value purchases may not need a signature

   o  the amount to be paid may vary depending on the payment brand and
      payment protocol used

   o  some offers may not involve the delivery of any goods

   o  a value exchange will involve two payments

   o  a merchant may not offer customer care.

   Information provided by the consumer to the merchant is provided
   using a variety of methods, for example, it could be provided:

   o  using [HTML] pages as part of the "shopping experience" of the
      consumer.





Burdett                      Informational                     [Page 20]


RFC 2801                       IOTP/1.0                       April 2000


   o  Using the Open Profiling Standard [OPS] which has recently been
      proposed,

   o  in the form of Organisation Components associated with an
      authentication of a Consumer by a Merchant

   o  as Order Components in a later version of IOTP.

2.2.2 Payment Exchange

   The goal of the Payment Exchange is for a payment to be made from the
   Consumer to a Payment Handler or vice versa using a payment brand and
   payment protocol selected by the Consumer. A secondary goal is to
   optionally provide the Consumer with a digitally signed Payment
   Receipt which can be used to link the payment to the reason for the
   payment as described in the Offer Exchange.

   Payment Exchanges can work in a variety of ways. The most general
   case where the trade is dependent on the payment brand and protocol
   used is illustrated in the diagram below. Simpler payment exchanges
   are possible.

 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
  Consumer  Pay Handler
     |  Merchant |
STEP |     |     |
 1.                 Consumer decides to trade and sends information
                    about the transaction (requests an offer) to the
                    Merchant e.g., using HTML.

     C --> M        Information on what is being paid for (outside
                    scope of IOTP

 2.                 Merchant decides which payment brand, payment
                    protocols and currencies/amounts to offer,
                    places then in a Brand List Component and sends
                    them to the Consumer

     C <-- M        Components: Brand List

 3.                 Consumer selects the payment brand, protocol and
                    currency/amount to use, creates a Brand Selection
                    component and sends it to the Merchant

     C --> M        Component: Brand List Selection






Burdett                      Informational                     [Page 21]


RFC 2801                       IOTP/1.0                       April 2000


 4.                 Merchant checks Brand Selection, creates a Payment
                    Amount information, optionally signs it to
                    authorise payment and sends it to the Consumer

     C <-- M        Component: Payment; Organisation(s) (Merchant and
                    Payment Handler); Optional Offer Response Signature
                    that signs other components

 5.                 Consumer checks the Payment Amount information and
                    if OK requests that the payment starts by sending
                    information to the Payment Handler

     C --------> P  PAYMENT REQUEST. Components: Status, Payment;
                    Organisations (Merchant and Payment Handler);
                    Trading Role Data (optional); Optional Offer
                    Response Signature that signs other components;
                    Pay Scheme Data

 6.                 Payment Handler checks information including
                    optional signature and if OK starts exchanging Pay
                    Scheme Data components for selected payment brand
                    and payment protocol

     C <-------> P  PAYMENT EXCHANGE. Component: Pay Scheme Data

 7.                 Eventually payment protocol messages finish so
                    Payment Handler sends Pay Receipt and optional
                    signature to the Consumer as proof of payment

     C <-------> P  PAYMENT RESPONSE. Components: Status, Pay Receipt;
                    Payment Note; Trading Role Data (optional);
                    Optional Offer Response Signature; Optional
                    Payment Receipt Signature that binds the payment
                    to the Offer

 8.                 Consumer checks Payment Receipt is OK

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                          Figure 3 Payment Exchange

   A Payment Exchange uses the following Trading Components that are
   passed between the Consumer, the Merchant and the Payment Handler:

   o  The Brand List Component contains a list of payment brands (for
      example, MasterCard, Visa, Mondex, GeldKarte), payment protocols
      (for example SET Version 1.0, Secure Channel Credit Debit (SCCD -
      the name used for a credit or debit card payment where



Burdett                      Informational                     [Page 22]


RFC 2801                       IOTP/1.0                       April 2000


      unauthorised access to account information is prevented through
      use of secure channel transport mechanisms such as SSL/TLS) as
      well as currencies/amounts that apply. The Merchant sends the
      Brand List to the Consumer. The consumer compares the payment
      brands, protocols and currencies/amounts on offer with those that
      the Consumer supports and makes a selection.

   o  The Brand Selection Component contains the Consumer's selection.
      Payment brand, protocol, currency/amount and possibly protocol-
      specific information is sent back to the Merchant. This
      information may be used to change information in the Offer
      Exchange. For example, a merchant could choose to offer a discount
      to encourage the use of a store card.

   o  the Status component is used to indicate to the Payment Handler
      that an earlier exchange (e.g., an Offer Exchange) has
      successfully completed and by the Payment Handler to indicate the
      completion status of the Payment Exchange.

   o  The Organisation Components are generated by the Merchant. They
      contain details of the Merchant and Payment Handler Roles:

      -  the Merchant role is required so that the Payment Handler can
         identify which Merchant initiated the payment. Typically, the
         result of the Payment Handler accepting (or making) a payment
         on behalf of the Merchant will be a credit or debit transaction
         to the Merchant's account held by the Payment Handler. These
         transactions are outside the scope of this version of IOTP

      -  the Payment Handler role is required so that the Payment
         Handler can check that it is the correct Payment Handler to be
         used for the payment

   o  The Payment Component contains details of how much to pay, the
      currency and the payment direction

   o  The "Offer Response" Signature Component, if present, digitally
      signs all of the above components to ensure their integrity. Note
      that the Brand List and Brand Selection Components are not signed
      until the payment information is created (step 4 in the diagram)

   o  the Trading Role Data component contains from other roles (e.g., a
      Merchant) that needs to be  forwarded to the Payment Handler

   o  The Payment Scheme Component contains messages from the payment
      protocol used in the Trade. For example they could be SET
      messages, Mondex messages, GeldKarte Messages or one of the other
      payment methods supported by IOTP. The content of the Payment



Burdett                      Informational                     [Page 23]


RFC 2801                       IOTP/1.0                       April 2000


      Scheme Component is defined in the supplements that describe how
      IOTP works with various payment protocols.

   o  The Payment Receipt Component contains a record of the payment.
      The content depends upon the payment protocol used.

   o  The "Payment Receipt" Signature Component provides proof of
      payment by digitally signing both the Payment Receipt Component
      and the Offer Response Signature. The signature on the offer
      digitally signs the Order, Organisation and Delivery Components
      contained in the Offer.  This signature effectively binds the
      payment to the offer.

   The example of a Payment Exchange above is the most general case.
   Simpler cases are also possible. For example, if the amount paid is
   not dependent on the payment brand and protocol selected then the
   payment information generated by step 3 can be sent to the Consumer
   at the same time as the Brand List Component generated by step 1.
   These and other variations are described in the Baseline Purchase
   IOTP Transaction (see section 9.1.8).

2.2.3 Delivery Exchange

   The goal of the Delivery Exchange is to cause purchased goods to be
   delivered to the consumer either online or via physical delivery. A
   second goal is to provide a "delivery note" to the consumer,
   providing details about the delivery, such as shipping tracking
   number. The result of the delivery may also be signed so that it can
   be used for customer care in the case of problems with physical
   delivery. The message flow is illustrated in the diagram below.

 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
  CONSUMER  DELIVERY
     |        HANDLER
     |  Merchant |
STEP |     |     |
 1.                 Consumer decides to trade and sends information
                    about what to deliver and who is to take delivery,
                    to the Merchant e.g., using HTML.

     C --> M        Information on what is being delivered (outside
                    scope of IOTP)

 2.                 Merchant checks the information provided by the
                    Consumer, adds information about how the delivery
                    will occur, information about the Organisations
                    involved in the delivery and optionally sings it
                    and sends it to the Consumer



Burdett                      Informational                     [Page 24]


RFC 2801                       IOTP/1.0                       April 2000


     C <-- M        Components: Delivery; Organisations (Delivery
                    Handler, Deliver To); Order, Optional Offer
                    Response Signature

 3.                 Consumer checks delivery information is OK,
                    obtains authorisation for the delivery, for
                    example by making a payment, and sends the
                    delivery information to the Delivery Handler

     C --------> D  DELIVERY REQUEST. Components: Status; Delivery,
                    Organisations: (Merchant, Delivery Handler,
                    DelivTo); Order, Trading Role Data (optional);
                    Optional Offer Response Signature, Optional
                    Payment Receipt Signature (from Payment Exchange)

 4.                 Delivery Handler checks information and
                    authorisation. Starts or schedules delivery and
                    creates and then sends a delivery not tot the
                    Consumer which can optionally be signed.

     C <-------- D  DELIVERY RESPONSE. Components: Status; Delivery
                    Note, Trading Role Data (optional); Optional
                    Delivery Response Signature

 5.                 Consumer checks delivery note is OK and accepts or
                    waits for delivery as described in the the Delivery
                    Note.

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                         Figure 4 Delivery Exchange

A Delivery Exchange uses the following Trading Components that are
passed between the Consumer, the Merchant and the Delivery Handler:

   o  the Status component is used to indicate to the Delivery Handler
      that an earlier exchange (e.g., an Offer Exchange or Payment
      Exchange) has successfully completed and by the Delivery Handler
      to indicate the completion status of the Delivery Exchange.

   o  The Organisation Component(s) contain details of the Deliver To,
      Delivery Handler and Merchant Roles:

      -  the Deliver To role indicates where the goods or services are
         to be delivered to






Burdett                      Informational                     [Page 25]


RFC 2801                       IOTP/1.0                       April 2000


      -  the Delivery Handler role is required so that the Delivery
         Handler can check that she is the correct Delivery Handler to
         do the delivery

      -  the Merchant role is required so that the Delivery Handler can
         identify which Merchant initiated the delivery

   o  The Order Component, contains information about the goods or
      services to be delivered

   o  The Delivery Component contains information about how delivery
      will occur, for example by post or using e-mail.

   o  The "Offer Response" Signature Component, if present, digitally
      signs all of the above components to ensure their integrity.

   o  The "Payment Receipt" Signature Component provides proof of
      payment by digitally signing the Payment Receipt Component and the
      Offer Signature. This is used by the Delivery Handler to check
      that delivery is authorised

   o  The Delivery Note Component contains customer care information
      related to a physical delivery, or alternatively the actual
      "electronic goods".  The Consumer's software does not interpret
      information about a physical delivery but should have the ability
      to display the information, both at the time of the delivery and
      later if the Consumer selects the Trade to which this delivery
      relates from a transaction list

   o  The "Delivery Response" Signature Component, if present, provides
      proof of the results of the Delivery by digitally signing the
      Delivery Note and any Offer Response or Payment Response
      signatures that the Delivery Handler received.

2.2.4 Authentication Exchange

   The goal of the Authentication Exchange is to allow one Organisation,
   for example a financial institution, to be able to check that another
   Organisation, for example a consumer, is who they appear to be.

   An Authentication Exchange involves:

   o  an Authenticator - the Organisation which is requesting the
      authentication, and

   o  an Authenticatee - the Organisation being authenticated.





Burdett                      Informational                     [Page 26]


RFC 2801                       IOTP/1.0                       April 2000


   This is illustrated in the diagram below.

 +*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
 Organisation 1
 (Authenticatee)
     |   Organisation 2
     |  (Authenticator)
STEP |     |
 1.          First Organisation, e.g., a Consumer, takes an action (for
             example by pressing a button on an HTML page) which
             requires that the Organisation is authenticated

     1 --> 2 Need for Authentication (outside scope of IOTP)

 2.          The second Organisation generates an Authentication
             Request - including challenge data, and a list of the
             algorithms that may be used for the authentication -
             and/or a request for the Organisation information then
             sends it to the first Organisation

     1 <-- 2 AUTHENTICATION REQUEST. Components: Authentication
             Request, Trading Role Information Request

 3.          The first Organisation optionally checks any signature
             associated with the Authentication Request then uses the
             specified authentication algorithm to generate an
             Authentication Response which is sent back to the second
             Organisation together with details of any Organisation
             information requested

     1 --> 2 AUTHENTICATION RESPONSE. Component: Authentication
             Response, Organisation(s)

 4.          The Authentication Response is checked against the
             challenge data to check that the first Organisation is
             who they appear to be and the result recorded in a Status
             Component which is then sent back to the first
             Organisation.

     1 <-- 2 AUTHENTICATION STATUS. Component: Status

 5.          The first Organisation then optionally checks the results
             indicated by the Status and any associated signature and
             takes the appropriate action or stops.

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                      Figure 5 Authentication Exchange



Burdett                      Informational                     [Page 27]


RFC 2801                       IOTP/1.0                       April 2000


   An Authentication Exchange uses the following Trading Components that
   are passed between the two Organisations:

   o  the Authentication Request Component that requests an
      Authentication and indicates the authentication algorithm and
      optional challenge data to be used.

   o  A Trading Role Information Request Component that requests
      information about an Organisation, for example a ship to address.

   o  The Authentication Response Component which contains the challenge
      response generated by the recipient of the Authentication Request
      Component.

   o  Organisation Components that contain the result of the Trading
      Role Information Request

   o  the Status Component which contains the results of the second
      party's verification of the Authentication Response.

2.3 Scope of Baseline IOTP

   This specification describes the IOTP Transactions which make up
   Baseline IOTP. As described in the preface, IOTP will evolve over
   time. This section defines the initial conformance criteria for
   implementations that claim to "support IOTP."

   The main determinant on the scope of an IOTP implementation is the
   roles which the solution is designed to support. The roles within
   IOTP are described in more detail in section 2.1 Trading Roles. To
   summarise the roles are: Merchant, Consumer, Payment Handler,
   Delivery Handler and Customer Care Provider.

   Payment Handlers who can be of three types:

   o  those who accept a payment as part of a purchase or make a payment
      as part of a refund,

   o  those who accept value as part of a deposit transaction, or

   o  those that issue value a withdrawal transaction

   The following table defines, for each role, the IOTP Transactions and
   Trading Blocks which must be supported for that role.







Burdett                      Informational                     [Page 28]


RFC 2801                       IOTP/1.0                       April 2000


                       Merchants

                        ECash    ECash
                Store   Value    Value    Consumer  Payment   Delivery
                        Issuer Acquirer             Handler   Handler

 TRANSACTIONS

Purchase        Must                        Must

                       Merchants

                        ECash    ECash
                Store   Value    Value    Consumer  Payment   Delivery
                        Issuer Acquirer             Handler   Handler

Refund          Must                         b)
                                          Depends

Authentication   May     Must     May        b)
                                          Depends

Value Exchange   May                        Must

Withdrawal               Must                b)
                                          Depends

Deposit                          Must        b)
                                          Depends

Inquiry         Must     Must    Must       May       Must      Must

Ping            Must     Must    Must       May       Must      Must

TRADING BLOCKS

TPO             Must     Must    Must       Must

TPO Selection   Must     Must    Must       Must

Auth-Request     a)               a)         a)
               Depends          Depends   Depends

Auth-Reply       a)               a)         a)
               Depends          Depends   Depends

Offer Response  Must     Must    Must       Must




Burdett                      Informational                     [Page 29]


RFC 2801                       IOTP/1.0                       April 2000


Payment                                     Must      Must
Request

Payment                                     Must      Must
Exchange

Payment                                     Must      Must
Response

Delivery                                    Must                Must
Request

Delivery                                    Must                Must
Response

                       Merchants

                        ECash    ECash
                Store   Value    Value    Consumer  Payment   Delivery
                        Issuer Acquirer             Handler   Handler

Inquiry         Must     Must    Must       Must      Must      Must
Request

Inquiry         Must     Must    Must       Must      Must      Must
Response

Ping Request    Must     Must    Must       Must      Must      Must

Ping Response   Must     Must    Must       Must      Must      Must

Signature       Must     Must    Must     Limited     Must      Must

Error           Must     Must    Must       Must      Must      Must

   In the above table:

   o  "Must" means that a Trading Role must support the Transaction or
      Trading Block.

   o  "May" means that an implementation may support the Transaction or
      Trading Block at the option of the developer.

   o  "Depends" means implementation of the Transaction or Trading Block
      depends on one of the following conditions:

      -  if Baseline Authentication IOTP Transaction is supported;




Burdett                      Informational                     [Page 30]


RFC 2801                       IOTP/1.0                       April 2000


      -  if required by a Payment Method as defined in its IOTP
         Supplement document.

   o  "Limited" means the Trading Block must be understood and its
      content manipulated but not in every respect. Specifically, on the
      Signature Block, Consumers do not have to be able to validate
      digital signatures.

   An IOTP solution must support all the IOTP Transactions and Trading
   Blocks required by at least one role (column) as described in the
   above table for that solution to be described as "supporting IOTP".

3. Protocol Structure

   The previous section provided an introduction which explained:

   o  Trading Roles which are the different roles which Organisations
      can take in a trade: Consumer, Merchant, Payment Handler, Delivery
      Handler and Customer Care Provider, and

   o  Trading Exchanges where each Trading Exchange involves the
      exchange of data, between Trading Roles, in the form of a set of
      Trading Components.

   This section describes:

   o  how Trading Components are constructed into Trading Blocks and the
      IOTP Messages which are physically sent in the form of [XML]
      documents between the different Trading Roles,

   o  how IOTP Messages are exchanged between Trading Roles to create an
      IOTP Transaction

   o  the XML definitions of an IOTP Message including a Transaction
      Reference Block - an XML element which identifies an IOTP
      Transaction and the IOTP Message within it

   o  the definitions of the XML ID Attributes which are used to
      identify IOTP Messages, Trading Blocks and Trading Components and
      how these are referred to using Element References from other XML
      elements

   o  how extra XML Elements and new user defined values for existing
      IOTP codes can be used when Extending IOTP,

   o  how IOTP uses the Packaged Content Element to embed data such as
      payment protocol messages or detailed order definitions within an
      IOTP Message



Burdett                      Informational                     [Page 31]


RFC 2801                       IOTP/1.0                       April 2000


   o  how IOTP Identifies Languages so that different languages can be
      used within IOTP Messages

   o  how IOTP handles both Secure and Insecure Net Locations when
      sending messages

   o  how an IOTP Transaction can be cancelled.

3.1 Overview

3.1.1 IOTP Message Structure

   The structure of an IOTP Message and its relationship with Trading
   Blocks and Trading Components is illustrated in the diagram below.





































Burdett                      Informational                     [Page 32]


RFC 2801                       IOTP/1.0                       April 2000


*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

IOTP MESSAGE  <---------- IOTP Message - an XML Document which is
 |                        transported between the Trading Roles
 |-Trans Ref Block <----- Trans Ref Block - contains information which
 |  |                     describes the IOTP Transaction and the IOTP
 |  |                     Message.
 |  |-Trans Id Comp. <--- Transaction Id Component - uniquely
 |  |                     identifies the IOTP Transaction. The Trans Id
 |  |                     Components are the same across all IOTP
 |  |                     messages that comprise a single IOTP
 |  |                     transaction.
 |  |-Msg Id Comp. <----- Message Id Component - identifies and
 |                        describes an IOTP Message within an IOTP
 |                        Transaction
 |-Signature Block <----- Signature Block (optional) - contains one or
 |  |                     more Signature Components and their
 |  |                     associated Certificates
 |  |-Signature Comp. <-- Signature Component - contains digital
 |  |                     signatures. Signatures may sign digests of
 |  |                     the Trans Ref Block and any Trading Component
 |  |                     in any IOTP Message in the same IOTP
 |  |                     transaction.
 |  |-Certificate Comp. < Certificate Component (Optional) Used to check
 |                        the signature.
 |-Trading Block <------- Trading Block - an XML Element within an IOTP
 |  |-Trading Comp.       Message that contains a predefined set of
 |  |-Trading Comp.      Trading Components
 |  |-Trading Comp.
 |  |-Trading Comp. <--- Trading Components - XML Elements within a
 |                        Trading Block that contain a predefined set
 |-Trading Block          of XML elements and attributes containing
 |  |-Trading Comp.       information required to support a Trading
 |  |-Trading Comp.       Exchange
 |  |-Trading Comp.
 |  |-Trading Comp.
 |  |-Trading Comp.

*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                      Figure 6 IOTP Message Structure

   The diagram also introduces the concept of a Transaction Reference
   Block.  This block contains, amongst other things, a globally unique
   identifier for the IOTP Transaction. Also each block and component is
   given an ID Attribute (see section 3.4) which is unique within an
   IOTP Transaction.  Therefore the combination of the ID attribute and




Burdett                      Informational                     [Page 33]


RFC 2801                       IOTP/1.0                       April 2000


   the globally unique identifier in the Transaction Reference Block is
   sufficient to uniquely identify any Trading Block or Trading
   Component.

3.1.2 IOTP Transactions

   A predefined set of IOTP Messages exchanged between the Trading Roles
   constitute an IOTP Transaction. This is illustrated in the diagram
   below.

*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*


     CONSUMER                                              MERCHANT
                                                       Generate first
                                                        IOTP Message
                                   ---                        |
                                  |   |                       v
 Process incoming                 | I |                 -------------
  IOTP Message &   <------------- |   | ------------ | IOTP Message |
generate next IOTP                |   |                 -------------
     Message                      | N |
        |                         |   |
        v                         |   |
  -------------                   | T |              Process incoming
 | IOTP Message |  -------------- |   | ----------->  IOTP Message &
  -------------                   |   |                 generate next
                                  | E |                  IOTP Message
                                  |   |                       |
                                  |   |                       v
 Process incoming                 | R |                 -------------
   IOTP Message    <------------- |   | ------------ | IOTP Message |
generate last IOTP                |   |                 -------------
  Message & stop                  | N |
        |                         |   |
        v                         |   |
  -------------                   | E |                  Process last
 | IOTP Message |  -------------- |   | ------------->  incoming IOTP
  -------------                   |   |                Message & stop
        |                         | T |                       |
        v                         |   |                       v
       STOP                        ---                       STOP

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

                       Figure 7 An IOTP Transaction





Burdett                      Informational                     [Page 34]


RFC 2801                       IOTP/1.0                       April 2000


   In the above diagram the Internet is shown as the transport
   mechanism.  This is not necessarily the case. IOTP Messages can be
   transported using a variety of transport mechanisms.

   The IOTP Transactions (see section 9) in this version of IOTP are
   specifically:

   o  Purchase. This supports a purchase involving an offer, a payment
      and optionally a delivery

   o  Refund. This supports the refund of a payment as a result of,
      typically, an earlier purchase

   o  Value Exchange. This involves two payments which result in the
      exchange of value from one combination of currency and payment
      method to another

   o  Authentication. This supports the remote authentication of one
      Trading Role by another Trading Role using a variety of
      authentication algorithms, and the provision of an Organisation
      Information about the Trading Role that is being authenticated for
      use in, for example, the creation of an offer

   o  Withdrawal. This supports the withdrawal of electronic cash from a
      financial institution

   o  Deposit. This supports the deposit of electronic cash at a
      financial institution

   o  Inquiry This supports inquiries on the status of an IOTP
      transaction which is either in progress or is complete

   o  Ping This supports a simple query which enables one IOTP aware
      application to determine whether another IOTP application running
      elsewhere is working or not.

3.2 IOTP Message

   As described earlier, IOTP Messages are [XML] documents which are
   physically sent between the different Trading Roles that are taking
   part in a trade.

   The XML definition of an IOTP Message is as follows.

   <!ELEMENT IotpMessage
      ( TransRefBlk,
        SigBlk?,
        ErrorBlk?,



Burdett                      Informational                     [Page 35]


RFC 2801                       IOTP/1.0                       April 2000


        ( AuthReqBlk |
          AuthRespBlk |
          AuthStatusBlk |
          CancelBlk |
          DeliveryReqBlk |
          DeliveryRespBlk |
          InquiryReqBlk |
          InquiryRespBlk |
          OfferRespBlk |
          PayExchBlk |
          PayReqBlk |
          PayRespBlk |
          PingReqBlk |
          PingRespBlk |
          TpoBlk |
          TpoSelectionBlk
        )*
      ) >
   <!ATTLIST IotpMessage
     xmlns                     CDATA
     'iotp:ietf.org/iotp-v1.0'

   Content:

   TransRefBlk        This contains information which describes an IOTP
                      Message within an IOTP Transaction (see section
                      3.3 immediately below)

   AuthReqBlk,        These are the Trading Blocks.
   AuthRespBlk,
   DeliveryReqBlk,    The Trading Blocks present within an IOTP Message,
   DeliveryRespBlk    and the content of a Trading Block itself is
   ErrorBlk           dependent on the type of IOTP Transaction being
   InquiryReqBlk,     carried out - see the definition of each
   InquiryRespBlk,    transaction in section 9 Internet Open Trading
   OfferRespBlk,      Protocol Transactions.
   PayExchBlk,
   PayReqBlk,         Full definitions of each Trading Block are
   PayRespBlk,        described in section 8.
   PingReqBlk,
   PingRespBlk,
   SigBlk,
   TpoBlk,
   TpoSelectionBlk

   Attributes:

   xmlns              The [XML Namespace] definition for IOTP messages.



Burdett                      Informational                     [Page 36]


RFC 2801                       IOTP/1.0                       April 2000


3.2.1 XML Document Prolog

   The IOTP Message is the root element of the XML document. It
   therefore needs to be preceded by an appropriate XML Document Prolog.
   For example:

   <?XML Version='1.0'?>
   <!DOCTYPE IotpMessage >
   <IotpMessage>
    ...
   </IotpMessage>

3.3 Transaction Reference Block

   A Transaction Reference Block contains information which identifies
   the IOTP Transaction and IOTP Message. The Transaction Reference
   Block contains:

   o  a Transaction Id Component which globally uniquely identifies the
      IOTP Transaction. The Transaction Id Components are the same
      across all IOTP messages that comprise a single IOTP transaction,

   o  a Message Id Component which provides control information about
      the IOTP Message as well as uniquely identifying the IOTP Message
      within an IOTP Transaction, and

   o  zero or more Related To Components which link this IOTP
      Transaction to either other IOTP Transactions or other events
      using the identifiers of those events.

   The definition of a Transaction Reference Block is as follows:

   <!ELEMENT TransRefBlk (TransId, MsgId, RelatedTo*) >
   <!ATTLIST TransRefBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Transaction Reference Block within the IOTP
                      Transaction (see section 3.4 ID Attributes).

   Content:

   TransId            See 3.3.1 Transaction Id Component immediately
                      below.

   MsgId              See 3.3.2 Message Id Component immediately below.



Burdett                      Informational                     [Page 37]


RFC 2801                       IOTP/1.0                       April 2000


   RelatedTo          See 3.3.3 Related To Component immediately below.

3.3.1 Transaction Id Component

   This contains information which globally uniquely identifies the IOTP
   Transaction. Its definition is as follows:

   <!ELEMENT TransId EMPTY >
   <!ATTLIST TransId
    ID                 ID      #REQUIRED
    Version            NMTOKEN #FIXED '1.0'
    IotpTransId        CDATA   #REQUIRED
    IotpTransType      CDATA   #REQUIRED
    TransTimeStamp     CDATA   #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Transaction Id Component within the IOTP
                      Transaction.

   Version            This identifies the version of IOTP, and therefore
                      the structure of the IOTP Messages, which the IOTP
                      Transaction is using.

   IotpTransId        Contains data which uniquely identifies the IOTP
                      Transaction. It must conform to the rules for
                      Message Ids in [RFC 822].

   IotpTransTyp       This is the type of IOTP Transaction being carried
                      out. For Baseline IOTP it identifies a "standard"
                      IOTP Transaction and implies the sequence and
                      content of the IOTP Messages exchanged between the
                      Trading Roles. The valid values for Baseline IOTP
                      are:
                       o BaselineAuthentication
                       o BaselineDeposit
                       o BaselinePurchase
                       o BaselineRefund
                       o BaselineWithdrawal
                       o BaselineValueExchange
                       o BaselineInquiry
                       o BaselinePing

                      Values of IotpTransType are managed under the
                      procedure described in section 12 IANA
                      Considerations which also allows user defined
                      values of IotpTransType to be defined.



Burdett                      Informational                     [Page 38]


RFC 2801                       IOTP/1.0                       April 2000


                      In later versions of IOTP, this list will be
                      extended to support different types of standard
                      IOTP Transaction. It is also likely to support the
                      type Dynamic which indicates that the sequence of
                      steps within the transaction are non-standard.

   TransTimeStamp     Where the system initiating the IOTP Transaction
                      has an internal clock, it is set to the time at
                      which the IOTP Transaction started in [UTC]
                      format.

                      The main purpose of this attribute is to provide
                      an alternative way of identifying a transaction by
                      specifying the time at which it started.

                      Some systems, for example, hand held devices may
                      not be able to generate a  time stamp. In this
                      case this attribute should contain the value "NA"
                      for Not Available.

3.3.2 Message Id Component

   The Message Id Component provides control information about the IOTP
   Message as well as uniquely identifying the IOTP Message within an
   IOTP Transaction. Its definition is as follows.

   <!ELEMENT MsgId EMPTY >
   <!ATTLIST MsgId
    ID                 ID      #REQUIRED
    RespIotpMsg        NMTOKEN #IMPLIED
    xml:lang           NMTOKEN #REQUIRED
    LangPrefList       NMTOKENS #IMPLIED
    CharSetPrefList    NMTOKENS #IMPLIED
    SenderTradingRoleRef NMTOKEN #IMPLIED
    SoftwareId         CDATA   #REQUIRED
    TimeStamp          CDATA   #IMPLIED >

   Attributes:

   ID                     An identifier which uniquely identifies the
                          IOTP Message within the IOTP Transaction (see
                          section 3.4 ID Attributes). Note that if an
                          IOTP Message is resent then the value of this
                          attribute remains the same.

   RespIotpMsg            This contains the ID attribute of the Message
                          Id Component of the IOTP Message to which this
                          IOTP Message is a response. In this way all



Burdett                      Informational                     [Page 39]


RFC 2801                       IOTP/1.0                       April 2000


                          the IOTP Messages in an IOTP Transaction are
                          unambiguously linked together. This field is
                          required on every IOTP Message except the
                          first IOTP Message in an IOTP Transaction.

   SenderTradingRoleRef   The Element Reference (see section 3.5) of the
                          Trading Role which has generated the IOTP
                          message. It is used to identify the Net
                          Locations (see section 3.9) of the Trading
                          Role to which problems Technical Errors (see
                          section 4.1) with any of Trading Blocks should
                          be reported.

   Xml:lang               Defines the language used by attributes or
                          child elements within this component, unless
                          overridden by an xml:lang attribute on a child
                          element. See section 3.8 Identifying
                          Languages.

   LangPrefList           Optional list of Language codes that conform
                          to [XML] Language Identification. It is used
                          by the sender to indicate, in preference
                          sequence, the languages that the receiver of
                          the message ideally should use when generating
                          a response. There is no obligation on the
                          receiver to respond using one of the indicated
                          languages, but using one of the languages is
                          likely to provide an improved user experience.

   CharSetPrefList        Optional list of Character Set identifiers
                          that conform to [XML] Characters. It is used
                          by the sender to indicate, in preference
                          sequence, the character sets that the receiver
                          of the message ideally should use when
                          generating a response. There is no obligation
                          on the receiver to respond using one of the
                          character sets indicated, but using one of the
                          character sets is likely to provide an
                          improved user experience.

   SoftwareId             This contains information which identifies the
                          software which generated the IOTP Message. Its
                          purpose is to help resolve interoperability
                          problems that might occur as a result of
                          incompatibilities between messages produced by
                          different software. It is a single text string
                          in the language defined by xml:lang. It must
                          contain, as a minimum:



Burdett                      Informational                     [Page 40]


RFC 2801                       IOTP/1.0                       April 2000


                          o the name of the software manufacturer
                          o the name of the software
                          o the version of the software, and
                          o the build of the software

   TimeStamp              Where the device sending the message has an
                          internal clock, it is set to the time at which
                          the IOTP Message was created in [UTC] format.

3.3.3 Related To Component

   The Related To Component links IOTP Transactions to either other IOTP
   Transactions or other events using the identifiers of those events.
   Its definition is as follows.

   <!ELEMENT RelatedTo (PackagedContent) >
   <!ATTLIST RelatedTo
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    RelationshipType   NMTOKEN #REQUIRED
    Relation           CDATA   #REQUIRED
    RelnKeyWords       NMTOKENS #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Related To Component within the IOTP Transaction.

   xml:lang           Defines the language used by attributes or child
                      elements within this component, unless overridden
                      by an xml:lang attribute on a child element. See
                      section 3.8 Identifying Languages.

   RelationshipType   Defines the type of the relationship. Valid values
                      are:

                       o IotpTransaction. in which case the Packaged
                         Content Element contains an IotpTransId of
                         another IOTP Transaction
                       o Reference in which case the Packaged Content
                         Element contains the reference of some other,
                         non-IOTP document.

                      Values of RelationshipType are controlled under
                      the procedures defined in section 12 IANA
                      Considerations which also allows user defined
                      values to be defined.




Burdett                      Informational                     [Page 41]


RFC 2801                       IOTP/1.0                       April 2000


   Relation           The Relation attribute contains a phrase in the
                      language defined by xml:lang which describes the
                      nature of the relationship between the IOTP
                      transaction that contains this component and
                      another IOTP Transaction or other event. The exact
                      words to be used are left to the implementers of
                      the IOTP software.

                      The purpose of the attribute is to provide the
                      Trading Roles involved in an IOTP Transaction with
                      an explanation of the nature of the relationship
                      between the transactions.

                      Care should be taken that the words used to in the
                      Relation attribute indicate the "direction" of the
                      relationship correctly. For example: one
                      transaction might be a refund for another earlier
                      transaction. In this case the transaction which is
                      a refund should contain in the Relation attribute
                      words such as "refund for" rather than "refund to"
                      or just "refund".

   RelnKeyWords       This attribute contains keywords which could be
                      used to help identify similar relationships, for
                      example all refunds. It is anticipated that
                      recommended keywords will be developed through
                      examination of actual usage. In this version of
                      the specification there are no specific
                      recommendations and the keywords used are at the
                      discretion of implementers.

   Content:

   PackagedContent    The Packaged Content (see section 3.7) contains
                      data which identifies the related transaction. Its
                      format varies depending on the value of the
                      RelationshipType.

3.4 ID Attributes

   IOTP Messages, Blocks (i.e. Transaction Reference Blocks and Trading
   Blocks), Trading Components (including the Transaction Id Component
   and the Signature Component) and some of their child elements are
   each given an XML "ID" attribute which is used to identify an
   instance of these XML elements. These identifiers are used so that
   one element can be referenced by another. All these attributes are
   given the attribute name ID.




Burdett                      Informational                     [Page 42]


RFC 2801                       IOTP/1.0                       April 2000


   The values of each ID attribute are unique within an IOTP transaction
   i.e. the set of IOTP Messages which have the same globally unique
   Transaction ID Component. Also, once the ID attribute of an element
   has been assigned a value it is never changed. This means that
   whenever an element is copied, the value of the ID attribute remains
   the same.

   As a result it is possible to use these IDs to refer to and locate
   the content of any IOTP Message, Block or Component from any other
   IOTP Message, Block or Component in the same IOTP Transaction using
   Element References (see section 3.5).

   This section defines the rules for setting the values for the ID
   attributes of IOTP Messages, Blocks and Components.

3.4.1 IOTP Message ID Attribute Definition

   The ID attribute of the Message Id Component of an IOTP Message must
   be unique within an IOTP Transaction. It's definition is as follows:

   IotpMsgId_value  ::= IotpMsgIdPrefix IotpMsgIdSuffix
   IotpMsgIdPrefix  ::= NameChar (NameChar)*
   IotpMsgIdSuffix  ::= Digit (Digit)*

   IotpMsgIdPrefix    Apart from messages which contain: an Inquiry
                      Request Trading Block, an Inquiry Response Trading
                      Block, a Ping Request Trading Block or a Ping
                      Response Trading Block; then the same prefix is
                      used for all messages sent by the Merchant or
                      Consumer role as follows:

                       o "M" - Merchant
                       o "C" - Consumer

                      For messages which contain an Inquiry Request
                      Trading Block or a Ping Request Trading Block, the
                      prefix is set to "I" for Inquiry.

                      For messages which contain an Inquiry Response
                      Trading Block or a Ping Response Trading Block,
                      the prefix is set to "Q".

                      The prefix for the other roles in a trade is
                      contained within the Organisation Component for
                      the role and are typically set by the Merchant.
                      The following is recommended as a guideline and
                      must not be relied upon:




Burdett                      Informational                     [Page 43]


RFC 2801                       IOTP/1.0                       April 2000


                       o "P" - First (only) Payment Handler
                       o "R" - Second Payment Handler
                       o "D" - Delivery Handler
                       o "C" - Deliver To

                      As a guideline, prefixes should be limited to one
                      character.

                      NameChar has the same definition as the [XML]
                      definition of NameChar.

   IotpMsgIdSuffix    The suffix consists of one or more digits. The
                      suffix must be unique within a Trading Role within
                      an IOTP Transaction. The following is recommended
                      as a guideline and must not be relied upon:

                       o the first IOTP Message sent by a trading role
                         is given the suffix "1"
                       o the second and subsequent IOTP Messages sent
                         by the same trading role are incremented by one
                         for each message
                       o no leading zeroes are included in the suffix

                      Put more simply the Message Id Component of the
                      first IOTP Message sent by a Consumer would have
                      an ID attribute of, "C1", the second "C2", the
                      third "C3" etc.

                      Digit has the same definition as the [XML]
                      definition of Digit.

3.4.2 Block and Component ID Attribute Definitions

   The ID Attribute of Blocks and Components must also be unique within
   an IOTP Transaction. Their definition is as follows:

   BlkOrCompId_value ::= IotpMsgId_value "." IdSuffix
   IdSuffix ::= Digit (Digit)*

   IotpMsgId_value    The ID attribute of the Message ID Component of
                      the IOTP Message where the Block or Component is
                      first used.

                      In IOTP, Trading Components and Trading Blocks are
                      copied from one IOTP Message to another. The ID
                      attribute does not change when an existing Trading
                      Block or Component is copied to another IOTP
                      Message.



Burdett                      Informational                     [Page 44]


RFC 2801                       IOTP/1.0                       April 2000


   IdSuffix           The suffix consists of one or more digits. The
                      suffix must be unique within the ID attribute of
                      the Message ID Component used to generate the ID
                      attribute. The following is recommended as a
                      guideline and must not be relied upon:

                       o the first Block or Component sent by a trading
                         role is given the suffix "1"
                       o the ID attributes of the second and subsequent
                         Blocks or Components are incremented by one for
                         each new Block or Component added to an IOTP
                         Message
                       o no leading zeroes are included in the suffix

                      Put more simply, the first new Block or Component
                      added to the second IOTP Message sent, for
                      example, by a consumer would have a an ID
                      attribute of "C2.1", the second "C2.2", the third
                      "C2.3" etc.

                      Digit has the same definition as the [XML]
                      definition of Digit.





























Burdett                      Informational                     [Page 45]


RFC 2801                       IOTP/1.0                       April 2000


3.4.3 Example of use of ID Attributes

   The diagram below illustrates how ID attribute values are used.

*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

      1st  IOTP MESSAGE                          2nd IOTP MESSAGE
    (e.g., from Merchant to                    (e.g., from Consumer to
           Consumer                              Payment Handler)

IOTP MESSAGE                               IOTP MESSAGE *
 |-Trans Ref Block. ID=M1.1                 |-Trans Ref Block.ID=C1.1*
 |  |-Trans Id Comp. ID = M1.2 ------------>|  |-Trans Id Comp.
 |  |                         Copy Element  |  |  ID=M1.2
 |  |-Msg Id Comp. ID = M1                  |  |-Msg Id Comp. ID=C1 *
 |                                          |
 |-Signature Block. ID=M1.8                 |-Signature Block.ID=C1.5*
 |  |-Sig Comp. ID=M1.15 ------------------>|  |-Comp. ID=M1.15
 |                            Copy Element  |
 |-Trading Block. ID=M1.3                   |-Trading Block.ID=C1.2 *
 |  |-Comp. ID=M1.4 -------------------------->|-Comp. ID=M1.4
 |  |                         Copy Element     |
 |  |-Comp. ID=M1.5 -------------------------->|-Comp. ID=M1.5
 |  |                         Copy Element     |
 |  |-Comp. ID=M1.6                            |-Comp. ID=C1.3 *
 |  |-Comp. ID=M1.7                            |-Comp. ID=C1.4 *
 |
 |-Trading Block. ID=M1.9
    |-Comp. ID=M1.10                             * = new elements
    |-Comp. ID=M1.11
    |-Comp. ID=M1.12
    |-Comp. ID=M1.13

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

                   Figure 8 Example use of ID attributes

3.5 Element References

   A Trading Component or one of its child XML elements, may contain an
   XML attribute that refers to another Block (i.e. a Transaction
   Reference Block or a Trading Block) or Trading Component (including a
   Transaction Id and Signature Component). These Element References are
   used for many purposes, a few examples include:

   o  identifying an XML element whose Digest is included in a Signature
      Component,




Burdett                      Informational                     [Page 46]


RFC 2801                       IOTP/1.0                       April 2000


   o  referring to the Payment Handler Organisation Component which is
      used when making a Payment

   An Element Reference always contains the value of an ID attribute of
   a Block or Component.

   Identifying the IOTP Message, Trading Block or Trading Component
   which is referred to by an Element Reference, involves finding the
   XML element which:

   o  belongs to the same IOTP Transaction (i.e. the Transaction Id
      Components of the IOTP Messages match), and

   o  where the value of the ID attribute of the element matches the
      value of the Element Reference.

   Note: The term "match" in this specification has the same definition
   as the [XML] definition of match.

   An example of "matching" an Element Reference is illustrated in the
   example below.






























Burdett                      Informational                     [Page 47]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

         1st  IOTP MESSAGE                          2nd IOTP MESSAGE
       (e.g., from Merchant to                    (e.g., from Consumer to
              Consumer                              Payment Handler)

   IOTP MESSAGE                               IOTP MESSAGE
    |-Trans Ref Block. ID=M1.1     Trans ID    |-Trans RefBlock. ID=C1.1
    |  |-Trans Id Comp. ID = M1.2 <-Components-|->|-TransId Comp.ID=M1.2
    |  |                            must be    |  |
    |  |-Msg Id Comp. ID = M1      Identical   |  |-Msg Id Comp. ID=C1
    |                                  ^       |
    |-Signature Block. ID=M1.8         |       |-Signature Block.ID=C1.5
    |  |-Sig Comp. ID=M1.15            |       |  |-Comp. ID=M1.15
    |                                 AND      |
    |-Trading Block. ID=M1.3           |       |-Trading Block. ID=C1.2
    |  |-Comp. ID=M1.4                 |          |-Comp. ID=M1.4
    |  |                               v          |
    |  |-Comp. ID=M1.5 <-------- -ID Attribute    |-Comp. ID=M1.5
    |  |                          and El Ref      |
    |  |-Comp. ID=M1.6            values must     |-Comp. ID=C1.3
    |  |                             match--------|--> El Ref=M1.5
    |  |-Comp. ID=M1.7                            |-Comp. ID=C1.4
    |
    |-Trading Block. ID=M1.9
       |-Comp. ID=M1.10
       |-Comp. ID=M1.11
       |-Comp. ID=M1.12
       |-Comp. ID=M1.13

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

                           Figure 9 Element References

   Note: Element Reference attributes are defined as "NMTOKEN" rather
   than "IDREF" (see [XML]). This is because an IDREF requires that the
   XML element referred to is in the same XML Document.  With IOTP this
   is not necessarily the case.

3.6 Extending IOTP

   Baseline IOTP defines a minimum protocol which systems supporting
   IOTP must be able to accept. As new versions of IOTP are developed,
   additional types of IOTP Transactions will be defined. In addition to
   this, Baseline and future versions of IOTP will support user
   extensions to IOTP through two mechanisms:





Burdett                      Informational                     [Page 48]


RFC 2801                       IOTP/1.0                       April 2000


   o  extra XML elements, and

   o  new values for existing IOTP codes.

3.6.1 Extra XML Elements

   The XML element and attribute names used within IOTP constitute an
   [XML Namespace] as identified by the xmlns attribute on the
   IotpMessage element. This allows IOTP to support the inclusion of
   additional XML elements within IOTP messages through the use of [XML
   Namespaces].

   Using XML Namespaces, extra XML elements may be included at any level
   within an IOTP message including:

   o  new Trading Blocks

   o  new Trading Components

   o  new XML elements within a Trading Component.

   The following rules apply:

   o  any new XML element must be declared according to the rules for
      [XML Namespaces]

   o  new XML elements which are either Trading Blocks or Trading
      Components must contain an ID attributes with an attribute name of
      ID.

   In order to make sure that extra XML elements can be processed
   properly, IOTP reserves the use of a special attribute,
   IOTP:Critical, which takes the values True or False and may appear in
   extra elements added to an IOTP message.

   The purpose of this attribute is to allow an IOTP aware application
   to determine if the IOTP transaction can safely continue.
   Specifically:

   o  if an extra XML element has an "IOTP:Critical" attribute with a
      value of "True" and an IOTP aware application does not know how to
      process the element and its child elements, then the IOTP
      transaction has a Technical Error (see section 4.1) and must fail.

   o  if an extra XML element has an "IOTP:Critical" attribute with a
      value of "False" then the IOTP transaction may continue if the
      IOTP aware application does not know how to process it. In this
      case:



Burdett                      Informational                     [Page 49]


RFC 2801                       IOTP/1.0                       April 2000


      -  any extra XML elements contained within an XML element defined
         within the IOTP namespace, must be included with that element
         whenever the IOTP XML element is used or copied by IOTP

      -  the content of the extra element must be ignored except that it
         must be included when it is used in the creation of a digest as
         part of the generation of a signature

   o  if an extra XML element has no "IOTP:Critical" attribute then it
      must be treated as if it had an "IOTP:Critical" attribute with a
      value of "True"

   o  if an XML element contains an "IOTP:Critical" attribute, then the
      value of that attribute is assumed to apply to all the child
      elements within that element

   In order to ensure that documents containing "IOTP:Critical" are
   valid, it is declared as part of the DTD for the extra element as:

   IOTP:Critical     (True | False ) 'True'

3.6.2 Opaque Embedded Data

   If IOTP is to be extended using Opaque Embedded Data then a Packaged
   Content Element (see section 3.7) should be used to encapsulate the
   data.

3.7 Packaged Content Element

   The Packaged Content element supports the concept of an embedded data
   stream, transformed to both protect it against misinterpretation by
   transporting systems and to ensure XML compatibility. Examples of its
   use in IOTP include:

   o  to encapsulate payment scheme messages, such as SET messages,

   o  to encapsulate a description of an order, a payment note, or a
      delivery note.

   In general it is used to encapsulate one or more data streams.

   This data stream has three standardised attributes that allow for
   identification, decoding and interpretation of the contents. Its
   definition is as follows.







Burdett                      Informational                     [Page 50]


RFC 2801                       IOTP/1.0                       April 2000


   <!ELEMENT PackagedContent (#PCDATA) >
   <!ATTLIST PackagedContent
    Name             CDATA     #IMPLIED
    Content          NMTOKEN   "PCDATA"
    Transform (NONE|BASE64)    "NONE" >

   Attributes:

   Name               Optional. Distinguishes between multiple
                      occurrences of Packaged Content Elements at the
                      same point in IOTP. For example:
                        <ABCD>
                          <PackagedContent Name='FirstPiece'>
                            snroasdfnas934k
                          </PackagedContent>
                          <PackagedContent Name='SecondPiece'>
                            dvdsjnl5poidsdsflkjnw45
                          </PackagedContent>
                        </ABCD>

                      The name attribute may be omitted, for example if
                      there is only one Packaged Content element.

   Content            This identifies what type of data is contained
                      within the Content of the Packaged Content
                      Element. The valid values for the Content
                      attribute are as follows:
                       o PCDATA. The content of the Packaged Content
                         Element can be treated as PCDATA with no
                         further processing.
                       o MIME. The content of the Packaged Content
                         Element is a complete MIME item. Processing
                         should include looking for MIME headers inside
                         the Packaged Content Element.
                       o MIME:mimetype. The content of the Packaged
                         Content Element is MIME content, with the
                         following header "Content-Type: mimetype".
                         Although it is possible to have MIME:mimetype
                         with the Transform attribute set to NONE, it is
                         far more likely to have Transform attribute set
                         to BASE64. Note that if Transform is NONE is
                         used, then the entire content must still
                         conform to PCDATA. Some characters will need to
                         be encoded either as the XML default entities,
                         or as numeric character entities.






Burdett                      Informational                     [Page 51]


RFC 2801                       IOTP/1.0                       April 2000


                       o XML. The content of the Packaged Content
                         Element can be treated as an XML document.
                         Entities and CDATA sections, or Transform set
                         to BASE64, must be used to ensure that the
                         Packaged Content Element contents are
                         legitimate PCDATA.

                      Values of the Content attribute are controlled
                      under the procedures defined in section 12 IANA
                      Considerations which also allows user defined
                      values to be defined.

   Transform          This identifies the transformation that has been
                      done to the data before it was placed in the
                      content. Valid values are:

                       o NONE. The PCDATA content of the Packaged
                         Content Element is the correct representation
                         of the data. Note that entity expansion must
                         occur first (i.e. replacement of &amp; and
                         &#9;) before the data is examined. CDATA
                         sections may legitimately occur in a Packaged
                         Content Element where the Transform attribute
                         is set to NONE.
                       o BASE64. The PCDATA content of the Packaged
                         Content Element represents a BASE64 encoding of
                         the actual content.

   Content:

   PCDATA             This is the actual data which has been embedded.
                      The format of the data and rules on how to decode
                      it are contained in the Content and the Transform
                      attributes

   Note that any special details, especially custom attributes, must be
   represented at a higher level.

3.7.1 Packaging HTML

   The packaged content may contain HTML. In this case the following
   conventions are followed:

   o  references to any documents, images or other things, such as
      sounds or web pages, which can affect the recipient's
      understanding of the data which is being packaged must refer to
      other Packaged Elements contained within the same parent element,
      e.g., an Order Description



Burdett                      Informational                     [Page 52]


RFC 2801                       IOTP/1.0                       April 2000


   o  if more than one Packaged Content element is included within a
      parent element in order to meet the previous requirement, then the
      Name attribute of the top level Packaged Content from which
      references to all other Packaged Elements can be determined,
      should have a value of Main

   o  relative references to other documents, images, etc. from one
      Packaged Content element to another are realised by setting the
      value of the relative reference to the Name attribute of another
      Packaged Content element at the same level and within the same
      parent element

   o  no external references that require the reference to be resolved
      immediately should be used. As this could make the HTML difficult
      or impossible to display completely

   o  [MIME] is used to encapsulate the data inside each Packaged
      Element.  This means that the information in the MIME header used
      to identify the type of data which has been encapsulated and
      therefore how it should be displayed.

   If the above conventions are not followed by, for example, including
   external references which must be resolved, then the recipient of the
   HTML should be informed.

   Note: As an implementation guideline the values of the Name
   Attributes allocated to Packaged Content elements should make it
   possible to extract each Packaged Content into a directory and then
   display the HTML directly

3.7.2 Packaging XML

   Support for XML is recommended. When XML needs to be displayed, for
   example to display the content of an Order Description to a Consumer,
   then implementers should follow the latest recommendations of the
   World Wide Web Consortium.

   Note: At the time of writing this specification, standards are under
   development that specify XML style sheets that show how XML documents
   should be displayed. See:

   o "Extensible Stylesheet Language (XSL) Specification" at
     http://www.w3.org/TR/WD-xsl, and

   o "Associating stylesheets with XML documents" at
     http://www.w3.org/TR/xml-stylesheet.





Burdett                      Informational                     [Page 53]


RFC 2801                       IOTP/1.0                       April 2000


   Once these standards become W3C "Recommendations", then it is
   anticipated that this specification will be amended if practical.

3.8 Identifying Languages

   IOTP uses [XML] Language Identification to specify which languages
   are used within the content and attributes of IOTP Messages.

   The following principles have been used in order to determine which
   XML elements contain an xml:lang Attributes:

   o  a mandatory xml:lang attribute is contained on every Trading
      Component which contains attributes or content which may need to
      be displayed or printed in a particular language

   o  an optional xml:lang attribute is included on child elements of
      these Trading Components. In this case the value of xml:lang, if
      present, overrides the value for the Trading Component.

   xml:lang attributes which follow these principles are included in the
   Trading Components and their child XML elements defined in section 7.

   A sender of a message, typically a Consumer can indicate a preference
   for a language, and a character set by specifying a list of preferred
   languages/character sets in a Message Id Component (see section
   3.3.2).  Note that there is no obligation on the receiver of such a
   message to respond using one of the listed languages/character sets
   as they may not have the technology to be able to do it. It also
   means that the ability to handle these lists is not a requirement for
   conformance to this specification. However the ability to respond,
   for example using one of the stated languages/character sets is
   likely to provide a better user experience.

3.9 Secure and Insecure Net Locations

   IOTP contains several "Net Locations" which identify places where,
   typically, IOTP Messages may be sent. Net Locations come in two
   types:

   o  "Secure" Net Locations which are net locations where privacy of
      data is secured using, for example, encryption methods such as
      [SSL/TLS], and

   o  "Insecure" Net Locations where privacy of data is not assured.

   Note that either a Secure Net Location or an Insecure Net Location or
   both must be present.




Burdett                      Informational                     [Page 54]


RFC 2801                       IOTP/1.0                       April 2000


   If only one of the two Net Locations is present, then the one present
   must be used.

   Where both types of net location are present then either may be used
   depending on the preference of the sender of the message.

3.10 Cancelled Transactions

   Any Trading Role involved in an IOTP transaction may cancel that
   transaction at any time.

3.10.1 Cancelling Transactions

   IOTP Transactions are cancelled by sending an IOTP message containing
   just a Cancel Block with an appropriate Status Component to the other
   Trading Role involved in the Trading Exchange.

   Note: The Cancel Block can be sent asynchronously of any other IOTP
   Message. Specifically it can be sent either before sending or after
   receiving an IOTP Message from the other Trading Role

   If an IOTP Transaction is cancelled during a Trading Exchange (i.e.
   the interval between sending a "request" block and receiving the
   matching "response" block) then the Cancel Block is sent to the same
   location as the next IOTP Message in the Trading Exchange would have
   been sent.

   If a Consumer cancels a transaction after a Trading Exchange has
   completed (i.e. the "response" block for the Trading Exchange has
   been received), but before the IOTP Transaction has finished then the
   Consumer sends a Cancel Block with an appropriate Status Component to
   the net location identified by the SenderNetLocn or
   SecureSenderNetLocn contained in the Protocol Options Component (see
   section 7.1) contained in the TPO Block (see section 8.1) for the
   transaction. This is normally the Merchant Trading Role.

   A Consumer should not send a Cancel Block after the IOTP Transaction
   has completed. Cancelling a complete transaction should be treated as
   a technical error.

   After cancelling the IOTP Transaction, the Consumer should go to the
   net location specified by the CancelNetLocn attribute contained in
   the Trading Role Element for the Organisation that was sent the
   Cancel Block.

   A non-Consumer Trading Role should only cancel a transaction:

   o after a request block has been received and



Burdett                      Informational                     [Page 55]


RFC 2801                       IOTP/1.0                       April 2000


   o before the response block has been sent

   If a non-Consumer Trading Role cancels a transaction at any other
   time it should be treated by the recipient as an error.

3.10.2 Handling Cancelled Transactions

   If a Cancel Block is received by a Consumer at a point in the IOTP
   Transaction when cancellation is allowed, then the Consumer should
   stop the transaction.

   If a Cancel Block is received by a non-Consumer role, then the
   Trading Role should anticipate that the Consumer may go to the
   location specified by the CancelNetLocn attribute contained in the
   Trading Role Element for the Trading Role.

4. IOTP Error Handling

   IOTP is designed as a request/response protocol where each message is
   composed of a number of Trading Blocks which contain a number of
   Trading Components. There are several interrelated considerations in
   handling errors, re-transmissions, duplicates, and the like. These
   factors mean IOTP aware applications must manage message flows more
   complex than the simple request/response model. Also a wide variety
   of errors can occur in messages as well as at the transport level or
   in Trading Blocks or Components.

   This section describes at a high level how IOTP handles errors,
   retries and idempotency. It covers:

   o  the different types of errors which can occur. This is divided
      into:

      -  "technical errors" which are independent of the purpose of the
         IOTP Message,

      -  "business errors" which indicate that there is a problem
         specific to the process (e.g., payment or delivery) which is
         being carried out, and

   o  the depth of the error which indicates whether the error is at the
      transport, message or block/component level

   o  how the different trading roles should handle the different types
      of messages which they may receive.






Burdett                      Informational                     [Page 56]


RFC 2801                       IOTP/1.0                       April 2000


4.1 Technical Errors

   Technical Errors are those which are independent of the meaning of
   the message. This means, they can affect any attempt at IOTP
   communication.  Typically they are handled in a standard fashion with
   a limited number of standard options for the user. Specifically these
   are:

   o retrying the transmission, or

   o cancelling the transaction.

   When communications are operating sufficiently well, a technical
   error is indicated by an Error Component (see section 7.21) in an
   Error Block (see section 8.17) sent by the party which detected the
   error in an IOTP message to the party which sent the erroneous
   message.

   If communications are too poor, a message which was sent may not
   reach its destination. In this case a time-out might occur.

   The Error Codes associated with Technical Errors are recorded in the
   Error Component which lists all the different technical errors which
   can be set.

4.2 Business Errors

   Business Errors may occur when the IOTP messages are "technically"
   correct. They are connected with a particular process, for example,
   an offer, payment, delivery or authentication, where each process has
   a different set of possible business errors.

   For example, "Insufficient funds" is a reasonable payment error but
   makes no sense for a delivery while "Back ordered" is a reasonable
   delivery error but not meaningful for a payment. Business errors are
   indicated in the Status Component (see section 7.16) of a "response
   block" of the appropriate type, for example a Payment Response Block
   or a Delivery Response Block. This allows whatever additional
   response related information is needed to accompany the error
   indication.

   Business errors must usually be presented to the user so that they
   can decide what to do next. For example, if the error is insufficient
   funds in a Brand Independent Offer (see section 9.1.2.2), the user
   might wish to choose a different payment instrument/account of the
   same brand or a different brand or payment system. Alternatively, if





Burdett                      Informational                     [Page 57]


RFC 2801                       IOTP/1.0                       April 2000


   the IOTP based implementation allows it and it makes sense for that
   instrument, the user might want to put more funds into the
   instrument/account and try again.

4.3 Error Depth

   The three levels at which IOTP errors can occur are the transport
   level, the message level, and the block level. Each is described
   below.

4.3.1 Transport Level

   This level of error indicates a fundamental problem in the transport
   mechanism over which the IOTP communication is taking place.

   All transport level errors are technical errors and are indicated by
   either an explicit transport level error indication, such as a "No
   route to destination" error from TCP/IP, or by a time out where no
   response has been received to a request.

   The only reasonable automatic action when faced with transport level
   errors is to retry and, after some number of automatic retries, to
   inform the user.

   The explicit error indications that can be received are transport
   dependent and the documentation for the appropriate IOTP Transport
   supplement should be consulted for errors and appropriate actions.

   Appropriate time outs to use are a function of both the transport
   being used and of the payment system if the request encapsulates
   payment information. The transport and payment system specific
   documentation should be consulted for time out and automatic retry
   parameters.  Frequently there is no way to directly inform the other
   party of transport level errors but they should generally be logged
   and if automatic recovery is unsuccessful and there is a human user,
   the user should be informed.

4.3.2 Message Level

   This level of error indicates a fundamental technical problem with an
   entire IOTP message. For example, the XML is not "Well Formed", or
   the message is too large for the receiver to handle or there are
   errors in the Transaction Reference Block (see section 3.3) so it is
   not possible to figure out what transaction the message relates to.

   All message level errors are technical errors and are indicated by
   Error Components (see section 7.21) sent to the other party. The
   Error Component includes a Severity attribute which indicates whether



Burdett                      Informational                     [Page 58]


RFC 2801                       IOTP/1.0                       April 2000


   the error is a Warning and may be ignored, a TransientError which
   indicates that a retry may resolve the problem or a HardError in
   which case the transaction must fail.

   The Technical Errors (see section 7.21.2 Error Codes) that are
   Message Level errors are:

   o  XML not well formed. The document is not well formed XML (see
      [XML])

   o  XML not valid. The document is not valid XML (see [XML])

   o  block level technical errors (see section 4.3.3) on the
      Transaction Reference Block (see section 3.3) and the Signature
      Block only. Checks on these blocks should only be carried out if
      the XML is valid

   Note that checks on the Signature Block include checking, where
   possible, that each Signature Component is correctly calculated. If
   the Signature is incorrectly calculated then the data that should
   have been covered by the signature can not be trusted and must be
   treated as erroneous. A description of how to check a signature is
   correctly calculated is contained in section 6.2.

4.3.3 Block Level

   A Block level error indicates a problem with a block or one of its
   components in an IOTP message (apart from Transaction Reference or
   Signature Blocks). The message has been transported properly, the
   overall message structure and the block/component(s) including the
   Transaction Reference and Signature Blocks are meaningful but there
   is some error related to one of the other blocks.

   Block level errors can be either:

   o  technical errors, or

   o  business errors

   Technical Errors are further divided into:

   o  Block Level Attribute and Element Checks, and

   o  Block and Component Consistency Checks

   o  Transient Technical Errors





Burdett                      Informational                     [Page 59]


RFC 2801                       IOTP/1.0                       April 2000


   If a technical error occurs related to a block or component, then an
   Error Component is generated for return.

4.3.3.1 Block Level Attribute and Element Checks

   Block Level Attribute and Element Checks occur only within the same
   block. Checks which involve cross-checking against other blocks are
   covered by Block and Component Consistency Checks.

   The Block Level Attribute & Element checks are:

   o  checking that each attribute value within each element in a block
      conforms to any rules contained within this IOTP specification

   o  checking that the content of each element conforms to any rules
      contained within this IOTP specification

   o  if the previous checks are OK, then checking the consistency of
      attribute values and element content against other attribute
      values or element content within any other components in the same
      block.

4.3.3.2 Block and Component Consistency Checks

   Block and Component Consistency Checks consist of:

   o  checking that the combination of blocks and/or components present
      in the IOTP Message are consistent with the rules contained within
      this IOTP specification

   o  checking for consistency between attributes and element content
      within the blocks within the same IOTP message.

   o  checking for consistency between attributes and elements in blocks
      in this IOTP message and blocks received in earlier IOTP messages
      for the same IOTP transaction

   If the block passes the "Block Level Attribute and Element Checks"
   and the "Block and Component Consistency Checks" then it is processed
   either by the IOTP Aware application or perhaps by some "back-end"
   system such as a payment server.

4.3.3.3 Transient Technical Errors

   During the processing of the Block some temporary failure may occur
   that can potentially be recovered by the other trading role re-
   transmitting, at some slightly later time, the original message that
   they sent.  In this case the other role is informed of the Transient



Burdett                      Informational                     [Page 60]


RFC 2801                       IOTP/1.0                       April 2000


   Error by sending them an Error Component (see section 7.21) with the
   Severity Attribute set to TransientError and the MinRetrySecs
   attribute set to some value suitable for the Transport Mechanism
   and/or payment protocol being used (see appropriate Transport and
   payment protocol Supplements).

   Note that transient technical errors can be generated by any of the
   Trading Roles involved in transaction.

4.3.3.4 Block Level Business Errors

   If a business error occurs in a process such as a Payment or a
   Delivery, then the appropriate type of response block is returned
   containing a Status Component (see section 7.16) with the
   ProcessState attribute set to Failed and the CompletionCode
   indicating the nature of the problem.

   Some business errors may be "transient" in that the Consumer role may
   be able to recover and complete the transaction in some other way.
   For example if the Credit Card that a consumer provided had
   insufficient funds for a purchase, then the Consumer may recover by
   using a different credit card.

   Recovery from "transient" business errors is dependent on the
   CompletionCode. See the definition of the Status Component for what
   is possible.

   Note that no Error Component or Error Block is generated for business
   errors.

4.4 Idempotency, Processing Sequence, and Message Flow

   IOTP messages are actually a combination of blocks and components as
   described in 3.1.1 IOTP Message Structure. Especially in future
   extensions of IOTP, a rich variety of combinations of such blocks and
   components can occur. It is important that the multiple
   transmission/receipt of the "same" request for an action that will
   change state does not result in that action occurring more than once.
   This is called idempotency. For example, a customer paying for an
   order would want to pay the full amount only once. Most network
   transport mechanisms have some probability of delivering a message
   more than once or not at all, perhaps requiring retransmission. On
   the other hand, a request for status can reasonably be repeated and
   should be processed fresh each time it is received.







Burdett                      Informational                     [Page 61]


RFC 2801                       IOTP/1.0                       April 2000


   Correct implementation of IOTP can be modelled by a particular
   processing order as detailed below. Any other method that is
   indistinguishable in the messages sent between the parties is equally
   acceptable.

4.5 Server Role Processing Sequence

   "Server roles" are any Trading Role which is not the Consumer role.
   They are "Server roles" since they typically receive a request which
   they must service and then produce a response. However server roles
   can also initiate transactions. More specifically Server Roles must
   be able to:

   o  Initiate a transaction (see section 4.5.1). These are divided
      into:

      -  payment related transactions and

      -  infrastructure transactions

   o  Accept and process a message received from another role (see
      section 4.5.2). This includes:

      -  identifying if the message belongs to a transaction that has
         been received before

      -  handling duplicate messages

      -  generating Transient errors if the servers that process the
         input message are too busy to handle it

      -  processing the message if it is error free, authorised and, if
         appropriate, producing a response to send back to the other
         role

   o  Cancel a current transaction if requested (see section 4.5.3)

   o  Re-transmit messages if a response was expected but has not been
      received in a reasonable time (see section 4.5.4).

4.5.1 Initiating Transactions

   Server Roles may initiate a variety of different types of
   transaction.  Specifically:

   o  an Inquiry Transaction (see section 9.2.1)

   o  a Ping Transaction (see section 9.2.2)



Burdett                      Informational                     [Page 62]


RFC 2801                       IOTP/1.0                       April 2000


   o  an Authentication Transaction (see section 9.1.6)

   o  a Payment Related Transaction such as:

      -  a Deposit (see section 9.1.7)

      -  a Purchase (see section 9.1.8)

      -  a Refund (see section 9.1.9)

      -  a Withdrawal (see section 9.1.10)

      -  a Value Exchange (see section 9.1.11)

4.5.2 Processing Input Messages

   Processing input messages involves the following:

   o  checking the structure and identity of the message

   o  checking for and handling duplicate messages

   o  processing non-duplicate original messages which includes:

      -  checking for errors, then if no errors are found

      -  processing the message to produce an output message if
         appropriate

   Each of these is discussed in more detail below.

4.5.2.1 Checking Structure and Message Identity

   It is critical to check that the message is "well formed" XML and
   that the transaction identifier (IotpTransId attribute on the TransId
   Component) within the IOTP message can be successfully identified
   since an IotpTransId will be needed to generate a response.

   If the input message is not well formed then generate an Error
   Component with a Severity of HardError and ErrorCode of
   XmlNotWellFrmd.

   If the message is well formed but the IotpTransId cannot be
   identified then generate an ErrorComponent with:

   o  a Severity of HardError and an ErrorCode of AttMissing,





Burdett                      Informational                     [Page 63]


RFC 2801                       IOTP/1.0                       April 2000


   o  a PackagedContent containing "IotpTransId" - the missing
      attribute.

   Insert the Error Component inside an Error Block with a new
   TransactionId component with a new IotpTransId and return it to the
   sender of the original message.

4.5.2.2 Checking/Handling Duplicate Messages

   If the input message can be identified as potentially a valid input
   message then check to see if an "identical" input message has been
   received before. Identical means that all blocks, components,
   elements, attribute values and element content in the input message
   are the same.

   Note: The recommended way of checking for identical messages is to
   check for equal values of their [DOM-HASH]

   If an identical message has been received before then check to see if
   the processing of the previous message has completed.

   If processing has not completed then generate an Error Component with
   a Severity of Transient Error and an Error Code of MsgBeingProc to
   indicate the message is being processed and send it back to the
   sender of the Input Message requesting that the original message be
   resent after an appropriate period of time.

   Otherwise, if processing has completed and resulted in an output
   message then retrieve the last message that was sent and send it
   again.

   If the message is not a duplicate then it should be processed.

4.5.2.3 Processing Non-Duplicate Message

   Once it's been established that the message is not a duplicate, then
   it can be processed. This involves:

   o  checking that a server is available to handle the message,
      generating a Transient Error if it is not

   o  checking the Transaction is Not Already in error or cancelled

   o  validating the input message. This includes:

      -  checking for message level errors

      -  checking for block level errors



Burdett                      Informational                     [Page 64]


RFC 2801                       IOTP/1.0                       April 2000


      -  checking any encapsulated data

   o  checking for errors in the sequence that blocks have been received

   o  generating error components for any errors that result

   o  if neither hard errors nor transient errors result, then
      processing the message and generating an output message, if
      required, for return to the sender of the Input Message

   Note: This approach to handling of duplicate input messages means, if
   absolutely "identical" messages are received then absolutely
   "identical" messages are returned. This also applies to Inquiry and
   Ping transactions when in reality the state of a transaction or the
   processing ability of the servers may have changed. If up-to-date
   status of transactions or servers is required, then an IOTP
   transaction with a new value for the ID attribute of the MsgId
   component must be used.

   Each of the above steps is discussed below.

   CHECKING A SERVER IS AVAILABLE

   The process that is handling the input message should check that the
   rest of the system is not so busy that a response in a reasonable
   time cannot be produced.

   If the server is too busy, then it should generate an Error Component
   with a Severity of Transient Error and an Error Code of SystemBusy
   and send it back to the sender of the Input Message requesting that
   the original message be resent after an appropriate period of time.

   Note: Some servers may occasionally become very busy due to
   unexpected increases in workload. This approach allows short peaks in
   workloads to be handled by delaying the input of messages by asking
   the sender of the message to resubmit later.

   CHECKING THE TRANSACTION IS NOT ALREADY IN ERROR OR CANCELLED

   Check that:

   o  previous messages received or sent did not contain or result in
      Hard Errors, and

   o  the Transaction has not been cancelled by either the Consumer or
      the Server Trading Role





Burdett                      Informational                     [Page 65]


RFC 2801                       IOTP/1.0                       April 2000


   If it has then, ignore the message. A transaction with hard errors or
   that has been cancelled, cannot be restarted.

   CHECK FOR MESSAGE AND BLOCK LEVEL ERRORS

   If the transaction is still OK then check for message level errors.
   This involves:

   o  checking the XML is valid

   o  checking that the elements, attributes and content of the
      Transaction Reference Block are without error and conform to this
      specification

   o  checking the digital signature which involves:

      -  checking that the Signature value is correctly calculated, and

      -  the hash values in the digests are correctly calculated where
         the source of the hash value is available.

   Checking for block level errors involves:

   o  checking within each block (apart from the Transaction Reference
      Block) that:

      -  the attributes, elements and element contents are valid

      -  the values of the attributes, elements and element contents are
         consistent within the block

   o  checking that the combination of blocks are valid

   o  checking that the values of the attribute, elements and element
      contents are consistent between the blocks in the input message
      and blocks in earlier messages either sent or received. This
      includes checking that the presence of a block is valid for a
      particular transaction type

   If the message contains any encapsulated data, then if possible check
   the encapsulated data for errors using additional software to check
   the data where appropriate.

4.5.2.4 Check for Errors in Block Sequence

   Note: For reasons of brevity, the following explanations of how to
   check for errors in Block sequence, the phrase "refers to an IOTP
   transaction" is interpreted as "is contained in an IOTP Message where



Burdett                      Informational                     [Page 66]


RFC 2801                       IOTP/1.0                       April 2000


   the Trans Ref Block contains an IotpTransId that refers to". So, for
   example, " If an Error or Cancel Block refers to an IOTP transaction
   that is not recognised then ..."  should be interpreted as " If an
   Error or Cancel Block is contained in an IOTP Message where the Trans
   Ref Block contains an IotpTransId that refers to an IOTP transaction
   that is not recognised then ...

   Errors in the sequence that blocks arrive depends on the block.
   Blocks where checking for sequence is required are:

   o  Error and Cancel Blocks. If an Error or Cancel Block refers to an
      IOTP transaction that is not recognised then it is a Hard Error.
      Do not return an error if Error or Cancel Blocks have been
      received for the IOTP Transaction before to avoid looping.

   o  Inquiry Request and Response Blocks. If an Inquiry Request or an
      Inquiry Response Block refers to an IOTP transaction that is not
      recognised then it is a Hard Error

   o  Authentication Request Block. If an Authentication Request Block
      refers to an IOTP transaction that is recognised it is a Hard
      Error

   o  Authentication Response Block. Check as follows:

      -  if an Authentication Response Block does not refer to an IOTP
         transaction that is recognised it is a Hard Error, otherwise

      -  if the Authentication Response Block doesn't refer to an
         Authentication Request that had been previously sent then it is
         a Hard Error, otherwise

      -  if an Authentication Response for the same IOTP transaction has
         been received before and the Authentication was successful then
         it is a Hard Error.

   o  Authentication Status Block. Check as follows:

      -  if an Authentication Status Block does not refer to an IOTP
         transaction that is recognised it is a Hard Error, otherwise

      -  if the Authentication Status Block doesn't refer to an
         Authentication Response that had been previously sent then it
         is a Hard Error, otherwise

      -  if an Authentication Status for the same IOTP transaction has
         been received before then it is a Warning Error




Burdett                      Informational                     [Page 67]


RFC 2801                       IOTP/1.0                       April 2000


   o  TPO Selection Block (Merchant only). Check as follows:

      -  if the TPO Selection Block doesn't refer to an IOTP Transaction
         that is recognised then it is a Hard Error, otherwise

      -  if the TPO Selection Block refers to an IOTP Transaction where
         a TPO Block and Offer Response (in one message) had previously
         been sent then it is a Hard Error, otherwise

      -  if the TPO Selection Block does not refer to an IOTP
         Transaction where a TPO Block only (i.e. without an Offer
         Response) had previously been sent then it is a Hard Error,
         otherwise

      -  if a TPO Selection Block for the same TPO Block has been
         received before then it is a Hard Error

   o  Payment Request Block (Payment Handler only). Check as follows:

      -  if the Payment Request Block refers to an IOTP Transaction that
         is not recognised then its OK, otherwise

      -  if the Payment Request Block refers to IOTP Transaction that
         was not for a Payment then it is a Hard Error, otherwise

      -  if there was a previous payment that failed with a non-
         recoverable Completion Code then it is a Hard Error, otherwise

      -  if a previous payment is still in progress then it is a Hard
         Error

   o Payment Exchange Block (Payment Handler only). Check as follows:

      -  if the Payment Exchange Block doesn't refer to an IOTP
         Transaction that is recognised then it is a Hard Error,
         otherwise

      -  if the Payment Exchange doesn't refer to an IOTP Transaction
         where a Payment Exchange had previously been sent then it a
         Hard Error

   o  Delivery Request (Delivery Handler Only). If the Delivery Request
      Block refers to an IOTP Transaction that is recognised by the
      Server then it is a Hard Error







Burdett                      Informational                     [Page 68]


RFC 2801                       IOTP/1.0                       April 2000


   If any Error Components have been generated then collect them into an
   Error Block for sending to the sender of the Input message. Note that
   Error Blocks should be sent back to the sender of the message and to
   the ErrorLogNetLocn for the Trading Role of the sender if one is
   specified.

   Note: The above checking on the sequence of Authentication Responses
   and Payment Requests supports the Consumer re-submitting a repeat
   action request since the previous one failed, for example:

   o  because they did not know the correct response (e.g., a password)
      on an authentication or,

   o  they were unable to pay as there were insufficient funds on a
      credit card

   PROCESS THE ERROR FREE INPUT MESSAGE

   If the input message passes the previous checks then it can be
   processed to produce an output message if required. Note that:

   o  Inquiry Requests on Ping Transactions should be ignored

   o  if the Input message contains an Error Block with a Transient
      Error then wait for the required time then resend the previous
      message, if a response to the earlier message has not been
      received

   o  if the input message contains a Error Component with a  HardError
      or a Cancel Block then stop all further processing of the
      transaction. This includes suppressing the sending of any messages
      currently being generated or responding to any new non-duplicate
      messages that are received

   o  processing of encapsulated messages (e.g., Payment Protocol
      Messages) may result in additional transient errors

   o  a digital signature can only safely be generated once all the
      blocks and components have been generated and it is known which
      elements in the message need to be signed.

   If an output message is generated then it should be saved so that it
   can be resent as required if an identical input message is received
   again.  Note that output messages that contain transient errors are
   not saved so that they can be processed afresh when the input message
   is received again.





Burdett                      Informational                     [Page 69]


RFC 2801                       IOTP/1.0                       April 2000


4.5.3 Cancelling a Transaction

   This process is used to cancel a transaction running on an IOTP
   server.  It is initiated by some other process as a result of an
   external request from another system or server that is being run by
   the same Trading Role.  The processing required is as follows:

   o  if the IotpTransId of the transaction to be cancelled is not
      recognised, or complete then fail the request, otherwise

   o  if the IotpTransId refers to a Ping Transaction then fail the
      request, otherwise

   o  determine which Document Exchange to cancel and generate a Cancel
      Block and send it to the other party

   Note: Cancelling a transaction on an IOTP server typically arises for
   a business reason. For example a merchant may have attempted
   authentication several times without success and as a result decides
   to cancel the transaction. Therefore the process that decides to take
   this action needs to send a message from the process/server that made
   the business decision to the IOTP server with the instruction that
   the IOTP transaction should be cancelled.

4.5.4 Retransmitting Messages

   The server should periodically check for transactions where a message
   is expected in return but none has been received after a time that is
   dependent on factors such as:

   o  the Transport Mechanism being used;

   o  the time required to process encapsulated messages (e.g., Payment
      messages) and

   o  whether or not human input is required.

   If no message has been received the original message should be
   resent.  This should occur up to a maximum number of times dependent
   on the reliability of the Transport Mechanism being used.

   If no response is received after the required time then the
   Transaction should be "timed out". In this case, set the process
   state of the transaction to Failed, and a completion code of either:

   o  TimedOutRcvr if the transaction can potentially recovered later,
      or




Burdett                      Informational                     [Page 70]


RFC 2801                       IOTP/1.0                       April 2000


   o  TimedOutNoRcvr if the transaction is non-recoverable

4.6 Client Role Processing Sequence

   The "Client role" in IOTP is the Consumer Trading Role.

   Note: A company or Organisation that is a Merchant, for example, may
   take on the Trading Role of a Consumer when making purchases or
   downloading or withdrawing electronic cash.

   More specifically the Consumer Role must be able to:

   o  Initiate a transaction (see section 4.6.1). These are divided
      into:

      -  payment related transactions and

      -  infrastructure transactions

   o  Accept and process a message received from another role (see
      section 4.6.2). This includes:

      -  identifying if the message belongs to a transaction that has
         been received before

      -  handling duplicate messages

      -  generating Transient errors if the servers that process the
         input message are too busy to handle it

      -  processing the message if it is error free and, if appropriate,
         producing a response to send back to the other role

   o  Cancel a current transaction if requested, for example by the User
      (see section 4.6.3)

   o  Re-transmit messages if a response was expected but has not been
      received in a reasonable time (see section 4.6.4).

4.6.1 Initiating Transactions

   The Consumer Role may initiate a number of different types of
   transaction. Specifically:

   o an Inquiry Transaction (see section 9.2.1)

   o a Ping Transaction (see section 9.2.2)




Burdett                      Informational                     [Page 71]


RFC 2801                       IOTP/1.0                       April 2000


   o an Authentication Transaction (see section 9.1.6)

4.6.2 Processing Input Messages

   Processing of Input Messages for a Consumer Role is the same as for
   an IOTP Server (see section 4.5.2) except in the area of checking for
   Errors in Block Sequence (for an IOTP Server see section 4.5.2.4).
   This is described below

   Note: The description of the processing for an IOTP Server includes
   consideration of multi-threading of input messages and multi-tasking
   of requests. For the Consumer Role - particularly if running on a
   stand-alone system such as a PC - use of multi-threading is a
   decision of the implementer of the consumer role IOTP solution.

4.6.2.1 Check for Errors in Block Sequence

   The handling of the following blocks is the same as for an IOTP
   Server (see section 4.5.2.4) except that the Consumer Role is
   substituted for IOTP Server Role:

   o Error and Cancel Blocks,

   o Inquiry Request and Response Blocks,

   o Authentication Request, Response and Status Blocks.

   For the other blocks a Consumer role might receive, the potential
   errors in the sequence that blocks arrive depends on the block.
   Blocks where checking for sequence is required are:

   o  TPO Block. Check as follows:

      -  if the input message also contains an Authentication Request
         block and an Offer Response Block then there is a Hard Error,
         otherwise

      -  if the input message also contains an Authentication Request
         block and Authentication Status block then there is Hard Error
         otherwise,


      -  if the input message also contains an Authentication Request
         block and the IOTP Transaction is recognised by the Consumer
         role's system, then there is a Hard Error, otherwise






Burdett                      Informational                     [Page 72]


RFC 2801                       IOTP/1.0                       April 2000


      -  if the input message also contains an Authentication Status
         block and the IOTP Transaction is not recognised by the
         Consumer role's system then there is a Hard Error, otherwise

      -  if input message also contains an Authentication Status Block
         and the Authentication Status Block has not been sent after an
         earlier Authentication Response message then there is a hard
         error

      -  if input message also contains an Offer Response Block and the
         IOTP Transaction is recognised by the Consumer role's system
         then there is a Hard Error, otherwise

      -  if the TPO Block occurs on its own and the IOTP Transaction is
         recognised by the Consumer role's system then there is a Hard
         Error

   o Offer Response Block. Check as follows:

      -  if the Offer Response Block is part of a Brand Independent
         Offer Exchange (see section 9.1.2.2) then there is no sequence
         checking as it is part of the first message received, otherwise

      -  if the Offer Response Block is not part of an IOTP Transaction
         that is recognised by the Consumer role then there is a Hard
         Error, otherwise

      -  if the Offer Response Block does not refer to an IOTP
         transaction where a TPO Selection Block was the last message
         sent then there is a Hard Error

   o  Payment Exchange Block. Check as follows:

      -  if the Payment Exchange Block doesn't refer to an IOTP
         Transaction that is recognised by the Consumer role's system
         then there is a Hard Error, otherwise

      -  if the Payment Exchange doesn't refer to an IOTP Transaction
         where either a Payment Request or a Payment Exchange block was
         most recently sent then there is a Hard Error

   o  Payment Response Block. Check as follows:

      -  if the Payment Response Block doesn't refer to an IOTP
         Transaction that is recognised by the Consumer role's system
         then there is a Hard Error, otherwise





Burdett                      Informational                     [Page 73]


RFC 2801                       IOTP/1.0                       April 2000


      -  if the Payment Response doesn't refer to an IOTOP Transaction
         where either a Payment Request or a Payment Exchange block was
         most recently sent then there is a Hard Error

   o  Delivery Response Block. Check as follows:

      -  if the Delivery Response Block doesn't refer to an IOTP
         Transaction that is recognised by the Consumer role's system
         then there is a Hard Error, otherwise

      -  If the Delivery Response doesn't refer to an IOTP Transaction
         where either a Payment Request or a Payment Exchange block was
         most recently sent then there is a Hard Error

4.6.3 Cancelling a Transaction

   This process cancels a current transaction on an Consumer role's
   system as a result of an external request from the user, or another
   system or server in the Consumer's role. The processing is the same
   as for an IOTP Server (see section 4.5.3).

4.6.4 Retransmitting Messages

   The process of retransmitting messages is the same as for an IOTP
   Server (see section 4.5.4).

5. Security Considerations

   This section considers, from an IETF perspective how IOTP addresses
   security. The next section (see section 6. Digital Signatures and
   IOTP) describes how IOTP uses Digital Signatures when these are
   needed.

   This section covers:

   o determining whether to use digital signatures

   o data privacy, and

   o payment protocol security.

5.1 Determining whether to use digital signatures

   The use of digital signatures within IOTP are entirely optional. IOTP
   can work successfully entirely without the use of digital signatures.

   Ultimately it is up to the Merchant, or other trading role, to decide
   whether IOTP Messages will include signatures, and for the Consumer



Burdett                      Informational                     [Page 74]


RFC 2801                       IOTP/1.0                       April 2000


   to decide whether carrying out a transaction without signatures is an
   acceptable risk. If Merchants discover that transactions without
   signatures are not being accepted, then they will either:

   o start using signatures,

   o find a method of working which does not need signatures, or

   o accept a lower volume and value of business.

   A non-exhaustive list of the reasons why digital signatures might be
   used follows:

   o  the Merchant (or other trading role) wants to demonstrate that
      they can be trusted. If, for example, a merchant generates an
      Offer Response Signature (see section 7.19.2) using a certificate
      from a trusted third party, known to the Consumer, then the
      Consumer can check the signature and certificate and so more
      reasonably rely on the offer being from the actual Organisation
      the Merchant claims to be. In this case signatures using
      asymmetric cryptography are likely to be required

   o  the Merchant, or other Trading Role, want to generate a record of
      the transaction that is fit for a particular purpose. For example,
      with appropriate trust hierarchies, digital signatures could be
      checked by the Consumer to determine:

      -  if it would be accepted by tax authorities as a valid record of
         a transaction, or

      -  if some warranty, for example from a "Better Business Bureau"
         orsimilar was being provided

   o  the Payment Handler, or Delivery Handler, needs to know that the
      request is unaltered and authorised. For example, in IOTP, details
      of how much to pay is sent to the Consumer in the Offer Response
      and then forwarded to the Payment Handler in a Payment Request. If
      the request is not signed, the Consumer could change the amount
      due by, for example, removing a digit. If the Payment Handler has
      no access to the original payment information in the Offer
      Response, then, without signatures, the Payment Handler cannot be
      sure that the data has not been altered. Similarly, if the payment
      information is not digitally signed, the Payment Handler cannot be
      sure who is the Merchant that is requesting the payment

   o  a Payment Handler or Delivery Handler wants to provide a non-
      refutable record of the completion status of a Payment or
      Delivery. If a Payment Response or Delivery Response is signed,



Burdett                      Informational                     [Page 75]


RFC 2801                       IOTP/1.0                       April 2000


      then the Consumer can later use the record of the Payment or
      Delivery to prove that it occurred.  This could be used, for
      example, for customer care purposes.

   A non-exhaustive list of the reasons why digital signatures might not
   be used follows:

   o  trading roles are combined therefore changes to data made by the
      consumer can be detected. One of the reasons for using signatures
      is so that one trading role can determine if data has been changed
      by the Consumer or some other party. However if the trading roles
      have access to the necessary data, then it might be possible to
      compare, for example, the payment information in the Payment
      Request with the payment information in the Offer Response. Access
      to the data necessary could be realised by, for example, the
      Merchant and Payment Handler roles being carried out by the same
      Organisation on the same system, or the Merchant and Payment
      Handler roles being carried out on different systems but the
      systems can communicate in some way. (Note this type of
      communication is outside the current scope of IOTP)

   o  the processing cost of the cryptography is too high. For example,
      if a payment is being made of only a few cents, the cost of
      carrying out all the cryptography associated with generating and
      checking digital signatures might make the whole transaction
      uneconomic. Co-locating trading roles, could help avoid this
      problem.

5.2 Symmetric and Asymmetric Cryptography

   The advantage of using symmetric keys with IOTP is that no Public Key
   Infrastructure need be set up and just the Merchant, Payment Handler
   and Delivery Handler need to agree on the shared secrets to use.

   However the disadvantage of symmetric cryptography is that the
   Consumer cannot easily check the credentials of the Merchant, Payment
   Handler, etc. that they are dealing with. This is likely to reduce,
   somewhat, the trust that the Consumer will have carrying out the
   transaction.

   However it should be noted that even if asymmetric cryptography is
   being used, the Consumer does not NEED to be provided with any
   digital certificates as the integrity of the transaction is
   determined by, for example, the Payment Handler checking the Offer
   Response Signature copied to the Payment Request.

   Note that symmetric, asymmetric or both types of cryptography may be
   used in a single transaction.



Burdett                      Informational                     [Page 76]


RFC 2801                       IOTP/1.0                       April 2000


5.3 Data Privacy

   Privacy of information is provided by sending IOTP Messages between
   the various Trading Roles using a secure channel such as [SSL/TLS].
   Use of a secure channel within IOTP is optional.

5.4 Payment Protocol Security

   IOTP is designed to be completely blind to the payment protocol being
   used to effect a payment. From the security perspective, this means
   that IOTP neither helps, nor hinders, the achievement of payment
   security.

   If it is necessary to consider payment security from an IOTP
   perspective, then this should be included in the payment protocol
   supplement which describes how IOTP supports that payment protocol.

   However what IOTP is designed to do is to use digital signatures to
   bind together the record, contained in a "response" message, of each
   trading exchange in a transaction. For example IOTP can bind
   together: an Offer, a Payment and a Delivery.

6. Digital Signatures and IOTP

   IOTP can work successfully without using any digital signatures
   although in an open networking environment it will be less secure -
   see 5.  Security Considerations for a description of the factors that
   need to be considered.

   However, this section describes how to use digital signatures in the
   many situations when they will be needed. Topics covered are:

   o  an overview of how IOTP uses digital signatures

   o  how to check a signature is correctly calculated

   o  how Payment Handlers and Delivery Handlers check they can carry
      out payments or deliveries on behalf of a Merchant.

6.1 How IOTP uses Digital Signatures

   In general, signatures when used with IOTP:

   o  are always treated as IOTP Components (see section 7)

   o  contain digests of one or more IOTP Components or Trading Blocks,
      possibly including other Signature Components, in any IOTP message
      within the same IOTP Transaction



Burdett                      Informational                     [Page 77]


RFC 2801                       IOTP/1.0                       April 2000


   o  identify:

      -  which Organisation signed (originated) the signature, and

      -  which Organisation(s) should process the signature in order to
         check that the Action the Organisation should take can occur.

   Digital certificates may be associated with digital signatures if
   asymmetric cryptography is being used. However if symmetric
   cryptography is being used, then the digital certificate will be
   replaced by some identifier of the secret key to use.








































Burdett                      Informational                     [Page 78]


RFC 2801                       IOTP/1.0                       April 2000


   The way in which Signatures Components digest one or more elements is
   illustrated in the figure below.

 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

 IOTP MESSAGE                                  SIGNATURE COMPONENT

 IOTP Message                                   Signature Id = P1.3
  |-Trans Ref Block        digest TransRefBlk   |-Manifest
  |  |      ID=P1.1-----------------------------|->|-Digest of P1.1--
  |  |-Trans Id Comp       digest TransIdComp   |  |                 |
  |  |     ID = M1.2----------------------------|->|-Digest of M1.2--|
  |  |-Msg Id Comp.           digest Signature  |  |                 |
  |  |      ID = P1          -------------------|->|-Digest of M1.5--|
  |                         |   digest element  |  |                 |
  |-Signatures Block        |  -----------------|->|-Digest of M1.7--|
  |  |       ID=P1.2        | |  digest element |  |                 |
  |  |-Signature ID=P1.3    | |  ---------------|->|-Digest of C1.4--|
  |  |-Signature ID=M1.5----  | |               |  |                 |
  |  |-Signature ID=P1.4      | | Points to     |   -RecipientInfo*  |
  |  |-Certificate ID=M1.6<---|-|---------------|------CertRef=M1.6  |
  |  |                        | | Certs to use  |  Sig.ValueRef=P1.4 |
  |  |                        | |               |        |           |
  |  |                        | |               |        |           |
  |-Trading Block. ID=P1.5    | |               |        v           |
  |  |-Comp. ID=M1.7----------  |                -Value* ID=P1.4:    |
  |  |                          |                   JtvwpMdmSfMbhK<--
  |  |-Comp. ID=P1.6            |                   r1Ln3vovbMQttbBI
  |  |                          |                   J8pxLjoSRfe1o6k
  |  |-Comp. ID=C1.4------------                    OGG7nTFzTi+/0<-
  |  |-Comp. ID=C1.5
                             Digital signature of Manifest element
                             using certificate identified by CertRef

   Elements that are digested can be in any IOTP Message
        within the same IOTP Transaction
 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                         Figure 10 Signature Digests












Burdett                      Informational                     [Page 79]


RFC 2801                       IOTP/1.0                       April 2000


   Note: The classic example of one signature signing another in IOTP,
   is when an Offer is first signed by a Merchant creating an "Offer
   Response" signature, which is then later signed by a Payment Handler
   together with a record of the payment creating a "Payment Receipt"
   signature. In this way, the payment in an IOTP Transaction is bound
   to the Merchant's offer.

   Note that one Manifest may be associated with multiple signature
   "Value" elements where each Value element contains a digital
   signature over the same Manifest, perhaps using the same (or
   different) signature algorithm but using a different certificate or
   shared secret key. Specifically it will allow the Merchant to agree
   on different shared secrets keys with their Payment Handler and
   Delivery Handler.

   The detailed definitions of a Signature component are contained in
   section 7.19.

   The remainder of this section contains:

   o  an example of how IOTP uses signatures

   o  how the OriginatorInfo and RecipientInfo elements within a
      Signature Component are used to identify the Organisations
      associated with the signature

   o  how IOTP uses signatures to prove actions complete successfully

6.1.1 IOTP Signature Example

   An example of how signatures are used is illustrated in the figure
   below which shows how the various components and elements in a
   Baseline Purchase relate to one another. Refer to this example in the
   later description of how signatures are used to check a payment or
   delivery can occur (see section 6.3).

   Note: A Baseline Purchase transaction has been used for illustration
   purposes. The usage of the elements and attributes is the same for
   all types of IOTP Transactions.












Burdett                      Informational                     [Page 80]


RFC 2801                       IOTP/1.0                       April 2000


*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

TPO SELECTION BLOCK          TPO BLOCK           IOTPSIGNATURE BLOCK
                                                 | (Offer Response)
 Brand Selection             Organisation<---    |------Signature
   Component                 Component       |   |      Component
      |                       |              |           -Manifest
      |BrandList               -Trading Role |            |
      |  Ref                     Element     | Originator |-Orig.
      v                         (Merchant)    ------------|--Info
    Brand List                                    Ref     |
  >Component                                              |
 | |-Protocol       ------>  Organisation     Recipient   |-Recipient
 | | Amount Elem   |         Component <------------------|--Info
 | |   |           |          |                 Refs      |
 | |Pay|Protocol   |Action     -Trading Role              |
 | |   | Ref       |OrgRef       Element                  |
 | |   v           |          (Payment Handler)           |
 |  -PayProtocol--                                        |
 |    Elem                  ->Organisation    Recipient   |-Recipient
 |                         |  Component <--------------------Info
 |                         |  |                 Refs
 |                         |   -Trading Role
 |                         |     Element
 |                         | (Delivery Handler
 |
 |           OFFER RESPONSE BLOCK
 |                         |
 |BrandListRef             |ActionOrgRef
 |                         |
  --Payment                 ---Delivery
   Component                  Component

The Manifest element in the Signature Component contains digests of:
the Trans Ref Block (not shown); the Transaction ID Component (not
shown); Organisation Components (Merchant, Payment Handler, Delivery
Handler); the Brand List Component; the Order Component, the Payment
Component the Delivery Component and the Brand Selection Component (if a
Brand Dependent Purchase).

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

         Figure 11 Example use of Signatures for Baseline Purchase








Burdett                      Informational                     [Page 81]


RFC 2801                       IOTP/1.0                       April 2000


6.1.2 OriginatorInfo and RecipientInfo Elements

   The OriginatorRef attribute of the OriginatorInfo element in the
   Signature Component contains an Element Reference (see section 3.5)
   that points to the Organisation Component of the Organisation which
   generated the Signature. In this example its the Merchant.

   Note that the value of the content of the Attribute element with a
   Type attribute set to IOTP Signature Type must match the Trading Role
   of the Organisation which signed it. If it does not, then it is an
   error. Valid combinations are given in the table below.

         IOTP Signature Type    Valid Trading Role

         OfferResponse           Merchant

         PaymentResponse         PaymentHandler

         DeliveryResponse        DeliveryHandler

         AuthenticationRequest   any role

         AuthenticationResponse  any role

         PingRequest             any role

         PingResponse            any role

   The RecipientRefs attribute of the RecipientInfo element in the
   Signature Component contains Element References to the Organisation
   Components of the Organisations that should use the signature to
   verify that:

   o  they have a pre-existing relationship with the Organisation that
      generated the signature,

   o  the data which is secured by the signature has not been changed,

   o  the data has been signed correctly, and

   o  the action they are required to undertake on behalf of the
      Merchant is therefore authorised.

   Note that if symmetric cryptography is being used then a separate
   RecipientInfo and Value elements for each different set of shared
   secret keys are likely within the Signature Component.





Burdett                      Informational                     [Page 82]


RFC 2801                       IOTP/1.0                       April 2000


   Alternatively if asymmetric cryptography is being used then the
   RecpientRefs attribute of one RecipientInfo element may refer to
   multiple Organisation Components if they are all using the same
   certificates.

6.1.3 Using signatures to Prove Actions Complete Successfully

   Proving an action completed successfully, is achieved by signing data
   on Response messages. Specifically:

   o  on the Offer Response, when a Merchant is making an Offer to the
      Consumer which can then be sent to either:

      -  a Payment Handler to prove that the Merchant authorises
         Payment, or

      -  a Delivery Handler to prove that Merchant authorises Delivery,
         provided other necessary authorisations are complete (see
         below)

   o  on the Payment Response, when a Payment Handler is generating a
      Payment Receipt which can be sent to either:

      -  a Delivery Handler, in a Delivery Request Block to authorise
         Delivery together with the Offer Response signature, or

      -  another Payment Handler, in a second Payment Request, to
         authorise the second payment in a Value Exchange IOTP
         Transaction

   o  Delivery Response, when a Delivery Handler is generating a
      Delivery Note. This can be used to prove after the event what the
      Delivery Handler said they would do

   o  Authentication Response. One method of authenticating another
      party to a trade is to send an Authentication Request specifying
      that a Digital Signature should be used for authentication

   o  Transaction Status Inquiry. The Inquiry Response Block may be
      digitally signed to attest to the authenticity of the response

   o  Ping. The Ping Response may be digitally signed so that checks can
      be made that the signature can be understood.

   This proof of an action may, in future versions of IOTP, also be used
   to prove after the event that the IOTP transaction occurred. For
   example to a Customer Care Provider.




Burdett                      Informational                     [Page 83]


RFC 2801                       IOTP/1.0                       April 2000


6.2 Checking a Signature is Correctly Calculated

   Checking a signature is correctly calculated is part of checking for
   Message Level Errors (see section 4.3.2). It is included here so that
   all signature and security related considerations are kept together.

   Before a Trading Role can check a signature it must identify which of
   the potentially multiple Signature elements should be checked. The
   steps involved are as follows:

   o  check that a Signature Block is present and it contains one or
      more Signature Components

   o  identify the Organisation Component which contains an OrgId
      attribute for the Organisation which is carrying out the signature
      check. If no or more than one Organisation Component is found then
      it is an error

   o  use the ID attribute of the Organisation Component to find the
      RecipientInfo element that contains a RecipientRefs attribute that
      refers to that Organisation Component. Note there may be no
      signatures to verify

   o  check the Signature Component that contains the identified
      RecipientInfo element as follows:

      -  use the SignatureValueRef and the SignatureAlgorithmRef
         attributes to identify, respectively: the Value element that
         contains the signature to be checked and the Signature
         Algorithm element that describes the signature algorithm to be
         used to verify the Signature, then

      -  if the Signature Algorithm element indicates that asymmetric
         cryptography is being used then use the SignatureCertRef to
         identify the Certificate to be used by the signature algorithm

      -  if Signature Algorithm element indicates that symmetric
         cryptography is being used then the content of the
         RecipientInfo element is used to identify the correct shared
         secret key to use

      -  use the specified signature algorithm to check that the Value
         Element correctly signs the Manifest Element

      -  check that the Digest Elements in the Manifest Element are
         correctly calculated where Components or Blocks referenced by
         the Digest have been received by the Organisation checking the
         signature.



Burdett                      Informational                     [Page 84]


RFC 2801                       IOTP/1.0                       April 2000


6.3 Checking a Payment or Delivery can occur

   This section describes the processes required for a Payment Handler
   or Delivery Handler to check that a payment or delivery can occur.
   This may include checking signatures if this is specified by the
   Merchant.

   In outline the steps are:

   o  check that the Payment Request or Delivery Request has been sent
      to the correct Organisation

   o  check that correct IOTP components are present in the request, and

   o  check that the payment or delivery is authorised

   For clarity and brevity the following terms or phrases are used in
   this section:

   o  a "Request Block" is used to refer to either a Payment Request
      Block (see section 8.7) or a Delivery Request Block (see section
      8.10) unless specified to the contrary

   o  a "Response Block" is used to refer to either a Payment Response
      Block (see section 8.9) or a Delivery Response Block (see section
      8.11)

   o  an "Action" is used to refer to an action which occurs on receipt
      of a Request Block. Actions can be either a Payment or a Delivery

   o  an "Action Organisation", is used to refer to the Payment Handler
      or Delivery Handler that carries out an Action

   o  a "Signer of an Action", is used to refer to the Organisations
      that sign data about an Action to authorise the Action, either in
      whole or in part

   o  a "Verifier of an Action", is used to refer to the Organisations
      that verify data to determine if they are authorised to carry out
      the Action

   o  an ActionOrgRef attribute contains Element References which can be
      used to identify the "Action Organisation" that should carry out
      an Action







Burdett                      Informational                     [Page 85]


RFC 2801                       IOTP/1.0                       April 2000


6.3.1 Check Request Block sent Correct Organisation

   Checking the Request Block was sent to the correct Organisation
   varies depending on whether the request refers to a Payment or a
   Delivery.

6.3.1.1 Payment

   In outline a Payment Handler checks if it can accept or make a
   payment by identifying the Payment Component in the Payment Request
   Block it has received, then using the ID of the Payment Component to
   track through the Brand List and Brand Selection Components to
   identify the Organisation selected by the Consumer and then checking
   that this Organisation is itself.





































Burdett                      Informational                     [Page 86]


RFC 2801                       IOTP/1.0                       April 2000


   The way data is accessed to do this is illustrated in the figure
   below.

   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
                                                     Start
                                                      |
                                                      v
   Brand List<--------------------------+-----------Payment
   Component         BrandListRef       |          Component
    |                                   |
    |-Brand<--------------------------  |
    | Element        BrandRef         | |
    |  |                          Brand Selection
    |  |Protocol                     Component
    |  | AmountRefs                   | |
    |  v                  Protocol    | |
    |-Protocol Amount<----------------  |
    | Element----------  AmountRef      |
    |  |               |                |
    |  |Currency       |Pay             |
    |  | AmountRefs    |Protocol        |
    |  v               |Ref             |
    |-Currency Amount  |                |
    | Element<---------|----------------
    |                  |
     -PayProtocol<-----
      Element---------------------->Organisation
                     Action         Component
                     OrgRef          |
                                      -Trading Role
                                        Element
                                     (Payment Handler)

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

      Figure 12 Checking a Payment Handler can carry out a Payment

   The following describes the steps involved and the checks which need
   to be made:

   o  Identify the Payment Component (see section 7.9) in the Payment
      Request Block that was received.

   o  Identify the Brand List and Brand Selection Components for the
      Payment Component. This involves:






Burdett                      Informational                     [Page 87]


RFC 2801                       IOTP/1.0                       April 2000


      -  identifying the Brand List Component (see section 7.7) where
         the value of its ID attribute matches the BrandListRef
         attribute of the Payment Component. If no or more than one
         Brand List Component is found there is an error.

      -  identifying the Brand Selection Component (see section 7.8)
         where the value of its BrandListRef attribute matches the
         BrandListRef of the Payment Component. If no or more than one
         matching Brand Selection Component is found there is an error.

   o  Identify the Brand, Protocol Amount, Pay Protocol and Currency
      Amount elements within the Brand List that have been selected by
      the Consumer as follows:

      -  the Brand Element (see section 7.7.1) selected is the element
         where the value of its Id attribute matches the value of the
         BrandRef attribute in the Brand Selection. If no or more than
         one matching Brand Element is found then there is an error.

      -  the Protocol Amount Element (see section 7.7.3) selected is the
         element where the value of its Id attribute matches the value
         of the ProtocolAmountRef attribute in the Brand Selection
         Component. If no or more than one matching Protocol Amount
         Element is found there is an error

      -  the Pay Protocol Element (see section 7.7.5) selected is the
         element where the value of its Id attribute matches the value
         of the PayProtocolRef attribute in the identified Protocol
         Amount Element.  If no or more than one matching Pay Protocol
         Element is found there is an error

      -  the Currency Amount Element (see section 7.7.4) selected is the
         element where the value of its Id attribute matches the value
         of the CurrencyAmountRef attribute in the Brand Selection
         Component. If no or more than one matching Currency Amount
         element is found there is an error

   o  Check the consistency of the references in the Brand List and
      Brand Selection Components:

      -  check that an Element Reference exists in the
         ProtocolAmountRefs attribute of the identified Brand Element
         that matches the Id attribute of the identified Protocol Amount
         Element. If no or more than one matching Element Reference can
         be found there is an error






Burdett                      Informational                     [Page 88]


RFC 2801                       IOTP/1.0                       April 2000


      -  check that the CurrencyAmountRefs attribute of the identified
         Protocol Amount element contains an element reference that
         matches the Id attribute of the identified Currency Amount
         element. If no or more than one matching Element Reference is
         found there is an error.

      -  check the consistency of the elements in the Brand List.
         Specifically, the selected Brand, Protocol Amount, Pay Protocol
         and Currency Amount Elements are all child elements of the
         identified Brand List Component. If they are not there is an
         error.

   o  Check that the Payment Handler that received the Payment Request
      Block is the Payment Handler selected by the Consumer. This
      involves:

      -  identifying the Organisation Component for the Payment Handler.
         This is the Organisation Component where its ID attribute
         matches the ActionOrgRef attribute in the identified Pay
         Protocol Element. If no or more than one matching Organisation
         Component is found there is an error

      -  checking the Organisation Component has a Trading Role Element
         with a Role attribute of PaymentHandler. If not there is an
         error

      -  finally, if the identified Organisation Component is not the
         same as the Organisation that received the Payment Request
         Block, then there is an error.






















Burdett                      Informational                     [Page 89]


RFC 2801                       IOTP/1.0                       April 2000


6.3.1.2 Delivery

   The way data is accessed by a Delivery Handler in order to check that
   it may carry out a delivery is illustrated in the figure below.

   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
                            Start
                              |
                              v
                           Delivery
                           Component
                              |
                              |ActionOrgRef
                              |
                              v
                           Organisation
                           Component
                           |
                            -Trading Role
                              Element
                           (Delivery Handler)

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

         Figure 13 Checking a Delivery Handler can carry out a Delivery

   The steps involved are as follows:

   o  Identify the Delivery Component in the Delivery Request Block. If
      there is no or more than one matching Delivery Component there is
      an error

   o  Use the ActionOrgRef attribute of the Delivery Component to
      identify the Organisation Component of the Delivery Handler. If
      there is no or more than one matching Organisation Component there
      is an error

   o  If the Organisation Component for the Delivery Handler does not
      have a Trading Role Element with a Role attribute of
      DeliveryHandler there is an error

   o  Finally, if the Organisation that received the Delivery Request
      Block does not identify the Organisation Component for the
      Delivery Handler as itself, then there is an error.







Burdett                      Informational                     [Page 90]


RFC 2801                       IOTP/1.0                       April 2000


6.3.2 Check Correct Components present in Request Block

   Check that the correct components are present in the Payment Request
   Block (see section 8.7) or in the Delivery Request Block (see section
   8.10).

   If components are missing, there is an error.

6.3.3 Check an Action is Authorised

   The previous steps identified the Action Organisation and that all
   the necessary components are present. This step checks that the
   Action Organisation is authorised to carry out the Action.

   In outline the Action Organisation will identifies the Merchant,
   checks that it has a pre-existing agreement with the Merchant that
   allows it carry out the Action and that any constraints implied by
   that agreement are being followed, then, if signatures are required,
   it checks that they sign the correct data.

   The steps involved are as follows:

   o  Identify the Merchant. This is the Organisation Component with a
      Trading Role Element which has a Role attribute with a value of
      Merchant. If no or more than one Trading Role Element is found,
      there is an error

   o  Check the Action Organisation's agreements with the Merchant
      allows the Action to be carried out. To do this the Action
      Organisation must check that:

      -  the Merchant is known and a pre-existing agreement exists for
         the Action Organisation to be their agent for the payment or
         delivery

      -  they are allowed to take part in the type of IOTP transaction
         that is occurring. For example a Payment Handler may have
         agreed to accept payments as part of a Baseline Purchase, but
         not make payments as part of a Baseline Refund

      -  any constraints in their agreement with the Merchant are being
         followed, for example, whether or not an Offer Response
         signature is required

   o  Check the signatures are correct. If signatures are required then
      they need to be checked. This involves:





Burdett                      Informational                     [Page 91]


RFC 2801                       IOTP/1.0                       April 2000


      -  Identifying the correct signatures to check. This involves the
         Action Organisation identifying the Signature Components that
         contain references to the Action Organisation (see 6.3.1).
         Depending on the IOTP Transaction being carried out (see
         section 9) either one or two signatures may be identified

      -  checking that the Signature Components are correct. This
         involves checking that Digest elements exist within the
         Manifest Element that refer to the necessary Trading Components
         (see section 6.3.3.1).

6.3.3.1 Check the Signatures Digests are correct

   All Signature Components contained within IOTP Messages must include
   Digest elements that refer to:

   o  the Transaction Id Component (see section 3.3.1) of the IOTP
      message that contains the Signature Component. This binds the
      globally unique IotpTransId to other components which make up the
      IOTP Transaction

   o  the Transaction Reference Block (see section 3.3) of the first
      IOTP Message that contained the signature. This binds the
      IotpTransId with information about the IOTP Message contained
      inside the Message Id Component (see section 3.3.2).

   Check that each Signature Component contains Digest elements that
   refer to the correct data required.

   The Digest elements that need to be present depend on the Trading
   Role of the Organisation which generated (signed) the signature:

   o  if the signer of the signature is a Merchant then:

      -  Digest elements must be present for all the components in the
         Request Block apart from the Brand Selection Component which is
         optional

   o  if the signer of the signature is a Payment Handler then Digest
      elements must be present for:

      -  the Signature Component signed by the Merchant, and optionally

      -  one or more Signature Components signed by the previous Payment
         Handler(s) in the Transaction.






Burdett                      Informational                     [Page 92]


RFC 2801                       IOTP/1.0                       April 2000


7. Trading Components

   This section describes the Trading Components used within IOTP.
   Trading Components are the child XML elements which occur immediately
   below a Trading Block as illustrated in the diagram below.














































Burdett                      Informational                     [Page 93]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

             IOTP MESSAGE  <----------- IOTP Message - an XML Document
              |                         which is transported between the
              |                         Trading Roles
              |-Trans Ref Block <-----  Trans Ref Block - contains
              |  |                      information which describes the
              |  |                      IOTP Transaction and the IOTP
                                        Message.
    --------> |  |-Trans Id Comp. <---  Transaction Id Component -
   |          |  |                      uniquely identifies the IOTP
   |          |  |                      Transaction. The Trans Id
   |          |  |                      Components are the same across
   |          |  |                      all IOTP messages that comprise
   |          |  |                      a single IOTP transaction.
   |          |  |-Msg Id Comp. <-----  Message Id Component -
   |          |                         identifies and describes an IOTP
   |          |                         Message within an IOTP
   |          |                         Transaction
   |          |-Signature Block <-----  Signature Block (optional) -
   |          |  |                      contains one or more Signature
   |          |  |                      Components and their associated
   |          |  |                      Certificates
   |     ---> |  |-Signature Comp. <--  Signature Component - contains
   |    |     |  |                      digital signatures. Signatures
   |    |     |  |                      may sign digests of the Trans Ref
   |    |     |  |                      Block and any Trading Component
   |    |     |  |                      in any IOTP Message in the same
   |    |     |  |                      IOTP Transaction.
   |    |     |  |-Certificate Comp. <- Certificate Component. Used to
   |    |     |                         check the signature.
     Trading  |-Trading Block <-------- Trading Block - an XML Element
   Components |  |-Trading Comp.        within an IOTP Message that
   |    |     |  |-Trading Comp.        contains a predefined set of
   |     ---> |  |-Trading Comp.        Trading Components
   |          |  |-Trading Comp.
   |          |  |-Trading Comp. <----- Trading Components - XML
   |          |                         Elements within a Trading Block
   |          |-Trading Block           that contain a predefined set of
    --------> |  |-Trading Comp.        XML elements and attributes
              |  |-Trading Comp.        containing information required
              |  |-Trading Comp.        to support a Trading Exchange
              |  |-Trading Comp.
              |  |-Trading Comp.
   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                          Figure 14 Trading Components




Burdett                      Informational                     [Page 94]


RFC 2801                       IOTP/1.0                       April 2000


   The Trading Components described in this section are listed below in
   approximately the sequence they are likely to be used:

   o  Protocol Options Component

   o  Authentication Request Component

   o  Authentication Response Component

   o  Trading Role Information Request Component

   o  Order Component

   o  Organisation Component

   o  Brand List Component

   o  Brand Selection Component

   o  Payment Component

   o  Payment Scheme Component

   o  Payment Receipt Component

   o  Delivery Component

   o  Delivery Data Component

   o  Delivery Note Component

   o  Signature Component

   o  Certificate Component

   o  Error Component

   Note that the following components are listed in other sections of
   this specification:

   o  Transaction Id Component (see section 3.3.1)

   o  Message Id Component (see section 3.3.2)








Burdett                      Informational                     [Page 95]


RFC 2801                       IOTP/1.0                       April 2000


7.1 Protocol Options Component

   Protocol options are options which apply to the IOTP Transaction as a
   whole. Essentially it provides a short description of the entire
   transaction and the net location which the Consumer role should
   branch to if the IOTP Transaction is successful.

   The definition of a Protocol Options Component is as follows.

   <!ELEMENT ProtocolOptions EMPTY >
   <!ATTLIST ProtocolOptions
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    ShortDesc          CDATA   #REQUIRED
    SenderNetLocn      CDATA   #IMPLIED
    SecureSenderNetLocn CDATA  #IMPLIED
    SuccessNetLocn     CDATA   #REQUIRED >

   Attributes:

   ID                   An identifier which uniquely identifies the
                        Protocol Options Component within the IOTP
                        Transaction.

   Xml:lang             Defines the language used by attributes or child
                        elements within this component, unless
                        overridden by an xml:lang attribute on a child
                        element. See section 3.8 Identifying Languages.

   ShortDesc            This contains a short description of the IOTP
                        Transaction in the language defined by xml:lang.
                        Its purpose is to provide an explanation of what
                        type of IOTP Transaction is being conducted by
                        the parties involved.

                        It is used to facilitate selecting an individual
                        transaction from a list of similar transactions,
                        for example from a database of IOTP transactions
                        which has been stored by a Consumer, Merchant,
                        etc.

   SenderNetLocn        This contains the non secured net location of
                        the sender of the TPO Block in which the
                        Protocol Options Component is contained.

                        It is the net location to which the recipient of
                        the TPO block should send a TPO Selection Block
                        if required.



Burdett                      Informational                     [Page 96]


RFC 2801                       IOTP/1.0                       April 2000


                        The content of this attribute is dependent on
                        the Transport Mechanism see the Transport
                        Mechanism Supplement.

   SecureSenderNetLocn  This contains the secured net location of the
                        sender of the TPO Block in which the Protocol
                        Options Component is contained.

                        The content of this attribute is dependent on
                        the Transport Mechanism see the Transport
                        Mechanism Supplement.

   SuccessNetLocn       This contains the net location that should be
                        displayed after the IOTP Transaction has
                        successfully completed.

                        The content of this attribute is dependent on
                        the Transport Mechanism see the Transport
                        Mechanism Supplement.

   Either SenderNetLocn, SecureSenderNetLocn or both must be present.

7.2 Authentication Request Component

   This Trading Component contains parameter data that is used in an
   Authentication of one Trading Role by another. Its definition is as
   follows.

   <!ELEMENT AuthReq (Algorithm, PackagedContent*)>
   <!ATTLIST AuthReq
    ID                 ID      #REQUIRED
    AuthenticationId   CDATA   #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   If required the Algorithm may use the challenge data, contained in
   the Packaged Content elements within the Authentication Request
   Component in its calculation. The format of the Packaged Contents are
   Algorithm dependent.

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Authentication Request Component within the IOTP
                      Transaction.

   AuthenticationId   An identifier specified by the Authenticator
                      which, if returned by the Organisation that
                      receives the Authentication Request, will enable



Burdett                      Informational                     [Page 97]


RFC 2801                       IOTP/1.0                       April 2000


                      the Authenticator to identify which Authentication
                      is being referred to.

   ContentSoftwareId  See section 14.Glossary

   Content:

   PackagedContent    This contains the challenge data as one or more
                      Packaged Content (see section 3.7) that is to be
                      responded to using the Algorithm defined by the
                      Algorithm element.

   Algorithm          This contains information which describes the
                      Algorithm (see 7.19 Signature Components) that
                      must be used to generate the Authentication
                      Response.

                      The Algorithms that may be used are identified by
                      the Name attribute of the Algorithm element. For
                      valid values see section 12. IANA Considerations.

7.3 Authentication Response Component

   The Authentication Response Component contains the results of an
   authentication request.  It uses the Algorithm contained in the
   Authentication Request Component (see section 7.2) selected from the
   Authentication Request Block (see section 8.4).

   Depending on the Algorithm selected, the results of applying the
   algorithm will either be contained in a Signature Component that
   signs both the Authentication Response and potentially other data, or
   in the Packaged Content elements within the Authentication Response
   Component.  Its definition is as follows.

   <!ELEMENT AuthResp (PackagedContent*) >
   <!ATTLIST AuthResp
    ID                 ID      #REQUIRED
    AuthenticationId   CDATA   #REQUIRED
    SelectedAlgorithmRef NMTOKEN #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ID                     An identifier which uniquely identifies the
                          Authentication Response Component within the
                          IOTP Transaction.





Burdett                      Informational                     [Page 98]


RFC 2801                       IOTP/1.0                       April 2000


   AuthenticationId       The Authentication identifier specified by the
                          Authenticator that was included in the
                          Authentication Request Component(see section
                          7.2). This will enable the Authenticator to
                          identify the Authentication that is being
                          referred to.

   SelectedAlgorithmRef   An Element Reference that identifies the
                          Algorithm element used to generate the
                          Authentication Response.

   ContentSoftwareId      See section 14.Glossary.

   Content:

   PackagedContent    This may contain the response generated as a
                      result of applying the Algorithm selected from the
                      Authentication Request Component see section 7.2.

                      For example, for a payment specific scheme, it may
                      contain scheme-specific data. Refer to the scheme-
                      specific supplemental documentation for
                      definitions of its content.

7.4 Trading Role Information Request Component

   This Trading Component contains a list of Trading Roles (see section
   2.1) about which information is being requested. The result of a
   Trading Role Request is a set of Organisation Components (see section
   7.6) that describe each of the Trading Roles requested.

   Example usage includes:

   o  a Merchant requesting that a Consumer provides Organisation
      Components for the Consumer and DelivTo Trading Roles

   o  a Consumer requesting from a Merchant, information about the
      Payment Handlers and Delivery Handlers that the Merchant uses.

   Its definition is as follows.

   <!ELEMENT TradingRoleInfoReq EMPTY>
   <!ATTLIST TradingRoleInfoReq
    ID                 ID      #REQUIRED
    TradingRoleList    NMTOKENS #REQUIRED >






Burdett                      Informational                     [Page 99]


RFC 2801                       IOTP/1.0                       April 2000


   Attributes:

   ID                 An identifier which uniquely identifies the
                      Trading Role Information Request Component within
                      the IOTP Transaction.

   TradingRoleList    Contains a list of one or more Trading Roles (see
                      the TradingRole attribute of the Trading Role
                      Element - section 7.6.2) for which information is
                      being requested.

7.5 Order Component

   An Order Component contains information about an order. Its
   definition is as follows.

   <!ELEMENT Order (PackagedContent*) >
   <!ATTLIST Order
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    OrderIdentifier    CDATA   #REQUIRED
    ShortDesc          CDATA   #REQUIRED
    OkFrom             CDATA   #REQUIRED
    OkTo               CDATA   #REQUIRED
    ApplicableLaw      CDATA   #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the Order
                      Component within the IOTP Transaction.

   xml:lang           Defines the language used by attributes or child
                      elements within this component, unless overridden
                      by an xml:lang attribute on a child element. See
                      section 3.8 Identifying Languages.

   OrderIdentifier    This is a code, reference number or other
                      identifier which the creator of the Order may use
                      to identify the order. It must be unique within an
                      IOTP Transaction. If it is used in this way, then
                      it may remove the need to specify any content for
                      the Order element as the reference can be used to
                      look up the necessary information in a database.

   ShortDesc          A short description of the order in the language
                      defined by xml:lang. It is used to facilitate
                      selecting an individual order from a list of



Burdett                      Informational                    [Page 100]


RFC 2801                       IOTP/1.0                       April 2000


                      orders, for example from a database of orders
                      which has been stored by a Consumer, Merchant,
                      etc.

   OkFrom             The date and time in [UTC] format after which the
                      offer made by the Merchant lapses.

   OkTo               The date and time in [UTC] format before which a
                      Value Acquirer may accept the offer made by the
                      Merchant is not valid.

   ApplicableLaw      A phrase in the language defined by xml:lang which
                      describes the state or country of jurisdiction
                      which will apply in resolving problems or
                      disputes.

   ContentSoftwareId  See section 14.Glossary.

   Content:

   PackagedContent    An optional description of the order information
                      as one or more Packaged Contents (see section
                      3.7).

7.5.1 Order Description Content

   The Packaged Content element will normally be required, however it
   may be omitted where sufficient information about the purchase can be
   provided in the ShortDesc attribute. If the full Order Description
   requires it several Packaged Content elements may be used.

   Although the amount and currency are likely to appear in the Packaged
   Content of the Order Description it is the amount and currency
   contained in the payment related trading components (Brand List,
   Brand Selection and Payment) that is authoritative. This means it is
   important that the amount actually being paid (as contained in the
   payment related trading components) is prominently displayed to the
   Consumer.

   For interoperability, implementations must support Plain Text, HTML
   and XML as a minimum so that it can be easily displayed.

7.5.2 OkFrom and OkTo Timestamps

   Note that:

   o  the OkFrom date may be later than the OkFrom date on the Payment
      Component (see section 7.9) associated with this order, and



Burdett                      Informational                    [Page 101]


RFC 2801                       IOTP/1.0                       April 2000


   o  similarly, the OkTo date may be earlier that the OkTo date on the
      Payment Component (see section 7.9).

   Note: Disclaimer. The following information provided in this note
   does not represent formal advice of any of the authors of this
   specification. Readers of this specification must form their own
   views and seek their own legal counsel on the usefulness and
   applicability of this information.

   The merchant in the context of Internet commerce with anonymous
   consumers initially frames the terms of the offer on the web page,
   and in order to obtain the goods or services, the consumer must
   accept them.

   If there is to be a time-limited offer, it is recommended that
   merchants communicate this to the consumer and state in the order
   description in a manner which is clear to the consumer that:

   o  the offer is time limited

   o  the OkFrom and OkTo timestamps specify the validity of the offer

   o  the clock, e.g., the merchant's clock, that will be used to
      determine the validity of the offer

   Also note that although the OkFrom and OkTo dates are likely to
   appear in the Packaged Content of the Order Description it is the
   dates contained in the Order Component that is authoritative. This
   means it is important that the OkFrom and OkTo dates actually being
   used is prominently displayed to the Consumer.

7.6 Organisation Component

   The Organisation Component provides information about an individual
   or an Organisation. This can be used for a variety of purposes. For
   example:

   o to describe the merchant who is selling the goods,

   o to identify who made a purchase,

   o to identify who will take delivery of goods,

   o to provide a customer care contact,

   o to describe who will be the Payment Handler.





Burdett                      Informational                    [Page 102]


RFC 2801                       IOTP/1.0                       April 2000


   Note that the Organisation Components which must be present in an
   IOTP Message are dependent on the particular transaction being
   carried out.  Refer to section 9. Internet Open Trading Protocol
   Transactions, for more details.

   Its definition is as follows.

   <!ELEMENT Org (TradingRole+, ContactInfo?,
        PersonName?, PostalAddress?)>
   <!ATTLIST Org
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    OrgId              CDATA   #REQUIRED
    LegalName          CDATA   #IMPLIED
    ShortDesc          CDATA   #IMPLIED
    LogoNetLocn        CDATA   #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Organisation Component within the IOTP
                      Transaction.

   xml:lang           Defines the language used by attributes or child
                      elements within this component, unless overridden
                      by an xml:lang attribute on a child element. See
                      section 3.8 Identifying Languages.

   OrgId              A code which identifies the Organisation described
                      by the Organisation Component. See 7.6.1
                      Organisation IDs, below.

   LegalName          For Organisations which are companies this is
                      their legal name in the language defined by
                      xml:lang. It is required for Organisations who
                      have a Trading Role other than Consumer or
                      DelivTo.

   ShortDesc          A short description of the Organisation in the
                      language defined by xml:lang. It is typically the
                      name by which the Organisation is commonly known.
                      For example, if the legal name was "Blue Meadows
                      Financial Services Inc.". Then its short name
                      would likely be "Blue Meadows".

                      It is used to facilitate selecting an individual
                      Organisation from a list of Organisations, for
                      example from a database of Organisations involved



Burdett                      Informational                    [Page 103]


RFC 2801                       IOTP/1.0                       April 2000


                      in IOTP Transactions which has been stored by a
                      consumer.

   LogoNetLocn        The net location which can be used to download the
                      logo for the Organisation.

                      See section 10 Retrieving Logos.

                      The content of this attribute must conform to
                      [RFC1738].

   Content:

   TradingRole        See 7.6.2 Trading Role Element below.

   ContactInfo        See 7.6.3 Contact Information Element below.

   PersonName         See 7.6.4 Person Name below.

   PostalAddress      See 7.6.5 Postal Address below.

7.6.1 Organisation IDs

   Organisation IDs are used by one IOTP Trading Role to identify
   another.  In order to avoid confusion, this means that these IDs must
   be globally unique.

   In principle this is achieved in the following way:

   o  the Organisation Id for all trading roles, apart from the Consumer
      Trading Role, uses a domain name as their globally unique
      identifier,

   o  the Organisation Id for a Consumer Trading Role is allocated by
      one of the other Trading Roles in an IOTP Transaction and is made
      unique by concatenating it with that other roles' Organisation Id,

   o  once a Consumer is allocated an Organisation Id within an IOTP
      Transaction the same Organisation Id is used by all the other
      trading roles in that IOTP transaction to identify that Consumer.

   Specifically, the content of the Organisation ID is defined as
   follows:

   OrgId ::= NonConsumerOrgId | ConsumerOrgId
   NonConsumerOrgId ::= DomainName
   ConsumerOrgId ::= ConsumerOrgIdPrefix (namechar)+ "/" NonConsumerOrgId
   ConsumerOrgIdPrefix ::= "Consumer:"



Burdett                      Informational                    [Page 104]


RFC 2801                       IOTP/1.0                       April 2000


   ConsumerOrgId      The Organisation ID for a Consumer consists of:
                       o a standard prefix to identify that the
                         Organisation Id is for a consumer, followed by

                       o one or more characters which conform to the
                         definition of an XML "namechar". See [XML]
                         specifications, followed by
                       o the NonConsumerOrgId for the Organisation
                         which allocated the ConsumerOrgId. It is
                         normally the Merchant role.

                      Use of upper and lower case is not significant.

   NonConsumerOrgId   If the Role is not Consumer then this contains the
                      Canonical Name for the non-consumer Organisation
                      being described by the Organisation Component. See
                      [DNS] optionally followed by additional
                      characters, if required, to make the
                      NonConsumerOrgId unique.

                      Note that a NonConsumerOrgId may not start with
                      the ConsumerOrgIdPrefix.

                      Use of upper and lower case is not significant.

   Examples of Organisation Ids follow:

   o  newjerseybooks.com - a merchant Organisation id

   o  westernbank.co.uk - a Payment Handler Organisation id

   o  consumer:1000247ABH/newjerseybooks.com - a consumer Organisation
      id allocated by a merchant

7.6.2 Trading Role Element

   This identifies the Trading Role of an individual or Organisation in
   the IOTP Transaction. Note, an Organisation may have more than one
   Trading Role and several roles may be present in one Organisation
   element. Its definition is as follows:

   <!ELEMENT TradingRole EMPTY >
   <!ATTLIST TradingRole
    ID                 ID      #REQUIRED
    TradingRole        NMTOKEN #REQUIRED
    IotpMsgIdPrefix    NMTOKEN #REQUIRED
    CancelNetLocn      CDATA   #IMPLIED
    ErrorNetLocn       CDATA   #IMPLIED



Burdett                      Informational                    [Page 105]


RFC 2801                       IOTP/1.0                       April 2000


    ErrorLogNetLocn    CDATA   #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Trading Role Element within the IOTP Transaction.

   TradingRole        The trading role of the Organisation. Valid values
                      are:
                       o Consumer. The person or Organisation that is
                         acting in the role of a consumer in the IOTP
                         Transaction.
                       o Merchant. The person or Organisation that is
                         acting in the role of merchant in the IOTP
                         Transaction.
                       o PaymentHandler. The financial institution or
                         other Organisation which is a Payment Handler
                         for the IOTP Transaction
                       o DeliveryHandler. The person or Organisation
                         that is the delivering the goods or services
                         for the IOTP Transaction
                       o DelivTo. The person or Organisation that is
                         receiving the delivery of goods or services in
                         the IOTP Transaction
                       o CustCare. The Organisation and/or individual
                         who will provide customer care for an IOTP
                         Transaction.

                      Values of TradingRole are controlled under the
                      procedures defined in section 12 IANA
                      Considerations which also allows user defined
                      values to be defined.

   IotpMsgIdPrefix    Contains the prefix which must be used for all
                      IOTP Messages sent by the Trading Role in this
                      IOTP Transaction. The values to be used are
                      defined in 3.4.1 IOTP Message ID Attribute
                      Definition.

   CancelNetLocn      This contains the net location of where the
                      Consumer should go to if the Consumer cancels the
                      transaction for some reason. It can be used by the
                      Trading Role to provide a response which is more
                      tailored to the circumstances of a particular
                      transaction.






Burdett                      Informational                    [Page 106]


RFC 2801                       IOTP/1.0                       April 2000


                      This attribute:
                       o must not be present when TradingRole is set to
                         Consumer role or DelivTo,

                       o must be present when TradingRole is set to
                         Merchant, PaymentHandler or DeliveryHandler.

                      The content of this attribute is dependent on the
                      Transport Mechanism see the Transport Mechanism
                      Supplement.

   ErrorNetLocn       This contains the net location that should be
                      displayed by the Consumer after the Consumer has
                      either received or generated an Error Block
                      containing an Error Component with the Severity
                      attribute set to either:
                       o HardError,
                       o Warning but the Consumer decides to not
                         continue with the transaction
                       o TransientError and the transaction has
                         subsequently timed out.

                      See section 7.21.1 Error Processing Guidelines for
                      more details.

                      This attribute:
                       o must not be present when TradingRole is set to
                         Consumer or DelivTo,
                       o must be present when TradingRole is set to
                         Merchant, PaymentHandler or DeliveryHandler.

                      The content of this attribute is dependent on the
                      Transport Mechanism see the Transport Mechanism
                      Supplement.

   ErrorLogNetLocn    Optional. This contains the net location that
                      Consumers should send IOTP Messages that contain
                      Error Blocks with an Error Component with the
                      Severity attribute set to either:
                       o HardError,
                       o Warning but the Consumer decides to not
                         continue with the transaction
                       o TransientError and the transaction has
                         subsequently timed out.

                      This attribute:
                       o must not be present when TradingRole is set to
                         Consumer role,



Burdett                      Informational                    [Page 107]


RFC 2801                       IOTP/1.0                       April 2000


                       o must be present when TradingRole is set to
                         Merchant, PaymentHandler or DeliveryHandler.

                      The content of this attribute is dependent on the
                      Transport Mechanism see the Transport Mechanism
                      Supplement.

                      The ErrorLogNetLocn can be used to send error
                      messages to the software company or some other
                      Organisation responsible for fixing problems in
                      the software which sent the incoming message. See
                      section 7.21.1 Error Processing Guidelines for
                      more details.

7.6.3 Contact Information Element

   This contains information which can be used to contact an
   Organisation or an individual. All attributes are optional however at
   least one item of contact information should be present. Its
   definition is as follows.

   <!ELEMENT ContactInfo EMPTY >
   <!ATTLIST ContactInfo
    xml:lang           NMTOKEN #IMPLIED
    Tel                CDATA   #IMPLIED
    Fax                CDATA   #IMPLIED
    Email              CDATA   #IMPLIED
    NetLocn            CDATA   #IMPLIED >

   Attributes:

   xml:lang           Defines the language used by attributes within
                      this element. See section 3.8 Identifying
                      Languages.

   Tel                A telephone number by which the Organisation may
                      be contacted. Note that this is a text field and
                      no validation is carried out on it.

   Fax                A fax number by which the Organisation may be
                      contacted. Note that this is a text field and no
                      validation is carried out on it.

   Email              An email address by which the Organisation may be
                      contacted. Note that this field should conform to
                      the conventions for address specifications
                      contained in [RFC822].




Burdett                      Informational                    [Page 108]


RFC 2801                       IOTP/1.0                       April 2000


   NetLocn            A location on the Internet by which information
                      about the Organisation may be obtained that can be
                      displayed using a web browser.

                      The content of this attribute must conform to
                      [RFC1738].

7.6.4 Person Name Element

   This contains the name of an individual person. All fields are
   optional however as a minimum either the GivenName or the FamilyName
   should be present. Its definition is as follows.

   <!ELEMENT PersonName EMPTY >
   <!ATTLIST PersonName
    xml:lang           NMTOKEN #IMPLIED
    Title              CDATA   #IMPLIED
    GivenName          CDATA   #IMPLIED
    Initials           CDATA   #IMPLIED
    FamilyName         CDATA   #IMPLIED >

   Attributes:

   xml:lang           Defines the language used by attributes within
                      this element. See section 3.8 Identifying
                      Languages.

   Title              A distinctive name; personal appellation,
                      hereditary or not, denoting or implying office
                      (e.g., judge, mayor) or nobility (e.g., duke,
                      duchess, earl), or used in addressing or referring
                      to a person (e.g., Mr, Mrs, Miss)

   GivenName          The primary or main name by which a person is
                      known amongst and identified by their family,
                      friends and acquaintances. Otherwise known as
                      first name or Christian Name.

   Initials           The first letter of the secondary names (other
                      than the Given Name) by which a person is known
                      amongst or identified by their family, friends and
                      acquaintances.

   FamilyName         The name by which family of related individuals
                      are known. It is typically the part of an
                      individual's name which is passed on by parents to
                      their children.




Burdett                      Informational                    [Page 109]


RFC 2801                       IOTP/1.0                       April 2000


7.6.5 Postal Address Element

   This contains an address which can be used, for example, for the
   physical delivery of goods, services or letters. Its definition is as
   follows.

   <!ELEMENT PostalAddress EMPTY >
   <!ATTLIST PostalAddress
    xml:lang           NMTOKEN #IMPLIED
    AddressLine1       CDATA   #IMPLIED
    AddressLine2       CDATA   #IMPLIED
    CityOrTown         CDATA   #IMPLIED
    StateOrRegion      CDATA   #IMPLIED
    PostalCode         CDATA   #IMPLIED
    Country            CDATA   #IMPLIED
    LegalLocation (True | False) 'False' >

   Attributes:

   xml:lang           Defines the language used by attributes within
                      this element. See section 3.8 Identifying
                      Languages.

   AddressLine1       The first line of a postal address. e.g., "The
                      Meadows"

   AddressLine2       The second line of a postal address. e.g., "Sandy
                      Lane"

   CityOrTown         The city of town of the address. e.g., "Carpham"

   StateOrRegion      The state or region within a country where the
                      city or town is placed. e.g., "Surrey"

   PostalCode        The code known as, for example a post code or zip
                      code, that is typically used by Postal
                      Organisations to organise postal deliveries into
                      efficient sequences. e.g., "KT22 1AA"

   Country            The country for the address. e.g., "UK"

   LegalLocation      This identifies whether the address is the
                      Registered Address for the Organisation. At least
                      one address for the Organisation must have a value
                      set to True unless the Trading Role is either
                      Consumer or DeliverTo.





Burdett                      Informational                    [Page 110]


RFC 2801                       IOTP/1.0                       April 2000


7.7 Brand List Component

   Brand List Components are contained within the Trading Protocol
   Options Block (see section 8.1) of the IOTP Transaction. They
   contains lists of:

   o  payment Brands (see also section 11.1 Brand Definitions and Brand
      Selection),

   o  amounts to be paid in the currencies that are accepted or offered
      by the Merchant,

   o  the payment protocols which can be used to make payments with a
      Brand, and

   o  the net locations of the Payment Handlers which accept payment for
      a payment protocol

   The definition of a Brand List Component is as follows.

   <!ELEMENT BrandList (Brand+, ProtocolAmount+,
    CurrencyAmount+, PayProtocol+) >
   <!ATTLIST BrandList
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    ShortDesc          CDATA   #REQUIRED
    PayDirection (Debit | Credit) #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the Brand
                      List Component within the IOTP Transaction.

   xml:lang           Defines the language used by attributes or child
                      elements within this component, unless overridden
                      by an xml:lang attribute on a child element. See
                      section 3.8 Identifying Languages.

   ShortDesc          A text description in the language defined by
                      xml:Lang giving details of the purpose of the
                      Brand List.  This information must be displayed to
                      the receiver of the Brand List in order to assist
                      with making the selection. It is of particular
                      benefit in allowing a Consumer to distinguish the
                      purpose of a Brand List when an IOTP Transaction
                      involves more than one payment.





Burdett                      Informational                    [Page 111]


RFC 2801                       IOTP/1.0                       April 2000


   PayDirection       Indicates the direction in which the payment for
                      which a Brand is being selected is to be made. Its
                      values may be:
                       o Debit The sender of the Payment Request Block
                         (e.g., the Consumer) to which this Brand List
                         relates will make the payment to the Payment
                         Handler, or
                       o Credit The sender of the Payment Request Block
                         to which this Brand List relates will receive a
                         payment from the Payment Handler.

   Content:

   Brand              This describes a Brand. The sequence of the Brand
                      elements (see section 7.7.1) within the Brand List
                      does not indicate any preference. It is
                      recommended that software which processes this
                      Brand List presents Brands in a sequence which the
                      receiver of the Brand List prefers.

   ProtocolAmount     This links a particular Brand to:
                       o the currencies and amounts in CurrencyAmount
                         elements that can be used with the Brand, and
                       o the Payment Protocols and Payment Handlers,
                         which can be used with those currencies and
                         amounts, and a particular Brand

   CurrencyAmount     This contains a currency code and an amount.

   PayProtocol        This contains information about a Payment Protocol
                      and the Payment Handler which may be used with a
                      particular Brand.

   The relationships between the elements which make up the content of
   the Brand List is illustrated in the diagram below.
















Burdett                      Informational                    [Page 112]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

                    Brand List Component

                      |                   ProtocolAmountRefs
                      |-Brand Element-----------------------------
                      |  |                                        |
                      |   - Protocol Brand Element--------        |
                      |                                   |       |
                      |                         ProtocolId|       |
                      |                                   |       |
                      |-Protocol Amount Element<----------+-------
                      |  |                      |         |
                      |  |                      |         |
                      |  |CurrencyAmountRefs    |Pay      |
                      |  |                      |Protocol |
                      |  v                      |Ref      |
                      |-Currency Amount Element |         |
                      | Element                 |         |
                      |                         |         |
                       -PayProtocolElement<------<--------

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                   Figure 15 Brand List Element Relationships

   Examples of complete Brand Lists are contained in section 11.2 Brand
   List Examples.

7.7.1 Brand Element

   A Brand Element describes a brand that can be used for making a
   payment.  One or more of these elements is carried in each Brand List
   Component that has the PayDirection attribute set to Debit.  Exactly
   one Brand Element may be carried in a Brand List Component that has
   the PayDirection attribute set to Credit.

   <!ELEMENT Brand (ProtocolBrand*, PackagedContent*) >
   <!ATTLIST Brand
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #IMPLIED
    BrandId            CDATA   #REQUIRED
    BrandName          CDATA   #REQUIRED
    BrandLogoNetLocn   CDATA   #REQUIRED
    BrandNarrative     CDATA   #IMPLIED
    ProtocolAmountRefs IDREFS  #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >




Burdett                      Informational                    [Page 113]


RFC 2801                       IOTP/1.0                       April 2000


   Attributes:

   ID                  Element identifier, potentially referenced in a
                       Brand Selection Component contained in a later
                       Payment Request message and uniquely identifies
                       the Brand element within the IOTP Transaction.

   xml:lang            Defines the language used by attributes and
                       content of this element. See section 3.8
                       Identifying Languages.

   BrandId             This contains a unique identifier for the brand
                       (or promotional brand). It is used to match
                       against a list of Payment Instruments which the
                       Consumer holds to determine whether or not the
                       Consumer can pay using the Brand.

                       Values of BrandId are managed under the procedure
                       described in section 12 IANA Considerations.

                       As values of BrandId are controlled under the
                       procedures defined in section 12 IANA
                       Considerations user defined values may be
                       defined.

   BrandName           This contains the name of the brand, for example
                       MasterCard Credit. This is the description of the
                       Brand which is displayed to the consumer in the
                       Consumers language defined by xml:lang. For
                       example it might be "American Airlines Advantage
                       Visa". Note that this attribute is not used for
                       matching against the payment instruments held by
                       the Consumer.

   BrandLogoNetLocn    The net location which can be used to download
                       the logo for the Organisation. See section
                       Retrieving Logos (see section 10).

                       The content of this attribute must conform to
                       [RFC1738].

   BrandNarrative      This optional attribute is designed to be used by
                       the Merchant to indicate some special conditions
                       or benefit which would apply if the Consumer
                       selected that brand. For example "5% discount",
                       "free shipping and handling", "free breakage
                       insurance for 1 year", "double air miles apply",
                       etc.



Burdett                      Informational                    [Page 114]


RFC 2801                       IOTP/1.0                       April 2000


   ProtocolAmountRefs  Identifies the protocols and related currencies
                       and amounts which can be used with this Brand.
                       Specified as a list of ID's of Protocol Amount
                       Elements (see section 7.7.3) contained within the
                       Brand List.

   ContentSoftwareId   See section 14.Glossary.

   Content:

   ProtocolBrand      Protocol Brand elements contain brand information
                      to be used with a specific payment protocol (see
                      section 7.7.2)


   PackagedContent    Optional Packaged Content (see section 3.7)
                      elements containing information about the brand
                      which may be used by the payment protocol. The
                      content of this information is defined in the
                      supplement for a payment protocol which describes
                      how the payment protocol works with IOTP.

   Example Brand Elements are contained in section 11.2 Brand List
   Examples.

7.7.2 Protocol Brand Element

   The Protocol Brand Element contains information that is specific to
   the use of a particular Protocol with a Brand. Its definition is as
   follows.

   <!ELEMENT ProtocolBrand (PackagedContent*) >
   <!ATTLIST ProtocolBrand
    ProtocolId         CDATA   #REQUIRED
    ProtocolBrandId    CDATA   #REQUIRED >


   Attributes:

   ProtocolId         This must match the value of a ProtocolId
                      attribute in a Pay Protocol Element (see section
                      7.7.5).

                      The values of ProtocolId should be unique within a
                      Brand Element otherwise there is an error.






Burdett                      Informational                    [Page 115]


RFC 2801                       IOTP/1.0                       April 2000


   ProtocolBrandId    This is the Payment Brand Id to be used with a
                      particular payment protocol. For example, SET and
                      EMV have their own well defined, yet different,
                      values for the Brand Id to be used with each
                      protocol.

                      The valid values of this attribute are defined in
                      the supplement for the payment protocol identified
                      by ProtocolId that describes how the payment
                      protocol works with IOTP.

   Content:

   PackagedContent    Optional Packaged Content (see section 3.7)
                      elements containing information about the
                      protocol/brand which may be used by the payment
                      protocol. The content of this information is
                      defined in the supplement for a payment protocol
                      which describes how the payment protocol works
                      with IOTP.

7.7.3 Protocol Amount Element

   The Protocol Amount element links a Brand to:

   o  the currencies and amounts in Currency Amount Elements (see
      section 7.7.4) that can be used with the Brand, and

   o  the Payment Protocols and Payment Handlers defined in a Pay
      Protocol Element (see section 7.7.5), which can be used with those
      currencies and amounts.

   Its definition is as follows:

   <!ELEMENT ProtocolAmount (PackagedContent*) >
   <!ATTLIST ProtocolAmount
    ID                 ID      #REQUIRED
    PayProtocolRef     IDREF   #REQUIRED
    CurrencyAmountRefs IDREFS  #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ID                  Element identifier, potentially referenced in a
                       Brand element; or in a Brand Selection Component
                       contained in a later Payment Request message
                       which uniquely identifies the Protocol Amount
                       element within the IOTP Transaction.



Burdett                      Informational                    [Page 116]


RFC 2801                       IOTP/1.0                       April 2000


   PayProtocolRef      Contains an Element Reference (see section 3.5)
                       that refers to the Pay Protocol Element (see
                       section 7.7.5) that contains the Payment Protocol
                       and Payment Handlers that can be used with the
                       Brand.

   CurrencyAmountRefs  Contains a list of  Element References (see
                       section 3.5) that refer to the Currency Amount
                       Element (see section 7.7.4) that describes the
                       currencies and amounts that can be used with the
                       Brand.

   ContentSoftwareId   See section 14. Glossary.

   Content:

   PackagedContent    Optional Packaged Content (see section 3.7)
                      elements containing information about the protocol
                      amount which may be used by the payment protocol.
                      The content of this information is defined in the
                      supplement for a payment protocol which describes
                      how the payment protocol works with IOTP.

   Examples of Protocol Amount Elements are contained in section 11.2
   Brand List Examples.

7.7.4 Currency Amount Element

   A Currency Amount element contains:

   o a currency code (and its type), and

   o an amount.

   One or more of these elements is carried in each Brand List
   Component.  Its definition is as follows:

   <!ELEMENT CurrencyAmount EMPTY >
   <!ATTLIST CurrencyAmount
    ID                 ID      #REQUIRED
    Amount             CDATA   #REQUIRED
    CurrCodeType       NMTOKEN 'ISO4217-A'
    CurrCode           CDATA   #REQUIRED >

   Attributes:

   ID                 Element identifier, potentially referenced in a
                      Brand element; or in a Brand Selection Component



Burdett                      Informational                    [Page 117]


RFC 2801                       IOTP/1.0                       April 2000


                      contained in a later Payment Request message which
                      uniquely identifies the Currency Amount Element
                      within the IOTP Transaction.

   Amount             Indicates the amount to be paid in whole and
                      fractional units of the currency. For example
                      $245.35 would be expressed "245.35". Note that
                      values smaller than the smallest denomination are
                      allowed. For example one tenth of a cent would be
                      "0.001".

   CurrCodeType       Indicates the domain of the CurrCode. This
                      attribute is included so that the currency code
                      may support non-standard "currencies" such as
                      frequent flyer points, trading stamps, etc. Its
                      values may be:
                       o ISO4217-A (the default) indicates the currency
                         code is a three character alphabetic currency
                         code that conforms to [ISO 4217]
                       o IOTP indicates that values of CurrCode are
                         managed under the procedure described in
                         section 12 IANA Considerations

   CurrCode           A code which identifies the currency to be used in
                      the payment. The domain of valid currency codes is
                      defined by CurrCodeType

                      As values of CurrCodeType are managed under the
                      procedure described in section 12 IANA
                      Considerations user defined values of CurrCodeType
                      may be defined.

   Examples of Currency Amount Elements are contained in section 11.2
   Brand List Examples.

7.7.5 Pay Protocol Element

   A Pay Protocol element specifies details of a Payment Protocol and
   the Payment Handler that can be used with a Brand. One or more of
   these elements is carried in each Brand List.

   <!ELEMENT PayProtocol (PackagedContent*) >
   <!ATTLIST PayProtocol
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #IMPLIED
    ProtocolId         NMTOKEN #REQUIRED
    ProtocolName       CDATA   #REQUIRED
    ActionOrgRef       NMTOKEN #REQUIRED



Burdett                      Informational                    [Page 118]


RFC 2801                       IOTP/1.0                       April 2000


    PayReqNetLocn      CDATA   #IMPLIED
    SecPayReqNetLocn   CDATA   #IMPLIED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ID                 Element identifier, potentially referenced in a
                      Brand element; or in a Brand Selection Component
                      contained in a later Payment Request message which
                      uniquely identifies the Pay Protocol element
                      within the IOTP Transaction.

   xml:lang           Defines the language used by attributes and
                      content of this element. See section 3.8
                      Identifying Languages.

   ProtocolId         Consists of a protocol name and version. For
                      example "SETv1.0".

                      The values of ProtocolId are defined by the
                      payment scheme/method owners in the document that
                      describes how to encapsulate a payment protocol
                      within IOTP.

   ProtocolName       A narrative description of the payment protocol
                      and its version in the language identified by
                      xml:lang. For example "Secure Electronic
                      Transaction Version 1.0". Its purpose is to help
                      provide information on the payment protocol being
                      used if problems arise.

   ActionOrgRef       An Element Reference (see section 3.5) to the
                      Organisation Component for the Payment Handler for
                      the Payment Protocol.

   PayReqNetLocn      The Net Location indicating where an unsecured
                      Payment Request message should be sent if this
                      protocol choice is used.

                      The content of this attribute is dependent on the
                      Transport Mechanism (such must conform to
                      [RFC1738].

   SecPayReqNetLocn   The Net Location indicating where a secured
                      Payment Request message should be sent if this
                      protocol choice is used.





Burdett                      Informational                    [Page 119]


RFC 2801                       IOTP/1.0                       April 2000


                      A secured payment involves the use of a secure
                      channel such as [SSL/TLS] in order to communicate
                      with the Payment Handler.

                      The content of this attribute must conform to
                      [RFC1738]. See also See section 3.9 Secure and
                      Insecure Net Locations.

   ContentSoftwareId  See section 14. Glossary.

   Content:

   PackagedContent    Optional Packaged Content elements (see section
                      3.7) containing information about the protocol
                      which is used by the payment protocol. The content
                      of this information is defined in the supplement
                      for a payment protocol which describes how the
                      payment protocol works with IOTP. An example of
                      its use could be to include a payment protocol
                      message.

   Examples of Pay Protocol Elements are contained in section 11.2 Brand
   List Examples.

7.8 Brand Selection Component

   A Brand Selection Component identifies the choice of payment brand,
   payment protocol and the Payment Handler.  This element is used:

   o  in Payment Request messages within Baseline Purchase and Baseline
      Value Exchange IOTP Transactions to identify the brand, protocol
      and payment handler for a payment, or

   o  to, optionally, inform a merchant in a purchase of the payment
      brand being used so that the offer and order details can be
      amended accordingly.

   In Baseline IOTP, the integrity of Brand Selection Components is not
   guaranteed.  However, modification of Brand Selection Components can
   only cause denial of service if the payment protocol itself is secure
   against message modification, duplication, and swapping attacks.

   The definition of a Brand Selection Component is as follows.

   <!ELEMENT BrandSelection (BrandSelBrandInfo?,
        BrandSelProtocolAmountInfo?,
        BrandSelCurrencyAmountInfo?) >
   <!ATTLIST BrandSelection



Burdett                      Informational                    [Page 120]


RFC 2801                       IOTP/1.0                       April 2000


    ID                 ID      #REQUIRED
    BrandListRef       NMTOKEN #REQUIRED
    BrandRef           NMTOKEN #REQUIRED
    ProtocolAmountRef  NMTOKEN #REQUIRED
    CurrencyAmountRef  NMTOKEN #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the Brand
                      Selection Component within the IOTP Transaction.

   BrandListRef       The Element Reference (see section 3.5) of the
                      Brand List Component from which a Brand is being
                      selected

   BrandRef           The Element Reference of a Brand element within
                      the Brand List Component that is being selected
                      that is to be used in the payment.

   ProtocolAmountRef  The Element Reference of a Protocol Amount element
                      within the Brand List Component which is to be
                      used when making the payment.

   CurrencyAmountRef  The Element Reference of a Currency Amount element
                      within the Brand List Component which is to be
                      used when making the payment.

   Content:

   BrandSelBrandInfo,           This contains any additional data that
   BrandSelProtocolAmountInfo,  may be required by a particular payment
   BrandSelCurrencyAmountInfo   brand or protocol. See sections 7.8.1,
                                 7.8.2, and 7.8.3.

   The following rules apply:

   o  the BrandListRef must contain the ID of a Brand List Component in
      the same IOTP Transaction

   o  every Brand List Component in the Trading Protocol Options Block
      (see section 8.1) must be referenced by one and only one Brand
      Selection Component

   o  the BrandRef must refer to the ID of a Brand contained within the
      Brand List Component referred to by BrandListRef






Burdett                      Informational                    [Page 121]


RFC 2801                       IOTP/1.0                       April 2000


   o  the ProtocolAmountRef must refer to one of the Element IDs listed
      in the ProtocolAmountRefs attribute of the Brand element
      identified by BrandRef

   o  the CurrencyAmountRef must refer to one of the Element IDs listed
      in the CurrencyAmountRefs attribute of the Protocol Amount Element
      identified by ProtocolAmountRef.

   An example of a Brand Selection Component is included in 11.2 Brand
   List Examples.

7.8.1 Brand Selection Brand Info Element

   The Brand Selection Brand Info Element contains any additional data
   that may be required by a particular payment brand. See the IOTP
   payment method supplement for a description of how and when it used.

   <!ELEMENT BrandSelBrandInfo (PackagedContent+) >
   <!ATTLIST BrandSelBrandInfo
    ID                 ID      #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ContentSoftwareId  See section 14. Glossary.

   Content:

   PackagedContent    Packaged Content elements (see section 3.7) that
                      contain additional data that may be required by a
                      particular payment brand. See the payment method
                      supplement for IOTP for rules on how this is used.

7.8.2 Brand Selection Protocol Amount Info Element

   The Brand Selection Protocol Amount Info Element contains any
   additional data that is payment protocol specific that may be
   required by a particular payment brand or payment protocol. See the
   IOTP payment method supplement for a description of how and when it
   used.

   <!ELEMENT BrandSelProtocolAmountInfo (PackagedContent+) >
   <!ATTLIST BrandSelProtocolAmountInfo
    ID                 ID      #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >






Burdett                      Informational                    [Page 122]


RFC 2801                       IOTP/1.0                       April 2000


   Attributes:

   ContentSoftwareId  See section 14. Glossary.

   Content:

   PackagedContent    Packaged Content elements (see section 3.7) that
                      may contain additional data that may be required
                      by a particular payment brand. See the payment
                      method supplement for IOTP for rules on how this
                      is used.

7.8.3 Brand Selection Currency Amount Info Element

   The Brand Selection Currency Amount Info Element contains any
   additional data that is payment brand and currency specific that may
   be required by a particular payment brand. See the IOTP payment
   method supplement for a description of how and when it used.

   <!ELEMENT BrandSelCurrencyAmountInfo (PackagedContent+) >
   <!ATTLIST BrandSelCurrencyAmountInfo
    ID                 ID      #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ContentSoftwareId  See section 14. Glossary.

   Content:

   PackagedContent    Packaged Content elements (see section 3.7) that
                      contain additional data relating to the payment
                      brand and currency. See the payment method
                      supplement for IOTP for rules on how this is used.

7.9 Payment Component

   A Payment Component contains information used to control how a
   payment is carried out. Its provides information on:

   o  the times within which a Payment with a Payment Handler may be
      started

   o  a reference to the Brand List (see section 7.7) which identifies
      the Brands, protocols, currencies and amounts which can be used to
      make a payment

   o  whether or not a payment receipt will be provided



Burdett                      Informational                    [Page 123]


RFC 2801                       IOTP/1.0                       April 2000


   o  whether another payment precedes this payment.

   Its definition is as follows.

   <!ELEMENT Payment EMPTY >
   <!ATTLIST Payment
    ID                 ID      #REQUIRED
    OkFrom             CDATA   #REQUIRED
    OkTo               CDATA   #REQUIRED
    BrandListRef       NMTOKEN #REQUIRED
    SignedPayReceipt (True | False) #REQUIRED
    StartAfterRefs     NMTOKENS #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Payment Component within the IOTP Transaction.

   OkFrom             The date and time in [UTC] format after which a
                      Payment Handler may accept for processing a
                      Payment Request Block (see section 8.7) containing
                      the Payment Component.

   OkTo               The date and time in [UTC] format before which a
                      Payment Handler may accept for processing a
                      Payment Request Block containing the Payment
                      Component.

   BrandListRef       An Element Reference (see section 3.5) of a Brand
                      List Component (see section 7.7) within the TPO
                      Trading Block for the IOTP Transaction. The Brand
                      List identifies the alternative ways in which the
                      payment can be made.

   SignedPayReceipt   Indicates whether or not the Payment Response
                      Block (see section 8.9) generated by the Payment
                      Handler for the payment must be digitally signed.

   StartAfter         Contains Element References (see section 3.5) of
                      other Payment Components which describe payments
                      which must be complete before this payment can
                      start. If no StartAfter attribute is present then
                      there are no dependencies and the payment can
                      start immediately







Burdett                      Informational                    [Page 124]


RFC 2801                       IOTP/1.0                       April 2000


7.10 Payment Scheme Component

   A Payment Scheme Component contains payment protocol information for
   a specific payment scheme which is transferred between the parties
   involved in a payment for example a [SET] message. Its definition is
   as follows.

   <!ELEMENT PaySchemeData (PackagedContent+) >
   <!ATTLIST PaySchemeData
    ID                 ID      #REQUIRED
    PaymentRef         NMTOKEN #IMPLIED
    ConsumerPaymentId  CDATA   #IMPLIED
    PaymentHandlerPayId CDATA  #IMPLIED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ID                   An identifier which uniquely identifies the
                        Payment Scheme Component within the IOTP
                        Transaction.

   PaymentRef           An Element Reference (see section 3.5) to the
                        Payment Component (see section 7.9) to which
                        this Payment Scheme Component relates. It is
                        required unless the Payment Scheme Component is
                        part of an Transaction Inquiry Status
                        Transaction (see section 9.2.1).

   ConsumerPaymentId    An identifier specified by the Consumer which,
                        if returned by the Payment Handler in another
                        Payment Scheme Component or by other means, will
                        enable the Consumer to identify which payment is
                        being referred to.

   PaymentHandlerPayId  An identifier specified by the Payment Handler
                        which, if returned by the Consumer in another
                        Payment Scheme Component, or by other means,
                        will enable the Payment Handler to identify
                        which payment is being referred to. It is
                        required on every Payment Scheme Component apart
                        from the one contained in a Payment Request
                        Block.

   ContentSoftwareId    See section 14. Glossary.







Burdett                      Informational                    [Page 125]


RFC 2801                       IOTP/1.0                       April 2000


   Content:

   PackagedContent    Contains payment scheme protocol information as
                      Packaged Content elements (see section 3.7). See
                      the payment scheme supplement for the definition
                      of its content.

                      Note that:
                       o the values of the Name attribute of each
                         packaged content element are defined by the
                         Payment Protocol Supplement
                       o the value of each Name must be unique within a
                         Payment where a Payment is defined as all
                         Payment Scheme or Payment Receipt Components
                         with the same value of the PaymentRef attribute

7.11 Payment Receipt Component

   A Payment Receipt is a record of a payment which demonstrates how
   much money has been paid or received. It is distinct from a purchase
   receipt in that it contains no record of what was being purchased.

   Typically the content of a Payment Receipt Component will contain
   data which describes:

   o  the amount paid and its currency

   o  the date and time of the payment

   o  internal reference numbers which identify the payment to the
      payment system

   o  potentially digital signatures generated by the payment method
      which can be used to prove after the event that the payment
      occurred.

   If the Payment Method being used provides the facility then the
   Payment Receipt Component should contain payment protocol messages,
   or references to messages, which prove the payment occurred.

   The precise definition of the content is Payment Method dependent.
   Refer to the supplement for the payment method being used to
   determine the rules that apply.

   Information contained in the Payment Receipt Component should be
   displayed or otherwise made available to the Consumer.





Burdett                      Informational                    [Page 126]


RFC 2801                       IOTP/1.0                       April 2000


   Note: If the Payment Receipt Component contains Payment Protocol
   Messages, then the Messages will need to be processed by Payment
   Method software to convert it into a format which can be understood
   by the Consumer

    The definition of a Payment Receipt Component is as follows.

   <!ELEMENT PayReceipt (PackagedContent*) >
   <!ATTLIST PayReceipt
    ID                 ID      #REQUIRED
    PaymentRef         NMTOKEN #REQUIRED
    PayReceiptNameRefs NMTOKENS #IMPLIED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ID                  An identifier which uniquely identifies the
                       Payment Receipt Component within the IOTP
                       Transaction.

   PaymentRef          Contains an Element Reference (see section 3.5)
                       to the Payment Component (see section 7.9) to
                       which this payment receipt applies

   PayReceiptNameRefs  Optionally contains a list of the values of the
                       Name attributes of Packaged Content elements that
                       together make up the receipt. The Packaged
                       Content elements are contained either within:
                        o Payment Scheme Data components exchanged
                          between the Payment Handler and the Consumer
                          roles during the Payment, and/or
                        o the Payment Receipt component itself.
                       Note that:
                        o each payment scheme defines in its supplement
                          the Names of the Packaged Content elements
                          that must be listed in this attribute (if
                          any).
                        o if a Payment Scheme Component contains
                          Packaged Content elements with a name that
                          matches a name within PayReceiptNameRefs, then
                          those Payment Scheme Components must be
                          referenced by Digests in the Payment Response
                          signature component (if such a signature is
                          being used)

                       The client software should save all the
                       components referenced so that the payment receipt
                       can be reconstructed when required.



Burdett                      Informational                    [Page 127]


RFC 2801                       IOTP/1.0                       April 2000


   ContentSoftwareId   See section 14. Glossary.

   Content:

   PackagedContent    Optionally contains payment scheme payment receipt
                      information as Packaged Content elements (see
                      section 3.7). See the payment scheme supplement
                      for the definition of its content.

                      Note that:
                       o the values of the Name attribute of each
                         packaged content element are defined by the
                         Payment Protocol Supplement
                       o the value of each Name must be unique within a
                         Payment where a Payment is defined as all
                         Payment Scheme or Payment Receipt Components,
                         with the same value of the PaymentRef attribute

   Note that either the PayReceiptNameRefs attribute, the
   PackagedContent element, or both must be present.

7.12 Payment Note Component

   The Payment Note Component contains additional, non payment related,
   information which the Payment Handler wants to provide to the
   Consumer.  For example, if a withdrawal or deposit were being made
   then it could contain information on the remaining balance on the
   account after the transfer was complete. The information should
   duplicate information contained within the Payment Receipt Component.

   Information contained in the Payment Note Component should be
   displayed or otherwise made available to the Consumer. For
   interoperability, the Payment Note Component should support, as a
   minimum, the content types of "Plain Text", HTML and XML. Its
   definition is as follows.

   <!ELEMENT PaymentNote (PackagedContent+) >
   <!ATTLIST PaymentNote
     ID                ID      #REQUIRED
     ContentSoftwareId CDATA   #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Payment Receipt Component within the IOTP
                      Transaction.

   ContentSoftwareId  See section 14. Glossary.



Burdett                      Informational                    [Page 128]


RFC 2801                       IOTP/1.0                       April 2000


   Content:

   PackagedContent    Contains additional, non payment related,
                      information which the Payment Handler wants to
                      provide to the Consumer as one or more Packaged
                      Content elements (see section 3.7).

7.13 Delivery Component

   The Delivery Element contains information required to deliver goods
   or services. Its definition is as follows.

   <!ELEMENT Delivery (DeliveryData?, PackagedContent*) >
   <!ATTLIST Delivery
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    DelivExch          (True | False) #REQUIRED
    DelivAndPayResp    (True | False) #REQUIRED
    ActionOrgRef       NMTOKEN #IMPLIED >

   Attributes:

   ID                  An identifier which uniquely identifies the
                       Delivery Component within the IOTP Transaction.

   xml:lang            Defines the language used by attributes or child
                       elements within this component, unless overridden
                       by an xml:lang attribute on a child element. See
                       section 3.8 Identifying Languages.

   DelivExch           Indicates if this IOTP Transaction includes the
                       messages associated with a Delivery Exchange.
                       Valid values are:
                        o True indicates it does include a Delivery
                          Exchange
                        o False indicates it does not include a
                          Delivery Exchange

                       If set to true then a DeliveryData element must
                       be present. If set to false it may be absent.

   DelivAndPayResp     Indicates if the Delivery Response Block (see
                       section 8.11) and the Payment Response Block (see
                       section 8.9 ) are combined into one IOTP Message.
                       Valid values are:
                        o True indicates both blocks will be in the
                          same IOTP Message, and




Burdett                      Informational                    [Page 129]


RFC 2801                       IOTP/1.0                       April 2000


                        o False indicates each block will be in a
                          different IOTP Message

                       DelivAndPayResp should not be true if DelivExch
                       is False.

                       In practice combining the Delivery Response Block
                       and Payment Response Block is only likely to be
                       practical if the Merchant, the Payment Handler
                       and the Delivery Handler are the same
                       Organisation since:
                        o the Payment Handler must have access to Order
                          Component information so that they know what
                          to deliver, and
                        o the Payment Handler must be able to carry out
                          the delivery

   ActionOrgRef        An Element Reference to the Organisation
                       Component of the Delivery Handler for this
                       delivery.

   Content:

   DeliveryData       Contains details about how the delivery will be
                      carried out. See 7.13.1 Delivery Data Element
                      below.

   PackagedContent    Contains "user" data defined for the Merchant
                      which is required by the Delivery Handler as one
                      or more Packaged Content Elements see section 3.7.

7.13.1 Delivery Data Element

   The DeliveryData element contains information about where and how
   goods are to be delivered. Its definition is as follows.

   <!ELEMENT DeliveryData (PackagedContent*) >
   <!ATTLIST DeliveryData
    xml:lang           NMTOKEN #IMPLIED
    OkFrom             CDATA   #REQUIRED
    OkTo               CDATA   #REQUIRED
    DelivMethod        NMTOKEN #REQUIRED
    DelivToRef         NMTOKEN #REQUIRED
    DelivReqNetLocn    CDATA   #REQUIRED
    SecDelivReqNetLocn CDATA   #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >





Burdett                      Informational                    [Page 130]


RFC 2801                       IOTP/1.0                       April 2000


   Attributes:

   xml:lang            Defines the language used by attributes within
                       this component. See section 3.8 Identifying
                       Languages.

   OkFrom              The date and time in [UTC] format after which the
                       Delivery Handler may accept for processing a
                       Delivery Request Block (see section 8.10).

   OkTo                The date and time in [UTC] format before which
                       the Delivery Handler may accept for processing a
                       Delivery Request Block.

   DelivMethod         Indicates the method by which goods or services
                       may be delivered. Valid values are:
                        o Post the goods will be delivered by post or
                          courier
                        o Web the goods will be delivered
                          electronically in the Delivery Note Component
                        o Email the goods will be delivered
                          electronically by e-mail

                       Values of DelivMethod are managed under the
                       procedure described in section 12 IANA
                       Considerations which allows user defined codes to
                       be defined.

   DelivToRef          The Element Reference (see section 3.4) of an
                       Organisation Component within the IOTP
                       Transaction which has a role of DelivTo. The
                       information in this block is used to determine
                       where delivery is to be made. It must be
                       compatible with DelivMethod. Specifically if the
                       DelivMethod is:
                        o Post, then the there must be a Postal Address
                          Element containing sufficient information for
                          a postal delivery,
                        o Web, then there are no specific requirements.
                          The information will be sent in a web page
                          back to the Consumer
                        o Email, then there must be Contact Information
                          Element with a valid e-mail address

   DelivReqNetLocn     This contains the Net Location to which an
                       unsecured Delivery Request Block (see section
                       8.10) which contains the Delivery Component
                       should be sent.



Burdett                      Informational                    [Page 131]


RFC 2801                       IOTP/1.0                       April 2000


                       The content of this attribute is dependent on the
                       Transport Mechanism and must conform to
                       [RFC1738].

   SecDelivReqNetLocn  This contains the Net Location to which a secured
                       Delivery Request Block (see section 8.10) which
                       contains the Delivery Component should be sent.

                       A secured delivery request involves the use of a
                       secure channel such as [SSL/TLS] in order to
                       communicate with the Payment Handler.

                       The content of this attribute is dependent on the
                       Transport Mechanism must conform to [RFC1738].

                       See also Section 3.9 Secure and Insecure Net
                       Locations.

   ContentSoftwareId   See section 14. Glossary.

   Content:

   PackagedContent    Additional information about the delivery as one
                      or more Packaged Content elements (see section
                      3.7) provided to the Delivery Handler by the
                      merchant.

7.14 Consumer Delivery Data Component

   A Consumer Delivery Data Component is used by a Consumer to specify
   an identifier that can be used by the Consumer to identify the
   Delivery.

   Its definition is as follows:

   <!ELEMENT ConsumerDeliveryData EMPTY >
   <!ATTLIST ConsumerDeliveryData
    ID                 ID      #REQUIRED
    ConsumerDeliveryId CDATA   #REQUIRED>

   Attributes:

   ID                  An identifier which uniquely identifies the
                       Consumer Delivery Data Component within the IOTP
                       Transaction.






Burdett                      Informational                    [Page 132]


RFC 2801                       IOTP/1.0                       April 2000


   ConsumerDeliveryId  An identifier specified by the Consumer which, if
                       returned by the Delivery Handler will enable the
                       Consumer to identify which Delivery is being
                       referred to.

7.15 Delivery Note Component

   A Delivery Note contains delivery instructions about the delivery of
   goods or services or potentially the actual Delivery Information
   itself.  It is information which the person or Organisation receiving
   the Delivery Note can use when delivery occurs.

   For interoperability, the Delivery Note Component Packaged Content
   should support both Plain Text, HTML and XML.

   It's definition is as follows.

   <!ELEMENT DeliveryNote (PackagedContent+) >
   <!ATTLIST DeliveryNote
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    DelivHandlerDelivId CDATA  #IMPLIED
    ContentSoftwareId  CDATA   #IMPLIED >

   Attributes:

   ID                   An identifier which uniquely identifies the
                        Delivery Note Component within the IOTP
                        Transaction.

   xml:lang             Defines the language used by attributes or child
                        elements within this component, unless
                        overridden by an xml:lang attribute on a child
                        element. See section 3.8 Identifying Languages.

   DelivHandlerDelivId  An optional identifier specified by the Delivery
                        Handler which, if returned by the Consumer in
                        another Delivery Component, or by other means,
                        will enable the Delivery Handler to identify
                        which Delivery is being referred to. It is
                        required on every Delivery Component apart from
                        the one contained in a Delivery Request Block.

                        An example use of this attribute is to contain a
                        delivery tracking number.

   ContentSoftwareId    See section 14. Glossary.




Burdett                      Informational                    [Page 133]


RFC 2801                       IOTP/1.0                       April 2000


   Content:

   PackagedContent    Contains actual delivery note information as one
                      or more Packaged Content elements (see section
                      3.7).

   Note: If the content of the Delivery Message is a Mime message then
   the Delivery Note may trigger an application which causes the actual
   delivery to occur.

7.16 Status Component

   A Status Component contains status information about the business
   success or failure (see section 4.2) of a process.

   Its definition is as follows.

   <!ELEMENT Status EMPTY >
   <!ATTLIST Status
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    StatusType         NMTOKEN #REQUIRED
    ElRef              NMTOKEN #IMPLIED
    ProcessState (NotYetStarted | InProgress |
        CompletedOk | Failed | ProcessError) #REQUIRED
    CompletionCode     NMTOKEN #IMPLIED
    ProcessReference   CDATA   #IMPLIED
    StatusDesc         CDATA   #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the Status
                      Component within the IOTP Transaction.

   xml:lang           Defines the language used by attributes within
                      this component. See section 3.8 Identifying
                      Languages.

   StatusType         Indicates the type of Document Exchange which the
                      Status is reporting on. It may be set to either
                      Offer, Payment, Delivery, Authentication or
                      Undefined.

                      Undefined means that the type of document exchange
                      could not be identified. This is caused by an
                      error in the initial input message of the
                      exchange.




Burdett                      Informational                    [Page 134]


RFC 2801                       IOTP/1.0                       April 2000


                      Values of StatusType are managed under the
                      procedure described in section 12 IANA
                      Considerations which also allows user defined
                      values of StatusType to be defined.

   ElRef              If the StatusType is not set to Undefined then
                      ElRef contains an Element Reference (see section
                      3.5) to the Component for which the Status is
                      being described. It must refer to either:
                       o an Order Component (see section 7.5), if the
                         StatusType is Offer,
                       o a Payment Component (see section 7.9), if the
                         StatusType is Payment, or
                       o a Delivery Component (see section 7.13), if
                         the StatusType is Delivery
                       o an Authentication Request Component (see
                         section 7.2) if the StatusType is
                         Authentication.

   ProcessState       Contains a State Code which indicates the current
                      state of the process being carried out. Valid
                      values for ProcessState are:
                       o NotYetStarted. A Request Block has been
                         received but the process has not yet started
                       o InProgress. Processing of the Request Block
                         has started but it is not yet complete
                       o CompletedOk. The processing of the Request
                         Block has completed successfully without any
                         errors
                       o Failed. The processing of the Request Block
                         has failed because of a Business Error (see
                         section 4.2)
                       o ProcessError. This value is only used when the
                         Status Component is being used in connection
                         with an Inquiry Request Trading Block (see
                         section 8.12). It indicates there was a
                         Technical Error (see section 4.1) in the
                         Request Block which is being processed or some
                         internal processing error.

                      Note that this code reports on the processing of a
                      Request Block. Further, asynchronous processing
                      may occur after the Response Block associated with
                      the Process has been sent.







Burdett                      Informational                    [Page 135]


RFC 2801                       IOTP/1.0                       April 2000


   CompletionCode     Indicates how the process completed. Valid values
                      for the CompletionCode are given below together
                      with the conditions when it must be present and
                      indications on when recovery from failures are
                      possible.

                      A CompletionCode is a maximum of 14 characters
                      long.

   ProcessReference   This optional attribute holds a reference for the
                      process whose status is being reported. It may
                      hold the following values:
                       o when StatusType is set to Offer, it should
                         contain the OrderIdentifier from the Order
                         Component
                       o when StatusType is set to Payment, it should
                         contain the PaymentHandlerPayId from the
                         Payment Scheme Data Component
                       o when StatusType is set to Delivery, it should
                         contain the DelivHandlerDelivId from the
                         Delivery Note Component
                       o when StatusType is set to Authentication, it
                         should contain the AuthenticationId from the
                         Authentication Request Component

                      This attribute should be absent in the Inquiry
                      Request message when the Consumer has not been
                      given such a reference number by the IOTP Service
                      Provider.

                      This attribute can be used inside an Inquiry
                      Response Block (see section 8.13) to give the
                      reference number for a transaction which has
                      previously been unavailable.

                      For example, the package tracking number might not
                      be assigned at the time a delivery response was
                      received. However, if the Consumer issues a
                      Baseline Transaction Status Inquiry later, the
                      Delivery Handler can put the package tracking
                      number into this attribute in the Inquiry Response
                      message and send it back to the Consumer.

   StatusDesc         An optional textual description of the current
                      status of the process in the language identified
                      by xml:lang.





Burdett                      Informational                    [Page 136]


RFC 2801                       IOTP/1.0                       April 2000


7.16.1 Offer Completion Codes

   The Completion Code is only required if the ProcessState attribute is
   set to Failed. The following table contains the valid values for the
   CompletionCode that may be used and indicates whether or not recovery
   might be possible. It is recommended that the StatusDesc attribute is
   used to provide further explanation where appropriate.

       Value                            Description

   AuthError        Authentication Error. The check of the
                    Authentication Response which was carried out has
                    failed.

                    Recovery may be possible by the Consumer re-
                    submitting a new Authentication Response Block with
                    corrected information.

   ConsCancelled    Consumer Cancelled. The Consumer decides to cancel
                    the transaction for some reason. This code is only
                    valid in a Status Component contained in a Cancel
                    Block or an Inquiry Response Block.

                    No recovery possible.

   MerchCancelled   Offer Cancelled. The Merchant declines to generate
                    an offer for some reason and cancels the
                    transaction. This code is only valid in a Status
                    Component contained in a Cancel Block or an Inquiry
                    Response Block.

                    No recovery possible.

   Unspecified      Unspecified error. There is some unknown problem or
                    error which does not fall into one of the other
                    CompletionCodes.

                    No recovery possible.

   TimedOutRcvr     Recoverable Time Out. Messages were resent but no
                    response received. The document exchange has
                    therefore "Timed Out". This code is only valid on a
                    Transaction Inquiry.

                    Recovery is possible if the last message from the
                    other Trading Role is received again.





Burdett                      Informational                    [Page 137]


RFC 2801                       IOTP/1.0                       April 2000


   TimedOutNoRcvr   Non Recoverable Time Out. Messages were resent but
                    no response received. The document exchange has
                    therefore "Timed Out". This code is only valid on a
                    Transaction Inquiry.

                    No recovery possible.

7.16.2 Payment Completion Codes

   The CompletionCode is only required if the ProcessState attribute is
   set to Failed. The following table contains the valid values for the
   CompletionCode that may be used and indicates where recovery may be
   possible. It is recommended that the StatusDesc attribute is used by
   individual payment schemes to provide further explanation where
   appropriate.

         Value                           Description

   BrandNotSupp       Brand not supported. The payment brand is not
                      supported by the Payment Handler.

                      See below for recovery options.

   CurrNotSupp        Currency not supported. The currency in which the
                      payment is to be made is not supported by either
                      the Payment Instrument or the Payment Handler.

                      If the payment is Brand Independent, then the
                      Consumer may recover by selecting a different
                      currency, if available, or a different brand. Note
                      that this may involve a different Payment Handler.

   ConsCancelled      Consumer Cancelled. The Consumer decides to cancel
                      the payment for some reason. This code is only
                      valid in a Status Component contained in a Cancel
                      Block or an Inquiry Response Block.

                      Recovery is not possible.

   PaymtCancelled     Payment Cancelled. The Payment Handler declines to
                      complete the payment for some reason and cancels
                      the transaction. This code is only valid in a
                      Status Component contained in a Cancel Block or an
                      Inquiry Response Block.

                      See below for recovery options.





Burdett                      Informational                    [Page 138]


RFC 2801                       IOTP/1.0                       April 2000


   AuthError          Authentication Error. The Payment Scheme specific
                      authentication check which was carried out has
                      failed.

                      Recovery may be possible. See the payment scheme
                      supplement to determine what is allowed.

   InsuffFunds        Insufficient funds. There are insufficient funds
                      available for the payment to be made.

                      See below for recovery options.

   InstBrandInvalid   Payment Instrument not valid for Brand. A Payment
                      Instrument is being used which does not correspond
                      with the Brand selected. For example a Visa credit
                      card is being used when MasterCard was selected as
                      the Brand.

                      See below for recovery options.

   InstNotValid       Payment instrument not valid for trade. The
                      Payment Instrument cannot be used for the proposed
                      type of trade, for some reason.

                      See below for recovery options.

   BadInstrument      Bad instrument. There is a problem with the
                      Payment Instrument being used which means that it
                      is unable to be used for the payment.

                      See below for recovery options.

   Unspecified        Unspecified error. There is some unknown problem
                      or error which does not fall into one of the other
                      CompletionCodes. The StatusDesc attribute should
                      provide the explanation of the cause.

                      See below for recovery options.

   TimedOutRcvr       Recoverable Time Out. Messages were resent but no
                      response received. The document exchange has
                      therefore "Timed Out". This code is only valid on
                      a Transaction Inquiry.

                      Recovery is possible if the last message from the
                      other Trading Role is received again.





Burdett                      Informational                    [Page 139]


RFC 2801                       IOTP/1.0                       April 2000


   TimedOutNoRcvr     Non Recoverable Time Out. Messages were resent but
                      no response received. The document exchange has
                      therefore "Timed Out". This code is only valid on
                      a Transaction Inquiry.

                      No recovery possible.

   If the Payment is Brand Independent, then recovery may be possible
   for some values of the Completion Code, by the Consumer selecting
   either a different payment brand or a different payment instrument
   for the same brand. Note that this might involve a different Payment
   Handler. The codes to which this applies are: BrandNotSupp,
   PaymtCancelled, InsuffFunds, InstBrandInvalid, InstNotValid,
   BadInstrument and Unspecified.

   Recovery from Payments associated with Brand Dependent purchases is
   only possible, if the Brand Selection component sent by the Merchant
   to the Consumer does not change. In practice this means that the same
   Brand, Protocol Amount and PayProtocol elements must be used. All
   that can change is the Payment Instrument. Any other change will
   invalidate the Merchant's Offer as a changed selection will
   invalidate the Offer Response.

7.16.3 Delivery Completion Codes

   The following table contains the valid values for the CompletionCode
   attribute for a Delivery. It is recommended that the StatusDesc
   attribute is used to provide further explanation where appropriate.

        Value                           Description

   BackOrdered     Back Ordered. The goods to be delivered are on order
                   but they have not yet been received. Shipping will be
                   arranged when they are received. This is only valid
                   if ProcessState is CompletedOk.

                   Recovery is not possible.

   PermNotAvail    Permanently Not Available. The goods are permanently
                   unavailable and cannot be re-ordered. This is only
                   valid if ProcessState is Failed.

                   Recovery is not possible.

   TempNotAvail    Temporarily Not Available. The goods are temporarily
                   unavailable and may become available if they can be
                   ordered. This is only valid if ProcessState is
                   CompletedOk.



Burdett                      Informational                    [Page 140]


RFC 2801                       IOTP/1.0                       April 2000


                   Recovery is not possible.

   ShipPending     Shipping Pending. The goods are available and are
                   scheduled for shipping but they have not yet been
                   shipped. This is only valid if ProcessState is
                   CompletedOk.

                   Recovery is not possible.

   Shipped         Goods Shipped. The goods have been shipped.
                   Confirmation of delivery is awaited. This is only
                   valid if ProcessState is CompletedOk.

                   Recovery is not possible.

   ShippedNoConf   Shipped - No Delivery Confirmation. The goods have
                   been shipped but it is not possible to confirm
                   delivery of the goods. This is only valid if
                   ProcessState is CompletedOk.

                   Recovery is not possible.

   ConsCancelled   Consumer Cancelled. The Consumer decides to cancel
                   the delivery for some reason. This code is only valid
                   in a Status Component contained in a Cancel Block or
                   an Inquiry Response Block.

                   Recovery is not possible.

   DelivCancelled  Delivery Cancelled. The Delivery Handler declines to
                   complete the Delivery for some reason and cancels the
                   transaction. This code is only valid in a Status
                   Component contained in a Cancel Block or an Inquiry
                   Response Block.

                   Recovery is not possible.

   Confirmed       Confirmed. All goods have been delivered and
                   confirmation of their delivery has been received.
                   This is only valid if ProcessState is CompletedOk.

                   Recovery is not possible.

   Unspecified     Unspecified error. There is some unknown problem or
                   error which does not fall into one of the other
                   CompletionCodes. The StatusDesc attribute should
                   provide the explanation of the cause.




Burdett                      Informational                    [Page 141]


RFC 2801                       IOTP/1.0                       April 2000


                   Recovery is not possible.

   TimedOutRcvr    Recoverable Time Out. Messages were resent but no
                   response received. The document exchange has
                   therefore "Timed Out". This code is only valid on a
                   Transaction Inquiry.

                   Recovery is possible if the last message from the
                   other Trading Role is received again.

   TimedOutNoRcvr  Non Recoverable Time Out. Messages were resent but no
                   response received. The document exchange has
                   therefore "Timed Out". This code is only valid on a
                   Transaction Inquiry.

                   No recovery possible.

   Note: Recovery from failed, or partially completed deliveries is not
   possible. The Consumer should use the Transaction Status Inquiry
   Transaction (see section 9.2.1) to determine up-to- date information
   on the current state.

7.16.4 Authentication Completion Codes

   The Completion Code is only required if the ProcessState attribute is
   set to Failed. The following table contains the valid values for the
   CompletionCode that may be used. It is recommended that the
   StatusDesc attribute is used to provide further explanation where
   appropriate.

        Value                           Description

   AutEeCancel     Authenticatee Cancel. The Organisation being
                   authenticated declines to be authenticated for some
                   reason. This could be, for example because the
                   signature on an Authentication Request was invalid or
                   the Authenticator was not known or acceptable to the
                   Authenticatee.

                   Recovery is not possible.

   AutOrCancel     Authenticator Cancel. The Organisation requesting
                   authentication declines to validate the
                   Authentication Response received for some reason and
                   cancels the transaction.

                   Recovery is not possible.




Burdett                      Informational                    [Page 142]


RFC 2801                       IOTP/1.0                       April 2000


   NoAuthReq       Authentication Request Not Available. The
                   Authenticatee does not have the data that must be
                   provided so that they may be successfully
                   authenticated. For example a password may have been
                   forgotten, the Authenticatee has not yet become a
                   member, or a smart card token is not present.

                   Recovery is not possible

   AuthFailed      Authentication Failed. The Authenticator checked the
                   Authentication Response but the authentication failed
                   for some reason. For example a password may have been
                   incorrect.

                   Recovery may be possible by the Authenticatee re-
                   sending a revised Authentication Response with
                   corrected data.

   TradRolesIncon  Trading Roles Inconsistent. The Trading Roles
                   contained within the TradingRoleList attribute of the
                   Trading Role Information Request Component (see
                   section 7.4) are inconsistent with the Trading Role
                   which the Authenticatee is taking in the IOTP
                   Transaction or is able to take. Examples of
                   inconsistencies include:
                    o asking a PaymentHandler for DeliveryHandler
                     information
                    o asking a Consumer for Merchant information

                   Recovery may be possible by the Authenticator re-
                   sending a revised Authentication Request Block with
                   corrected information.

   Unspecified     Unspecified error. There is some unknown problem or
                   error which does not fall into one of the other
                   CompletionCodes.

                   Recovery is not possible.

   TimedOutRcvr    Recoverable Time Out. Messages were resent but no
                   response received. The document exchange has
                   therefore "Timed Out". This code is only valid on a
                   Transaction Inquiry.

                   Recovery is possible if the last message from the
                   other Trading Role is received again.





Burdett                      Informational                    [Page 143]


RFC 2801                       IOTP/1.0                       April 2000


   TimedOutNoRcvr  Non Recoverable Time Out. Messages were resent but no
                   response received. The document exchange has
                   therefore "Timed Out". This code is only valid on a
                   Transaction Inquiry.

                   No recovery possible.

7.16.5 Undefined Completion Codes

   The Completion Code is only required if the ProcessState attribute is
   set to Failed. The following table contains the valid values for the
   CompletionCode that may be used. It is recommended that the
   StatusDesc attribute is used to provide further explanation where
   appropriate.

        Value                           Description

   InMsgHardError  Input Message Hard Error. The type of Request Block
                   could not be identified or was inconsistent.
                   Therefore no single Document Exchange could be
                   identified. This will cause a Hard Error in the
                   transaction

7.16.6 Transaction Inquiry Completion Codes

   The Completion Code is only required if the ProcessState attribute is
   set to Failed. The following table contains the valid values for the
   CompletionCode that may be used. It is recommended that the
   StatusDesc attribute is used to provide further explanation where
   appropriate.

        Value                           Description

   UnAuthReq       Unauthorised Request. The recipient of the
                   Transaction Status Request declines to respond to the
                   request.

7.17 Trading Role Data Component

   The Trading Role Data Component contains opaque data which needs to
   be communicated between the Trading Roles involved in an IOTP
   Transaction.

   Trading Role Components identify:

   o the Organisation that generated the component, and

   o the Organisation that is to receive it.



Burdett                      Informational                    [Page 144]


RFC 2801                       IOTP/1.0                       April 2000


   They are first generated and included in a "Response" Block, and then
   copied to the appropriate "Request" Block. For example a Payment
   Handler might need to inform a Delivery Handler that a credit card
   payment had been authorised but not captured. There may also be other
   information that the Payment Handler has generated where the format
   is privately agreed with the Delivery Handler which needs to be
   communicated. In another example a Merchant might need to provide a
   Payment Handler with some specific information about a Consumer so
   that consumer can acquire double loyalty points with the payment.

   Its definition is as follows.

   <!ELEMENT TradingRoleData (PackagedContent+) >
   <!ATTLIST TradingRoleData
     ID                ID      #REQUIRED
     OriginatorElRef   NMTOKEN #REQUIRED
     DestinationElRefs NMTOKENS #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Trading Role Data Component within the IOTP
                      Transaction.

   OrginatorElRef     Contains an element reference to the Organisation
                      Component of the Organisation that created the
                      Trading Role Data Component and included it in a
                      "Response" Block (e.g., an Offer Response or a
                      Payment Response Block).

   DestinationElRefs  Contains element references to the Organisation
                      Components of the Organisations that are to
                      receive the Trading Role Data Component in a
                      "Request" Block (e.g., either a Payment Request or
                      a Delivery Request Block).

   Content:

   PackagedContent    This contains the data which is to be sent between
                      the various Trading Roles as one or more
                      PackagedContent elements see section 3.7.

7.17.1 Who Receives a Trading Role Data Component

   The rules for deciding what to do with Trading Role Data Components
   are described below.





Burdett                      Informational                    [Page 145]


RFC 2801                       IOTP/1.0                       April 2000


   o  whenever a Trading Role Data Component is received in a "Response"
      block identify the Organisation Components of the Organisations
      that are to receive it as identified by the DestinationElRefs
      attribute.

   o  whenever a "Request" Block is being sent, check to see if it is
      being sent to one of the Organisations identified by the
      DestinationElRefs attribute. If it is then include in the
      "Request" block:

      -  the Trading Role Data Component as well as,

      -  the Organisation Component of the Organisation identified by
         the OriginatorElRef attribute (if not already present)

7.18 Inquiry Type Component

   The Inquiry Type Component contains the information which indicates
   the type of process that is being inquired upon. Its definition is as
   follows.

   <!ELEMENT InquiryType EMPTY >
   <!ATTLIST InquiryType
    ID                 ID      #REQUIRED
    Type               NMTOKEN #REQUIRED
    ElRef              NMTOKEN #IMPLIED
    ProcessReference   CDATA   #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Inquiry Type Component within the IOTP
                      Transaction.

   Type               Contains the type of inquiry. Valid values for
                      Type are:
                       o Offer. The inquiry is about the status of an
                         offer and is addressed to the Merchant.
                       o Payment. The inquiry is about the status of a
                         payment and is addressed to the Payment
                         Handler.
                       o Delivery. The inquiry is about the status of a
                         delivery and addressed to the Delivery Handler.

   ElRef              Contains an Element Reference (see section 3.5) to
                      the component to which this Inquiry Type Component
                      applies. That is,
                       o TPO Block when Type is Offer



Burdett                      Informational                    [Page 146]


RFC 2801                       IOTP/1.0                       April 2000


                       o Payment Component when Type is Payment
                       o Delivery Component when Type is Delivery

   ProcessReference   Optionally contains a reference to the process
                      being inquired upon. It should be set if the
                      information is available. For the definition of
                      the values it may contain, see the
                      ProcessReference attribute of the Status Component
                      (see section 7.16).

7.19 Signature Component

   Note: Definitions of the XML structures for signatures and
   certificates are described in the document titled "Digital Signatures
   for the Internet Open Trading Protocol" by Kent Davidson and Yoshiaki
   Kawatsura published at the same time as this document - see
   [IOTPDSIG].

   In the future it is anticipated that future versions of IOTP will
   adopt a whatever method for digitally signing XML becomes the
   standard.

   Each Signature Component digitally signs one or more Blocks or
   Components including other Signature Components.

   The Signature Component:

   o  contains digests of one or more Blocks or Components in one or
      more IOTP Messages within the same IOTP Transaction and places the
      result in a Digest Element

   o  concatenates these Digest elements with other information on the
      type of signature, the originator and potential recipients of the
      signature and details of the signature algorithms being used and
      places them in a Manifest element, and

   o  signs the Manifest element using the optional certificate
      identified in the Certificate element within the Signature Block
      placing the result in a Value element within a Signature Component

   Note that there may be multiple Value elements that contain
   signatures of a Manifest Element.

   A Signature Component can be one of four types either:

   o an Offer Response Signature,

   o a Payment Response Signature,



Burdett                      Informational                    [Page 147]


RFC 2801                       IOTP/1.0                       April 2000


   o a Delivery Response Signature, or

   o an Authentication Response Signature.

   For a general explanation of signatures see section 6 Digital
   Signatures.

7.19.1 IOTP usage of signature elements and attributes

   Definitions of the elements and attributes are contained in
   [IOTPDSIG].  The following contains additional information that
   describes how these elements and attributes are used by IOTP.

   SIGNATURE ELEMENT

   The ID attribute is mandatory.

   MANIFEST ELEMENT

   The optional LocatorHrefBase attribute contains text which should be
   concatenated before the text contained in the LocatorHREF attribute
   of all Digest elements within the Manifest.

   Its purpose is to reduce the size of LocatorHREF attribute values
   since the first part of the LocatorHREF attributes in the same
   signature are likely to be the same.

   Typically, within IOTP, it will contain all the characters in a
   LocatorHref attribute up to the sharp ("#") character (see
   immediately below).

   ALGORITHM AND PARAMETER ELEMENTS

   The algorithm element identifies the algorithms used in generating
   the signature. The type of the algorithm is defined by the value of
   the Type attribute which indicates if it is to be used as a Digest
   algorithm, a Signature algorithm or a Key Agreement algorithm.

   The following Digest algorithms must be implemented:

   o  a [DOM-HASH] algorithm. This is identified by setting the Name
      attribute of the Algorithm element to "urn:ibm:dom-hash"

   o  a [SHA1] algorithm. This is identified by setting the Name
      attribute of the Algorithm element to "urn:fips:sha1", and

   o  a [MD5] algorithm. This is identified by setting the Name
      attribute of the Algorithm element to "urn:rsa:md5"



Burdett                      Informational                    [Page 148]


RFC 2801                       IOTP/1.0                       April 2000


   o  The following Signature algorithms must be implemented:

   o  a [DSA] algorithm. This is identified by setting the Name
      attribute of the Algorithm element to "urn:us.gov:dsa"

   o  a [HMAC] algorithm. This is identified by setting the Name
      attribute of the Algorithm element to "urn:ibm:hmac"

   It is recommended that the following Signature algorithm is also
   implemented:

   o  a [RSA] algorithm. This is identified by setting the Name
      attribute of the Algorithm element to "urn:rsa:rsa"

   In addition other payment scheme specific algorithms may be used. In
   this case the value of the name attribute to use is specified in the
   payment scheme supplement for that algorithm.

   One algorithm may make use of other algorithms by use of the
   Parameter element, for example:

   <Algorithm ID=A1 type="digest" name="urn:ibm:dom-hash">
     <Parameter type='AlgorithmRef'>A2</Parameter>
   </Algorithm>
   <Algorithm ID=A2 type="digest" name="urn:fips:sha1">
   </Algorithm>
   <Algorithm ID=A3 type="signature" name="urn:ibm:hmac">
       <Parameter type='AlgorithmRef'>A1</Parameter>
   </Algorithm>

   DIGEST ELEMENT

   The LocatorHREF attribute identifies the IOTP element which is being
   digitally signed. Specifically it consists of:

   o  the value of the IotpTransId attribute of the Transaction ID
      Component, followed by:

   o  a sharp character, i.e. "#", followed by

   o  an Element Reference (see section 3.5) to the element within the
      IOTP Transaction which is the subject of the digest.

   Before analysing the structure of the LocatorHREF attribute, it must
   be concatenated with the value of the LocatorHrefBase attribute of
   the Manifest element (see immediately above).





Burdett                      Informational                    [Page 149]


RFC 2801                       IOTP/1.0                       April 2000


   ATTRIBUTE ELEMENT

   There must be one and only one Attribute Element that contains a Type
   attribute with a value of IOTP Signature Type and with content set to
   either: OfferResponse, PaymentResponse, DeliveryResponse,

   AuthenticationRequest, AuthenticationResponse, PingRequest or
   PingResponse; depending on the type of the signature.

   Values of the content of the Attribute element are controlled under
   the procedures defined in section 12 IANA Considerations which also
   allows user defined values to be defined.

   The Critical attribute must be set to true.

   ORIGINATORINFO ELEMENT

   The OriginatorRef attribute of the OriginatorInfo element must always
   be present and contain an Element Reference (see section 3.5) to the
   Organisation Component of the Organisation that generated the
   Signature Component.

   RECIPIENTINFO ELEMENT

   The RecipientRefs attribute contains a list of Element References
   (see section 3.5), that point to the Organisations that might need to
   validate the signature. For details see below.

7.19.2 Offer Response Signature Component

   The Manifest Element of a signature which has a type of OfferResponse
   should contain Digest elements for the following Components:

   o  the Transaction Id Component (see section 3.3.1) of the IOTP
      message that contains the Offer Response Signature

   o  the Transaction Reference Block (see section 3.3) of the IOTP
      Message that contains the Offer Response Signature

   o  from the TPO Block:

      -  the Protocol Options Component

      -  each of the Organisation Components

      -  each of the Brand List Components





Burdett                      Informational                    [Page 150]


RFC 2801                       IOTP/1.0                       April 2000


   o  optionally, all the Brand Selection Components if they were sent
      to the Merchant in a TPO Selection Block

   o  from the Offer Response Block:

      - the Order Component

      - each of the Payment Components

      - the Delivery Component

      - each of the Authentication Request Components

      - any Trading Role Data Components

   The Offer Response Signature should also contain Digest elements for
   the components that describe each of the Organisations that may or
   will need to verify the signature. This involves:

   o  if the Merchant has received a TPO Selection Block containing
      Brand Selection Components, then generate a Digest element for the
      Payment Handler identified by the Brand Selection Component and
      the Delivery Handler identified by the Delivery Component. See
      section 6.3.1 Check Request Block sent Correct Organisation for a
      description of how this can be done.

   o  if the Merchant is not expecting to receive a TPO Selection Block
      then generate a Digest element for the Delivery Handler and all
      the Payment Handlers that are involved.

7.19.3 Payment Receipt Signature Component

   The Manifest Element of the Payment Receipt Signature Component
   should contain Digest Elements for the following Components:

   o  the Transaction Id Component (see section 3.3.1) of the IOTP
      message that contains the Payment Receipt Signature

   o  the Transaction Reference Block (see section 3.3) of the IOTP
      Message that contains the Payment Receipt Signature

   o  the Offer Response Signature Component

   o  the Payment Receipt Component

   o  the Payment Note Component

   o  the Status Component



Burdett                      Informational                    [Page 151]


RFC 2801                       IOTP/1.0                       April 2000


   o  the Brand Selection Component.

   o  any Trading Role Data Components

7.19.4 Delivery Response Signature Component

   The Manifest Element of the Delivery Response Signature Component
   should contain Digest Elements for the following Components:

   o  the Transaction Id Component (see section 3.3.1) of the IOTP
      message that contains the Delivery  Response Signature

   o  the Transaction Reference Block (see section 3.3) of the IOTP
      Message that contains the Delivery Response Signature

   o  the Consumer Delivery Data component contained in the preceding
      Delivery Request (if any)

   o  the Signature Components contained in the preceding Delivery
      Request (if any)

   o  the Status Component

   o  the Delivery Note Component

7.19.5 Authentication Request Signature Component

   The Manifest Element of the Authentication Request Signature
   Component should contain Digest Elements for the following
   Components:

   o  the Transaction Reference Block (see section 3.3) for the IOTP
      Message that contains information that describes the IOTP Message
      and IOTP Transaction

   o  the Transaction Id Component (see section 3.3.1) which globally
      uniquely identifies the IOTP Transaction

   o  the following components of the TPO Block :

      -  the Protocol Options Component

      -  the Organisation Component

   o  the following components of the Authentication Request Block:

      -  the Authentication Request Component(s) (if present)




Burdett                      Informational                    [Page 152]


RFC 2801                       IOTP/1.0                       April 2000


      -  the Trading Role Information Request Component (if present)

7.19.6 Authentication Response Signature Component

   The Manifest Element of the Authentication Response Signature
   Component should contain Digest Elements for the following
   Components:

   o  the Transaction Reference Block (see section 3.3) for the IOTP
      Message that contains information that describes the IOTP Message
      and IOTP Transaction

   o  the Transaction Id Component (see section 3.3.1) which globally
      uniquely identifies the IOTP Transaction

   o  the following components of the Authentication Request Block:

      -  the Authentication Request Component that was used in the
         Authentication (if present)

      -  the Trading Role Information Request Component (if present)

   o  the Organisation Components contained in the Authentication
      Response Block

7.19.7 Inquiry Request Signature Component

   If the Inquiry Request is being signed (see section 9.2.1) the
   Manifest Element of the Inquiry Request Signature Component should
   contain Digest elements of the Inquiry Type Component, and if
   present, the Payment Scheme Component.

7.19.8 Inquiry Response Signature Component

   If the Inquiry Response is being signed (see section 9.2.1) the
   Manifest Element of the Inquiry Response Signature Component should
   contain Digest elements of the Trading Response Block and the Status
   Component.

7.19.9 Ping Request Signature Component

   If the Ping Request is being singed (see section 9.2.2), the Manifest
   Element of the Ping Request Signature Component should contain Digest
   elements for all the Organisation Components.







Burdett                      Informational                    [Page 153]


RFC 2801                       IOTP/1.0                       April 2000


7.19.10 Ping Response Signature Component

   If the Ping Response is being singed (see section 9.2.2), the
   Manifest Element of the Ping Response Signature Component should
   contain Digest elements fir all the Organisation Components.

7.20 Certificate Component

   Note: Definitions of the XML structures for signatures and
   certificates are described in the paper "Digital Signatures for the
   Internet Open Trading Protocol", see [IOTPDSIG].

   See note at the start of section 7.19 Signature Component for more
   details.

   A Certificate Component contains a Digital Certificate. They are used
   only when required, for example, when asymmetric cryptography is
   being used and the recipient of the signature that needs to check has
   not already received the Public Key.

   The structure of a Certificate Component is defined in [IOTPDSIG].

7.20.1 IOTP usage of signature elements and attributes

   Detailed definitions of the above elements and attributes are
   contained in [IOTPDSIG]. The following contains additional
   information that describes how these elements and attributes are used
   by IOTP.

   CERTIFICATE COMPONENT

   The ID attribute is mandatory.

   VALUE ELEMENT

   The ID attribute is mandatory.

7.21 Error Component

   The Error Component contains information about Technical Errors (see
   section 4.1) in an IOTP Message which has been received by one of the
   Trading Roles involved in the trade.

   For clarity two phrases are defined which are used in the description
   of an Error Component:

   o  message in error. An IOTP message which contains or causes an
      error of some kind



Burdett                      Informational                    [Page 154]


RFC 2801                       IOTP/1.0                       April 2000


   o  message reporting the error. An IOTP message that contains an
      Error Component that describes the error found in a message in
      error.

   The definition of the Error Component is as follows.

   <!ELEMENT ErrorComp (ErrorLocation+, PackagedContent*) >
   <!ATTLIST ErrorComp
    ID                 NMTOKEN #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    ErrorCode          NMTOKEN #REQUIRED
    ErrorDesc          CDATA   #REQUIRED
    Severity (Warning|TransientError|HardError) #REQUIRED
    MinRetrySecs       CDATA   #IMPLIED
    SwVendorErrorRef   CDATA   #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the Error
                      Component within the IOTP Transaction.

   xml:lang           Defines the language used by attributes or child
                      elements within this component, unless overridden
                      by an xml:lang attribute on a child element. See
                      section 3.8 Identifying Languages.

   ErrorCode          Contains an error code which indicates the nature
                      of the error in the message in error. Valid values
                      for the ErrorCode are given in section 7.21.2
                      Error Codes.

   ErrorDesc          Contains a narrative description of the error in
                      the language defined by xml:lang. The content of
                      this attribute is defined by the vendor/developer
                      of the software which generated the Error
                      Component

   Severity           Indicates the severity of the error.  Valid values
                      are:
                       o Warning. This indicates that although there is
                         a message in error the IOTP Transaction can
                         still continue.
                       o TransientError. This indicates that the error
                         in the message in error may be recovered if the
                         message in error  that is referred to by the
                         ErrorLocation element is resent





Burdett                      Informational                    [Page 155]


RFC 2801                       IOTP/1.0                       April 2000


                       o HardError. This indicates that there is an
                         unrecoverable error in the message in error and
                         the IOTP Transaction must stop.

   MinRetrySecs       This attribute should be present if Severity is
                      set to TransientError. It is the minimum number of
                      whole seconds which the IOTP aware application
                      which received the message reporting the error
                      should wait before re-sending the message in error
                      identified by the ErrorLocation element.

                      If Severity is not set to TransientError then the
                      value of this attribute is ignored.

   SwVendorErrorRef   This attribute is a reference whose value is set
                      by the vendor/developer of the software which
                      generated the Error Component. It should contain
                      data which enables the vendor to identify the
                      precise location in their software and the set of
                      circumstances which caused the software to
                      generate a message reporting the error. See also
                      the SoftwareId attribute of the Message Id element
                      in the Transaction Reference Block (section 3.3).

   Content:

   ErrorLocation      This identifies the IOTP Transaction Id of the
                      message in error  and, where possible, the element
                      and attribute in the message in error that caused
                      the Error Component to be generated.

                      If the Severity of the error is not
                      TransientError, more than one ErrorLocation may be
                      specified as appropriate depending on the nature
                      of the error (see section 7.21.2 Error Codes) and
                      at the discretion of  the vendor/developer of the
                      IOTP Aware Application.

   PackagedContent    This contains additional data which can be used to
                      understand the error. Its content may vary as
                      appropriate depending on the nature of the error
                      (see section 7.21.2 Error Codes) and at the
                      discretion of the vendor/developer of the IOTP
                      Aware Application. For a definition of
                      PackagedContent see section 3.7.






Burdett                      Informational                    [Page 156]


RFC 2801                       IOTP/1.0                       April 2000


7.21.1 Error Processing Guidelines

   If there is more than one Error Component in a message reporting the
   error, carry out the actions appropriate for the Error Component with
   the highest severity. In this context, HardError has a higher
   severity than TransientError, which has a higher severity than
   Warning.

7.21.1.1 Severity - Warning

   If an IOTP aware application is generating a message reporting the
   error with an Error Component where the Severity attribute is set to
   Warning, then if the message reporting the error does not contain
   another Error Component with a severity higher than Warning, the IOTP
   Message must also include the Trading Blocks and Trading Components
   that would have been included if no error was being reported.

   If a message reporting the error is received with an Error Component
   where Severity is set to Warning, then:

   o  it is recommended that information about the error is either
      logged, or otherwise reported to the user,

   o  the implementer of the IOTP aware application must either, at
      their or the user's discretion:

      -  continue the IOTP transaction as normal, or

      -  fail the IOTP transaction by generating a message reporting the
         error with an Error Component with Severity set to HardError
         (see section 7.21.1.3).

   If the intention is to continue the IOTP transaction then, if there
   are no other Error Components with a higher severity, check that the
   necessary Trading Blocks and Trading Components for normal processing
   of the transaction to continue are present. If they are not then
   generate a message reporting the error with an Error Component with
   Severity set to HardError.

7.21.1.2 Severity - Transient Error

   If an IOTP Aware Application is generating a message reporting the
   error with an Error Component where the Severity attribute is set to
   TransientError, then there should be only one Error Component in the
   message reporting the error. In addition, the MinRetrySecs attribute
   should be present.





Burdett                      Informational                    [Page 157]


RFC 2801                       IOTP/1.0                       April 2000


   If a message reporting the error is received with an Error Component
   where Severity is set to TransientError then:

   o  if the MinRetrySecs attribute is present and a valid number, then
      use the MinRetrySecs value given. Otherwise if MinRetrySecs is
      missing or is invalid, then:

      -  generate a message reporting the error containing an Error
         Component with a Severity of Warning and send it on the next
         IOTP message (if any) to be sent to the Trading Role which sent
         the message reporting the error with the invalid MinRetrySecs,
         and

      -  use a value for MinRetrySecs which is set by the
         vendor/developer of the IOTP Aware Application.

   o  check that only one ErrorLocation element is contained within the
      Error Component and that it refers to an IOTP Message which was
      sent by the recipient of the Error Component with a Severity of
      TransientError. If more than one ErrorLocation is present then
      generate a message reporting the error with a Severity of
      HardError.

7.21.1.3 Severity - Hard Error

   If an IOTP Aware Application is generating a message reporting the
   error with an Error Component where the Severity attribute set to
   HardError, then there should be only one Error Component in the
   message reporting the error.

   If a message reporting the error is received with an Error Component
   where Severity is set to HardError then terminate the IOTP
   Transaction.

7.21.2 Error Codes

   The following table contains the valid values for the ErrorCode
   attribute of the Error Component. The first sentence of the
   description contains the text that should be used to describe the
   error when displayed or otherwise reported. Individual
   implementations may translate this into alternative languages at
   their discretion.

   An Error Code must not be more that 14 characters long.







Burdett                      Informational                    [Page 158]


RFC 2801                       IOTP/1.0                       April 2000


        Value                           Description

   Reserved        Reserved. This error is reserved by the
                   vendor/developer of the software. Contact the
                   vendor/developer of the software for more information
                   See the SoftwareId attribute of the Message Id
                   element in the Transaction Reference Block(section
                   3.3).

   XmlNotWellFrmd  XML not well formed. The XML document is not well
                   formed. See [XML] for the meaning of "well formed".
                   Even if the XML is not well formed, it should still
                   be scanned to find the Transaction Reference Block so
                   that a properly formed Error Response may be
                   generated.

   XmlNotValid     XML not valid. The XML document is well formed but
                   the document is not valid. See [XML] for the meaning
                   of "valid". Specifically:
                    o the XML document does not comply with the
                     constraints defined in the IOTP document type
                     declaration (DTD) (see section 13 Internet Open
                     Trading Protocol Data Type Definition), and
                    o the XML document does not comply with the
                     constraints defined in the document type
                     declaration of any additional [XML Namespace] that
                     are declared.

                   As for XML not well formed, attempts should still be
                   made to extract the Transaction Reference Block so
                   that a properly formed Error Response may be
                   generated.

   ElUnexpected    Unexpected element. Although the XML document is well
                   formed and valid, an element is present that is not
                   expected in the particular context according to the
                   rules and constraints contained in this
                   specification.

   ElNotSupp       Element not supported. Although the document is well
                   formed and valid, an element is present that:
                    o is consistent with the rules and constraints
                     contained in this specification, but
                    o is not supported by the IOTP Aware Application
                     which is processing the IOTP Message.






Burdett                      Informational                    [Page 159]


RFC 2801                       IOTP/1.0                       April 2000


   ElMissing       Element missing. Although the document is well formed
                   and valid, an element is missing that should have
                   been present if the rules and constraints contained
                   in this specification are followed.

                   In this case set the PackagedContent of the Error
                   Component to the type of the missing element.

   ElContIllegal   Element content illegal. Although the document is
                   well formed and valid, the element Content contains
                   values which do not conform to the rules and
                   constraints contained in this specification.

   EncapProtErr    Encapsulated protocol error. Although the document is
                   well formed and valid, the PackagedContent of an
                   element contains data from an encapsulated protocol
                   which contains errors.

   AttUnexpected   Unexpected attribute. Although the XML document is
                   well formed and valid, the presence of the attribute
                   is not expected in the particular context according
                   to the rules and constraints contained in this
                   specification.

   AttNotSupp      Attribute not supported. Although the XML document is
                   well formed and valid, and the presence of the
                   attribute in an element is consistent with the rules
                   and constraints contained in this specification, it
                   is not supported by the IOTP Aware Application which
                   is processing the IOTP Message.

   AttMissing      Attribute missing. Although the document is well
                   formed and valid, an attribute is missing that should
                   have been present if the rules and constraints
                   contained in this specification are followed.

                   In this case set the PackagedContent of the Error
                   Component to the type of the missing attribute.

   AttValIllegal   Attribute value illegal. The attribute contains a
                   value which does not conform to the rules and
                   constraints contained in this specification.

   AttValNotRecog  Attribute Value Not Recognised. The attribute
                   contains a value which the IOTP Aware Application
                   generating the message reporting the error could not
                   recognise.




Burdett                      Informational                    [Page 160]


RFC 2801                       IOTP/1.0                       April 2000


   MsgTooLarge     Message too large. The message is too large to be
                   processed by the IOTP Aware Application.

   ElTooLarge      Element too large. The element is too large to be
                   processed by the IOTP Aware Application

   ValueTooSmall   Value too small or early. The value of all or part of
                   the Content of an element or an attribute, although
                   valid, is too small.

   ValueTooLarge   Value too large or in the future. The value of all or
                   part of the Content of an element or an attribute,
                   although valid, is too large.

   ElInconsistent  Element Inconsistent. Although the document is well
                   formed and valid, according to the rules and
                   constraints contained in this specification:
                    o the content of an element is inconsistent with the
                     content of other elements or their attributes, or
                    o the value of an attribute is inconsistent with the
                     value of one or more other attributes.

                   In this case create ErrorLocation elements which
                   identify all the attributes or elements which are
                   inconsistent.

   TransportError  Transport Error. This error code is used to indicate
                   that there is a problem with the Transport Mechanism
                   which is preventing the message from being received.
                   It is typically associated with a Transient Error.
                   Explanation of the Transport Error is contained
                   within the ErrorDesc attribute. The values which can
                   be used inside ErrorDesc with a TransportError is
                   specified in the IOTP supplement for the Transport
                   mechanism.

   MsgBeingProc    Message Being Processed. This error code is only used
                   with a Severity of Transient Error. It indicates that
                   the previous message, which may be an exchange
                   message or a request message, is being processed and,
                   if no response is received by the time indicated by
                   the MinRetrySecs attribute, then the original message
                   should be resent.

   SystemBusy      System Busy. This error code is only used with a
                   Severity of Transient Error. It indicates that the
                   server that received a message is currently too busy
                   to handle the message. If no response is received by



Burdett                      Informational                    [Page 161]


RFC 2801                       IOTP/1.0                       April 2000


                   the time indicated by the MinRetrySecs attribute,
                   then the original message should be resent.

   Note: If the server/system handling the Transport Mechanism (e.g.,
   HTTP) is busy then a Transport Specific error message should be used
   instead of an IOTP Error message. This code should be used in
   association with IOTP servers/systems or other servers/systems to
   which the IOTP server is connected.

   UnknownError    Unknown Error. Indicates that the transaction cannot
                   complete for some reason that is not covered
                   explicitly by any of the other errors.  The ErrorDesc
                   attribute should be used to indicate the nature of
                   the problem.

                   This could be used to indicate, for example, an
                   internal error in a backend server or client process
                   of some kind.

7.21.3 Error Location Element

   An Error Location Element identifies an element and optionally an
   attribute in the message in error which is associated with the error.
   It contains a reference to the IOTP Message, Trading Block, Trading
   Component, element and attribute, which is in error.

   <!ELEMENT ErrorLocation EMPTY >
   <!ATTLIST ErrorLocation
    ElementType        NMTOKEN #REQUIRED
    IotpMsgRef         NMTOKEN #IMPLIED
    BlkRef             NMTOKEN #IMPLIED
    CompRef            NMTOKEN #IMPLIED
    ElementRef         NMTOKEN #IMPLIED
    AttName            NMTOKEN #IMPLIED >

   Attributes:

   ElementType        This is the name of the type of the element where
                      the error is located. For example if the element
                      was declared as <!ELEMENT Org ... then its name is
                      "Org".

   IotpMsgRef         This is the value of the ID attribute of the of
                      the Message Id Component (see section 3.3.2) of
                      the message in error to which this Error Component
                      applies.





Burdett                      Informational                    [Page 162]


RFC 2801                       IOTP/1.0                       April 2000


   BlkRef             If the error is associated with a specific Trading
                      Block, then this is the value of the ID attribute
                      of the Trading Block where the error is located.

   CompRef            If the error is associated with a specific Trading
                      Component, then this is the value of the ID
                      attribute of the Trading Component where the error
                      is located.

   ElementRef         If the error is associated with a specific element
                      within a Trading Component then, if the element
                      has an attribute with an "attribute type" (see
                      [XML]) of "ID", then this is the value of that
                      attribute.

   AttName            If the error is associated with the value of an
                      attribute, then this is the name of that
                      attribute. In this case the PackagedContent of the
                      Error Component should contain the value of the
                      attribute.

   Note that as many as the attributes as possible should be included.
   For example if an attribute in a child element of a Trading Component
   contains an incorrect value, then all the attributes of ErrorLocation
   should be present.

8. Trading Blocks

   Trading Blocks are child elements of the top level IOTP Messages that
   are sent in the form of [XML] documents directly between the
   different Trading Roles that are taking part in a trade.

   Each Trading Blocks consist of one or more Trading Components (see
   section 7).  This is illustrated in the diagram below.

















Burdett                      Informational                    [Page 163]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

             IOTP MESSAGE  <-----------IOTP Message - an XML Document
              |                        which is transported between the
              |                        Trading Roles
              |-Trans Ref Block <----- Trans Ref Block - contains
              |  |                     information which describes the
              |  |                     IOTP Transaction and the IOTP
              |  |                     Message.
              |  |-Trans Id Comp. <--- Transaction Id Component -
              |  |                     uniquely identifies the IOTP
              |  |                     Transaction. The Trans Id
              |  |                     Components are the same across
              |  |                     all IOTP messages that comprise a
              |  |                     single IOTP transaction.
              |  |-Msg Id Comp. <----- Message Id Component - identifies
              |                        and describes an IOTP Message
              |                        within an IOTP Transaction
              |-Signature Block <----- Signature Block (optional) -
              |  |                     contains one or more Signature
              |  |                     Components and their associated
              |  |                     Certificates
              |  |-Signature Comp. <-- Signature Component - contains
              |  |                     digital signatures. Signatures
              |  |                     may sign digests of the Trans Ref
              |  |                     Block and any Trading Component
              |  |                     in any IOTP Message in the same
              |  |                     IOTP Transaction.
              |  |-Certificate Comp. <-Certificate Component. Used to
              |                        check the signature. (Optional)
      ------> |-Trading Block <--------Trading Block - an XML Element
     |        |  |-Trading Comp.       within an IOTP Message that
   Trading    |  |-Trading Comp.       contains a predefined set of
   Blocks     |  |-Trading Comp.       Trading Components
     |        |  |-Trading Comp.
     |        |  |-Trading Comp. <-----Trading Components - XML Elements
     |        |                        within a Trading Block that
      ------> |-Trading Block          contain a predefined set of XML
              |  |-Trading Comp.       elements and attributes
              |  |-Trading Comp.       containing information required
              |  |-Trading Comp.       to support a Trading Exchange
              |  |-Trading Comp.
              |  |-Trading Comp.
              |
   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                            Figure 16 Trading Blocks




Burdett                      Informational                    [Page 164]


RFC 2801                       IOTP/1.0                       April 2000


   Trading Blocks are defined as part of the definition of an IOTP
   Message (see section 3.1.1). The definition of an IOTP Message
   element is repeated here:

   <!ELEMENT IotpMessage
      ( TransRefBlk,
        SigBlk?,
        ErrorBlk?,
        ( AuthReqBlk |
          AuthRespBlk |
          AuthStatusBlk |
          CancelBlk |
          DeliveryReqBlk |
          DeliveryRespBlk |
          InquiryReqBlk |
          InquiryRespBlk |
          OfferRespBlk |
          PayExchBlk |
          PayReqBlk |
          PayRespBlk |
          PingReqBlk |
          PingRespBlk |
          TpoBlk |
          TpoSelectionBlk
        )*
      ) >

   The remainder of this section defines the Trading Blocks in this
   version of IOTP. They are:

   o  Authentication Request Block

   o  Authentication Response Block

   o  Authentication Status Block

   o  Cancel Block

   o  Delivery Request Block

   o  Delivery Response Block

   o  Error Block

   o  Inquiry Request Block

   o  Inquiry Response Block




Burdett                      Informational                    [Page 165]


RFC 2801                       IOTP/1.0                       April 2000


   o  Offer Response Block

   o  Payment Exchange Block

   o  Payment Request Block

   o  Payment Response Block

   o  Signature Block

   o  Trading Protocol Options Block

   o  TPO Selection Block

   The Transaction Reference Block is described in section 3.3.

8.1 Trading Protocol Options Block

   The TPO Trading Block contains options which apply to the IOTP
   Transaction. The definition of a TPO Trading Block is as follows.

   <!ELEMENT TpoBlk ( ProtocolOptions, BrandList*, Org* ) >
   <!ATTLIST TpoBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Trading Protocol Options Block within the IOTP
                      Transaction (see section 3.4 ID Attributes).

   Content:

   ProtocolOptions    The Protocol Options Component (see section
                      7.1)defines the options which apply to the whole
                      IOTP Transaction (see section 9).

   BrandList          This Brand List Component contains one or more
                      payment brands and protocols which may be selected
                      (see section 7.7).

   Org                The Organisation Components (see section 7.6)
                      identify the Organisations and their roles in the
                      IOTP Transaction. The roles and Organisations
                      which must be present will depend on the
                      particular type of IOTP Transaction. See the
                      definition of each transaction in section 9.
                      Internet Open Trading Protocol Transactions.



Burdett                      Informational                    [Page 166]


RFC 2801                       IOTP/1.0                       April 2000


   The TPO Block should contain:

   o  the Protocol Options Component

   o  the Organisation Component with the Trading Role of Merchant

   o  the Organisation Component with the Trading Role of Consumer

   o  optionally, the Organisation Component with the Trading Role of
      DeliverTo, if there is a Delivery included in the IOTP Transaction

   o  Brand List Components for each payment in the IOTP Transaction

   o  Organisation Components for all the Payment Handlers involved

   o  optionally, Organisation Components for the Delivery Handler (if
      any) for the transaction

   o  additional Organisation Components that the Merchant may want to
      include. For example

      -  a Customer Care Provider

      -  an Certificate Authority that offers Merchant "Credentials" or
         some other warranty on the goods or services being offered.

8.2 TPO Selection Block

   The TPO Selection Block contains the results of selections made from
   the options contained in the Trading Protocol Options Block (see
   section 8.1).The definition of a TPO Selection Block is as follows.

   <!ELEMENT TpoSelectionBlk (BrandSelection+) >
   <!ATTLIST TpoSelectionBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the TPO
                      Selection Block within the IOTP Transaction.

   Content:

   BrandSelection     This identifies the choice of payment brand and
                      payment protocol to be used in a payment within
                      the IOTP Transaction. There is one Brand Selection
                      Component (see section 7.8) for each payment to be
                      made in the IOTP Transaction.



Burdett                      Informational                    [Page 167]


RFC 2801                       IOTP/1.0                       April 2000


   The TPO Selection Block should contain one Brand Selection Component
   for each Brand List in the TPO Block.

8.3 Offer Response Block

   The Offer Response Block contains details of the goods, services,
   amount, delivery instructions or financial transaction which is to
   take place.  Its definition is as follows.

   <!ELEMENT OfferRespBlk (Status, Order?, Payment*,
                Delivery?, TradingRoleData*) >
   <!ATTLIST OfferRespBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the Offer
                      Response Block within the IOTP Transaction.

   Content:

   Status             Contains status information about the business
                      success (see section 4.2) or failure of the
                      generation of the Offer. Note that in an Offer
                      Response Block, a ProcessState of NotYetStarted or
                      InProgress are illegal values.

   Order              The Order Component contains details about the
                      goods, services or financial transaction which is
                      taking place see section 7.5.

                      The Order Component must be present unless the
                      ProcessState attribute of the Status Component is
                      set to Failed.

   Payment            The Payment Components contain information about
                      the payments which are to be made see section 7.9.

   Delivery           The Delivery Component contains details of the
                      delivery to be made (see section 7.13).

   TradingRoleData    The Trading Role Data Component contains opaque
                      data which is needs to be communicated between the
                      Trading Roles involved in an IOTP Transaction (see
                      section 7.17).

   The Offer Response Block should contain:




Burdett                      Informational                    [Page 168]


RFC 2801                       IOTP/1.0                       April 2000


   o  the Order Component for the IOTP Transaction

   o  Payment Components for each Payment in the IOTP Transaction

   o  the Delivery Component the IOTP Transaction requires (if any).

8.4 Authentication Request Block

   The Authentication Request Block contains the data which is used by
   one Trading Role to obtain information about and optionally
   authenticate another Trading Role.

   In outline it contains:

   o  information about how the authentication itself will be carried
      out, and/or

   o  a request for additional information about the Organisation being
      authenticated.

   Its definition is as follows.

   <!ELEMENT AuthReqBlk (AuthReq*, TradingRoleInfoReq?) >
   <!ATTLIST AuthReqBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Authentication Request Block within the IOTP
                      Transaction.

   Content:

   AuthReq             Each Authentication Request (see section 7.2)
                       component describes an alternative way in which
                       the recipient of the Authentication Request may
                       authenticate themselves by generating an
                       Authentication Response Component (see section
                       7.3).

                       If one Authentication Request Component is
                       present then that Authentication Request
                       Component should be used.







Burdett                      Informational                    [Page 169]


RFC 2801                       IOTP/1.0                       April 2000


                       If more than one Authentication Request Component
                       is present then the recipient should choose one
                       of the components based on personal preference of
                       the recipient or their software.

                       If no Authentication Request Component is present
                       it means that the Authentication Request Block is
                       requesting the return of Organisation Components
                       as specified in the Trading Role Information
                       Request Component.

   TradingRoleInfoReq  The Trading Role Information Request Component
                       (see section 7.4) contains a list of Trading
                       Roles about which information is being requested

   There must be at least one Component (either an Authentication
   Request or a Trading Role Information Request) within the
   Authentication Block otherwise it is an error.

8.5 Authentication Response Block

   The Authentication Response Block contains the response which results
   from processing the Authentication Request Block. Its definition is
   as follows.

   <!ELEMENT AuthRespBlk (AuthResp?, Org*) >
   <!ATTLIST AuthRespBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Authentication Response Block within the IOTP
                      Transaction.

   Content:

   AuthResp           The optional Authentication Response Component
                      which contains the results of processing the
                      Authentication Request Component - see section
                      7.3.

   Org                Optional Organisation Components that contain
                      information corresponding to the Trading Roles as
                      requested by the TradingRoleList attribute of the
                      Trading Role Information Request component.





Burdett                      Informational                    [Page 170]


RFC 2801                       IOTP/1.0                       April 2000


   The components present in the Authentication Response Block must
   match the requirement of the corresponding Authentication Request
   Block otherwise it is an error.

8.6 Authentication Status Block

   The Authentication Status Block indicates the success or failure of
   the validation of an Authentication Response Block by an
   Authenticator. Its definition is as follows.

   <!ELEMENT AuthStatusBlk (Status) >
   <!ATTLIST AuthStatusBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Authentication Status Block within the IOTP
                      Transaction.

   Content:

   Status             Contains status information about the business
                      success (see section 4.2) or failure of the
                      authentication

8.7 Payment Request Block

   The Payment Request Block contains information which requests that a
   payment is started. Its definition is as follows.

   <!ELEMENT PayReqBlk (Status+, BrandList, BrandSelection,
        Payment, PaySchemeData?, Org*, TradingRoleData*) >
   <!ATTLIST PayReqBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Payment Request Block within the IOTP Transaction.

   Content:

   Status             Contains the Status Components (see section 7.13)
                      of the responses of the steps (e.g., an Offer
                      Response and/or a Payment Response) on which this





Burdett                      Informational                    [Page 171]


RFC 2801                       IOTP/1.0                       April 2000


                      step depends. It is used to indicate the success
                      or failure of those steps. Payment should only
                      occur if the previous steps were successful.

   BrandList          The Brand List Component contains a list of one or
                      more payment brands and protocols which may be
                      selected (see section 7.7).

   BrandSelection     This identifies the choice of payment brand, the
                      payment protocol and the Payment Handler to be
                      used in a payment within the IOTP Transaction.
                      There is one Brand Selection Component (see
                      section 7.8) for each payment to be made in the
                      IOTP Transaction.

   Payment            The Payment Components contain information about
                      the payment which is being made see section 7.9.

   PaySchemeData      The Payment Scheme Component contains payment
                      scheme specific data see section 7.10.

   Org                The Organisation Component contains details of
                      Organisations involved in the payment (see section
                      7.6). The Organisations present are dependent on
                      the IOTP Transaction and the data which is to be
                      signed. See section 6 Digital Signatures for more
                      details.

   TradingRoleData    The Trading Role Data Component contains opaque
                      data which is needs to be communicated between the
                      Trading Roles involved in an IOTP Transaction (see
                      section 7.17).

   The Payment Request Block should contain:

   o  the Organisation Component with a Trading Role of Merchant

   o  the Organisation Component with the Trading Role of Consumer

   o  the Payment Component for the Payment

   o  the Brand List Component for the Payment

   o  the Brand Selection Component for the Brand List

   o  the Organisation Component for the Payment Handler of the Payment





Burdett                      Informational                    [Page 172]


RFC 2801                       IOTP/1.0                       April 2000


   o  the Organisation Component (if any) for the Organisation which
      carried out the previous step, for example another Payment Handler

   o  the Organisation Component for the Organisation which is to carry
      out the next step, if any. This may be, for example, either a
      Delivery Handler or a Payment Handler.

   o  the Organisation Components for any additional Organisations that
      the Merchant has included in the Offer Response Block

   o  an Optional Payment Scheme Data Component, if required by the
      Payment Method as defined in the IOTP supplement for the payment
      method

   o  any Trading Role Data Components that may be required (see section
      7.17.1).

8.8 Payment Exchange Block

   The Payment Exchange Block contains payment scheme specific data
   which is exchanged between two of the roles in a trade. Its
   definition is as follows.

   <!ELEMENT PayExchBlk (PaySchemeData+) >
   <!ATTLIST PayExchBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Payment Exchange Block within the IOTP
                      Transaction.

   Content:

   PaySchemeData      This Trading Component contains payment scheme
                      specific data see section 7.10 Payment Scheme
                      Component.

8.9 Payment Response Block

   This Payment Response Block contains a information about the Payment
   Status, an optional Payment Receipt, and an optional payment protocol
   message. Its definition is as follows.







Burdett                      Informational                    [Page 173]


RFC 2801                       IOTP/1.0                       April 2000


   <!ELEMENT PayRespBlk (Status, PayReceipt?, PaySchemeData?,
        PaymentNote?, TradingRoleData*) >
   <!ATTLIST PayRespBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Payment Response Block within the IOTP
                      Transaction.

   Content:

   Status             Contains status information about the business
                      success (see section 4.2) or failure of the
                      payment. Note that in a Pay Response Block, a
                      ProcessState of NotYetStarted or InProgress are
                      illegal values.

   PayReceipt         Contains payment scheme specific data which can be
                      used to verify the payment occurred. See section
                      7.11 Payment Receipt Component. It must be present
                      if the ProcessState attribute of the Status
                      Component is set to CompletedOk. PayReceipt is
                      optional for other values as specified by the
                      appropriate Payment Scheme supplement.

   PaySchemeData      Contains payment scheme specific data see section,
                      for example a payment protocol message. See 7.10
                      Payment Scheme Component.

   PaymentNote        Contains additional, non payment related,
                      information which the Payment Handler wants to
                      provide to the Consumer. For example, if a
                      withdrawal or deposit were being made then it
                      could contain information on the remaining balance
                      on the account after the transfer was complete.
                      See section 7.12 Payment Note Component.

   TradingRoleData    The Trading Role Data Component contains opaque
                      data which is needs to be communicated between the
                      Trading Roles involved in an IOTP Transaction (see
                      section 7.17).








Burdett                      Informational                    [Page 174]


RFC 2801                       IOTP/1.0                       April 2000


8.10 Delivery Request Block

   The Delivery Request Block contains details of the goods or services
   which are to be delivered together with a signature which can be used
   to check that delivery is authorised. Its definition is as follows.

   <!ELEMENT DeliveryReqBlk (Status+, Order, Org*, Delivery,
        ConsumerDeliveryData?, TradingRoleData*) >
   <!ATTLIST DeliveryReqBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Delivery Request Block within the IOTP
                      Transaction.

   Content:

   Status                Contains the Status Components (see section
                         7.13) of the responses of the steps (e.g., a
                         Payment Response) on which this step is
                         dependent. It is used to indicate the success
                         or failure of those steps. Delivery should only
                         occur if the previous steps were successful.

   Order                 The Order Component contains details about the
                         goods, services or financial transaction which
                         is taking place see section 7.5.

                         The Organisation Components (see section 7.6)
                         identify the Organisations and their roles in
   Org                   the IOTP Transaction. The roles and
                         Organisations which must be present will depend
                         on the particular type of IOTP Transaction. See
                         the definition of each transaction in section
                         9. Internet Open Trading Protocol Transactions.

   Delivery              The Delivery Component contains details of the
                         delivery to be made (see section 7.13).

   ConsumerDeliveryData  Optional. Contains an identifier specified by
                         the Consumer which, if returned by the Delivery
                         Handler will enable the Consumer to identify
                         which Delivery is being referred to.






Burdett                      Informational                    [Page 175]


RFC 2801                       IOTP/1.0                       April 2000


   TradingRoleData       The Trading Role Data Component contains opaque
                         data which is needs to be communicated between
                         the Trading Roles involved in an IOTP
                         Transaction (see section 7.17).

   The Delivery Request Block contains:

   o  the Organisation Component with a Trading Role of Merchant

   o  the Organisation Component for the Consumer and DeliverTo Trading
      Roles

   o  the Delivery Component for the Delivery

   o  the Organisation Component for the Delivery Handler. Specifically
      the Organisation Component identified by the ActionOrgRef
      attribute on the Delivery Component

   o  the Organisation Component (if any) for the Organisation which
      carried out the previous step, for example a Payment Handler

   o  the Organisation Components for any additional Organisations that
      the Merchant has included in the Offer Response Block

   o  any Trading Role Data Components that may be required (see section
      7.17.1).

8.11 Delivery Response Block

   The Delivery Response Block contains a Delivery Note containing
   details on how the goods will be delivered. Its definition is as
   follows. Note that in a Delivery Response Block a Delivery Status
   Element with a DeliveryStatusCode of NotYetStarted or InProgress is
   invalid.

   <!ELEMENT DeliveryRespBlk (Status, DeliveryNote) >
   <!ATTLIST DeliveryRespBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Delivery Response Block within the IOTP
                      Transaction.

   Content:





Burdett                      Informational                    [Page 176]


RFC 2801                       IOTP/1.0                       April 2000


   Status             Contains status information about the business
                      success (see section 4.2) or failure of the
                      delivery.  Note that in a Delivery Response Block,
                      a ProcessState of NotYetStarted or InProgress are
                      illegal values.

   DeliveryNote       The Delivery Note Component contains details about
                      how the goods or services will be delivered (see
                      section 7.15).

8.12 Inquiry Request Trading Block

   The Inquiry Request Trading Block contains an Inquiry Type Component
   and an optional Payment Scheme Component to contain payment scheme
   specific inquiry messages.

   <!ELEMENT InquiryReqBlk ( InquiryType, PaySchemeData? ) >
   <!ATTLIST InquiryReqBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Inquiry Request Trading Block within the IOTP
                      Transaction.

   Content:

   InquiryType        Inquiry Type Component (see section 7.18) that
                      contains the type of inquiry.

   PaySchemeData      Payment Scheme Component (see section 7.10) that
                      contains payment scheme specific inquiry messages
                      for inquiries on payments. This is present when
                      the Type attribute of Inquiry Type Component is
                      Payment.

8.13 Inquiry Response Trading Block

   The Inquiry Response Trading Block contains a Status Component and an
   optional Payment Scheme Component to contain payment scheme specific
   inquiry messages. Its purpose is to enquire on the current status of
   an IOTP transaction at a server.








Burdett                      Informational                    [Page 177]


RFC 2801                       IOTP/1.0                       April 2000


   <!ELEMENT InquiryRespBlk (Status, PaySchemeData?) >
   <!ATTLIST InquiryRespBlk
    ID                 ID      #REQUIRED
    LastReceivedIotpMsgRef NMTOKEN #IMPLIED
    LastSentIotpMsgRef  NMTOKEN #IMPLIED >

   Attributes:

   ID                      An identifier which uniquely identifies the
                           Inquiry Response Trading Block within the
                           IOTP Transaction.

   LastReceivedIotpMsgRef  Contains an Element Reference (see section
                           3.5) to the Message Id Component (see section
                           3.3.2) of the last message this server has
                           received from the Consumer. If there is no
                           previously received message from the Consumer
                           in the pertinent transaction, this attribute
                           should be contain the value Null. This
                           attribute exists for debugging purposes.

   LastSentIotpMsgRef      Contains an Element Reference (see section
                           3.5) to the Message Id Component (see section
                           3.3.2) of the last message this server has
                           sent to the Consumer. If there is no
                           previously sent message to the Consumer in
                           the pertinent transaction, this attribute
                           should contain the value Null. This attribute
                           exists for debugging purposes.

   Content:

   Status             Contains status information about the business
                      success (see section 4.2) or failure of a certain
                      trading exchange (i.e., Offer, Payment, or
                      Delivery).

   PaySchemeData      Payment Scheme Component (see section 7.10) that
                      contains payment scheme specific inquiry messages
                      for inquiries on payments. This is present when
                      the Type attribute of StatusType attribute of the
                      Status Component is set to Payment.









Burdett                      Informational                    [Page 178]


RFC 2801                       IOTP/1.0                       April 2000


8.14 Ping Request Block

   The Ping Request Block is used to determine if a Server is operating
   and whether or not cryptography is compatible.

   The definition of a Ping Request Block is as follows.

   <!ELEMENT PingReqBlk (Org*)>
   <!ATTLIST PingReqBlk
    ID                 ID      #REQUIRED>

   Attributes:

   ID                 An identifier which uniquely identifies the Ping
                      Request Trading Block within the IOTP Transaction.

   Content:

   Org                Optional Organisation Components (see section
                      7.6).

                      If no Organisation Component is present then the
                      Ping Request is anonymous and simply determines if
                      the server is operating.

                      However if Organisation Components are present,
                      then it indicates that the sender of the Ping
                      Request wants to verify that digital signatures
                      can be handled.

                      In this case the sender includes:
                       o an Organisation Component that identifies
                         itself specifying the Trading Role(s) it is
                         taking in IOTP transactions (Merchant, Payment
                         Handler, etc.)
                       o an Organisation Component that identifies the
                         intended recipient of the message.

                      These are then used to generate a signature over
                      the Ping Response Block.

8.15 Ping Response Block

   The Ping Response Trading Block provides the result of a Ping
   Request.

   It contains an Organisation Component that identifies the sender of
   the Ping Response.



Burdett                      Informational                    [Page 179]


RFC 2801                       IOTP/1.0                       April 2000


   If the Ping Request to which this block is a response contained
   Organisation Components, then it also contains those Organisation
   Components.

   <!ELEMENT PingRespBlk (Org+)>
   <!ATTLIST PingRespBlk
    ID                 ID      #REQUIRED
    PingStatusCode (Ok | Busy | Down) #REQUIRED
    SigVerifyStatusCode (Ok | NotSupported | Fail) #IMPLIED
    xml:lang           NMTOKEN #IMPLIED
    PingStatusDesc     CDATA   #IMPLIED>

   Attributes:

   ID                   An identifier which uniquely identifies the Ping
                        Request Trading Block within the IOTP
                        Transaction.

   PingStatusCode       Contains a code which shows the status of the
                        sender software which processes IOTP messages.
                        Valid values are:
                         o Ok. Everything with the service is working
                          normally, including the signature
                          verification.
                         o Busy. Things are working normally but there
                          may be some delays.
                         o Down. The server is not functioning fully but
                          can still provide a Ping response.

   SigVerifyStatusCode  Contains a code which shows the status of
                        signature verification. This is present only
                        when the message containing the Ping Request
                        Block also contains a Signature Block. Valid
                        values are:
                         o Ok. The signature has successfully been
                          verified and proved compatible.
                         o NotSupported The receiver of this Ping
                          Request Block does not support validation of
                          signatures.
                         o Fail. Signature verification failed.

   Xml:lang             Defines the language used in PingStatusDesc.
                        This is present when PingStatusDesc is present.

   PingStatusDesc       Contains a short description of the status of
                        the server which sends this Ping Response Block.
                        Servers, if their designers want, can use this




Burdett                      Informational                    [Page 180]


RFC 2801                       IOTP/1.0                       April 2000


                        attribute to send more refined status
                        information than PingStatusCode which can be
                        used for debugging purposes, for example.

   Content:

   Org                These are Organisation Components (see section
                      7.6).

                      The Organisation Components of the sender of the
                      Ping Response is always included in addition to
                      the Organisation Components sent in the Ping
                      Request.

   Note: Ping Status Code values do not include a value such as Fail,
   since, when the software receiving the Ping Request message is not
   working at all, no Ping Response message will be sent back.

8.16 Signature Block

   The Signature Block contains one or more Signature Components and
   associated Certificates (if required) which sign data associated with
   the IOTP Transaction. For a general discussion and introduction to
   how IOTP uses signatures, see section 6 Digital Signatures. The
   definition of the Signature Component and certificates is contained
   in the paper "Digital Signatures for the Internet Open Trading
   Protocol", see [IOTPDSIG].  Descriptions of how these are used by
   IOTP is contained in sections 7.19 and 7.20.

   The definition of a Signature Block is as follows:

   <!ELEMENT IotpSignatures (Signature+, Certificate*) >
   <!ATTLIST IotpSignatures
     ID                ID      #IMPLIED >

   Attributes:

   ID                 An identifier which uniquely identifies the
                      Signature Block within the IOTP Transaction.

   Content:

   Signature          A Signature Component. See section 7.19.

   Certificate        A Certificate Component. See section 7.20.






Burdett                      Informational                    [Page 181]


RFC 2801                       IOTP/1.0                       April 2000


   The contents of a Signature Block depends on the Trading Block that
   is contained in the same IOTP Message as the Signature Block.

8.16.1 Signature Block with Offer Response

   A Signature Block which is in the same message as an Offer Response
   Block contains just an Offer Response Signature Component (see
   section 7.19.2).

8.16.2 Signature Block with Payment Request

   A Signature Block which is in the same message as a Payment Request
   Block contains:

   o  an Offer Response Signature Component (see section 7.19.2), and

   o  if the Payment is dependent on an earlier step (as indicated by
      the StartAfter attribute on the Payment Component), then the
      Payment Receipt Signature Component (see section 7.19.3) generated
      by the previous step

8.16.3 Signature Block with Payment Response

      A Signature Block which is in the same message as a Payment
      Response Block contains just a Payment Receipt Signature Component
      (see section 7.19.3) generated by the step.

8.16.4 Signature Block with Delivery Request

      A Signature Block which is in the same message as a Delivery
      Request Block contains:

   o  an Offer Response Signature Component (see section 7.19.2), and

   o  the Payment Receipt Signature Component (see section 7.19.3)
      generated by the previous step.

8.16.5 Signature Block with Delivery Response

   A Signature Block which is in the same message as a Delivery Response
   Block contains just a Delivery Response Signature component (see
   section 7.19.4) generated by the step.









Burdett                      Informational                    [Page 182]


RFC 2801                       IOTP/1.0                       April 2000


8.17 Error Block

   The Error Trading Block contains one or more Error Components (see
   section 7.21) which contain information about Technical Errors (see
   section 4.1) in an IOTP Message which has been received by one of the
   Trading Roles involved in the trade.

   For clarity two phrases are defined which are used in the description
   of an Error Trading Block:

   o  message in error. An IOTP message which contains or causes an
      error of some kind

   o  message reporting the error. An IOTP message that contains an
      Error Trading Block that describes the error found in a message in
      error.

   An Error Trading Block may be contained in any message reporting the
   error. The action which then follows depends on the severity of the
   error. See the definition of an Error Component, for an explanation
   of the different types of severity and the actions which can then
   occur.

   in3 Note: Although, an Error Trading Block can report multiple
   different errors using multiple Error Components, there is no
   obligation on a developer of an IOTP Aware Application to do so.

   The structure of an Error Trading Block is as follows.

   <!ELEMENT ErrorBlk (ErrorComp+, PaySchemeData*) >
   <!ATTLIST ErrorBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the Error
                      Trading Block within the IOTP Transaction.

   Content:

   ErrorComp          An Error Components (see section 7.21) that
                      contains information about an individual Technical
                      Error.

   PaySchemeData      An optional Payment Scheme Component (see section
                      7.10) which contains a Payment Scheme Message. See
                      the appropriate payment scheme supplement to




Burdett                      Informational                    [Page 183]


RFC 2801                       IOTP/1.0                       April 2000


                      determine whether or not this component needs to
                      be present and for the definition of what it must
                      contain.

8.18 Cancel Block

   The Cancel Block is used by one Trading Role to inform any other that
   a transaction has been cancelled. Example usage includes:

   o  a Consumer Role informing a non-Consumer role that it no longer
      plans to continue with the transaction. This will allow the server
      to close down the transaction tidily without a waiting for a
      time-out to occur

   o  a non-Consumer Role to inform a Consumer role that the Transaction
      is being stopped. In this case, the Consumer is then unlikely to
      re-send the previous message that was sent in the mistaken
      understanding that the original was not received.

   Its definition is as follows.

   <!ELEMENT CancelBlk (Status) >
   <!ATTLIST CancelBlk
    ID                 ID      #REQUIRED >

   Attributes:

   ID                 An identifier which uniquely identifies the Cancel
                      Block within the IOTP Transaction.

   Content:

   Status             Contains status information indicating that the
                      IOTP transaction has been cancelled.

9. Internet Open Trading Protocol Transactions

   The Baseline Internet Open Trading Protocol supports three types of
   transactions for different purposes. These are

   o  an Authentication IOTP transaction which supports authentication
      of one party in a trade by another and/or requests information
      about another Trading Role








Burdett                      Informational                    [Page 184]


RFC 2801                       IOTP/1.0                       April 2000


   o  IOTP Transactions that involve one or more payments. Specifically:

      -  Deposit

      -  Purchase

      -  Refund

      -  Withdrawal, and

      -  Value Exchange

   o  IOTP Transactions designed to check the correct function of the
      IOTP infrastructure. Specifically:

      -  Transaction Status Inquiry, and

      -  Ping

   Although the Authentication IOTP Transaction can operate on its own,
   authentication can optionally precede any of the "payment"
   transactions.  Therefore, the rest of this section is divided into
   two parts covering:

   o  Authentication and Payment transactions (Authentication, Deposit,
      Purchase, Refund, Withdrawal and Value Exchange)

   o  Infrastructure Transactions (Transaction Status Inquiry and Ping)
      that are designed to support inquiries on whether or not a
      transaction has succeeded or a Trading Role's servers are
      operating correctly, and

9.1 Authentication and Payment Related IOTP Transactions

      The Authentication and Payment related IOTP Transactions consist
      of six Document Exchanges which are then combined in sequence to
      implement a specific transaction.

      Generally, there is a close, but not exact, correspondence between
      a Document Exchange and a Trading Exchange. The main difference is
      that some Document Exchanges implement part or all of two Trading
      Exchanges simultaneously in order to minimise the number of actual
      IOTP Messages which must be sent over the Internet.

      The six Document Exchanges are:

   o  Authentication. This is a direct implementation of the
      Authentication Trading Exchange



Burdett                      Informational                    [Page 185]


RFC 2801                       IOTP/1.0                       April 2000


   o  Brand Dependent Offer. This is the Offer Trading Exchange combined
      with the Brand Selection part of the Payment Trading Exchange. Its
      purpose is to provide the Merchant with information on the Brand
      selected so that the content of the Offer Response may be adapted
      accordingly

   o  Brand Independent Offer. This is also an Offer Trading Exchange.
      However, in this instance, the content of the Offer Response does
      not depend on the Brand selected.

   o  Payment. This is a direct implementation of the Payment part of a
      Payment Trading Exchange

   o  Delivery. This is a direct implementation of the Delivery Exchange

   o  Delivery with Payment. This is an implementation of combined
      Payment and Delivery Trading Exchanges

   These Document Exchanges are combined together in different sequences
   to implement each IOTP Transaction. The way in which they may be
   combined is illustrated by the diagram below.






























Burdett                      Informational                    [Page 186]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

     START -----------------------------------------------------
      |                                                         v
      |                                                ----------------
      |                                               | AUTHENTICATION |
      |                                                ----------------
       --------------------------------------               |    |
                       |                     |              |    |
                       |      -------------- | -------------     |
                       v      v              v      v            |
                  -------------------     -----------------      |
                 | BRAND INDEPENDENT |   | BRAND DEPENDENT |     |
                 |       OFFER       |   |      OFFER      |     |
                  -------------------     -----------------      |
                        |    |                   |   |           |
                        |     ---------------    |   |           |
                        |                    |   |   |           |
                        |     -------------- | --    |           |
                        v    v               v       v           |
                      ---------           --------------         |
                     | PAYMENT |         | PAYMENT WITH |        |
                     | (first) |         |   DELIVERY   |        |
                      ---------           --------------         |
                          |                      |               |
              -----------------------------      |               |
              v                v           |     |               |
         ----------        ---------       |     |               |
        | DELIVERY |      | PAYMENT |      |     |               |
        |          |      | {second)|      |     |               |
         ----------        ---------       |     |               |
              |                |           |     |               v
               ----------------------------------------------> STOP

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

         Figure 17 Payment and Authentication Message Flow Combinations

   The combinations of Document Exchanges that are valid depend on the
   particular IOTP transaction.

   The remainder of this sub-section describes:

   o  each Document Exchange in more detail including descriptions of
      the content of each Trading Block in the Document Exchanges, and

   o  descriptions of how each IOTP Transaction uses the Document
      Exchanges to effect the desired result.



Burdett                      Informational                    [Page 187]


RFC 2801                       IOTP/1.0                       April 2000


   Note: The descriptions of the Document Exchanges which follow
   describe the ways in which various Business Errors (see section 4.2)
   are handled. No reference is made however to the handling of
   Technical Errors (see section 4.1) in any of the messages since these
   are handled the same way irrespective of the context in which the
   message is being sent. See section 4 for more details.

9.1.1 Authentication Document Exchange

   The Authentication Document Exchange is a direct implementation of
   the Authentication Trading Exchange (see section 2.2.4). It involves:

   o  an Authenticator - the Organisation which is requesting the
      authentication, and

   o  an Authenticatee - the Organisation being authenticated.

   The authentication consists of:

   o  an Authentication Request being sent by the Authenticator to the
      Authenticatee,

   o  an Authentication Response being sent in return by the
      Authenticatee to the Authenticator which is then checked, and

   o  an Authentication Status being sent by the Authenticator to the
      Authenticatee to provide an indication of the success or failure
      of the authentication.

   An Authentication Document Exchange also:

   o  provides an Authenticatee with an Organisation Component which
      describes the Authenticator, and

   o  optionally provides the Authenticator with Organisation Components
      which describe the Authenticatee.

   The Authentication Request may also be digitally signed which allows
   the Authenticatee to verify the credentials of the Authenticator.

   The IOTP Messages which are involved are illustrated by the diagram
   below.









Burdett                      Informational                    [Page 188]


RFC 2801                       IOTP/1.0                       April 2000


 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
 Organisation 1
 (Authenticatee)
     |   Organisation 2
     |  (Authenticator)
STEP |     |
 1.          First Organisation takes an action (for example by
             pressing a button on an HTML page) which requires that
             the Organisation is authenticated

     1 --> 2 Authentication Need (outside scope of IOTP)

 2.          The second Organisation generates: an Authentication
             Request Block containing one or more Authentication
             Request Components and/or a Trading Role Information
             Request Component, then sends it to the first
             Organisation

     1 <-- 2 TPO & AUTHENTICATION REQUEST. IotpMsg: Trans Ref Block;
             Signature Block (optional); TPO Block; Auth Request Block

 3.          IOTP aware application started. If a Signature Block is
             present, the first Organisation may use this to check the
             credentials of the second Organisation. If credentials are
             OK, the first Organisation selects an Authentication
             Request to use (if present and more than one), then uses
             the authentication algorithm selected to generate an
             Authentication Response Block. If present, the Trading
             Role Information Request Component is used to generate
             Organisation Components. Finally a Signature Component is
             created if required and all components are then sent back
             to the second Organisation for validation.

     1 --> 2 AUTHENTICATION RESPONSE. IotpMsg; Trans Ref Block;
             Signature Block (optional) ; Auth Response Block

 4.          The second Organisation checks the Authentication
             Response against the data in the Authentication Request
             Block to check that the first Organisation is who they
             appear to be, and sends an Authentication Status Block to
             the first Organisation to indicate the result then
             stops.

     1 <-- 2 AUTHENTICATION STATUS. IotpMsg: Trans Ref Block;
             Signature Block (optional); Auth Response Block






Burdett                      Informational                    [Page 189]


RFC 2801                       IOTP/1.0                       April 2000


 5.          The first Organisation checks the authentication Status
             Block and optionally keeps information on the IOTP
             transaction for record keeping purposes and stops.

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                 Figure 18 Authentication Document Exchange

9.1.1.1 Message Processing Guidelines

   On receiving a TPO & Authentication Request IOTP Message (see below),
   an Authenticatee may either:

   o  generate and send an Authentication Response IOTP Message back to
      the Authenticator, or

   o  indicate failure to comply with the Authentication Request by
      sending a Cancel Block back to the Authenticator containing a
      Status Component with a StatusType of Authentication a
      ProcessState of Failed and the CompletionCode (see section 7.16.4)
      set to either: AutEeCancel, NoAuthReq, TradRolesIncon or
      Unspecified.

   On receiving an Authentication Response IOTP Message (see below), an
   Authenticator should send in return, an Authentication Status IOTP
   Message (see below) containing a Status Block with a Status Component
   where the StatusType is set to Authentication, and:

   o  the ProcessState attribute of the Status Component is set to
      CompletedOk which indicates a successful completion, or

   o  the ProcessState attribute is set to Failed and the CompletionCode
      attribute is set to either: AutOrCancel, AuthFailed or Unspecified
      which indicates a failed authentication,

   On receiving an Authentication Status IOTP Message (see below), the
   Authenticatee should check the Status Component in the Status Block.
   If this indicates:

   o  a successful authentication, then the Authenticatee should either:

      -  continue with the next step in the IOTP Transaction of which
         the Authentication Document Exchange is part (if any), or








Burdett                      Informational                    [Page 190]


RFC 2801                       IOTP/1.0                       April 2000


      -  indicate a failure to continue with the rest of the IOTP
         Transaction, by sending back to the Authenticator a Cancel
         Block containing a Status Component with a StatusType of
         Authentication, a ProcessState of Failed and the CompletionCode
         (see section 7.16.4) set to AutEeCancel.

   o  a failed authentication, then the failure should be reported to
      the Authenticatee and any further processing stopped.

   If the Authenticator receives an IOTP Message containing a Cancel
   block from a Consumer, then the Authenticatee may go to the
   CancelNetLocn specified on the Trading Role Element in the
   Organisation Component for the Authenticator contained in the Trading
   Protocol Options Block.

9.1.1.2 TPO & Authentication Request IOTP Message

   Apart from a Transaction Reference Block (see section 3.3), this
   message consists of:

   o a Trading Protocol Options Block (see section 8.1)

   o an Authentication Request Block (see section 8.4), and

   o an optional Signature Block (see section 8.16).

   Each of these are described below.

   TRADING PROTOCOL OPTIONS BLOCK

   The Trading Protocol Options Block (see section 8.1) must contain the
   following Trading Components:

   o  one Protocol Options Component (see Section 7.1) which defines the
      options which apply to the whole Authentication Document Exchange.

   o  one Organisation Component (see section 7.6) which describes the
      Authenticator. The Trading Role on the Organisation Component
      should indicate the role which the Authenticator is taking in the
      Trade, for example a Merchant or a Consumer.

   AUTHENTICATION REQUEST BLOCK

   The Authentication Request Block (see section 8.4) must contain the
   following Trading Components:

   o  one Authentication Request Component (see section 7.2), and




Burdett                      Informational                    [Page 191]


RFC 2801                       IOTP/1.0                       April 2000


   SIGNATURE BLOCK (AUTHENTICATION REQUEST)

   If the Authentication Request is being digitally signed then a
   Signature Block must be included. It contains Digests of the
   following XML elements:

   o  the Transaction Reference Block (see section 3.3) for the IOTP
      Message that contains information that describes the IOTP Message
      and IOTP Transaction

   o  the Transaction Id Component (see section 3.3.1) which globally
      uniquely identifies the IOTP Transaction

   o  the following components of the TPO Block :

      -  the Protocol Options Component

      -  the Organisation Component

   o  the following components of the Authentication Request Block:

      -  the Authentication Request Component

      -  the Trading Role Information Request Component

9.1.1.3 Authentication Response IOTP Message

   Apart from a Transaction Reference Block (see section 3.3), this
   message consists of:

   o  an Authentication Response Block (see section 8.5), and

   o  an optional Signature Block (see section 8.16).

   Each of these are described below.

   AUTHENTICATION RESPONSE BLOCK

   The Authentication Response Block must contain the following Trading
   Component:

   o  one Authentication Response Component (see section 7.3)

   o  one Organisation Component for every Trading Role identified in
      the TradingRoleList attribute of the Trading Role Information
      Request Component contained in the Authentication Request Block.





Burdett                      Informational                    [Page 192]


RFC 2801                       IOTP/1.0                       April 2000


   SIGNATURE BLOCK (AUTHENTICATION RESPONSE)

   If the Algorithm element (see section 12. IANA Considerations) within
   the Authentication Request Component contained in the Authentication
   Request Block indicates that the Authentication Response should
   consist of a digital signature then a Signature Block must be
   included in the same IOTP message that contains an Authentication
   Response Block. The Signature Component contains Digest Elements for
   the following XML elements:

   o  the Transaction Reference Block (see section 3.3) for the IOTP
      Message that contains information that describes the IOTP Message
      and IOTP Transaction

   o  the Transaction Id Component (see section 3.3.1) which globally
      uniquely identifies the IOTP Transaction

   o  the following components of the Authentication Request Block:

      -  the Authentication Request Component

      -  the Trading Role Information Request Component

   o  the Organisation Components contained in the Authentication
      Response Block

   Note: It should not be assumed that all trading roles can support the
   signing of data. Particularly it should not be assumed that Consumers
   support the signing of data.

9.1.1.4 Authentication Status IOTP Message

   Apart from a Transaction Reference Block (see section 3.3), this
   message consists of:

   o  an Authentication Status Block (see section 8.5), and

   o  an optional Signature Block (see section 8.16).

   Each of these are described below.

   AUTHENTICATION STATUS BLOCK

   The Authentication Status Block (see section 8.6) must contain the
   following Trading Components:

   o  one Status Component (see section 7.16) with a ProcessState
      attribute set to CompletedOk.



Burdett                      Informational                    [Page 193]


RFC 2801                       IOTP/1.0                       April 2000


      SIGNATURE BLOCK (AUTHENTICATION STATUS)

      If the Authentication Status Block is being digitally signed then
      a Signature Block must be included that contains a Signature
      Component with Digest elements for the following XML elements:

   o  the Transaction Reference Block (see section 3.3) for the IOTP
      Message that contains information that describes the IOTP Message
      and IOTP Transaction

   o  the Transaction Id Component (see section 3.3.1) which globally
      uniquely identifies the IOTP Transaction

   o  the following components of the Authentication Status Block:

      -  the Status Component (see section 7.16).

   Note: If the Authentication Document Exchange is followed by an Offer
   Document Exchange (see section 9.1.2) then the Authentication Status
   Block and the Signature Block (Authentication Status) may be combined
   with either:

   o a TPO IOTP Message (see section 9.1.2.3), or

   o a TPO and Offer Response IOTP Message (see section 9.1.2.6)

9.1.2 Offer Document Exchange

   The Offer Document Exchange occurs in two basic forms:

   o  Brand Dependent Offer Exchange. Where the content of the offer,
      e.g., the order details, amount, delivery details, etc., are
      dependent on the payment brand and protocol selected by the
      consumer, and

   o  Brand Independent Offer Exchange. Where the content of the offer
      is not dependent on the payment brand and protocol selected.

      Each of these types of Offer Document Exchange may be preceded by
      an Authentication Document Exchange (see section 9.1.1).

9.1.2.1 Brand Dependent Offer Document Exchange

      In a Brand Dependent Offer Document Exchange the TPO Block and the
      Offer Response Block are sent separately by the Merchant to the
      Consumer, i.e.:





Burdett                      Informational                    [Page 194]


RFC 2801                       IOTP/1.0                       April 2000


   o  the Brand List Component is sent to the Consumer in a TPO Block,

   o  the Consumer selects a Payment Brand, Payment Protocol and
      optionally a Currency and amount from the Brand List Component

   o  the Consumer sends the selected brand, protocol and
      currency/amount back to the Merchant in a TPO Selection Block, and

   o  the Merchant uses the information received to define the content
      of and then send the Offer Response Block to the Consumer.









































Burdett                      Informational                    [Page 195]


RFC 2801                       IOTP/1.0                       April 2000


 This is illustrated by the diagram below.

 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
   Consumer
     |  Merchant
STEP |     |
 1.          Consumer decides to trade and sends to the Merchant
             information (e.g., using HTML) that enables the Merchant
             to create an offer,

     C --> M Offer information - outside scope of IOTP

 2.          Merchant decides which payment brand protocols,
             currencies and amounts apply, places then in a Brand List
             Component inside a TPO Block and sends to Consumer

     C <-- M TPO. IotpMsg: Trans Ref Block; TPO Block

 3.          IOTP aware application started. Consumer selects the
             payment brand, payment protocol and currency/amount to
             use. Records selection in a Brand Selection Component and
             sends back to Merchant.

     C --> M TPO SELECTION. IotpMsg: Trans Ref Block; TPO Selection
             Block

 4.          Merchant uses selected payment brand, payment protocol,
             currency/amount and the offer information to create an
             Offer Response Block containing details about the IOTP
             Transaction including price, etc. Optionally signs it and
             sends to the Consumer

     C <-- M OFFER RESPONSE. IotpMsg: Trans Ref Block; Signature Block
             (optional); Offer Response Block

 5.          Consumer checks the Offer is OK, then combines components
             from the TPO Block, the TPO Selection Block and the Offer
             Response Block to create the next IOTP Message for the
             Transaction and sends it together with the Signature
             block if present to the required Trading Role

     CONTINUED ...

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

              Figure 19 Brand Dependent Offer Document Exchange





Burdett                      Informational                    [Page 196]


RFC 2801                       IOTP/1.0                       April 2000


   Note, a Consumer identifies a Brand Dependent Offer Document
   Exchange, by the absence of an Offer Response Block in the first IOTP
   Message.

   MESSAGE PROCESSING GUIDELINES

   On receiving a TPO IOTP Message (see below), the Consumer may either:

   o  generate and send a TPO Selection IOTP Message back to the
      Merchant, or

   o  indicate failure to continue with the IOTP Transaction by sending
      a Cancel Block back to the Merchant containing a Status Component
      with a StatusType of Offer, a ProcessState of Failed and the
      CompletionCode (see section 7.16.4) set to either: ConsCancelled
      or Unspecified.

   On receiving a TPO Selection IOTP Message (see below) the Merchant
   may either:

   o  generate and send an Offer Response IOTP Message back to the
      Consumer, or

   o  indicate failure to continue with the IOTP Transaction by sending
      a Cancel Block back to the Consumer containing a Status Component
      with a StatusType of Offer, a ProcessState of Failed and the
      CompletionCode (see section 7.16.4) set to either: MerchCancelled
      or Unspecified.

   On receiving an Offer Response IOTP Message (see below) the Consumer
   may either:

   o  generate and send the next IOTP Message in the IOTP transaction
      and send it to the required Trading Role. This is dependent on the
      IOTP Transaction, or

   o  indicate failure to continue with the IOTP Transaction by sending
      a Cancel Block back to the Merchant containing a Status Component
      with a StatusType of Offer, a ProcessState of Failed and the
      CompletionCode (see section 7.16.4) set to either: ConsCancelled
      or Unspecified.

   If the Merchant receives an IOTP Message containing a Cancel block,
   then the Consumer is likely to go to the CancelNetLocn specified on
   the Trading Role Element in the Organisation Component for the
   Merchant.





Burdett                      Informational                    [Page 197]


RFC 2801                       IOTP/1.0                       April 2000


   If the Consumer receives an IOTP Message containing a Cancel block,
   then the information contained in the IOTP Message should be reported
   to the Consumer but no further action taken.

9.1.2.2 Brand Independent Offer Document Exchange

   In a Brand Independent Offer Document Exchange the TPO Block and the
   Offer Response Block are sent together by the Merchant to the
   Consumer, i.e. there is one IOTP Message that contains both a TPO
   Block, and an Offer Response Block.

   The message flow is illustrated by the diagram below:

 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
 Consumer
     |  Merchant
STEP |     |
 1.          Consumer decides to trade and sends to the Merchant
             information (e.g., using HTML) that enables the Merchant
             to create an offer,

     C --> M Offer information - outside scope of IOTP

 2.          Merchant decides which payment brand protocols,
             currencies and amounts apply, places then in a Brand List
             Component inside a TPO Block, creates an Offer Response
             containing details about the IOTP Transaction including
             price, etc., optionally signs it  and sends to Consumer

     C <-- M TPO & OFFER RESPONSE. IotpMsg: Trans Ref Block; Signature
             Block; TPO Block; Offer Response Block

 3.          IOTP aware application started. Consumer selects the
             payment brand, payment protocol and currency/amount to
             use. Records selection in a Brand Selection Component,
             checks offer is OK, combines the Brand Selection
             Component with information from the TPO Block and Offer
             Response Block to create the next IOTP Message for the
             Transaction and sends it together with the Signature
             Block if present to the required Trading Role.

     CONTINUED ...

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                 Figure 20 Brand Independent Offer Exchange





Burdett                      Informational                    [Page 198]


RFC 2801                       IOTP/1.0                       April 2000


   Note that a Brand Independent Offer Document Exchange always occurs
   when only one payment brand, protocol and currency/amount is being
   offered to the Consumer by the Merchant. It is also likely to, but
   will not necessarily, occur when multiple brands are being offered,
   the Payment Handler is the same, and all brands use the same set of
   protocols.

   Note that the TPO Block and the Offer Response Block can be sent in
   separate IOTP messages (see Brand Dependent Offer Document Exchange)
   even if the Offer Response Block does not change. However this
   increases the number of messages in the transaction and is therefore
   likely to increase transaction response times.

   IOTP aware applications supporting the Consumer Trading Role must
   check for the existence of an Offer Response Block in the first IOTP
   Message to determine whether the Offer Document Exchange is brand
   dependent or not.

   MESSAGE PROCESSING GUIDELINES

   On receiving a TPO and Offer Response IOTP Message (see below), the
   Consumer may either:

   o  generate and send the next IOTP Message in the IOTP transaction
      and send it to the required Trading Role. This is dependent on the
      IOTP Transaction, or

   o  indicate failure to continue with the IOTP Transaction by sending
      a Cancel Block back to the Merchant containing a Status Component
      with a StatusType of Offer, a ProcessState of Failed and the
      CompletionCode (see section 7.16.1) set to either: ConsCancelled
      or Unspecified.

   If the Merchant receives an IOTP Message containing a Cancel block,
   then the Consumer is likely to go to the CancelNetLocn specified on
   the Trading Role Element in the Organisation Component for the
   Merchant.

9.1.2.3 TPO IOTP Message

   The TPO IOTP Message is only used with a Brand Dependent Offer
   Document Exchange. Apart from a Transaction Reference Block (see
   section 3.3), this message consists of just a Trading Protocol
   Options Block (see section 8.1) which is described below.







Burdett                      Informational                    [Page 199]


RFC 2801                       IOTP/1.0                       April 2000


   TPO (TRADING PROTOCOL OPTIONS) BLOCK

   The Trading Protocol Options Block (see section 8.1) must contain the
   following Trading Components:

   o  one Protocol Options Component which defines the options which
      apply to the whole IOTP Transaction. See Section 7.1.

   o  one Brand List Component (see section 7.7) for each Payment in the
      IOTP Transaction that contain one or more payment brands and
      protocols which may be selected for use in each payment

   o  Organisation Components (see section 7.6) with the following
      roles:

      -  Merchant who is making the offer

      -  Consumer who is carrying out the transaction

      -  the PaymentHandler(s) for the payment. The "ID" of the Payment
         Handler Organisation Component is contained within the PhOrgRef
         attribute of the Payment Component

   If the IOTP Transaction includes a Delivery then the TPO Block must
   also contain:

   o  Organisation Components with the following roles:

      -  DeliveryHandler who will be delivering the goods or services

      -  DelivTo i.e. the person or Organisation which is to take
         delivery

   AUTHENTICATION STATUS AND SIGNATURE BLOCKS

   If the Offer Document Exchange was preceded by an Authentication
   Document Exchange, then the TPO IOTP Message may also contain:

   o  an Authentication Status Block (see section 8.6), and

   o  an optional Signature Block (Authentication Status) Signature
      Block

   See section 9.1.1.4 Authentication Status IOTP Message for more
   details.






Burdett                      Informational                    [Page 200]


RFC 2801                       IOTP/1.0                       April 2000


9.1.2.4 TPO Selection IOTP Message

   The TPO Selection IOTP Message is only used with a Brand Dependent
   Offer Document Exchange. Apart from a Transaction Reference Block
   (see section 3.3), this message consists of just a TPO Selection
   Block (see section 8.1) which is described below.

   TPO SELECTION BLOCK

   The TPO Selection Block (see section 8.2) contains:

   o  one Brand Selection Component (see section 7.8) for use in a
      later Payment Exchange. It contains the results of the consumer
      selecting a Payment Brand, Payment Protocol and currency/amount
      from the list provided in the Brand List Component.

9.1.2.5 Offer Response IOTP Message

   The Offer Response IOTP Message is only used with a Brand Dependent
   Offer Document Exchange. Apart from a Transaction Reference Block
   (see section 3.3), this message consists of:

   o  an Offer Response Block (see section 8.1) and

   o  an optional Signature Block (see section 8.16).

   OFFER RESPONSE BLOCK

   The Offer Response Block (see section 8.3) contains the following
   components:

   o  one Status Component (see section 7.16) which indicates the status
      of the Offer Response. The ProcessState attribute should be set to
      CompletedOk

   o  one Order Component (see section 7.5) which contains details about
      the goods and services which are being purchased or the financial
      transaction which is taking place

   o  one or more Payment Component(s) (see section 7.9) for each
      payment which is to be made

   o  zero or one Delivery Components (see section 7.13) containing
      details of the delivery to be made if the IOTP Transaction
      includes a delivery

   o  zero or more Trading Role Data Components (see section 7.17) if
      required by the Merchant.



Burdett                      Informational                    [Page 201]


RFC 2801                       IOTP/1.0                       April 2000


   SIGNATURE BLOCK (OFFER RESPONSE)

   If the Authentication Status Block is being digitally signed then a
   Signature Block must be included that contains a Signature Component
   (see section 7.19) with Digest Elements for the following XML
   elements:

   If the Offer Response is being digitally signed then a Signature
   Block must be included that contains a Signature Component (see
   section 7.19) with Digest Elements for the following XML elements:

   o  the Transaction Reference Block (see section 3.3) for the IOTP
      Message that contains information that describes the IOTP Message
      and IOTP Transaction

   o  the Transaction Id Component (see section 3.3.1) which globally
      uniquely identifies the IOTP Transaction

   o  the following components of the TPO Block :

      -  the Protocol Options Component, and

      -  the Brand List Component

      -  all the Organisation Components present

   o  the following components of the Offer Response Block:

      -  the Order Component

      -  all the Payment Components present

      -  the Delivery Component if present

      -  any Trading Role Data Components present

9.1.2.6 TPO and Offer Response IOTP Message

   The TPO and Offer Response IOTP Message is only used with a Brand
   Independent Offer Document Exchange. Apart from a Transaction
   Reference Block (see section 3.3), this message consists of:

   o  a Trading Protocol Options Block (see section 8.1)

   o  an Offer Response Block (see section 8.1) and

   o  an optional Signature Block (see section 8.16).




Burdett                      Informational                    [Page 202]


RFC 2801                       IOTP/1.0                       April 2000


   TPO (TRADING PROTOCOL OPTIONS) BLOCK

   This is the same as the Trading Protocol Options Block described in
   TPO IOTP Message (see section 9.1.2.3).

   OFFER RESPONSE BLOCK

   This the same as the Offer Response Block in the Offer Response IOTP
   Message (see section 9.1.2.5).

   AUTHENTICATION STATUS

   If the Offer Document Exchange was preceded by an Authentication
   Document Exchange, then the TPO and Offer Response IOTP Message may
   also contain an Authentication Status Block (see section 8.6).

   SIGNATURE BLOCK

   This is the same as the Signature Block in the Offer Response IOTP
   Message (see section 9.1.2.5) with the addition that:

   o  if the Offer Document Exchange is Brand Dependent then the
      Signature Component in the Signature Block additionally contains a
      Digest Element for the Brand Selection Component contained in the
      TPO Selection Block

   o  if the Offer Document Exchange was preceded by an Authentication
      Document Exchange then the Signature Component in the Signature
      Block additionally contains a Digest Element for the
      Authentication Status Block.

9.1.3 Payment Document Exchange

   The Payment Document Exchange is a direct implementation of the last
   part of a Payment Trading Exchange (see section 2.2.2) after the
   Brand has been selected by the Consumer. A Payment Exchange consists
   of:

   o  the Consumer requesting that a payment starts by generating
      Payment Request IOTP Message using information from previous IOTP
      Messages in the Transaction and then sending it to the Payment
      Handler

   o  the Payment Handler and the Consumer then swapping Payment
      Exchange IOTP Messages encapsulating payment protocol messages
      until the payment is complete, and finally





Burdett                      Informational                    [Page 203]


RFC 2801                       IOTP/1.0                       April 2000


   o  the Payment Handler sending a Payment Response IOTP Message to the
      Consumer containing a receipt for the payment.

   The IOTP Messages which are involved are illustrated by the diagram
   below.

 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
   Consumer
     |  Payment
     |  Handler
STEP |     |
 1.          Consumer generates Pay Request Block encapsulating a
             payment protocol message if required and sends to Payment
             Handler with the Signature Block if present

     C --> P PAYMENT REQUEST. IotpMsg: Trans Ref Block; Signature
             Block (optional); Pay Request Block

 2.          Payment Handler processes Pay Request Block, checks
             optional signature and starts exchanging payment protocol
             messages encapsulated in a Pay Exchange Block, with the
             Consumer

     C <-> P PAYMENT EXCHANGE. IotpMsg: Trans Ref Block; Pay Exchange
             Block

 3.          Consumer and Payment Handler keep on exchanging Payment
             Exchange blocks until eventually payment protocol
             messages finish so Payment Handler creates a Pay Receipt
             Component inside a Pay Response Block, and an optional
             Signature Component inside a Signature Block, sends them
             to the Consumer and stops.

     C <-- P PAYMENT RESPONSE. IotpMsg: Trans Ref Block; Signature
             Block (optional); Pay Response Block

 4.          Consumer checks Payment Response is OK. Optionally keeps
             information on IOTP Transaction for record keeping
             purposes and either stops or creates the next IOTP
             message for the Transaction and sends it together with
             the Signature Block, if present, to the required Trading
             Role

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                     Figure 21 Payment Document Exchange





Burdett                      Informational                    [Page 204]


RFC 2801                       IOTP/1.0                       April 2000


9.1.3.1 Message Processing Guidelines

   On receiving a Payment Request IOTP Message, the Payment Handler
   should check that they are authorised to carry out the Payment (see
   section 6 Digital Signatures). They may then either:

   o  generate and send a Payment Exchange IOTP Message back to the
      Consumer, if more payment protocol messages need to be exchanged,
      or

   o  generate and send a Payment Response IOTP Message if the exchange
      of payment protocol messages is complete, or

   o  indicate failure to continue with the Payment by sending a Cancel
      Block back to the Consumer containing a Status Component with a
      StatusType of Payment, a ProcessState of Failed and the
      CompletionCode (see section 7.16.4) set to either: BrandNotSupp,
      CurrNotSupp, PaymtCancelled, AuthError, InsuffFunds,
      InstBrandInvalid, InstNotValid, BadInstrument or Unspecified.

   On receiving a Payment Exchange IOTP Message, the Consumer may
   either:

   o  generate and send a Payment Exchange Message back to the Payment
      Handler or

   o  indicate failure to continue with the Payment by sending a Cancel
      Block back to the Payment Handler containing a Status Component
      with a StatusType of Payment, a ProcessState of Failed and the
      CompletionCode (see section 7.16.2) set to either: ConsCancelled
      or Unspecified.

   On receiving a Payment Exchange IOTP Message, the Payment Handler may
   either:

   o  generate and send a Payment Exchange IOTP Message back to the
      Consumer, if more payment protocol messages need to be exchanged,
      or

   o  generate and send a Payment Response IOTP Message if the exchange
      of payment protocol messages is complete, or

   o  indicate failure to continue with the Payment by sending a Cancel
      Block back to the Consumer containing a Status Component with a
      StatusType of Payment, a ProcessState of Failed and the
      CompletionCode (see section 7.16.2) set to either: PaymtCancelled
      or Unspecified.




Burdett                      Informational                    [Page 205]


RFC 2801                       IOTP/1.0                       April 2000


   On receiving a Payment Response IOTP Message, the Consumer may
      either:

   o  generate and send the next IOTP Message in the IOTP transaction
      and send it to the required Trading Role. This is dependent on the
      IOTP Transaction,

   o  stop, since the IOTP Transaction has ended, or

   o  indicate failure to continue with the IOTP Transaction by sending
      a Cancel Block back to the Merchant containing a Status Component
      with a StatusType of Payment, a ProcessState of Failed and the
      CompletionCode (see section 7.16.1) set to either: ConsCancelled
      or Unspecified.

   If the Consumer receives an IOTP Message containing a Cancel block,
   then the information contained in the IOTP Message should be reported
   to the Consumer but no further action taken.

   If the Payment Handler receives an IOTP Message containing a Cancel
   block, then the Consumer is likely to go to the CancelNetLocn
   specified on the Trading Role Element in the Organisation Component
   for the Payment Handler from which any further action may take place.

   If the Merchant receives an IOTP Message containing a Cancel block,
   then the Consumer should have completed the payment but not
   continuing with the transaction for some reason. In this case the
   Consumer is likely to go to the CancelNetLocn specified on the
   Trading Role Element in the Organisation Component for the Merchant
   from which any further action may take place.

9.1.3.2 Payment Request IOTP Message

   Apart from a Transaction Reference Block (see section 3.3), this
   message consists of:

   o  a Payment Request Block, and

   o  an optional Signature Block

   PAYMENT REQUEST BLOCK

   The Payment Request Block (see section 8.7) contains:

   o  the following components copied from the Offer Response Block from
      the preceding Offer Document Exchange:

      -  the Status Component



Burdett                      Informational                    [Page 206]


RFC 2801                       IOTP/1.0                       April 2000


      -  the Payment Component for the payment which is being carried
         out

   o  the following components from the TPO Block:

      -  the Organisation Components with the roles of Merchant and for
         the PaymentHandler that is being sent the Payment Request Block

      -  the Brand List Component for the payment, i.e. the Brand List
         referred to by the BrandListRef attribute on the Payment
         Component

   o  one Brand Selection Component for the Brand List, i.e. the Brand
      Selection Component where BrandListRef attribute points to the
      Brand List. This component can be either:

      -  copied from the TPO Selection Block if the payment was preceded
         by a Brand Dependent Offer Document Exchange (see section
         9.1.2.1), or

      -  created by the Consumer, containing the payment brand, payment
         protocol and currency/amount selected from the Brand List, if
         the payment was preceded by a Brand Independent Offer Document
         Exchange (see section 9.1.2.2)

   o  an optional Payment Scheme Component (see section 7.10) if
      required by the payment method used (see the Payment Method
      supplement to determine if this is needed).

   o  zero or more Trading Role Data Components (see section 7.17).

   Note that:

   o  if there is more than one Payment Components in an Offer Response
      Block, then the second payment is the one within the Offer
      Response Block that contains a StartAfter attribute (see section
      7.9) that identifies the Payment Component for the first payment

   o  the Payment Handler to include is identified by the Brand
      Selection Component (see section 7.8) for the payment. Also see
      section 6.3.1 Check Request Block sent Correct Organisation for an
      explanation on how Payment Handlers are identified

   o  the Brand List Component to include is the one identified by the
      BrandListRef attribute of the Payment Component for the identified
      payment





Burdett                      Informational                    [Page 207]


RFC 2801                       IOTP/1.0                       April 2000


   o  the Brand Selection Component to include from the Offer Response
      Block is the one that contains an BrandListRef attribute (see
      section 3.5) which identifies the Brand List Component for the
      second payment.

   SIGNATURE BLOCK (PAYMENT REQUEST)

   If the either the preceding Offer Document Exchange included an Offer
   Response Signature (see section 9.1.2.5 Offer Response IOTP Message),
   or a preceding Payment Exchange included a Payment Response Signature

   (see section 9.1.3.4 Payment Response IOTP Message) then they should
   both be copied to the Signature Block in the Payment Request IOTP
   Message.

9.1.3.3 Payment Exchange IOTP Message

   Apart from a Transaction Reference Block (see section 3.3), this
   message consists of just a Payment Exchange Block.

   PAYMENT EXCHANGE BLOCK

   The Payment Exchange Block (see section 8.8) contains:

   o  one Payment Scheme Component (see section 7.10) which contains
      payment method specific data. See the Payment Method supplement
      for the payment method being used to determine what this should
      contain.

9.1.3.4 Payment Response IOTP Message

   Apart from a Transaction Reference Block (see section 3.3), this
   message consists of:

   o  a Payment Response Block, and

   o  an optional Signature Block

   PAYMENT RESPONSE BLOCK

   The Payment Response Block (see section 8.9) contains:

   o  one Payment Receipt Component (see section 7.11) which contains
      scheme specific data which can be used to verify the payment
      occurred






Burdett                      Informational                    [Page 208]


RFC 2801                       IOTP/1.0                       April 2000


   o  one Payment Scheme Component (see section 7.10) if required which
      contains payment method specific data. See the Payment Method
      supplement for the payment method being used to determine what
      this should contain

   o  an optional Payment Note Component (see section 7.12)

   o  zero or more Trading Role Data Components (see section 7.17).

   SIGNATURE BLOCK (PAYMENT RESPONSE)

   If a signed Payment Receipt is being provided, indicated by the
   SignedPayReceipt attribute of the Payment Component being set to
   True, then the Signature Block should contain a Signature Component
   which contains Digest Elements for the following:

   o  the Transaction Reference Block (see section 3.3) for the IOTP
      Message which contains the first usage of the Payment Response
      Block,

   o  the Transaction Id Component (see section 3.3.1) within the
      Transaction Reference Block that globally uniquely identifies the
      IOTP Transaction,

   o  the Payment Receipt Component from the Payment Response Block,

   o  the Payment Note Component from the Payment Response Block,

   o  the other Components referenced by the PayReceiptNameRefs
      attribute (if present) of the Payment Receipt Component,

   o  the Status Component from the Payment Response Block,

   o  any Trading Role Data Components in the Payment Response Block,
      and

   o  all the Signature Components contained in the Payment Request
      Block if present.

9.1.4 Delivery Document Exchange

   The Delivery Document Exchange is a direct implementation of a
   Delivery Trading Exchange (see section 2.2.3). It consists of:

   o  the Consumer requesting a Delivery by generating Delivery Request
      IOTP Message using information from previous IOTP Messages in the
      Transaction and then sending it to the Delivery Handler




Burdett                      Informational                    [Page 209]


RFC 2801                       IOTP/1.0                       April 2000


   o  the Delivery Handler sending a Delivery Response IOTP Message to
      the Consumer containing details about the Handler's response to
      the request together with an optional signature.

   The message flow is illustrated by the diagram below.

 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
 Consumer
     |  Delivery
     |  Handler
STEP |     |
 1.          Consumer generates Delivery Request Block and sends it to
             the Delivery Handler with the Signature Block if present

     C --> D DELIVERY REQUEST. IotpMsg: Trans Ref Block; Signature
             Block; Delivery Request Block

 2.          Delivery Handler checks the Status and Order Components
             in the Delivery Request and the optional Signatures,
             creates a Delivery Response Block, sends to the Consumer
             and stops.

     C <-- D DELIVERY RESPONSE. IotpMsg: Trans Ref Block; Signature
             Block; Delivery Response Block

3.           Consumer checks Delivery Response Block and optional
             Signature Block are OK. Optionally keeps information on
             IOTP Transaction for record keeping purposes and stops.

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                    Figure 22 Delivery Document Exchange

9.1.4.1 Message Processing Guidelines

   On receiving a Delivery Request IOTP Message, the Delivery Handler
   should check that they are authorised to carry out the Delivery (see
   section 6 Digital Signatures). They may then either:

   o  generate and send a Delivery Response IOTP Message to the
      Consumer, or

   o  indicate failure to continue with the Delivery by sending a Cancel
      Block back to the Consumer containing a Status Component with a
      StatusType of Delivery, a ProcessState of Failed and the
      CompletionCode (see section 7.16.4) set to either: DelivCanceled,
      or Unspecified.




Burdett                      Informational                    [Page 210]


RFC 2801                       IOTP/1.0                       April 2000


   On receiving a Delivery Response IOTP Message, the Consumer should
   just stop since the IOTP Transaction is complete.

   If the Consumer receives an IOTP Message containing a Cancel block,
   then the information contained in the IOTP Message should be reported
   to the Consumer but no further action taken.

9.1.4.2 Delivery Request IOTP Message

   The Delivery Request IOTP Message consists of:

   o  a Delivery Request Block, and

   o  an optional Signature Block

   DELIVERY REQUEST BLOCK

   The Delivery Request Block (see section 8.10) contains:

   o  the following components copied from the Offer Response Block:

      -  the Status Component (see section 7.16)

      -  the Order Component (see section 7.5)

      -  the Organisation Component (see section 7.6) with the roles of:
         Merchant, DeliveryHandler and DeliverTo

      -  the Delivery Component (see section 7.13)

   o  the following Component from the Payment Response Block:

      -  the Status Component (see section 7.16).

   o  zero or more Trading Role Data Components (see section 7.17).

   SIGNATURE BLOCK (DELIVERY REQUEST)

   If the preceding Offer Document Exchange included an Offer Response
   Signature or the Payment Document Exchange included a Payment
   Response Signature, then they should both be copied to the Signature
   Block.

9.1.4.3 Delivery Response IOTP Message

   The Delivery Response IOTP Message contains a Delivery Response Block
   and an optional Signature Block.




Burdett                      Informational                    [Page 211]


RFC 2801                       IOTP/1.0                       April 2000


   DELIVERY RESPONSE BLOCK

   The Delivery Response Block contains:

   o  one Delivery Note Component (see section 7.15) which contains
      delivery instructions about the delivery of goods or services

      in3 SIGNATURE BLOCK (DELIVERY RESPONSE)

      The Signature Block should contain one Signature Component that
      contains Digest elements that refer to

   o  the Transaction Id Component (see section 3.3.1) of the IOTP
      message that contains the Delivery  Response Signature

   o  the Transaction Reference Block (see section 3.3) of the IOTP
      Message that contains the Delivery  Response Signature

   o  the Consumer Delivery Data component contained in the Delivery
      Request Block (if any)

   o  the Signature Components contained in the Delivery Request Block
      (if any)

   o  the Status Component

   o  the Delivery Note Component

9.1.5 Payment and Delivery Document Exchange

   The Payment and Delivery Document Exchange is a combination of the
   last part of the Payment Trading Exchange (see section 2.2.2) and a
   Delivery Trading Exchange (see section 2.2.3). It consists of:

   o  the Consumer requesting that a payment starts by generating
      Payment Request IOTP Message using information from previous IOTP
      Messages in the Transaction and then sending it to the Payment
      Handler

   o  the Payment Handler and the Consumer then swapping Payment
      Exchange IOTP Messages encapsulating payment protocol messages
      until the payment is complete, and finally

   o  the Payment Handler sending to the Consumer in one IOTP Message:

      -  a Payment Response Block containing a receipt for the payment,
         and




Burdett                      Informational                    [Page 212]


RFC 2801                       IOTP/1.0                       April 2000


      -  a Delivery Response Block containing details of the goods or
         services to be delivered

   The IOTP Messages which are involved are illustrated by the diagram
   below.














































Burdett                      Informational                    [Page 213]


RFC 2801                       IOTP/1.0                       April 2000


 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
 Consumer
     |  Payment
     |  Handler
STEP |     |
 1.          Consumer generates Pay Request Block encapsulating a
             payment protocol message if required and sends to Payment
             Handler with the Signature Block if present

     C --> P PAYMENT REQUEST. IotpMsg: Trans Ref Block; Signature
             Block; Pay Request Block

 2.          Payment Handler processes Pay Request Block, checks
             optional signature and starts exchanging payment protocol
             messages encapsulated in a Pay Exchange Block, with the
             Consumer

     C <-> P PAYMENT EXCHANGE. IotpMsg: Trans Ref Block; Pay Exchange
             Block

 3.          Consumer and Payment Handler keep on exchanging Payment
             Exchange blocks until eventually payment protocol
             messages finish so Payment Handler creates a Pay Receipt
             Component inside a Pay Response Block, and an optional
             Signature Component inside a Signature Block, then uses
             information from the Offer Response Bock to create a
             Delivery Response Block and sends both to the Consumer
             and stops.

     C <-- P PAYMENT RESPONSE & DELIVERY RESPONSE. IotpMsg: Trans Ref
             Block; Signature Block; Pay Response Block; Delivery
             Response Block

 4.          Consumer checks Payment Response and Delivery Response
             Blocks are OK. Optionally keeps information on IOTP
             Transaction for record keeping purposes and either stops
             or creates the next IOTP message for the Transaction and
             sends it together with the Signature Block, if present,
             to the required Trading Role

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

              Figure 23 Payment and Delivery Document Exchange








Burdett                      Informational                    [Page 214]


RFC 2801                       IOTP/1.0                       April 2000


   The Delivery Response Block and the Payment Response Block may be
   combined into the same IOTP Message only if the Payment Handler has
   the information available so that she can send the Delivery Response
   Block.  This is likely to, but will not necessarily, occur when the
   Merchant, the Payment Handler and the Delivery Handler Roles are
   combined.

   The DelivAndPayResp attribute of the Delivery Component (see section
   7.13) contained within the Offer Response Block (see section 8.3) is
   set to True if the Delivery Response Block and the Payment Response
   Block are combined into the same IOTP Message and is set to False if
   the Delivery Response Block and the Payment Response Block are sent
   in separate IOTP Messages.

9.1.5.1 Message Processing Guidelines

   On receiving a Payment Request IOTP Message or a Payment Exchange
   IOTP Message, the Payment Handler should carry out the same actions
   as for a Payment Document Exchange (see section 9.1.3.1).

   On receiving a Payment Exchange IOTP Message, the Consumer should
   also carry out the same actions as for a Payment Document Exchange
   (see section 9.1.3.1).

   On receiving a Payment Response and Delivery Response IOTP Message
   then the IOTP Transaction is complete and should take no further
   action.

   If the Consumer receives an IOTP Message containing a Cancel block,
   then the information contained in the IOTP Message should be reported
   to the Consumer but no further action taken.

   If the Payment Handler receives an IOTP Message containing a Cancel
   block, then the Consumer is likely to go to the CancelNetLocn
   specified on the Trading Role Element in the Organisation Component
   for the Payment Handler from which any further action may take place.

   If the Merchant receives an IOTP Message containing a Cancel block,
   then the Consumer should have completed the payment but not
   continuing with the transaction for some reason. In this case the
   Consumer is likely to go to the CancelNetLocn specified on the
   Trading Role Element in the Organisation Component for the Merchant
   from which any further action may take place.

9.1.5.2 Payment Request IOTP Message

   The content of this message is the same as for a Payment Request IOTP
   Message in a Payment Document Exchange (see section 9.1.3.2).



Burdett                      Informational                    [Page 215]


RFC 2801                       IOTP/1.0                       April 2000


9.1.5.3 Payment Exchange IOTP Message

   The content of this message is the same as for a Payment Exchange
   IOTP Message in a Payment Document Exchange (see section 9.1.3.3).

9.1.5.4 Payment Response and Delivery Response IOTP Message

   The content of this message consists of:

   o  a Payment Response Block,

   o  an optional Signature Block (Payment Response), and

   o  a Delivery Response Block.

   PAYMENT RESPONSE BLOCK

   The content of this block is the same as the Payment Response Block
   in the Payment Response IOTP Message associated with a Payment
   Document Exchange (see section 9.1.3.4).

   SIGNATURE BLOCK (PAYMENT RESPONSE)

   The content of this block is the same as the Signature Block (Payment
   Response) in the Payment Response IOTP Message associated with a
   Payment Document Exchange (see section 9.1.3.4).

   DELIVERY RESPONSE BLOCK

   The content of this block is the same as the Delivery Response Block
   in the Delivery Response IOTP Message associated with a Delivery
   Document Exchange (see section 9.1.4.3).

9.1.6 Baseline Authentication IOTP Transaction

   A Baseline Authentication IOTP Transaction may occur at any time
   between any of the Trading Roles involved in IOTP Transactions. This
   means it could occur:

   o  before another IOTP Transaction

   o  at the same time as another IOTP Transaction

   o  independently of any other IOTP Transaction.

   The Baseline Authentication IOTP Transaction consists of just an
   Authentication Document Exchange (see section 9.1.1) as illustrated
   by the diagram below.



Burdett                      Informational                    [Page 216]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

   START -------------------------------------------------------
                                                                v
                                                       ----------------
                                                      | AUTHENTICATION |
                                                       ----------------
                                                                 |
                                                                 |
                                                                 |
                                                                 |
                  -------------------     -----------------      |
                 | BRAND INDEPENDENT |   | BRAND DEPENDENT |     |
                 |       OFFER       |   |      OFFER      |     |
                  -------------------     -----------------      |
                                                                 |
                                                                 |
                                                                 |
                                                                 |
                                                                 |
                      ---------           --------------         |
                     | PAYMENT |         | PAYMENT WITH |        |
                     | (first) |         |   DELIVERY   |        |
                      ---------           --------------         |
                                                                 |
                                                                 |
                                                                 |
         ----------        ---------                             |
        | DELIVERY |      | PAYMENT |                            |
        |          |      | {second)|                            |
         ----------        ---------                             |
                                                                 v
                                                               STOP

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

               Figure 24 Baseline Authentication IOTP Transaction

   Example uses of the Baseline Authentication IOTP Transaction include:

   o  when the Baseline Authentication IOTP Transaction takes place as
      an early part of a session where strong continuity exists. For
      example, a Financial Institution could:

      -  set up a secure channel (e.g., using [SSL/TLS]) with a customer

      -  authenticate the customer using the Baseline Authentication
         IOTP Transaction, and then



Burdett                      Informational                    [Page 217]


RFC 2801                       IOTP/1.0                       April 2000


      -  provide the customer with access to account information and
         other services with the confidence that they are communicating
         with a bona fide customer.

   o  as a means of providing a Merchant role with Organisation
      Components that contain information about Consumer and DelivTo
      Trading Roles

   o  so that a Consumer may authenticate a Payment Handler before
      starting a payment.

9.1.7 Baseline Deposit IOTP Transaction

   The Baseline Deposit IOTP Transaction supports the deposit of
   electronic cash with a Financial Institution.

   Note: The Financial Institution has, in IOTP terminology, a role of
   merchant in that a service (i.e. a deposit of electronic cash) is
   being offered in return for a fee, for example bank charges of some
   kind. The term "Financial Institution" is used in the diagrams and in
   the text for clarity.

   The Baseline Deposit IOTP Transaction consists of the following
   Document Exchanges:

   o  an optional Authentication Document Exchange (see section 9.1.1)

   o  an Offer Document Exchange (see section 9.1.2), and

   o  a Payment Document Exchange (see section 9.1.3).

   The way in which these Document Exchanges may be combined together is
   illustrated by the diagram below.


















Burdett                      Informational                    [Page 218]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

   START -----------------------------------------------------
      |                                                       v
      |                                                ----------------
      |                                               | AUTHENTICATION |
      |                                                ----------------
       --------------------------------------               |
                       |                     |              |
                       |      -------------- | -------------
                       v      v              v      v
                  -------------------     -----------------
                 | BRAND INDEPENDENT |   | BRAND DEPENDENT |
                 |       OFFER       |   |      OFFER      |
                  -------------------     -----------------
                        |                        |
                        |                        |
                        |                        |
                        |     -------------------
                        v    v
                      ---------           --------------
                     | PAYMENT |         | PAYMENT WITH |
                     | (first) |         |   DELIVERY   |
                      ---------           --------------
                          |
                           ----------------
                                           |
         ----------        ---------       |
        | DELIVERY |      | PAYMENT |      |
        |          |      | {second)|      |
         ----------        ---------       |
                                           |
                                            -----------------> STOP

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                   Figure 25 Baseline Deposit IOTP Transaction

   See section 9.1.12 "Valid Combinations of Document Exchanges" to
   determine which combination of document exchanges apply to a
   particular instance of an IOTP Transaction

   Note that:

   o  a Merchant (Financial Institution) may be able to accept a deposit
      in several different types of electronic cash although, since the
      Consumer role that is depositing the electronic cash usually knows
      what type of cash they want to deposit, it is usually constrained



Burdett                      Informational                    [Page 219]


RFC 2801                       IOTP/1.0                       April 2000


      in practice to only one type. However, there may be several
      different protocols which may be used for the same "brand" of
      electronic cash. In this case a Brand Dependent Offer may be
      appropriate to negotiate the protocol to be used.

   o  the Merchant (Financial Institution) may use the results of the
      authentication to identify not only the consumer but also the
      account to which the payment is to be deposited. If no single
      account can be identified, then it must be obtained by other
      means. For example:

      -  the consumer could specify the account number prior to the
         Baseline Deposit IOTP Transaction starting, or

      -  the consumer could have been identified earlier, for example
         using a Baseline Authentication IOTP Transaction, and an
         account selected from a list provided by the Financial
         Institution.

   o  The Baseline Deposit IOTP Transaction without an Authentication
      Document Exchange might be used:

      -  if a previous IOTP transaction, for example a Baseline
         Withdrawal or a Baseline Authentication, authenticated the
         consumer, and a secure channel has been maintained, therefore
         the authenticity of the consumer is known

      -  if authentication is achieved as part of a proprietary payment
         protocol and is therefore included in the Payment Document
         Exchange

      -  if authentication of the consumer has been achieved by some
         other means outside of the scope of IOTP, for example, by using
         a pass phrase, or a proprietary banking software solution.

9.1.8 Baseline Purchase IOTP Transaction

   The Baseline Purchase IOTP Transaction supports the purchase of goods
   or services using any payment method. It consists of the following
   Document Exchanges:

   o  an optional Authentication Document Exchange (see section 9.1.1)

   o  an Offer Document Exchange (see section 9.1.2)

   o  either:

      -  a Payment Document Exchange (see section 9.1.3) followed by



Burdett                      Informational                    [Page 220]


RFC 2801                       IOTP/1.0                       April 2000


      -  a Delivery Document Exchange (see section 9.1.4)

   o  a Payment Document Exchange only, or

   o  a combined Payment and Delivery Document Exchange (see section
      9.1.5).

   The ways in which these Document Exchanges are combined is
   illustrated by the diagram below.

   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

   START -----------------------------------------------------
      |                                                       v
      |                                                ----------------
      |                                               | AUTHENTICATION |
      |                                                ----------------
       --------------------------------------               |    |
                       |                     |              |    |
                       |      -------------- | -------------     |
                       v      v              v      v            |
                  -------------------     -----------------      |
                 | BRAND INDEPENDENT |   | BRAND DEPENDENT |     |
                 |       OFFER       |   |      OFFER      |     |
                  -------------------     -----------------      |
                        |    |                   |   |           |
                        |     ---------------    |   |           |
                        |                    |   |   |           |
                        |     -------------- | --    |           |
                        v    v               v       v           |
                      ---------           --------------         |
                     | PAYMENT |         | PAYMENT WITH |        |
                     | (first) |         |   DELIVERY   |        |
                      ---------           --------------         |
                          |                      |               |
              -----------------------------      |               |
              v                            |     |               |
         ----------        ---------       |     |               |
        | DELIVERY |      | PAYMENT |      |     |               |
        |          |      | {second)|      |     |               |
         ----------        ---------       |     |               |
              |                            |     |               v
               ----------------------------------------------> STOP

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                  Figure 26 Baseline Purchase IOTP Transaction




Burdett                      Informational                    [Page 221]


RFC 2801                       IOTP/1.0                       April 2000


   See section 9.1.12 "Valid Combinations of Document Exchanges" to
   determine which combination of document exchanges apply to a
   particular instance of an IOTP Transaction.

9.1.9 Baseline Refund IOTP Transaction

   In business terms the refund process typically consists of:

   o  a request for a refund being made by the Consumer to the Merchant,
      typically supported by evidence to demonstrate:

      -  the original trade took place, for example by providing a
         receipt for the original transaction

      -  using some type of authentication, that the consumer requesting
         the refund is the consumer, or a representative of the
         consumer, who carried out the original trade

      -  the reason why the merchant should make the refund

   o  the merchant agreeing (or not) to the refund. This may involve
      some negotiation between the Consumer and the Merchant, and, if
      the merchant agrees,

   o  a refund payment by the Merchant to the Consumer.

   The Baseline Refund IOTP Transaction supports a subset of the above,
   specifically it supports:

   o  stand alone authentication of the Consumer using a separate
      Baseline Authentication IOTP Transaction (see section 9.1.6)

   o  a refund payment by the Merchant to the Consumer using the
      following two Trading Exchanges:

      -  an optional Authentication Document Exchange (see section
         9.1.1)

      -  an Offer Document Exchange (see section 9.1.2), and

      -  a Payment Document Exchange (see section 9.1.3).

   The ways in which these Document Exchanges are combined is
   illustrated by the diagram below.







Burdett                      Informational                    [Page 222]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

   START -----------------------------------------------------
      |                                                       v
      |                                                ----------------
      |                                               | AUTHENTICATION |
      |                                                ----------------
       --------------------------------------               |
                       |                     |              |
                       |      -------------- | -------------
                       v      v              v      v
                  -------------------     -----------------
                 | BRAND INDEPENDENT |   | BRAND DEPENDENT |
                 |       OFFER       |   |      OFFER      |
                  -------------------     -----------------
                        |                        |
                        |                        |
                        |                        |
                        |     -------------------
                        v    v
                      ---------           --------------
                     | PAYMENT |         | PAYMENT WITH |
                     | (first) |         |   DELIVERY   |
                      ---------           --------------
                          |
                           ----------------
                                           |
         ----------        ---------       |
        | DELIVERY |      | PAYMENT |      |
        |          |      | {second)|      |
         ----------        ---------       |
                                           |
                                            -----------------> STOP

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                   Figure 27 Baseline Refund IOTP Transaction

   A Baseline Refund IOTP Transaction without an Authentication Document
   Exchange might be used:

   o  when authentication of the consumer has been achieved by some
      other means, for example, the consumer has entered some previously
      supplied code in order to identify herself and the refund to which
      the code applies. The code could be supplied, for example on a web
      page or by e-mail.





Burdett                      Informational                    [Page 223]


RFC 2801                       IOTP/1.0                       April 2000


   o  when a previous IOTP transaction, for example a Baseline
      Authentication, authenticated the consumer, and a secure channel
      has been maintained, therefore the authenticity of the consumer is
      known and therefore the previously agreed refund can be
      identified.

   o  when the authentication of the consumer is carried out by the
      Payment Handler using a payment scheme authentication algorithm.

9.1.10 Baseline Withdrawal IOTP Transaction

   The Baseline Withdrawal IOTP Transaction supports the withdrawal of
   electronic cash from a Financial Institution.

   Note: The Financial Institution has, in IOTP terminology, a role of
   merchant in that a service (i.e. a withdrawal of electronic cash) is
   being offered in return for a fee, for example bank charges of some
   kind. The term "Financial Institution" is used in the diagrams and in
   the text for clarity.

   The Baseline Withdrawal IOTP Transaction consists of the following
   Document Exchanges:

   o  an optional Authentication Document Exchange (see section 9.1.1)

   o  an Offer Document Exchange (see section 9.1.2), and

   o  a Payment Document Exchange (see section 9.1.3).

   The way in which these Document Exchanges may be combined together is
   illustrated by the diagram below.




















Burdett                      Informational                    [Page 224]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

   START -----------------------------------------------------
      |                                                       v
      |                                                ----------------
      |                                               | AUTHENTICATION |
      |                                                ----------------
       --------------------------------------               |
                       |                     |              |
                       |      -------------- | -------------
                       v      v              v      v
                  -------------------     -----------------
                 | BRAND INDEPENDENT |   | BRAND DEPENDENT |
                 |       OFFER       |   |      OFFER      |
                  -------------------     -----------------
                        |                        |
                        |                        |
                        |                        |
                        |     -------------------
                        v    v
                      ---------           --------------
                     | PAYMENT |         | PAYMENT WITH |
                     | (first) |         |   DELIVERY   |
                      ---------           --------------
                          |
                           ----------------
                                           |
         ----------        ---------       |
        | DELIVERY |      | PAYMENT |      |
        |          |      | {second)|      |
         ----------        ---------       |
                                           |
                                            -----------------> STOP

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                 Figure 28 Baseline Withdrawal IOTP Transaction

   Note that:

   o  a Merchant (Financial Institution) may be able to offer withdrawal
      of several different types of electronic cash. In practice usually
      only one form of electronic cash may be offered. However, there
      may be several different protocols which may be used for the same
      "brand" of electronic cash.






Burdett                      Informational                    [Page 225]


RFC 2801                       IOTP/1.0                       April 2000


   o  the Merchant (Financial Institution) may use the results of the
      authentication to identify not only the consumer but also the
      account from which the withdrawal is to be made. If no single
      account can be identified, then it must be obtained by other
      means. For example:

      -  the consumer could specify the account number prior to the
         Baseline Withdrawal IOTP Transaction starting, or

      -  the consumer could have been identified earlier, for example
         using a Baseline Authentication IOTP Transaction, and an
         account selected from a list provided by the Financial
         Institution.

   o  a Baseline Withdrawal without an authentication might be used:

      -  if a previous IOTP transaction, for example a Baseline Deposit
         or a Baseline Authentication, authenticated the consumer, and a
         secure channel has been maintained, therefore the authenticity
         of the consumer is known

      -  if authentication is achieved as part of a proprietary payment
         protocol and is therefore included in the Payment Document
         Exchange

      -  if authentication of the consumer has been achieved by some
         other means, for example, by using a pass phrase, or a
         proprietary banking software solution.

9.1.11 Baseline Value Exchange IOTP Transaction

   The Baseline Value Exchange Transaction uses Payment Document
   Exchanges to support the exchange of value in one currency obtained
   using one payment method with value in the same or another currency
   using the same or another payment method. Examples of its use
   include:

   o  electronic cash advance on a credit card. For example the first
      payment could be a "dollar SET Payment" using a credit card with
      the second payment being a download of Visa Cash e-cash in
      dollars.

   o  foreign exchange using the same payment method. For example the
      payment could be an upload of Mondex value in British Pounds and
      the second a download of Mondex value in Euros






Burdett                      Informational                    [Page 226]


RFC 2801                       IOTP/1.0                       April 2000


   o  foreign exchange using different payment methods. For example the
      first payment could be a SET payment in Canadian Dollars followed
      a download of GeldKarte in Deutchmarks.

   The Baseline Value Exchange uses the following Document Exchanges:

   o  an optional Authentication Document Exchange (see section 9.1.1)

   o  an Offer Document Exchange (see section 9.1.2), which provides
      details of what values and currencies will be exchanged, and

   o  two Payment Document Exchanges (see section 9.1.3) which carry out
      the two payments involved.

   The way in which these Document Exchanges may be combined together is
   illustrated by the diagram below.



































Burdett                      Informational                    [Page 227]


RFC 2801                       IOTP/1.0                       April 2000


   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

   START -----------------------------------------------------
      |                                                         v
      |                                                ----------------
      |                                               | AUTHENTICATION |
      |                                                ----------------
       --------------------------------------               |
                       |                     |              |
                       |      -------------- | -------------
                       v      v              v      v
                  -------------------     -----------------
                 | BRAND INDEPENDENT |   | BRAND DEPENDENT |
                 |       OFFER       |   |      OFFER      |
                  -------------------     -----------------
                        |                        |
                        |                        |
                        |                        |
                        |     -------------------
                        v    v
                      ---------           --------------
                     | PAYMENT |         | PAYMENT WITH |
                     | (first) |         |   DELIVERY   |
                      ---------           --------------
                          |
                           ----
                               v
         ----------        ---------
        | DELIVERY |      | PAYMENT |
        |          |      | {second)|
         ----------        ---------
                               |
                                -----------------------------> STOP

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

               Figure 29 Baseline Value Exchange IOTP Transaction














Burdett                      Informational                    [Page 228]


RFC 2801                       IOTP/1.0                       April 2000


   The Baseline Value Exchange IOTP Transaction occurs in two basic
   forms:

   o  Brand Dependent Value Exchange. Where the content of the offer,
      for example the rate at which one form of value is exchanged for
      another, is dependent on the payment brands and protocols selected
      by the consumer, and

   o  Brand Independent Value Exchange. Where the content of the offer
      is not dependent on the payment brands and protocols selected.

   Note: In the above the role is a Merchant even though the
   Organisation carrying out the Value Exchange may be a Bank or some
   other Financial Institution. This is because the Bank is acting as a
   merchant in that they are making an offer which the Consumer can
   either accept or decline.

   The TPO Block and Offer Response Block may only be combined into the
   same IOTP Message if the content of the Offer Response Block does not
   change as a result of selecting the payment brands and payment
   protocols to be used in the Value Exchange.

   BASELINE VALUE EXCHANGE SIGNATURES

   The use of signatures to ensure the integrity of a Baseline Value
   Exchange is illustrated by the diagram below.

























Burdett                      Informational                    [Page 229]


RFC 2801                       IOTP/1.0                       April 2000


*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

Signature generated                  IotpMsg (TPO)
by Merchant ensures                  - Trans Ref Block
integrity of the Offer -------->  -  - Signature Block
                                 |   - TPO Block              MERCHANT
                                 |   - Offer Response Block
                                 |
Signature generated by           |
the Payment Handler of           |   IotpMsg (Pay Resp 1)
the first payment binds          |   - Trans Ref Block         PAYMENT
Pay Receipt for the first ----->  -> - Signature Block -----   HANDLER
payment to the Offer                 - Pay Response Block 1 |    1
                                                            |
Signature generated by                                      |
the Payment Handler of           IotpMsg (Pay Resp 2)       |  PAYMENT
the second payment binds           - Trans Ref Block        |  HANDLER
the second payment to the ----->   - Signature Block <------     2
first payment and therefore        - Pay Response Block 2
to the Offer

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

              Figure 30 Baseline Value Exchange Signatures

9.1.12 Valid Combinations of Document Exchanges

   The following diagram illustrates the data conditions in the various
   IOTP messages which can be used by a Consumer Trading Role to
   determine whether the combination of Document Exchanges are valid.

   *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

   START
     |
     v
   Auth Request Block in  =TRUE
    first IOTP Message ? ---------------------------------------
      | = FALSE                                                 |
      v                                                         v
   Offer Response Block in                             ----------------
     first IOTP Message ?                             | AUTHENTICATION |
      |=TRUE         |=FALSE                           ----------------
      |              |                                        |
      |              |                                        v






Burdett                      Informational                    [Page 230]


RFC 2801                       IOTP/1.0                       April 2000


      |                ----------------------       TPO & Offer Response
       -------------                         |   Blocks in last IOTP Msg
                    |                        |     |=TRUE        |=FALSE
                    |                        |     |             v
                    |          ------------- | ----    TPO Block only if
                    |         |              |         last IOTP Message
                    |         |              |         of Authentication
                    |         |              |          |=TRUE   |=FALSE
                    v         v              v          v        |
                  -------------------     -----------------      |
                 | BRAND INDEPENDENT |   | BRAND DEPENDENT |     |
                 |       OFFER       |   |      OFFER      |     |
                  -------------------     -----------------      |
                          |                   |                  |
                          v                   v                  |
                       Offer Response Block contains             |
                             Delivery Component ?                |
                            |=FALSE        |=TRUE                |
                         ---               v                     |
                        |        Value of DelivAndPayResp        |
                        |    attribute of Delivery Component ?   |
                        |    |=FALSE         |=TRUE              |
                        |    |               |                   |
                        v    v               v                   |
                      ---------           --------------         |
                     | PAYMENT |         | PAYMENT WITH |        |
                     | (first) |         |   DELIVERY   |        |
                      ---------           --------------         |
                          |                      |               |
                          v                      |               |
            Offer and Response Block contains     -------------->|
                  Delivery Component ?                           |
                  |=TRUE           |=FALSE                       |
                  |                v                             |
                  |         Two Payment Components               |
                  |      present in Offer Response Block?        |
                  |           |=TRUE             |=FALSE         |
                  v           v                  |               |
         ----------        ---------             |               |
        | DELIVERY |      | PAYMENT |            |               |
        |          |      | {second)|            |               |
         ----------        ---------             |               |
              |                |                 |               v
               ----------------------------------------------> STOP

   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

               Figure 31 Valid Combinations of Document Exchanges



Burdett                      Informational                    [Page 231]


RFC 2801                       IOTP/1.0                       April 2000


   1) If first IOTP Message of an IOTP Transaction contains an
      Authentication Request then:

      a) IOTP Transaction includes an Authentication Document Exchange
         (see section 9.1.1). (Note 1)

      b) If the last IOTP Message of the Authentication Document
         Exchange includes a TPO Block and an Offer Response Block then:

         i) IOTP Transaction includes a Brand Independent Offer Document
            Exchange (see section 9.1.2.2). (Note 2)

      c) Otherwise, if the last IOTP Message of the Authentication
         Exchange includes a TPO Block but NO Offer Response Block,
         then:

         i) IOTP Transaction includes a Brand Dependent Offer Document
            Exchange (see section 9.1.2.1). (Note 2)

      d) Otherwise (Authentication Status IOTP Message of the
         Authentication Document Exchange contains neither a TPO Block
         but nor an Offer Response Block)

         i) IOTP Transaction consists of just an Authentication Document
            Exchange. (Note 3)

   2) Otherwise (no Authentication Request in first IOTP Message):

      e) IOTP Transaction does not include an Authentication Document
         Exchange (Note 2)

      f) If first IOTP Message contains an Offer Response Block, then:

         i) the IOTP Transaction contains a Brand Independent Offer
            Document Exchange (Note 2)

      g) Otherwise (no Offer Response Block in first IOTP Message):

         i) the IOTP Transaction includes a Brand Dependent Offer
            Document Exchange (Note 2)

   3) If an Offer Response Block exists in any IOTP message then:

      h) If the Offer Response Block contains a Delivery Component then:

         i) If the DelivAndPayResp attribute of the Delivery Component
            is set to True, then:




Burdett                      Informational                    [Page 232]


RFC 2801                       IOTP/1.0                       April 2000


            (1) the IOTP Transaction consists of a Payment And Delivery
                Document Exchange (see section 9.1.5) (Note 4)

        ii) otherwise (the DelivAndPayResp attribute of the Delivery
            Component is set to False)

            (1) the IOTP Transaction consists of a Payment Document
                Exchange (see section 9.1.3) followed by a Delivery
                Document Exchange (see section 9.1.4) (Note 4)

      i) otherwise (the Offer Response Block does not contain a Delivery
         Component)

         i) if the Offer Response Block contains just one Payment
            Component, then:

            (1) the IOTP Transaction contains just one Payment Document
                Exchange (Note 5)

        ii) if the Offer Response Block contains two Payment Components,
            then:

            (1) the IOTP Transaction contains two Payment Document
                Exchanges.  The StartAfter attribute of the Payment
                Components is used to indicate which payment occurs
                first (Note 6)

       iii) if the Offer Response Block contains no or more than two
            Payment Components, then there is an error

   4) Otherwise (no Offer Response Block) there is an error.

   The following table indicates the types of IOTP Transactions which
   can validly have the conditions indicated above.

   Note                     IOTP Transaction Validity

   1. Any Payment and Authentication IOTP Transaction

   2. Any Payment and Authentication IOTP Transaction except Baseline
      Authentication

   3. Either Baseline Authentication, or a Baseline Purchase, Refund,
      Deposit, Withdrawal or Value Exchange with a failed Authentication

   4. Baseline Purchase only

   5. Baseline Purchase, Refund, Deposit or Withdrawal



Burdett                      Informational                    [Page 233]


RFC 2801                       IOTP/1.0                       April 2000


   6. Baseline Value Exchange only

9.1.13 Combining Authentication Transactions with other Transactions

   In the previous sections an Authentication Document Exchange is shown
   preceding an Offer Document Exchange as part of a single IOTP
   Transaction with the same IOTP Transaction Id.

   It is also possible to run a separate Authentication Transaction at
   any point, even in parallel with another IOTP Transaction. Typically
   this will be used:

   o  by a Consumer to authenticate a Merchant, Payment Handler or a
      Delivery Handler, or

   o  by a Payment Handler or Delivery Handler to authenticate a
      Consumer.

   In outline the basic process consists of:

   o  the Trading Role that decides it wants to carry out an
      authentication of another role suspends the current IOTP
      transaction being carried out

   o  a stand-alone Authentication transaction is then carried out. This
      may, at implementer's option, be linked to the original IOTP
      Transaction using a Related To Component (see section 3.3.3) in
      the Transaction Reference Block.

   o  if the Authentication transaction is successful, then the original
      IOTP Transaction is restarted

   o  if the Authentication fails then the original IOTP Transaction is
      cancelled.

   For example, a Consumer could:

   o  authenticate the Payment Handler for a Payment between receiving
      an Offer Response from a Merchant and before sending the Payment
      Request to that Payment Handler

   o  authenticate a Delivery Handler for a Delivery between receiving
      the Payment Response from a Payment Handler and before sending the
      Delivery Request

   A Payment Handler could authenticate a Consumer after receiving the
   Payment Request and before sending the next Payment related message.




Burdett                      Informational                    [Page 234]


RFC 2801                       IOTP/1.0                       April 2000


   A Delivery Handler could authenticate a Consumer after receiving the
   Delivery Request and before sending the Delivery Response.

   Note: Some Payment Methods may carry out an authentication within the
   Payment Exchange. In this case the information required to carry out
   the authentication will be included in Payment Scheme Components.

   In this instance IOTP aware application will not be aware that an
   authentication has occurred since the Payment Scheme Components that
   contain authentication request information will be indistinguishable
   from other Payment Scheme Components.

9.2 Infrastructure Transactions

   Infrastructure Transactions are designed to support inquiries about
   whether or not a transaction has succeeded or a Trading Role's
   servers are operating correctly. There are two types of transaction:

   o  a Transaction Status Inquiry Transaction which provides
      information on the status of an existing or complete IOTP
      transaction, and

   o  Ping Transaction that enables one IOTP aware application to
      determine if the IOTP aware application at another Trading Role is
      operating and verify whether or not signatures can be handled.

   Each of these is described below

9.2.1 Baseline Transaction Status Inquiry IOTP Transaction

   The Baseline IOTP Transaction Status Inquiry provides information on
   the status of an existing or complete IOTP transaction.

   The Trading Blocks used by the Baseline Transaction Status Inquiry
   Transaction are:

   o  an Inquiry Request Trading Block (see section 8.12),

   o  an Inquiry Response Trading Block (see section 8.13)

   o  an optional Signature Block (see section 8.16).

   The Inquiry IOTP Transaction can be used for a variety of reasons.
   For example:

   o  to help in resuming a suspended transaction to determine the
      current state of processing of one of the other roles,




Burdett                      Informational                    [Page 235]


RFC 2801                       IOTP/1.0                       April 2000


   o  for a merchant to determine if a payment, delivery, etc., was
      completed.  For example, a Consumer might claim that payment was
      made but no signed IOTP payment receipt was available to prove it.
      If the Merchant makes an inquiry of the Payment Handler then the
      Merchant can determine whether or not payment was made.

   Note: Inquiries on Baseline Ping IOTP Transactions (see section
   9.2.2) are ignored.

   MAKING INQUIRIES OF ANOTHER TRADING ROLE

   One Trading Role may make an inquiry of any other Trading Role at any
   point in time.

   IOTP aware software that supports the Consumer Trading Role may not:

   o  digitally sign a response if requested, since it may not have the
      capability, or

   o  respond to an Inquiry Request at all since it may not be on-line,
      or may consider that the request is not reasonable since, for
      example, the Request was not digitally signed.

   As a guideline:

   o  the Consumer should send a Transaction Status Inquiry Block to a
      Trading Role only after the following events have occurred:

      - to the Merchant, after sending a TPO Selection Block,

      - to the Payment Handler, after sending a Payment Request Block,

      - to the Delivery Handler, after sending a Delivery Request Block,

   o  other Trading Roles should send a Transaction Status Inquiry Block
      to the Consumer only after receiving a message from the Consumer
      and before sending the final "Response" message to the Consumer

   o  there are no restrictions on non-Consumer Trading Roles sending
      Inquiries to other trading roles.

   TRANSACTION STATUS INQUIRY TRANSPORT SESSION

   For a Transaction Status Inquiry on an ongoing transaction a
   different transport session from the ongoing transaction is used. For
   a Transaction Status Inquiry on a past transaction, how the IOTP





Burdett                      Informational                    [Page 236]


RFC 2801                       IOTP/1.0                       April 2000


   module on the software at the Trading Role is started upon the
   receipt of Inquiry Request message is defined in each Mapping to
   Transport supplement for IOTP.

   TRANSACTION STATUS INQUIRY ERROR HANDLING

   Errors in a Transaction Status Inquiry can be categorised into one of
   the following three cases:

   o  Business errors (see section 4.2) in the original (inquired)
      messages

   o  Technical errors (see section 4.1) - both IOTP and payment scheme
      specific ones - in the original IOTP (inquired) messages

   o  Technical errors in the message containing the Inquiry Request
      Block itself

   The following outlines what the software should do in each case

   BUSINESS ERRORS IN THE ORIGINAL MESSAGES

   Return an Inquiry Response Block containing the Status Component
   which was last sent to the Consumer Role.

   TECHNICAL ERRORS IN THE ORIGINAL MESSAGES

   Return an Inquiry Response Block containing a Status Component. The
   Status Component should contain a ProcessState attribute set to
   ProcessError. In this case send back an Error Block indicating where
   the error was found in the original message.

   TECHNICAL ERRORS IN THE INQUIRY REQUEST BLOCK

   Return an Error message. That is, send back an Error Block containing
   the Error Code (see section 7.21.2) which describes the nature of the
   error in the Inquiry Request message.

   INQUIRY TRANSACTION MESSAGES

   The following Figure outlines the Baseline IOTP Transaction Status
   Inquiry process.









Burdett                      Informational                    [Page 237]


RFC 2801                       IOTP/1.0                       April 2000


 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*

   1st Role
     |  2nd Role
STEP |     |
 1.          The first role decides to inquire on an IOTP Transaction
             by, for example, clicking on the inquiry button of an
             IOTP Aware Application. This will then generate an
             Inquiry Request Block and send it to the appropriate
             Trading Role.

     1 --> 2 INQUIRY REQUEST. IotpMsg: TransRef Block; Signature Block
             (optional); Inquiry Request Block

 2.          The Trading Role checks the digital signature (if
             present). If the recipient wants to respond, then the
             Trading Role checks the transaction status of the
             transaction that is being inquired upon by using the
             IotpTransId in the Transaction ID Component of the
             Transaction Reference Block, then generates the
             appropriate Inquiry Response Block, sends the message
             back to the 1st Role and stops

     1 <-- 2 INQUIRY RESPONSE. IotpMsg: TransRef Block; Inquiry
             Response Block; Signature Block (Optional)

3.           First role checks the Inquiry Response Block and optional
             signature, takes whatever action is appropriate or
             perhaps stops. This may include displaying status
             information to the end user.

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                Figure 32 Baseline Transaction Status Inquiry


   The remainder of this sub-section on the Baseline Transaction Status
   Inquiry IOTP Transaction defines the contents of each Trading Block.
   Note that the term "original transaction" is the transaction which a
   trading role wants to discover some information about.

   TRANSACTION REFERENCE BLOCK

   A Trading Role making an inquiry must use a Transaction Id Component
   (see section 3.3.1) where both the IotpTransId and TransTimeStamp
   attributes are the same as in the Transaction Id Component of the
   original transaction that is being inquired upon. The IotpTransId
   attribute in this component serves as the key in querying the



Burdett                      Informational                    [Page 238]


RFC 2801                       IOTP/1.0                       April 2000


   transaction logs maintained at the Trading Role's site. The value of
   the ID attribute of the Message Id Component should be different from
   those of any in the original transaction (see section 3.4.1).

   If up-to-date status information is required then the MsgId
   Component, and in particular the ID attribute for the MsgId Component
   must be different from any other IOTP Message that has been sent by
   the Trading Role. This is required because of the way that
   Idempotency is handled by IOTP (see section 4.5.2.2 Checking/Handling
   Duplicate Messages).

   INQUIRY REQUEST BLOCK

   The Inquiry Request Block (see section 8.12) contains the following
   components:

   o  one Inquiry Type Component (see section 7.18). This identifies
      whether the inquiry is on an offer, payment, or delivery.

   o  zero or one Payment Scheme Components (see section 7.10). This is
      for encapsulating payment scheme specific inquiry messages for
      inquiries on a payment.

   SIGNATURE BLOCK (INQUIRY REQUEST)

   If a signature block is present on the message containing the Inquiry
   Request Block then it may be checked to determine if the Inquiry
   Request is authorised.

   If present, the Inquiry Request Signature Block (see section 8.12)
   contains the following components:

   o  one Signature Component (see section 7.19)

   o  one or more Certificate Components, if required.

   Inquiry Response Blocks should only be generated if the Transaction
   is authorised.

   Note: Digital signatures on an Inquiry Request is only likely to
   occur if the recipient of the request expects the Inquiry Request to
   be signed. In this version of IOTP this will require some kind of
   pre-existing agreement. This means that:

   o  Consumers are unlikely to generate requests with signatures,
      although it is not an error if they do





Burdett                      Informational                    [Page 239]


RFC 2801                       IOTP/1.0                       April 2000


   o  the other trading roles may agree that digital signatures are
      required. For example a Payment Handler may require that an
      Inquiry Request is digitally signed by the Merchant so that they
      can check that the request is valid.

   On the other hand if the original transaction to which the Inquiry
   relates was carried out over a secure channel (e.g., [SSL]) then it
   is probably reasonable to presume that if the sender of the Inquiry
   knows the Transaction Id component of the original message (including
   for example the timestamp) then the inquiry is likely to be genuine.

   INQUIRY RESPONSE BLOCK

   The Inquiry Response Block (see section 8.13) contains the following
   components:

   o  one Status Component (see section 7.16). This component holds the
      status information on the inquired transaction,

   o  zero or one Payment Scheme Components. These contain encapsulated
      payment scheme specific inquiry messages for inquiries on payment.

   SIGNATURE BLOCK (INQUIRY RESPONSE)

   If a signature block is present on the message containing the Inquiry
   Response Block then it may be checked by the receiver of the block to
   determine if the Inquiry Response is valid.

   If present, the Inquiry Response Signature Block (see section 8.13)
   contains the following components:

   o one Signature Component (see section 7.19)

   o one or more Certificate Components, if required.

   Note: Digital signatures on an Inquiry Response is only likely to
   occur if the recipient of the response expects the Inquiry Request to
   be signed. In this version of IOTP this will require some kind of
   pre-existing agreement. This means that:

   o  Consumers are unlikely to generate responses with signatures,
      although it is not an error if they do

   o  the other trading roles may agree that digital signatures are
      required. For example a Merchant may require that an Inquiry
      Response is digitally signed by the Payment Handler so that they
      can check that the request response is valid.




Burdett                      Informational                    [Page 240]


RFC 2801                       IOTP/1.0                       April 2000


9.2.2 Baseline Ping IOTP Transaction

   The purpose of the Baseline IOTP Ping Transaction is to test basic
   connectivity between the Trading Roles that may take part in an IOTP
   Transaction.

   It enables IOTP aware application software to:

   o  determine if the IOTP aware application at another Trading Role is
      operating, and

   o  verify whether or not the two trading roles signatures can be
      processed.

   For example it can be used by a Merchant to determine if a Payment
   Handler or Delivery Handler is up and running prior to starting a
   Purchase transaction that uses those trading roles.

   The Trading Blocks used by the Baseline Ping IOTP Transaction are:

   o a Ping Request Block (see section 8.14)

   o a Ping Response Block (see section 8.15), and

   o a Signature Block (see section 8.16).

   PING MESSAGES

   The following figure outlines the message flows in the Baseline IOTP
   Ping Transaction.





















Burdett                      Informational                    [Page 241]


RFC 2801                       IOTP/1.0                       April 2000


 *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
    1st Role
     |  2nd Role
STEP |     |
 1.          The IOTP Aware Application in the first Trading Role
             decides to check whether the counterparty IOTP
             application is up and running. It generates a Ping
             Request Block and optional Signature Block and sends them
             to the second trading role.

     1 --> 2 PING REQUEST. IotpMsg: Trans Ref Block; Signature Block
             (Optional); Ping Request Block

 2.          The second Trading Role which receives the Ping Request
             Block generates a Ping Response Block and sends it back
             to the sender of the original Ping Request with a
             signature block if required.

     1 <-- 2 PING Response. IotpMsg: Trans Ref Block; Signature Block
             (Optional); Ping Response Block

 3.          The first Trading Role checks the Ping Response Block and
             takes appropriate action, if necessary

 *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

                      Figure 33 Baseline Ping Messages

   The verification that signatures can be handled is indicated by the
   sender of the Ping Request Block including:

   o  Organisation Components that identify itself and the intended
      recipient of the Ping Request Block, and

   o  a Signature Block that signs data in the Ping Request.

   In this way the receiver of the Ping Request:

   o  knows who is sending the Ping Request and can therefore verify the
      Signature on the Request, and

   o  knows who to generate a signature for on the Ping Response.

   Note that a Ping Request:

   o  does not affect any on-going transaction





Burdett                      Informational                    [Page 242]


RFC 2801                       IOTP/1.0                       April 2000


   o  does NOT initiate an IOTP transaction, unlike other IOTP
      transaction messages such as TPO or Transaction Status Inquiry.

   All IOTP aware applications must return a Ping Response message to
   the sender of a Ping Request message when it is received.

   A Baseline IOTP Ping request can also contain an optional Signature
   Block. IOTP aware applications can, for example, use the Signature
   Block to check the recipient of a Ping Request can successfully
   process and check signatures it has received.

   For each Baseline Ping IOTP Transaction, each IOTP role shall
   establish a different transport session from other IOTP transactions.

   Any IOTP Trading Role can send a Ping request to any other IOTP
   Trading Role at any time it wants. A Ping message has its own
   IotpTransId, which is different from other IOTP transactions.

   The remainder of this sub-section on the Baseline Ping IOTP
   Transaction defines the contents of each Trading Block.

   TRANSACTION REFERENCE BLOCK

   The IotpTransId of a Ping transaction should be different from any
   other IOTP transaction.

   PING REQUEST BLOCK

   If the Ping Transaction is anonymous then no Organisation Components
   are included in the Ping Request Block (see section 8.7).

   If the Ping Transaction is not anonymous then the Ping Request Block
   contains Organisation Components for:

   o  the sender of the Ping Request Block, and

   o  the verifier of the Signature Component

   If Organisation Components are present, then it indicates that the
   sender of the Ping Request message has generated a Signature Block.
   The signature block must be verified by the Trading Role that
   receives the Ping Request Block.

   SIGNATURE BLOCK (PING REQUEST)

   The Ping Request Signature Block (see section 8.16) contains the
   following components:




Burdett                      Informational                    [Page 243]


RFC 2801                       IOTP/1.0                       April 2000


   o  one Signature Component (see section 7.19)

   o  one or more Certificate Components, if required.

   PING RESPONSE BLOCK

   The Ping Response Block (see section 8.15) contains the following
   component:

   o  the Organisation Component of the sender of the Ping Response
      message

   If the Ping Transaction is not anonymous then the Ping Response
   additionally contains:

   o  copies of the Organisation Components contained in the Ping
      Request Block.

   SIGNATURE BLOCK (PING RESPONSE)

   The Ping Response Signature Block (see section 8.16) contains the
   following components:

   o  one Signature Component (see section 7.19)

   o  one or more Certificate Components, if required.

10. Retrieving Logos

   This section describes how to retrieve logos for display by IOTP
   aware software using the Logo Net Locations attribute contained in
   the Brand Element (see section 7.7.1) and the Organisation Component
   (see section 7.6).

   The full address of a logo is defined as follows:  Logo_address ::=
   Logo_net_location "/" Logo_size Logo_color_depth ".gif"

   Where:

   o  Logo_net_location is obtained from the LogoNetLocn attribute in
      the Brand Element (see section 7.7.1) or the Organisation
      Component. Note that:

      -  the content of this attribute is dependent on the Transport
         Mechanism (such as HTTP) that is used. See the Transport
         Mechanism supplement,





Burdett                      Informational                    [Page 244]


RFC 2801                       IOTP/1.0                       April 2000


      -  implementers should check that if the rightmost character of
         Logo Net Location is set to right-slash "/" then another, right
         slash should not be included when generating the Logo Address,

   o  Logo_size identifies the size of the logo,

   o  Logo_color_depth identifies the colour depth of the logo

   o  "gif" indicates that the logos are in "gif" format

   Logo_size and Logo_color_depth are specified by the implementer of
   the IOTP software that is retrieving the logo depending on the size
   and colour that they want to use.

10.1 Logo Size

   There are five standard sizes for logos. The sizes in pixels and the
   corresponding values for Logo Size are given in the table below.

           Size in     Logo Size
           Pixels        Value

        32 x 32 or   exsmall
        32 x 20

        53 x 33      small

        103 x 65     medium

        180 x 114    large

        263 x 166    exlarge

10.2 Logo Color Depth

   There are three standard colour depths. The colour depth (including
   bits per pixel) and the corresponding value for Logo_Color_Depth are
   given in the table below.

                Color Depth          Logo Color
             (bits per pixel)        Depth Value

         4 (16 colors)            4

         8 (256 colors)           nothing

         24 (16 million colors)   24




Burdett                      Informational                    [Page 245]


RFC 2801                       IOTP/1.0                       April 2000


   Note that if Logo Color Depth is omitted then a logo with the default
   colour depth of 256 colours will be retrieved.

10.3 Logo Net Location Examples

   If Logo Net Location was set to "ftp://logos.xzpay.com", then:

   o  "ftp://logos.xzpay.com/medium.gif" would retrieve a medium size
      256 colour logo

   o  "http://logos.xzpay.com/small4.gif" would retrieve a small size 16
      colour logo

   Note: Organisations which make logos available for use with IOTP
   should always make available "small" and "medium" size logos and use
   the "gif" format.

11. Brands

   This section contains:

   o  a definition of Brands and an outline of Brand Selection using
      Brand Lists, and

   o  some XML examples of Brand Lists

11.1 Brand Definitions and Brand Selection

   One of the key features of IOTP is the ability for a merchant to
   offer a list of Brands from which a consumer may make a selection.
   This section provides an overview of what is involved and provides
   guidance on how selection of a brand and associated payment
   instrument can be carried out by a Consumer. It covers:

   o  definitions of Payment Instruments and Brands - what are Payment
      Instruments and Brands in an IOTP context. Further categorises
      Brands as optionally a "Dual Brand" or a "Promotional Brand",

   o  identification and selection of Promotional Brands - Promotional
      Brands offer a Consumer some additional benefit, for example
      loyalty points or a discount. This means that both Consumers and
      Merchant must be able to correctly identify that a valid
      Promotional Brand is being used.

   Also see the following sections:






Burdett                      Informational                    [Page 246]


RFC 2801                       IOTP/1.0                       April 2000


   o  Brand List Component (section 7.7) which contains definitions of
      the XML elements which contain the list of Brands offered by a
      Merchant to a Consumer, and

   o  Brand Selection Component (section 7.8) for details of how a
      Consumer records the Brand, currency, amount and payment protocol
      that was selected.

11.1.1 Definition of Payment Instrument

   A Payment Instrument is the means by which a Consumer pays for goods
   or services offered by a Merchant. It can be, for example:

   o  a credit card such as MasterCard or Visa;

   o  a debit card such as MasterCard's Maestro;

   o  a smart card based electronic cash payment instrument such as a
      Mondex Card, a GeldKarte card or a Visa Cash card

   o  a software based electronic payment account such as a CyberCash or
      DigiCash account.

   Most Payment Instruments have a number, typically an account number,
   by which the Payment Instrument can be identified.

11.1.2 Definition of Brand

   A Brand is the mark which identifies a particular type of Payment
   Instrument. A list of Brands are the payment options which are
   presented by the Merchant to the Consumer and from which the Consumer
   makes a selection. Each Brand may have a different Payment Handler.
   Examples of Brands include:

   o  payment association and proprietary Brands, for example
      MasterCard, Visa, American Express, Diners Club, Mondex,
      GeldKarte, CyberCash, etc.

   o  promotional brands (see below). These include:

      -  store brands, where the Payment Instrument is issued to a
         Consumer by a particular Merchant, for example Walmart, Sears,
         or Marks and Spencer (UK)

      -  cobrands, for example American Advantage Visa, where an
         Organisation uses their own brand in conjunction with,
         typically, a payment association Brand.




Burdett                      Informational                    [Page 247]


RFC 2801                       IOTP/1.0                       April 2000


11.1.3 Definition of Dual Brand

   A Dual Brand means that a single payment instrument may be used as if
   it were two separate Brands. For example there could be a single
   Japanese "UC" MasterCard which can be used as either a UC card or a
   regular MasterCard. The UC card Brand and the MasterCard Brand could
   each have their own separate Payment Handlers. This means that:

   o  the merchant treats, for example "UC" and "MasterCard" as two
      separate Brands when offering a list of Brands to the Consumer,

   o  the consumer chooses a Brand, for example either "UC" or
      "MasterCard,

   o  the consumer IOTP aware application determines which Payment
      Instrument(s) match the chosen Brand, and selects, perhaps with
      user assistance, the correct Payment Instrument to use.

   Note: Dual Brands need no special treatment by the Merchant and
   therefore no explicit reference is made to Dual Brands in the DTD.
   This is because, as far as the Merchant is concerned, each Brand in a
   Dual Brand is treated as a separate Brand. It is at the Consumer,
   that the matching of a Brand to a Dual Brand Payment Instrument needs
   to be done.

11.1.4 Definition of Promotional Brand

   A Promotional Brand means that, if the Consumer pays with that Brand,
   then the Consumer will receive some additional benefit which can be
   received in two ways:

   o  at the time of purchase. For example if a Consumer pays with a
      "Walmart MasterCard" at a Walmart web site, then a 5% discount
      might apply, which means the consumer actually pays less,

   o  from their Payment Instrument (card) issuer when the payment
      appears on their statement. For example loyalty points in a
      frequent flyer scheme could be awarded based on the total payments
      made with the Payment Instrument since the last statement was
      issued.

   Note that:

   o  the first example (obtaining the benefit at the time of purchase),
      requires that:

      -  the Consumer is informed of the benefits which arise if that
         Brand is selected



Burdett                      Informational                    [Page 248]


RFC 2801                       IOTP/1.0                       April 2000


      -  if the Brand is selected, the Merchant changes the relevant
         IOTP Components in the Offer Response to reflect the correct
         amount to be paid

   o  the second (obtaining a benefit through the Payment Instrument
      issuer) does not require that the Offer Response is changed

   o  each Promotional Brand should be identified as a separate Brand in
      the list of Brands offered by the Merchant. For example:
      "Walmart", "Sears", "Marks and Spencer" and "American Advantage
      Visa", would each be a separate Brand.

11.1.5 Identifying Promotional Brands

   There are two problems which need to handled in identifying
   Promotional Brands:

   o  how does the Merchant or their Payment Handler positively identify
      the promotional brand being used at the time of purchase

   o  how does the Consumer reliably identify the correct promotional
      brand from the Brand List presented by the Merchant

   The following is a description of how this could be achieved.

   Note: Please note that the approach described here is a model
   approach that solves the problem. Other equivalent methods may be
   used.

11.1.5.1 Merchant/Payment Handler Identification of Promotional Brands

   Correct identification that the Consumer is paying using a
   Promotional Brand is important since a Consumer might fraudulently
   claim to have a Promotional Brand that offers a reduced payment
   amount when in reality they do not.

   Two approaches seem possible:

   o  use some feature of the Payment Instrument or the payment method
      to positively identify the Brand being used. For example, the SET
      certificate for the Brand could be used, if one is available, or

   o  use the Payment Instrument (card) number to look up information
      about the Payment Instrument on a Payment Instrument issuer
      database to determine if the Payment Instrument is a promotional
      brand.





Burdett                      Informational                    [Page 249]


RFC 2801                       IOTP/1.0                       April 2000


   Note that:

   o  the first assumes that SET is available.

   o  the second is only possible if the Merchant, or alternatively the
      Payment Handler, has access to card issuer information.

   IOTP does not provide the Merchant with Payment Instrument
   information (e.g., a card or account number). This is only sent as
   part of the encapsulated payment protocol to a Payment Handler. This
   means that:

   o  the Merchant would have to assume that the Payment Instrument
      selected was a valid Promotional Brand, or

   o  the Payment Handler would have to check that the Payment
      Instrument was for the valid Promotional Brand and fail the
      payment if it was not.

   A Payment Handler checking that a brand is a valid Promotional Brand
   is most likely if the Payment Handler is also the Card Issuer.

11.1.5.2 Consumer Selection of Promotional Brands

   Two ways by which a Consumer can correctly select a Promotional Brand
   are:

   o  the Consumer visually matching a logo for the Promotional Brand
      which has been provided to the Consumer by the Merchant,

   o  the Consumer's IOTP aware application matching a code for the
      Promotional Brand which the application has registered against a
      similar code contained in the list of Brands offered by the
      Merchant.

   In the latter case, the code contained in the Consumer wallet must
   match exactly the code in the list offered by the Merchant otherwise
   no match will be found. Ways in which the Consumer's IOTP Aware
   Application could obtain such a code include:

   o  the Consumer types the code in directly. This is error prone and
      not user friendly, also the consumer needs to be provided with the
      code.  This approach is not recommended,

   o  using one of the Brand Identifiers defined by IOTP and pre-loaded
      into the Consumers IOTP Aware application or wallet by the
      developer of the Wallet,




Burdett                      Informational                    [Page 250]


RFC 2801                       IOTP/1.0                       April 2000


   o  using some information contained in the software or other data
      associated with the Payment Instrument. This could be:

      -  a SET certificate for Brands which use this payment method

      -  a code provided by the payment software which handles the
         particular payment method, this could apply to, for example,
         GeldKarte, Mondex, CyberCash and DigiCash,

   o  the consumer making an initial "manual" link between a Promotional
      Brand in the list of Brands offered by the Merchant and an
      individual Payment Instrument, the first time the promotional
      brand is used. The IOTP Aware application would then "remember"
      the code for the Promotional Brand for use in future purchases.

11.1.5.3 Consumer Software Brand Id recommendation

   New Brand Ids are allocated under IANA procedures (see section 12
   IANA Considerations). Which also contains an initial list of Brand
   Identifiers.

   It is recommended that implementers of consumer IOTP aware
   applications (e.g., software wallets) pre-load their software with
   the then current set of Brand Ids and provide a method by which they
   can be updated. For example, by going to the software developer's web
   site.

11.2 Brand List Examples

   This example contains three examples of the XML for a Brand List
   Component. It covers:

   o  a simple credit card based example

   o  a credit card based brand list including promotional credit card
      brands, and

   o  a complex electronic cash based brand list

   Note that:

   o  brand lists can be as complex or as simple as required

   o  all example techniques described in this appendix can be included
      in one brand list.






Burdett                      Informational                    [Page 251]


RFC 2801                       IOTP/1.0                       April 2000


11.2.1 Simple Credit Card Based Example

   This is a simple example involving:

   o  only major credit card payment brands

   o  a single price in a single currency

   o  a single Payment Handler, and

   o  a single payment protocol

   <BrandList ID='M1.2'
     XML:Lang='us-en'
     ShortDesc='Purchase book including s&h'
     PayDirection='Debit' >
     <Brand ID ='M1.30'
       BrandId='MasterCard'
       BrandName='MasterCard Credit'
       BrandLogoNetLocn='ftp://otplogos.mastercard.com/mastercardcredit'
       ProtocolAmountRefs='M1.33'>
     </Brand>
     <Brand ID ='M.31'
       BrandId='Visa'
       BrandName='Visa Credit'
       BrandLogoNetLocn='ftp://otplogos.visa.com/visacredit'
       ProtocolAmountRefs='M1.33'>
     </Brand>
     <Brand ID ='M1.32'
       BrandId='AmericanExpress'
       BrandName='American Express'
       BrandLogoNetLocn='ftp://otplogos.amex.com'
       ProtocolAmountRefs ='M1.33' >
     </Brand >
     <ProtocolAmount ID ='M1.33'
       PayProtocolRef='M1.35'
       CurrencyAmountRefs='M1.34'>
     </ProtocolAmount>
     <CurrencyAmount ID ='M1.34'
       Amount='10.95'
       CurrCode='USD'/>
     <PayProtocol ID ='M1.35'
       ProtocolId='SCCD1.0'
       ProtocolName='Secure Channel Credit/Debit'
       PayReqNetLocn='http://www.example.com/etill/sccd1' >
     </PayProtocol>
   </BrandList>




Burdett                      Informational                    [Page 252]


RFC 2801                       IOTP/1.0                       April 2000


11.2.2 Credit Card Brand List Including Promotional Brands

   An example of a Credit Card based Brand List follows. It includes:

   o  two ordinary card association brands and two promotional credit
      card brands. The promotional brands consist of one loyalty based
      (British Airways MasterCard) which offers additional loyalty
      points and one store based (Walmart) which offers a discount on
      purchases over a certain amount

   o  two payment protocols:

      -  SET (Secure Electronic Transactions) see [SET], and

      -  SCCD (Secure Channel Credit Debit) see [SCCD].

 <BrandList ID='M1.2'
   XML:Lang='us-en'
   ShortDesc='Purchase ladies coat'
   PayDirection='Debit' >
   <Brand ID ='M1.3'
     BrandId='MasterCard'
     BrandName='MasterCard Credit'
     BrandLogoNetLocn='ftp://otplogos.mastercard.com'
     ProtocolAmountRefs='M1.7 M1.8'>
     <ProtocolBrand ProtocolId='SET1.0' ProtocolBrandId='MasterCard:'>
     </ProtocolBrand>
   </Brand>
   <Brand ID ='M1.4'
     BrandId='Visa'
     BrandName='Visa Credit'
     BrandLogoNetLocn='ftp://otplogos.visa.com'
     ProtocolAmountRefs='M1.7 M1.8'>
     <ProtocolBrand ProtocolId='SET1.0' ProtocolBrandId='Visa:'>
     </ProtocolBrand>
   </Brand>
   <Brand ID ='M1.5'
     BrandId='BritishAirwaysMC'
     BrandName='British Airways MasterCard'
     BrandLogoNetLocn='ftp://otplogos.britishairways.co.uk'
     BrandNarrative='Double air miles with British Airways MasterCard'
     ProtocolAmountRefs ='M1.7 M1.8' >
     <ProtocolBrand ProtocolId='SET1.0' ProtocolBrandId='MasterCard:BA'>
     </ProtocolBrand>
   </Brand >
   <Brand ID ='M1.6'
     BrandId='Walmart'
     BrandName='Walmart Store Card'



Burdett                      Informational                    [Page 253]


RFC 2801                       IOTP/1.0                       April 2000


     BrandLogoNetLocn='ftp://otplogos.walmart.com'

     BrandNarrative='5% off with your Walmart Card
                   on purchases over $150'
     ProtocolAmountRefs='M1.8'>
   </Brand>
   <ProtocolAmount ID ='M1.7'
     PayProtocolRef='M1.10'
     CurrencyAmountRefs='M1.9' >
     <PackagedContent Transform="BASE64">
        238djqw1298erh18dhoire
     </PackagedContent>
   </ProtocolAmount>
   <ProtocolAmount ID ='M1.8'
     PayProtocolRef='M1.11'
     CurrencyAmountRefs='M1.9' >
     <PackagedContent Transform="BASE64">
        238djqw1298erh18dhoire
     </PackagedContent>
   </ProtocolAmount>
   <CurrencyAmount ID ='M1.9'
     Amount='157.53'
     CurrCode='USD'/>
   <PayProtocol ID ='M1.10'
     ProtocolId='SET1.0'
     ProtocolName='Secure Electronic Transaction Version 1.0'
     PayReqNetLocn='http://www.example.com/etill/set1' >
     <PackagedContent Transform="BASE64">
       8ueu26e482hd82he82
     </PackagedContent>
   </PayProtocol>
   <PayProtocol ID ='M1.11'
     ProtocolId='SCCD1.0'
     ProtocolName='Secure Channel Credit/Debit'
     PayReqNetLocn='http://www.example.com/etill/sccd1' >
     <PackagedContent Transform="BASE64">
        82hd82he8226e48ueu
     </PackagedContent>
   </PayProtocol>
  </BrandList>

11.2.3 Brand Selection Example

   In order to pay by 'British Airways' MasterCard using the example
   above using SET and therefore getting double air miles, the Brand
   Selection would be:

   <BrandSelection ID='C1.2'



Burdett                      Informational                    [Page 254]


RFC 2801                       IOTP/1.0                       April 2000


     BrandListRef='M1.3'
     BrandRef='M1.5'
     ProtocolAmountRef='M1.7'
     CurrencyAmountRef='M1.9' >
   </BrandSelection>

11.2.4 Complex Electronic Cash Based Brand List

   The following is an fairly complex example which includes:

   o  payments using either Mondex, GeldKarte, CyberCash or DigiCash

   o  in currencies including US dollars, British Pounds, Italian Lira,
      German Marks and Canadian Dollars

   o  a discount on the price if the payment is made in Mondex using
      British pounds or US dollars, and

   o  more than one Payment Handler is used for payments involving
      Mondex or CyberCash

   o  support for more than one version of a CyberCash CyberCoin payment
      protocol.

   <BrandList ID='M1.2'
     XML:Lang='us-en'
     ShortDesc='Company report on XYZ Co'
     PayDirection='Debit' >
     <Brand ID ='M1.13'
       BrandId='Mondex'
       BrandName='Mondex Electronic Cash'
       BrandLogoNetLocn='ftp://otplogos.mondex.com'
       ProtocolAmountRefs='M1.17 M1.18'>
     </Brand>
     <Brand ID ='M1.14'
       BrandId='GeldKarte'
       BrandName='GeldKarte Electronic Cash'
       BrandLogoNetLocn='ftp://otplogos.geldkarte.co.de'
       ProtocolAmountRefs='M1.19'>
     </Brand>
     <Brand ID ='M1.15'
       BrandId='CyberCoin'
       BrandName='CyberCoin Eletronic Cash'
       BrandLogoNetLocn='http://otplogos.cybercash.com'
       ProtocolAmountRefs ='M1.20' >
     </Brand >
     <Brand ID ='M1.16'
       BrandId='DigiCash'



Burdett                      Informational                    [Page 255]


RFC 2801                       IOTP/1.0                       April 2000


       BrandName='DigiCash Electronic Cash'
       BrandLogoNetLocn='http://otplogos.digicash.com'
       BrandNarrative='5% off with your Walmart Card
                     on purchases over $150'
       ProtocolAmountRefs='M1.22'>
     </Brand>
     <ProtocolAmount ID ='M1.17'
       PayProtocolRef='M1.31'
       CurrencyAmountRefs='M1.25 M1.29'>
     </ProtocolAmount>
     <ProtocolAmount ID ='M1.18'
       PayProtocolRef='M1.32'
       CurrencyAmountRefs='M1.26 M1.27 M1.28 M1.30'>
     </ProtocolAmount>
     <ProtocolAmount ID ='M1.19'
       PayProtocolRef='M1.35'
       CurrencyAmountRefs='M1.28'>
     </ProtocolAmount>
     <ProtocolAmount ID ='M1.20'
       PayProtocolRef='M1.34 M1.33'
       CurrencyAmountRefs='M1.23 M1.24 M1.27 M1.28 M1.29 M1.30'>
     </ProtocolAmount>
     <ProtocolAmount ID ='M1.21'
       PayProtocolRef='M1.36'
       CurrencyAmountRefs='M1.23 M1.24 M1.27 M1.28 M1.29 M1.30'>
     </ProtocolAmount>
     <CurrencyAmount ID ='M1.23'
       Amount='20.00'
       CurrCode='USD'/>
     <CurrencyAmount ID ='M1.24'
       Amount='12.00'
       CurrCode='GBP'/>
     <CurrencyAmount ID ='M1.25'
       Amount='19.50'
       CurrCode='USD'/>
     <CurrencyAmount ID ='M1.26'
       Amount='11.75'
       CurrCode='GBP'/>
     <CurrencyAmount ID ='M1.27'
       Amount='36.00'
       CurrCode='DEM'/>
     <CurrencyAmount ID ='M1.28'
       Amount='100.00'
       CurrCode='FFR'/>
     <CurrencyAmount ID ='M1.29'
       Amount='22.00'
       CurrCode='CAD'/>
     <CurrencyAmount ID ='M1.30'



Burdett                      Informational                    [Page 256]


RFC 2801                       IOTP/1.0                       April 2000


       Amount='15000'
       CurrCode='ITL'/>
     <PayProtocol ID ='M1.31'
       ProtocolId='MXv1.0'
       ProtocolName='Mondex IOTP Protocol Version 1.0'
       PayReqNetLocn='http://www.mxbankus.com/etill/mx' >
     </PayProtocol>
     <PayProtocol ID ='M1.32'
       ProtocolId='MXv1.0'
       ProtocolName='Mondex IOTP Protocol Version 1.0'
       PayReqNetLocn='http://www.mxbankuk.com/vserver' >
     </PayProtocol>
     <PayProtocol ID ='M1.33'
       ProtocolId='Ccashv1.0'
       ProtocolName='CyberCoin Version 1.0'
       PayReqNetLocn='http://www.cybercash.com/ccoin' >
     </PayProtocol>
     <PayProtocol ID ='M1.34'
       ProtocolId='CCashv2.0'
       ProtocolName='CyberCoin Version 2.0'
       PayReqNetLocn='http://www.cybercash.com/ccoin' >
     </PayProtocol>
     <PayProtocol ID ='M1.35'
       ProtocolId='GKv1.0'
       ProtocolName='GeldKarte Version 1.0'
       PayReqNetLocn='http://www.example.com/pgway' >
     </PayProtocol>
     <PayProtocol ID ='M1.36'
       ProtocolId='DCashv1.0'
       ProtocolName='DigiCash Protocol Version 1.0'
       PayReqNetLocn='http://www.example.com/digicash' >
     </PayProtocol>
     </BrandList>

12. IANA Considerations

   This section describes the codes that are controlled by IANA, and
   also how new codes can be created for testing purposes that are not
   controlled by IANA.

12.1 Codes Controlled by IANA

   To help ensure interoperability, there is a need for codes used by
   IOTP to be maintained in a controlled environment so that their
   meaning and usage are well defined and duplicate codes avoided.
   [IANA] is the mechanism to be used for this purpose as described in
   RFC 2434.




Burdett                      Informational                    [Page 257]


RFC 2801                       IOTP/1.0                       April 2000


   The element types and attributes names to which this procedure
   applies is shown in the table below together with the initial values
   that are valid for these attributes.

   Note that:

   o  the IETF Trade mailing list's email address is ietf-
      trade@elistx.com

   o  "Designated Experts" (see [IANA]) are appointed by the IESG.

     Element Type/                     Attribute Values
     Attribute Name

   Algorithm/         "sha1" - indicates that a [SHA1] authentication
   Name               will apply
   (When Algorithm
   is a child of an   "signature" - indicates that authentication
   AuthReq            consists of the generation of a digital signature.
   Component)
                      "Pay:ppp" where "ppp" may be set to any valid
                      value for "iotpbrand" (see below)

                      With the exception of Algorithms that begin with
                      "pay:", new values are allocated following review
                      on the IETF Trade mailing list and by the
                      Designated Expert.

   Note:     The Algorithm element is likely to be eventually defined
   within the [DSIG] name space. It is likely that the maintenance
   procedure defined here may need to vary over time, as the DSIG
   proposals become more widely adopted.

     Element Type/                     Attribute Values
     Attribute Name

   Brand/BrandId      The following list of initial BrandIds have been
                      taken from those Organisations that have applied
                      for SET certificates as at 1st June 1999:

                      "Amex" - American Express

                      "Dankort" - Dankort

                      "JCB" - JCB

                      "Maestro" - Maestro




Burdett                      Informational                    [Page 258]


RFC 2801                       IOTP/1.0                       April 2000


                      "MasterCard" - MasterCard

                      "NICOS" - NICOS

                      "VISA" - Visa

                      In addition the following Brand Id values are
                      defined:

                      "Mondex"

                      "GeldKarte"

                      New values of BrandId must be announced to the
                      IETF Trade mailing list and, if there are no
                      objections within three weeks, are allocated on a
                      "first come first served" basis.

   CurrencyAmount/    Currency codes are dependent on CurrCodeType (see
   CurrCode           below).

                      If CurrCodeType is "ISO4217-A" then the currency
                      code is an alphabetic currency code as defined by
                      [ISO4217].

                      If CurrCodeType is "IOTP" then new values must be
                      announced to the IETF Trade mailing list and, if
                      there are no objections within three weeks, are
                      allocated on a "first come first served" basis.

   Note:     The Currency Code Type of IOTP, is designed to allow the
   support of "new" psuedo currencies such as loyalty or frequent flyer
   points. At the time of writing this specification, no currency codes
   of this type have been defined.

     Element Type/                     Attribute Values
     Attribute Name

   CurrencyAmount/    "ISO4217-A"
   CurrCodeType
                      "IOTP"

                      New values of CurrCodeType attribute are allocated
                      following review on the IETF Trade mailing list
                      and by the Designated Expert.

   DeliveryData/      "Post"
   DelivMethod



Burdett                      Informational                    [Page 259]


RFC 2801                       IOTP/1.0                       April 2000


                      "Web"

                      "Email"

                      New values of Delivery Method attribute are
                      allocated following review on the IETF Trade
                      mailing list and by the Designated Expert. This
                      may require the publication of additional
                      documentation to describe how the delivery method
                      is used.

   PackagedContent/   "PCDATA"
   Content
                      "MIME"

                      "MIME:mimetype" (where mimetype must be the same
                      as content-type as defined by [MIME] )

                      "XML"

                      If the Content attribute is of the form
                      "MIME"mimetype", then control of new values for
                      "mimetype" is as defined in [MIME].

                      Otherwise, new values of the Content attribute are
                      allocated following review on the IETF Trade
                      mailing list and by the Designated Expert. This
                      may require the publication of additional
                      documentation to describe how the new attribute is
                      used within a Packaged Content element.

   RelatedTo/         "IotpTransaction"
   RelationshipType
                      "Reference"

                      New values of the RelationshipType attribute are
                      allocated following review on the IETF Trade
                      Working Group mailing list and by the Designated
                      Expert. This may require the publication of
                      additional documentation to describe how the

     Element Type/                     Attribute Values
     Attribute Name
                      delivery method is used.

   Status/            Offer
   StatusType
                      Payment



Burdett                      Informational                    [Page 260]


RFC 2801                       IOTP/1.0                       April 2000


                      Delivery

                      Authentication

                      Unidentified

                      New values of the Status Type attribute are
                      allocated following:
                       o publication to the IETF Trade Working Group,
                         of an RFC describing the Trading Exchange,
                         Trading Roles and associated components that
                         relate to the Status, and
                       o review of the document on the IETF Trade
                         mailing list and by the Designated Expert.

   Note: The document describing new values for the Status Type
   attribute may be combined with documents that describe new Trading
   Roles and types of signatures (see below).

   TradingRole/       "Consumer"
   TradingRole
                      "Merchant"

                      "PaymentHandler"

                      "DeliveryHandler"

                      "DelivTo"

                      "CustCare"

                      New values of the Trading Role attribute are
                      allocated following:
                       o publication to the IETF Trade Working Group,
                         of an RFC describing the Trading Exchange,
                         Trading Roles and associated components that
                         relate to the Trading Role, and
                       o review of the document on the IETF Trade
                         mailing list and by the Designated Expert.

   Note: The document describing new values for the Trading Role
   attribute may be

     Element Type/                     Attribute Values
     Attribute Name
                                   combined with documents that describe
                                   new Status Types (see above) and
                                   types of signatures (see below).



Burdett                      Informational                    [Page 261]


RFC 2801                       IOTP/1.0                       April 2000


   TransId/           "BaselineAuthentication"
   IotpTransType
                      "BaselineDeposit"

                      "BaselinePurchase"

                      "BaselineRefund"

                      "BaselineWithdrawal"

                      "BaselineValueExchange"

                      "BaselineInquiry"

                      "BaselinePing"

                      New values of the IotpTransType attribute are
                      allocated following:
                       o publication to the IETF Trade mailing list, of
                         an RFC describing the new IOTP Transaction, and
                       o review of the document on the IETF Trade
                         Working Group mailing list and by the
                         Designated Expert.

   Attribute/ Content
   (see Signature
                      "OfferResponse"
   Component)         "PaymentResponse"

                      "DeliveryResponse"

                      "AuthenticationRequest"

                      "AuthenticationResponse"

                      "PingRequest"

                      "PingResponse"

                      New values of the code that define the type of a
                      signature are allocated following:
                       o publication to the IETF Trade Working Group,
                         of an RFC describing the Trading Exchange where
                         the signature is being used, and
                       o review of the document on the IETF Trade
                         mailing list and by the Designated Expert.





Burdett                      Informational                    [Page 262]


RFC 2801                       IOTP/1.0                       April 2000


     Element Type/                     Attribute Values
     Attribute Name

   Note: The document describing new values for the types of signatures
   may be combined with documents that describe new Status Types and
   Trading Roles (see above).

12.2 Codes not controlled by IANA

   In addition to the formal development and registration of codes as
   described above, there is still a need for developers to experiment
   using new IOTP codes. For this reason, "user defined codes" may be
   used to identify additional values for the codes contained within
   this specification without the need for them to be registered with
   IANA.

   The definition of a user defined code is as follows:

   user_defined_code ::= ( "x-" | "X-" ) NameChar (NameChar)*

     NameChar           NameChar has the same definition as the [XML]
                        definition of NameChar

   Use of domain names (see [DNS]) to make user defined codes unique is
   recommended although this method cannot be relied upon.

13. Internet Open Trading Protocol Data Type Definition

   This section contains the XML DTD for the Internet Open Trading
   Protocols.





















Burdett                      Informational                    [Page 263]


RFC 2801                       IOTP/1.0                       April 2000


   <!--
   ******************************************************
   *                                                    *
   * INTERNET OPEN TRADING PROTOCOL VERSION 1.0 DTD     *
   * Filename: ietf.org/rfc/rfc2801.dtd                 *
   *                                                    *
   * Changes from version 07 (iotp-v1.0-protocol-07.dtd)*
   *   - NO CHANGES                                     *
   *                                                    *
   *                                                    *
   *                                                    *
   *                                                    *
   * Copyright Internet Engineering Task Force 1998-2000*
   *                                                    *
   ******************************************************

   ******************************************************
   * IOTP MESSAGE DEFINITION                            *
   ******************************************************
    -->

   <!ELEMENT IotpMessage
      ( TransRefBlk,
        IotpSignatures?,
        ErrorBlk?,
        ( AuthReqBlk |
          AuthRespBlk |
          AuthStatusBlk |
          CancelBlk |
          DeliveryReqBlk |
          DeliveryRespBlk |
          InquiryReqBlk |
          InquiryRespBlk |
          OfferRespBlk |
          PayExchBlk |
          PayReqBlk |
          PayRespBlk |
          PingReqBlk |
          PingRespBlk |
          TpoBlk |
          TpoSelectionBlk
        )*
      ) >
   <!ATTLIST IotpMessage
     xmlns              CDATA
      'iotp:ietf.org/iotp-v1.0' >





Burdett                      Informational                    [Page 264]


RFC 2801                       IOTP/1.0                       April 2000


   <!--
   ******************************************************
   * TRANSACTION REFERENCE BLOCK DEFINITION             *
   ******************************************************
    -->

   <!ELEMENT TransRefBlk (TransId, MsgId, RelatedTo*) >
   <!ATTLIST TransRefBlk
    ID                 ID      #REQUIRED >


   <!ELEMENT TransId EMPTY >
   <!ATTLIST TransId
    ID                 ID      #REQUIRED
    Version            NMTOKEN #FIXED '1.0'
    IotpTransId        CDATA   #REQUIRED
    IotpTransType      CDATA   #REQUIRED
    TransTimeStamp     CDATA   #REQUIRED >


   <!ELEMENT MsgId EMPTY >
   <!ATTLIST MsgId
    ID                 ID      #REQUIRED
    RespIotpMsg        NMTOKEN #IMPLIED
    xml:lang           NMTOKEN #REQUIRED
    LangPrefList       NMTOKENS #IMPLIED
    CharSetPrefList    NMTOKENS #IMPLIED
    SenderTradingRoleRef NMTOKEN #IMPLIED
    SoftwareId         CDATA   #REQUIRED
    TimeStamp          CDATA   #IMPLIED >


   <!ELEMENT RelatedTo (PackagedContent) >
   <!ATTLIST RelatedTo
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    RelationshipType   NMTOKEN #REQUIRED
    Relation           CDATA   #REQUIRED
    RelnKeyWords       NMTOKENS #IMPLIED >



   <!--
   ******************************************************
   * Packaged Content Common Element                    *
   ******************************************************
    -->




Burdett                      Informational                    [Page 265]


RFC 2801                       IOTP/1.0                       April 2000


   <!ELEMENT PackagedContent (#PCDATA) >
   <!ATTLIST PackagedContent
    Name             CDATA     #IMPLIED
    Content          NMTOKEN   "PCDATA"
    Transform (NONE|BASE64)    "NONE" >

   <!--
   ******************************************************
   * TRADING COMPONENTS                                 *
   ******************************************************
    -->
   <!-- PROTOCOL OPTIONS COMPONENT -->
   <!ELEMENT ProtocolOptions EMPTY >
   <!ATTLIST ProtocolOptions
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    ShortDesc          CDATA   #REQUIRED
    SenderNetLocn      CDATA   #IMPLIED
    SecureSenderNetLocn CDATA  #IMPLIED
    SuccessNetLocn     CDATA   #REQUIRED >


   <!-- AUTHENTICATION DATA COMPONENT -->
   <!ELEMENT AuthReq (Algorithm, PackagedContent*)>
   <!ATTLIST AuthReq
    ID                 ID      #REQUIRED
    AuthenticationId   CDATA   #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >


   <!-- AUTHENTICATION RESPONSE COMPONENT -->
   <!ELEMENT AuthResp (PackagedContent*) >
   <!ATTLIST AuthResp
    ID                 ID      #REQUIRED
    AuthenticationId   CDATA   #REQUIRED
    SelectedAlgorithmRef NMTOKEN #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   <!-- TRADING ROLE INFO REQUEST COMPONENT -->
   <!ELEMENT TradingRoleInfoReq EMPTY>
   <!ATTLIST TradingRoleInfoReq
    ID                 ID      #REQUIRED
    TradingRoleList    NMTOKENS #REQUIRED >

   <!-- ORDER COMPONENT -->
   <!ELEMENT Order (PackagedContent*) >
   <!ATTLIST Order
    ID                 ID      #REQUIRED



Burdett                      Informational                    [Page 266]


RFC 2801                       IOTP/1.0                       April 2000


    xml:lang           NMTOKEN #REQUIRED
    OrderIdentifier    CDATA   #REQUIRED
    ShortDesc          CDATA   #REQUIRED
    OkFrom             CDATA   #REQUIRED
    OkTo               CDATA   #REQUIRED
    ApplicableLaw      CDATA   #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   <!-- ORGANISATION COMPONENT -->
   <!ELEMENT Org (TradingRole+, ContactInfo?,
        PersonName?, PostalAddress?)>
   <!ATTLIST Org
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    OrgId              CDATA   #REQUIRED
    LegalName          CDATA   #IMPLIED
    ShortDesc          CDATA   #IMPLIED
    LogoNetLocn        CDATA   #IMPLIED >


   <!ELEMENT TradingRole EMPTY >
   <!ATTLIST TradingRole
    ID      ID#REQUIRED
    TradingRole        NMTOKEN #REQUIRED
    IotpMsgIdPrefix    NMTOKEN #REQUIRED
    CancelNetLocn      CDATA   #IMPLIED
    ErrorNetLocn       CDATA   #IMPLIED
    ErrorLogNetLocn  CDATA           #IMPLIED >


   <!ELEMENT ContactInfo EMPTY >
   <!ATTLIST ContactInfo
    xml:lang           NMTOKEN #IMPLIED
    Tel                CDATA   #IMPLIED
    Fax                CDATA   #IMPLIED
    Email              CDATA   #IMPLIED
    NetLocn            CDATA   #IMPLIED >


   <!ELEMENT PersonName EMPTY >
   <!ATTLIST PersonName
    xml:lang           NMTOKEN #IMPLIED
    Title              CDATA   #IMPLIED
    GivenName          CDATA   #IMPLIED
    Initials           CDATA   #IMPLIED
    FamilyName         CDATA   #IMPLIED >





Burdett                      Informational                    [Page 267]


RFC 2801                       IOTP/1.0                       April 2000


   <!ELEMENT PostalAddress EMPTY >
   <!ATTLIST PostalAddress
    xml:lang           NMTOKEN #IMPLIED
    AddressLine1       CDATA   #IMPLIED
    AddressLine2       CDATA   #IMPLIED
    CityOrTown         CDATA   #IMPLIED
    StateOrRegion      CDATA   #IMPLIED
    PostalCode         CDATA   #IMPLIED
    Country            CDATA   #IMPLIED
    LegalLocation (True | False) 'False' >


   <!-- BRAND LIST COMPONENT -->
   <!ELEMENT BrandList (Brand+, ProtocolAmount+,
    CurrencyAmount+, PayProtocol+) >
   <!ATTLIST BrandList
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    ShortDesc          CDATA   #REQUIRED
    PayDirection (Debit | Credit) #REQUIRED >

   <!ELEMENT Brand (ProtocolBrand*, PackagedContent*) >
   <!ATTLIST Brand
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #IMPLIED
    BrandId            CDATA   #REQUIRED
    BrandName          CDATA   #REQUIRED
    BrandLogoNetLocn   CDATA   #REQUIRED
    BrandNarrative     CDATA   #IMPLIED
    ProtocolAmountRefs IDREFS  #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   <!ELEMENT ProtocolBrand (PackagedContent*) >
   <!ATTLIST ProtocolBrand
    ProtocolId         CDATA   #REQUIRED
    ProtocolBrandId    CDATA   #REQUIRED >

   <!ELEMENT ProtocolAmount (PackagedContent*) >
   <!ATTLIST ProtocolAmount
    ID                 ID      #REQUIRED
    PayProtocolRef     IDREF   #REQUIRED
    CurrencyAmountRefs IDREFS  #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   <!ELEMENT CurrencyAmount EMPTY >
   <!ATTLIST CurrencyAmount
    ID                 ID      #REQUIRED
    Amount             CDATA   #REQUIRED



Burdett                      Informational                    [Page 268]


RFC 2801                       IOTP/1.0                       April 2000


    CurrCodeType       NMTOKEN 'ISO4217-A'
    CurrCode           CDATA   #REQUIRED >

   <!ELEMENT PayProtocol (PackagedContent*) >
   <!ATTLIST PayProtocol
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #IMPLIED
    ProtocolId         NMTOKEN #REQUIRED
    ProtocolName       CDATA   #REQUIRED
    ActionOrgRef       NMTOKEN #REQUIRED
    PayReqNetLocn      CDATA   #IMPLIED
    SecPayReqNetLocn   CDATA   #IMPLIED
    ContentSoftwareId  CDATA   #IMPLIED >


   <!-- BRAND SELECTION COMPONENT -->
   <!ELEMENT BrandSelection (BrandSelBrandInfo?,
        BrandSelProtocolAmountInfo?,
        BrandSelCurrencyAmountInfo?) >
   <!ATTLIST BrandSelection
    ID                 ID      #REQUIRED
    BrandListRef       NMTOKEN #REQUIRED
    BrandRef           NMTOKEN #REQUIRED
    ProtocolAmountRef  NMTOKEN #REQUIRED
    CurrencyAmountRef  NMTOKEN #REQUIRED >

   <!ELEMENT BrandSelBrandInfo (PackagedContent+) >
   <!ATTLIST BrandSelBrandInfo
    ID                 ID      #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   <!ELEMENT BrandSelProtocolAmountInfo (PackagedContent+) >
   <!ATTLIST BrandSelProtocolAmountInfo
    ID                 ID      #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   <!ELEMENT BrandSelCurrencyAmountInfo (PackagedContent+) >
   <!ATTLIST BrandSelCurrencyAmountInfo
    ID                 ID      #REQUIRED
    ContentSoftwareId  CDATA   #IMPLIED >

   <!-- PAYMENT COMPONENT -->
   <!ELEMENT Payment EMPTY >
   <!ATTLIST Payment
    ID                 ID      #REQUIRED
    OkFrom             CDATA   #REQUIRED
    OkTo               CDATA   #REQUIRED
    BrandListRef       NMTOKEN #REQUIRED



Burdett                      Informational                    [Page 269]


RFC 2801                       IOTP/1.0                       April 2000


    SignedPayReceipt (True | False) #REQUIRED
    StartAfterRefs     NMTOKENS #IMPLIED >


   <!-- PAYMENT SCHEME COMPONENT -->
   <!ELEMENT PaySchemeData (PackagedContent+) >
   <!ATTLIST PaySchemeData
    ID                 ID      #REQUIRED
    PaymentRef         NMTOKEN #IMPLIED
    ConsumerPaymentId  CDATA   #IMPLIED
    PaymentHandlerPayId CDATA  #IMPLIED
    ContentSoftwareId  CDATA   #IMPLIED >


   <!-- PAYMENT RECEIPT COMPONENT -->
   <!ELEMENT PayReceipt (PackagedContent*) >
   <!ATTLIST PayReceipt
    ID                 ID      #REQUIRED
    PaymentRef         NMTOKEN #REQUIRED
    PayReceiptNameRefs NMTOKENS #IMPLIED
    ContentSoftwareId  CDATA   #IMPLIED >


   <!-- PAYMENT NOTE COMPONENT -->
   <!ELEMENT PaymentNote (PackagedContent+) >
   <!ATTLIST PaymentNote
     ID                ID      #REQUIRED
     ContentSoftwareId CDATA   #IMPLIED >


   <!-- DELIVERY COMPONENT -->
   <!ELEMENT Delivery (DeliveryData?, PackagedContent*) >
   <!ATTLIST Delivery
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    DelivExch          (True | False) #REQUIRED
    DelivAndPayResp    (True | False) #REQUIRED
    ActionOrgRef       NMTOKEN #IMPLIED >

   <!ELEMENT DeliveryData (PackagedContent*) >
   <!ATTLIST DeliveryData
    xml:lang           NMTOKEN #IMPLIED
    OkFrom             CDATA   #REQUIRED
    OkTo               CDATA   #REQUIRED
    DelivMethod        NMTOKEN #REQUIRED
    DelivToRef         NMTOKEN #REQUIRED
    DelivReqNetLocn    CDATA   #IMPLIED
    SecDelivReqNetLocn CDATA   #IMPLIED



Burdett                      Informational                    [Page 270]


RFC 2801                       IOTP/1.0                       April 2000


    ContentSoftwareId  CDATA   #IMPLIED >


   <!-- CONSUMER DELIVERY DATA COMPONENT -->
   <!ELEMENT ConsumerDeliveryData EMPTY >
   <!ATTLIST ConsumerDeliveryData
    ID                 ID      #REQUIRED
    ConsumerDeliveryId CDATA   #REQUIRED >


   <!-- DELIVERY NOTE COMPONENT -->
   <!ELEMENT DeliveryNote (PackagedContent+) >
   <!ATTLIST DeliveryNote
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    DelivHandlerDelivId CDATA  #IMPLIED
    ContentSoftwareId  CDATA   #IMPLIED >


   <!-- STATUS COMPONENT -->
   <!ELEMENT Status EMPTY >
   <!ATTLIST Status
    ID                 ID      #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    StatusType         NMTOKEN #REQUIRED
    ElRef              NMTOKEN #IMPLIED
    ProcessState (NotYetStarted | InProgress |
        CompletedOk | Failed | ProcessError) #REQUIRED
    CompletionCode     NMTOKEN #IMPLIED
    ProcessReference   CDATA   #IMPLIED
    StatusDesc         CDATA   #IMPLIED >

   <!-- TRADING ROLE DATA COMPONENT -->
   <!ELEMENT TradingRoleData (PackagedContent+) >
   <!ATTLIST TradingRoleData
     ID                ID      #REQUIRED
     OriginatorElRef   NMTOKEN #REQUIRED
     DestinationElRefs NMTOKENS #REQUIRED >

   <!-- INQUIRY TYPE COMPONENT -->
   <!ELEMENT InquiryType EMPTY >
   <!ATTLIST InquiryType
    ID                 ID      #REQUIRED
    Type               NMTOKEN #REQUIRED
    ElRef              NMTOKEN #IMPLIED
    ProcessReference   CDATA   #IMPLIED >





Burdett                      Informational                    [Page 271]


RFC 2801                       IOTP/1.0                       April 2000


   <!-- ERROR COMPONENT -->
   <!ELEMENT ErrorComp (ErrorLocation+, PackagedContent*) >
   <!ATTLIST ErrorComp
    ID                 NMTOKEN #REQUIRED
    xml:lang           NMTOKEN #REQUIRED
    ErrorCode          NMTOKEN #REQUIRED
    ErrorDesc          CDATA   #REQUIRED
    Severity (Warning|TransientError|HardError) #REQUIRED
    MinRetrySecs       CDATA   #IMPLIED
    SwVendorErrorRef   CDATA   #IMPLIED >


   <!ELEMENT ErrorLocation EMPTY >
   <!ATTLIST ErrorLocation
    ElementType        NMTOKEN #REQUIRED
    IotpMsgRef         NMTOKEN #IMPLIED
    BlkRef             NMTOKEN #IMPLIED
    CompRef            NMTOKEN #IMPLIED
    ElementRef         NMTOKEN #IMPLIED
    AttName            NMTOKEN #IMPLIED >



   <!--
   ******************************************************
   * TRADING BLOCKS                                     *
   ******************************************************
    -->

   <!-- TRADING PROTOCOL OPTIONS BLOCK -->
   <!ELEMENT TpoBlk ( ProtocolOptions, BrandList*, Org* ) >
   <!ATTLIST TpoBlk
    ID                 ID      #REQUIRED >


   <!-- TPO SELECTION BLOCK -->
   <!ELEMENT TpoSelectionBlk (BrandSelection+) >
   <!ATTLIST TpoSelectionBlk
    ID                 ID      #REQUIRED >


   <!-- OFFER RESPONSE BLOCK -->
   <!ELEMENT OfferRespBlk (Status, Order?, Payment*,
                Delivery?, TradingRoleData*) >
   <!ATTLIST OfferRespBlk
    ID                 ID      #REQUIRED >





Burdett                      Informational                    [Page 272]


RFC 2801                       IOTP/1.0                       April 2000


   <!-- AUTHENTICATION REQUEST BLOCK -->
   <!ELEMENT AuthReqBlk (AuthReq*, TradingRoleInfoReq?) >
   <!ATTLIST AuthReqBlk
    ID                 ID      #REQUIRED >


   <!-- AUTHENTICATION RESPONSE BLOCK -->
   <!ELEMENT AuthRespBlk (AuthResp?, Org*) >
   <!ATTLIST AuthRespBlk
    ID                 ID      #REQUIRED >


   <!-- AUTHENTICATION STATUS BLOCK -->
   <!ELEMENT AuthStatusBlk (Status) >
   <!ATTLIST AuthStatusBlk
    ID                 ID      #REQUIRED >


   <!-- PAYMENT REQUEST BLOCK -->
   <!ELEMENT PayReqBlk (Status+, BrandList, BrandSelection,
        Payment, PaySchemeData?, Org*, TradingRoleData*) >
   <!ATTLIST PayReqBlk
    ID                 ID      #REQUIRED >


   <!-- PAYMENT EXCHANGE BLOCK -->
   <!ELEMENT PayExchBlk (PaySchemeData) >
   <!ATTLIST PayExchBlk
    ID                 ID      #REQUIRED >


   <!-- PAYMENT RESPONSE BLOCK -->
   <!ELEMENT PayRespBlk (Status, PayReceipt?, PaySchemeData?,
        PaymentNote?, TradingRoleData*) >
   <!ATTLIST PayRespBlk
    ID                 ID      #REQUIRED >
   <!-- DELIVERY REQUEST BLOCK -->
   <!ELEMENT DeliveryReqBlk (Status+, Order, Org*, Delivery,
        ConsumerDeliveryData?, TradingRoleData*) >
   <!ATTLIST DeliveryReqBlk
    ID                 ID      #REQUIRED >


   <!-- DELIVERY RESPONSE BLOCK -->
   <!ELEMENT DeliveryRespBlk (Status, DeliveryNote) >
   <!ATTLIST DeliveryRespBlk
    ID                 ID      #REQUIRED >




Burdett                      Informational                    [Page 273]


RFC 2801                       IOTP/1.0                       April 2000


   <!-- INQUIRY REQUEST BLOCK -->
   <!ELEMENT InquiryReqBlk ( InquiryType, PaySchemeData? ) >
   <!ATTLIST InquiryReqBlk
    ID                 ID      #REQUIRED >


   <!-- INQUIRY RESPONSE BLOCK -->
   <!ELEMENT InquiryRespBlk (Status, PaySchemeData?) >
   <!ATTLIST InquiryRespBlk
    ID                 ID      #REQUIRED
    LastReceivedIotpMsgRef NMTOKEN #IMPLIED
    LastSentIotpMsgRef NMTOKEN #IMPLIED >


   <!-- PING REQUEST BLOCK -->
   <!ELEMENT PingReqBlk (Org*)>
   <!ATTLIST PingReqBlk
    ID                 ID      #REQUIRED>


   <!-- PING RESPONSE BLOCK -->
   <!ELEMENT PingRespBlk (Org+)>
   <!ATTLIST PingRespBlk
    ID                 ID      #REQUIRED
    PingStatusCode (Ok | Busy | Down) #REQUIRED
    SigVerifyStatusCode (Ok | NotSupported | Fail) #IMPLIED
    xml:lang           NMTOKEN #IMPLIED
    PingStatusDesc     CDATA   #IMPLIED>


   <!-- ERROR BLOCK -->
   <!ELEMENT ErrorBlk (ErrorComp+, PaySchemeData*) >
   <!ATTLIST ErrorBlk
    ID                 ID      #REQUIRED >


   <!-- CANCEL BLOCK -->
   <!ELEMENT CancelBlk (Status) >
   <!ATTLIST CancelBlk
    ID                 ID      #REQUIRED >


   <!--
   ******************************************************
   * IOTP SIGNATURES BLOCK DEFINITION                   *
   ******************************************************
   -->




Burdett                      Informational                    [Page 274]


RFC 2801                       IOTP/1.0                       April 2000


   <!ELEMENT IotpSignatures (Signature+ ,Certificate*) >
   <!ATTLIST IotpSignatures
       ID        ID        #IMPLIED
   >

   <!--
   ******************************************************
   * IOTP SIGNATURE COMPONENT DEFINITION                *
   ******************************************************
   -->

   <!ELEMENT Signature (Manifest, Value+) >
   <!ATTLIST Signature
       ID         ID        #IMPLIED
   >

   <!ELEMENT Manifest
       (       Algorithm+,
               Digest+,
               Attribute*,
               OriginatorInfo,
               RecipientInfo+
       )
   >

   <!ATTLIST Manifest
       LocatorHRefBase       CDATA             #IMPLIED
   >

   <!ELEMENT Algorithm (Parameter*) >
   <!ATTLIST Algorithm
       ID                     ID                #REQUIRED
       type            (digest|signature)      #IMPLIED
       name                  NMTOKEN           #REQUIRED
   >

   <!ELEMENT Digest (Locator, Value) >
   <!ATTLIST Digest
       DigestAlgorithmRef    IDREF             #REQUIRED
   >

   <!ELEMENT Attribute ( ANY ) >
   <!ATTLIST Attribute
       type                   NMTOKEN           #REQUIRED
       critical            ( true | false )     #REQUIRED
   >

   <!ELEMENT OriginatorInfo ANY >



Burdett                      Informational                    [Page 275]


RFC 2801                       IOTP/1.0                       April 2000


   <!ATTLIST OriginatorInfo
       OriginatorRef           NMTOKEN          #IMPLIED
   >

   <!ELEMENT RecipientInfo ANY >
   <!ATTLIST RecipientInfo
       SignatureAlgorithmRef   IDREF            #REQUIRED
       SignatureValueRef       IDREF            #IMPLIED
       SignatureCertRef        IDREF            #IMPLIED
       RecipientRefs           NMTOKENS         #IMPLIED
   >

   <!ELEMENT KeyIdentifier EMPTY>
   <!ATTLIST KeyIdentifier
       value                    CDATA           #REQUIRED
   >

   <!ELEMENT Parameter ANY >
   <!ATTLIST Parameter
       type                     CDATA           #REQUIRED
   >


   <!--
   ******************************************************
   * IOTP CERTIFICATE COMPONENT DEFINITION              *
   ******************************************************
   -->

   <!ELEMENT Certificate
    (  IssuerAndSerialNumber,  ( Value | Locator ) )
   >

   <!ATTLIST Certificate
       ID                        ID                #IMPLIED
       type                      NMTOKEN           #REQUIRED
   >

   <!ELEMENT IssuerAndSerialNumber EMPTY >
   <!ATTLIST IssuerAndSerialNumber
       issuer                     CDATA            #REQUIRED
       number                     CDATA            #REQUIRED
   >

   <!--
   ******************************************************
   * IOTP SHARED COMPONENT DEFINITION                   *
   ******************************************************



Burdett                      Informational                    [Page 276]


RFC 2801                       IOTP/1.0                       April 2000


   -->
   <!ELEMENT Value ( #PCDATA ) >
   <!ATTLIST Value
       ID               ID           #IMPLIED
       encoding    (base64|none)    'base64'
   >

   <!ELEMENT Locator EMPTY>
   <!ATTLIST Locator
       xml:link        CDATA         #FIXED        'simple'
       href            CDATA         #REQUIRED
   >

14. Glossary

   This section contains a glossary of some of the terms used within
   this specification in alphabetical order.

          NAME                            DESCRIPTION

   Authenticator      The Organisation which is requesting the
                      authentication of another Organisation, and

   Authenticatee      The Organisation being authenticated by an
                      Authenticator

   Business Error     See Status Component.

   Brand              A Brand is the mark which identifies a particular
                      type of Payment Instrument. A list of Brands are
                      the payment options which are presented by the
                      Merchant to the Consumer and from which the
                      Consumer makes a selection. Each Brand may have a
                      different Payment Handler. Examples of Brands
                      include:
                       o payment association and proprietary Brands,
                         for example MasterCard, Visa, American Express,
                         Diners Club, American Express, Mondex,
                         GeldKarte, CyberCash, etc.
                       o Promotional Brands (see below). These include:
                       o store Brands, where the Payment Instrument is
                         issued to a Consumer by a particular Merchant,
                         for example Walmart, Sears, or Marks and
                         Spencer (UK)
                       o coBrands, for example American Advantage Visa,
                         where an a company uses their own Brand in
                         conjunction with, typically, a payment
                         association Brand.



Burdett                      Informational                    [Page 277]


RFC 2801                       IOTP/1.0                       April 2000


   Consumer           The Organisation which is to receive the benefit
                      of and typically pay for the goods or services.

   ContentSoftwareId  This contains information which identifies the
                      software which generated the content of the
                      element. Its purpose is to help resolve
                      interoperability problems that might occur as a
                      result of incompatibilities between messages
                      produced by different software. It is a single
                      text string in the language defined by xml:lang.
                      It must contain, as a minimum:
                       o the name of the software manufacturer
                       o the name of the software
                       o the version of the software, and
                       o the build of the software

                      It is recommended that this attribute is included
                      whenever the software which generated the content
                      cannot be identified from the SoftwareId attribute
                      on the Message Id Component (see section 3.3.2)

   Customer Care      An Organisation that is providing customer care
   Provider           typically on behalf of a Merchant. Examples of
                      customer care include, responding to problems
                      raised by a Consumer arising from an IOTP
                      Transaction that the Consumer took part in.

   Delivery Handler   The Organisation that directly delivers the goods
                      or services to the Consumer on behalf of the
                      Merchant. Delivery can be in the form of either
                      digital goods (e.g., a [MIME] message), or
                      physically delivered using the post or a courier.

   Document Exchange  A Document Exchange consists of a set of IOTP
                      Messages exchanged between two parties that
                      implement part or all of two Trading Exchanges
                      simultaneously in order to minimise the number of
                      actual IOTP Messages which must be sent over the
                      Internet.

                      Document Exchanges are combined together in
                      sequence to implement a particular IOTP
                      Transaction.

   Dual Brand         A Dual Brand means that a single Payment
                      Instrument may be used as if it were two separate
                      Brands. For example there could be a single
                      Japanese "UC" MasterCard which can be used as



Burdett                      Informational                    [Page 278]


RFC 2801                       IOTP/1.0                       April 2000


                      either a UC card or a regular MasterCard. The UC
                      card Brand and the MasterCard Brand could each
                      have their own separate Payment Handlers. This
                      means that:
                       o the Merchant treats, for example "UC" and
                         "MasterCard" as two separate Brands when
                         offering a list of Brands to the Consumer,
                       o the Consumer chooses a Brand, for example
                         either "UC" or "MasterCard,
                       o the Consumer IOTP aware application determines
                         which Payment Instrument(s) match the chosen
                         Brand, and selects, perhaps with user
                         assistance, the correct Payment Instrument to
                         use.

   Error Block        An Error Block reports that a Technical Error was
                      found in an IOTP Message that was previously
                      received. Typically Technical Errors are caused by
                      errors in the XML which has been received or some
                      technical failure of the processing of the IOTP
                      Message. Frequently the generation or receipt of
                      an Error Block will result in failure of the IOTP
                      Transaction. They are distinct from Business
                      Errors, reported in a Status Component, which can
                      also cause failure of an IOTP Transaction.

   Exchange Block     An Exchange Block is sent between the two Trading
                      Roles involved in a Trading Exchange. It contains
                      one or more Trading Components. Exchange Blocks
                      are always sent after a Request Block and before a
                      Response Block in a Trading Exchange. The content
                      of an Exchange Block is dependent on the type of
                      Trading Exchange being carried out.

   IOTP Message       An IOTP Message is the outermost wrapper for the
                      document(s) which are sent between Trading Roles
                      that are taking part in a trade. It is a well
                      formed XML document. The documents it contains
                      consist of:
                       o a Transaction Reference Block to uniquely
                         identify the IOTP Transaction of which the IOTP
                         Message is part,
                       o an optional Signature Block to digitally sign
                         the Trading Blocks or Trading Components
                         associated with the IOTP Transaction
                       o an optional Error Block to report on technical
                         errors contained in a previously received IOTP
                         Message, and



Burdett                      Informational                    [Page 279]


RFC 2801                       IOTP/1.0                       April 2000


                       o a collection of IOTP Trading Blocks which
                         carries the data required to carry out an IOTP
                         Transaction.

   IOTP Transaction   An instance of an Internet Open Trading Protocol
                      Transaction consists of a set of IOTP Messages
                      transferred between Trading Roles. The rules for
                      what may be contained in the IOTP Messages is
                      defined by the Transaction Type of the IOTP
                      Transaction.

   IOTP Transaction   A Transaction Type identifies the type an of IOTP
   Type               Transaction. Examples of Transaction Type include:
                      Purchase, Refund, Authentication, Withdrawal,
                      Deposit (of electronic cash). The Transaction Type
                      specifies for an IOTP Transaction:
                       o the Trading Exchanges which may be included in
                         the transaction,
                       o how those Trading Exchanges may be combined to
                         meet the business needs of the transaction
                       o which Trading Blocks may be included in the
                         IOTP Messages that make up the transaction
                       o Consult this specification for the rules that
                         apply for each Transaction Type.

   Merchant           The Organisation from whom the service or goods
                      are being obtained, who is legally responsible for
                      providing the goods or services and receives the
                      benefit of any payment made

   Merchant Customer  The Organisation that is involved with customer
   Care Provider      dispute negotiation and resolution on behalf of
                      the Merchant

   Organisation       A company or individual that takes part in a Trade
                      as a Trading Role. The Organisations may take one
                      or more of the roles involved in the Trade

   Payment Handler    The Organisation that physically receives the
                      payment from the Consumer on behalf of the
                      Merchant

   Payment            A Payment Instrument is the means by which
   Instrument         Consumer pays for goods or services offered by a
                      Merchant. It can be, for example:
                       o a credit card such as MasterCard or Visa;
                       o a debit card such as MasterCard's Maestro;
                       o a smart card based electronic cash Payment



Burdett                      Informational                    [Page 280]


RFC 2801                       IOTP/1.0                       April 2000


                         Instrument such as a Mondex Card, a GeldKarte
                         card or a Visa Cash card
                       o a software based electronic payment account
                         such as a CyberCash's CyberCoin or DigiCash
                         account.

                      All Payment Instruments have a number, typically
                      an account number, by which the Payment Instrument
                      can be identified.

   Promotional Brand  A Promotional Brand means that, if the Consumer
                      pays with that Brand, then the Consumer will
                      receive some additional benefit which can be
                      received in two ways:
                       o at the time of purchase. For example if a
                         Consumer pays with a "Walmart MasterCard" at a
                         Walmart web site, then a 5% discount might
                         apply, which means the Consumer actually pays
                         less,
                       o from their Payment Instrument (card) issuer
                         when the payment appears on their statement.
                         For example loyalty points in a frequent flyer
                         scheme could be awarded based on the total
                         payments made with the Payment Instrument since
                         the last statement was issued.

                      Each Promotional Brand should be identified as a
                      separate Brand in the list of Brands offered by
                      the Merchant.

   Receipt Component  A Receipt Component is a record of the successful
                      completion of a Trading Exchange. Examples of
                      Receipt Components include: Payment Receipts, and
                      Delivery Notes. It's content may dependent on the
                      technology used to perform the Trading Exchange.
                      For example a Secure Electronic Transaction (SET)
                      payment receipt consists of SET payment messages
                      which record the result of the payment.

   Request Block      A Request Block is Trading Block that contains a
                      request for a Trading Exchange to start. The
                      Trading Components in a Request Block may be
                      signed by a Signature Block so that their
                      authenticity may be checked and to determine that
                      the Trading Exchange being requested is
                      authorised. Authorisation for a Trading Exchange
                      to start can be provided by the signatures
                      contained on Receipt Components contained in



Burdett                      Informational                    [Page 281]


RFC 2801                       IOTP/1.0                       April 2000


                      Response Blocks resulting from previously
                      completed Trading Exchanges.  Examples of Request
                      Blocks are Payment Request and Delivery Request

   Response Block     A Response Block is a Trading Block that indicates
                      that a Trading Exchange is complete. It is sent by
                      the Trading Role that received a Request Block to
                      the Trading Role that sent the Request Block. The
                      Response Block contains a Status Component that
                      contains information about the completion of the
                      Trading Exchange, for example it indicates whether
                      or not the Trading Exchange completed
                      successfully. For some Trading Exchanges the
                      Response Block contains a Receipt Component that
                      forms a record of the Trading Exchange. Receipt
                      Components may be digitally signed using a
                      Signature Block to make completion non-refutable.
                      Examples of Response Blocks include Offer
                      Response, Payment Response and Delivery Response.

   Signature Block    A Signature Block is a Trading Block that contains
                      one or more digital signatures in the form of
                      Signature Components. A Signature Component may
                      digitally sign any Block or Component in any IOTP
                      Message in the same IOTP Transaction.

   Status Component   A Status Component contains information that
                      describes the state of a Trading Exchange.

                      Before the Trading Exchange is complete the Status
                      Component can indicate information about how the
                      Trading Exchange is progressing.

                      Once a Trading Exchange is complete the Status
                      Component can only indicate the success of the
                      Trading Exchange or that a Business Error has
                      occurred.

                      A Business Error indicates that continuation with
                      the Trading Exchange was not possible because of
                      some business rule or logic, for example,
                      "insufficient funds available", rather than any
                      Technical Error associated with the content or
                      format of the IOTP Messages in the IOTP
                      Transaction.

   Technical Error    See Error Block.




Burdett                      Informational                    [Page 282]


RFC 2801                       IOTP/1.0                       April 2000


   Trading Block      A Trading Block consists of one or more Trading
                      Components. One or more Trading Blocks may be
                      contained within the IOTP Messages which are
                      physically sent in the form of [XML] documents
                      between the different Trading Roles that are
                      taking part in a trade. Trading Blocks are of
                      three main types:
                       o a Request Block,
                       o an Exchange Block, or a
                       o a Response Block

   Trading Component  A Trading Component is a collection of XML
                      elements and attributes. Trading Components are
                      the child elements of the Trading Blocks. Examples
                      of Trading Components are: Offer, Brand List,
                      Payment Receipt, Delivery [information], Payment
                      Amount [information]

   Trading Exchange   A Trading Exchange consists of the exchange,
                      between two Trading Roles, of a sequence of
                      documents. The documents may be in the form of
                      Trading Blocks or they may be transferred by some
                      other means, for example through entering data
                      into a web page. Each Trading Exchange consists of
                      three main parts:
                       o the sending of a Request Block by one Trading
                         Role (the initiator) to another Trading Role
                         (the recipient),
                       o the optional exchange of one or more Exchange
                         Blocks between the recipient and the initiator,
                         until eventually,
                       o the Trading Role that received the Request
                         Block sends a Response Block to the initiator.

                      A Trading Exchange is designed to implement a
                      useful service of some kind. Examples of Trading
                      Exchanges/services are:
                       o Offer, which results in a Consumer receiving
                         an offer from a Merchant to carry out a
                         business transaction of some kind,
                       o Payment, where a Consumer makes a payment to a
                         Payment Handler,
                       o Delivery, where a Consumer requests, and
                         optionally obtains, delivery of goods or
                         services from a Delivery Handler, and
                       o Authentication, where any Trading Role may
                         request and receive information about another
                         Trading Role.



Burdett                      Informational                    [Page 283]


RFC 2801                       IOTP/1.0                       April 2000


   Trading Role       A Trading Role identifies the different ways in
                      which Organisations can participate in a trade.
                      There are five Trading Roles: Consumer, Merchant,
                      Payment Handler, Delivery Handler, and Merchant
                      Customer Care Provider.

   Transaction        A Transaction Reference Block identifies an IOTP
   Reference Block    Transaction. It contains data that identifies:
                       o the Transaction Type,
                       o the IOTP Transaction uniquely, through a
                         globally unique transaction identifier
                       o the IOTP Message uniquely within the IOTP
                         Transaction, through a message identifier

                      The Transaction Reference Block may also contain
                      references to other transactions which may or may
                      not be IOTP Transactions

15. References

   This section contains references to related documents identified in
   this specification.

   [Base64]    Freed, N. and N. Borenstein, "Multipurpose Internet Mail
               Extensions (MIME) Part One: Format of Internet Message
               Bodies", RFC 2045, November 1996.

   [DOM-HASH]  Maruyama, H., Tamura, K. and N. Uramoto, "Digest Values
               for DOM (DOMHASH)", RFC 2803, April 2000.

   [DNS]       Mockapetris, P., "Domain names - concepts and
               facilities", STD 13, RFC 1034, November 1987.

   [DNS]       Mockapetris, P., "Domain names - implementation and
               specification", STD 13, RFC 1035, November 1987.

   [DSA]       The Digital Signature Algorithm (DSA) published by the
               National Institute of Standards and Technology (NIST) in
               the Digital Signature Standard (DSS), which is a part of
               the US government's Capstone project.

   [ECCDSA]    Elliptic Curve Cryptosystems Digital Signature Algorithm
               (ECCDSA). Elliptic curve cryptosystems are analogues of
               public-key cryptosystems such as RSA in which modular
               multiplication is replaced by the elliptic curve addition
               operation. See: V. S. Miller. Use of elliptic curves in
               cryptography. In Advances in Cryptology - Crypto '85,
               pages 417-426, Springer-Verlag, 1986.



Burdett                      Informational                    [Page 284]


RFC 2801                       IOTP/1.0                       April 2000


   [HMAC]      Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:  Keyed-
               Hashing for Message Authentication", RFC 2104, February
               1997.

   [HTML]      Berners-Lee, T. and D. Connolly, "Hypertext Markup
               Language - 2.0", RFC 1866, November 1995.

   [HTML]      Hyper Text Mark Up Language. The Hypertext Mark-up
               Language (HTML) is a simple mark-up language used to
               create hypertext documents that are platform independent.
               See the World Wide Web (W3C) consortium web site at:
               http://www.w3.org/MarkUp/

   [HTTP]      Berners-Lee, T., Fielding, R. and H. Frystyk, "Hypertext
               Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996.

   [HTTP]      Fielding, R., Gettys, J., Mogul, J., Frystyk, T. and T.
               Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1.",
               RFC 2616, June 1999.

   [IANA]      The Internet Assigned Numbers Authority. The organisation
               responsible for co-ordinating the names and numbers
               associated with the Internet. See http://www.iana.org/

   [ISO4217]   ISO 4217: Codes for the Representation of Currencies.
               Available from ANSI or ISO.

   [IOTPDSIG]  Davidson, K. and Y. Kawatsura, "Digital Signatures for
               the v1.0 Internet Open Trading Protocol (IOTP)", RFC
               2802, April 2000.

   [MD5]       Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
               April 1992.

   [MIME]      Crocker, D., "Standard for the Format of ARPA Internet
               Text Messages", STD 11, RFC 822, August 1982.

   [MIME]      Freed, N. and N. Borenstein, "Multipurpose Internet Mail
               Extensions (MIME) Part One: Format of Internet Message
               Bodies", RFC 2045, November 1996.

   [MIME]      Freed, N. and N. Borenstein, "Multipurpose Internet Mail
               Extensions (MIME) Part Two: Media Types", RFC 2046,
               November 1996.

   [MIME]      Moore, K., "MIME (Multipurpose Internet Mail Extensions)
               Part Three: Message Header Extensions for Non-ASCII Text"
               RFC 2047, November 1996.



Burdett                      Informational                    [Page 285]


RFC 2801                       IOTP/1.0                       April 2000


   [MIME]      Freed, N., Klensin, J. and J. Postel, "Multipurpose
               Internet Mail Extensions (MIME) Part Four: Registration
               Procedures", RFC 2048, November 1996.

   [MIME]      Freed, N. and N. Borenstein, "Multipurpose Internet Mail
               Extensions (MIME) Part Five: Conformance Criteria and
               Examples" RFC 2049, November 1996.

   [OPS]       Open Profiling Standard. A proposed standard which
               provides a framework with built-in privacy safeguards for
               the trusted exchange of profile information between
               individuals and web sites.  Being developed by Netscape
               and Microsoft amongst others.

   [RFC1738]   Berners-Lee, T., Masinter, L. and M. McCahill, "Uniform
               Resource Locators (URL)", RFC 1738, December 1994.

   [RFC2434]   Narten, T. and H. Alvestrand, "Guidelines for Writing an
               IANA Considerations Section in RFCs", BCP 26, RFC 2434,
               October 1998.

   [RSA]       RSA is a public-key cryptosystem for both encryption and
               authentication supported by RSA Data Security Inc. See:
               R. L. Rivest, A. Shamir, and L.M. Adleman. A method for
               obtaining digital signatures and public-key
               cryptosystems. Communications of the ACM, 21(2): 120-126,
               February 1978.

   [SCCD]      Secure Channel Credit Debit. A method of conducting a
               credit or debit card payment where unauthorised access to
               account information is prevented through use of secure
               channel transport mechanisms such as SSL/TLS. An IOTP
               supplement describing how SCCD works is under
               development.

   [SET]       Secure Electronic Transaction Specification, Version 1.0,
               May 31, 1997. Supports credit and debit card payments
               using certificates at the Consumer and Merchant to help
               ensure authenticity.  Download from:
               <http://www.setco.org>.

   [SSL/TLS]   Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
               RFC 2246, January 1999.

   [SHA1]      [FIPS-180-1]"Secure Hash Standard", National Institute of
               Standards and Technology, US Department Of Commerce,
               April 1995. Also known as: 59 Fed Reg. 35317 (1994). See
               http://www.itl.nist.gov/div897/pubs/fip180-1.htm



Burdett                      Informational                    [Page 286]


RFC 2801                       IOTP/1.0                       April 2000


   [UTC]       Universal Time Co-ordinated. A method of defining time
               absolutely relative to Greenwich Mean Time (GMT).
               Typically of the form:  "CCYY-MM-DDTHH:MM:SS.sssZ+n"
               where the "+n" defines the number of hours from GMT. See
               ISO DIS8601.

   [UTF16]     The Unicode Standard, Version 2.0.  The Unicode
               Consortium, Reading, Massachusetts. See ISO/IEC 10646 1
               Proposed Draft Amendment 1

   [X.509]     ITU Recommendation X.509 1993 | ISO/IEC 9594-8: 1995,
               Including Draft Amendment 1: Certificate Extensions
               (Version 3 Certificate)

   [XML        Recommendation for Namespaces in XML, World Wide Web
   Namespace]  Consortium, 14 January 1999, "http://www.w3.org/TR/REC-
               xml-names"

   [XML]       Extensible Mark Up Language. A W3C recommendation. See
               http://www.w3.org/TR/1998/REC-xml-19980210 for the 10
               February 1998 version.

16. Author's Address

   The author of this document is:

   David Burdett
   Commerce One
   4440 Rosewood Drive, Bldg 4
   Pleasanton
   California 94588
   USA

   Phone: +1 (925) 520 4422
   EMail: david.burdett@commerceone.com

   The author of this document particularly wants to thank Mondex
   International Limited (www.mondex.com) for the tremendous support
   provided in the formative stages of the development of this
   specification.











Burdett                      Informational                    [Page 287]


RFC 2801                       IOTP/1.0                       April 2000


   In addition the author appreciates the following contributors to this
   protocol (in alphabetic order of company) without which it could not
   have been developed.

      -  Phillip Mullarkey, British Telecom plc

      -  Andrew Marchewka, Canadian Imperial Bank of Commerce

      -  Brian Boesch, CyberCash Inc.

      -  Tom Arnold, CyberSource

      -  Terry Allen, Commerce One (formally Veo Systems)

      -  Richard Brown, GlobeSet Inc.

      -  Peter Chang, Hewlett Packard

      -  Masaaki Hiroya, Hitachi Ltd

      -  Yoshiaki Kawatsura, Hitachi Ltd

      -  Mark Linehan, International Business Machines

      -  Jonathan Sowler, JCP Computer Services Ltd

      -  John Wankmueller, MasterCard International

      -  Steve Fabes, Mondex International Ltd

      -  Donald Eastlake 3rd, Motorola Inc (formerly International
         Business Machines Inc)

      -  Surendra Reddy, Oracle Corporation

      -  Akihiro Nakano, Plat Home, Inc. (ex Hitachi Ltd)

      -  Chris Smith, Royal Bank of Canada

      -  Hans Bernhard-Beykirch, SIZ (IT Development and Coordination

         Centre of the German Savings Banks Organisation)

      -  W. Reid Carlisle, Spyrus (ex Citibank Universal Card Services,
         formally AT&T Universal Card Services)

      -  Efrem Lipkin, Sun Microsystems




Burdett                      Informational                    [Page 288]


RFC 2801                       IOTP/1.0                       April 2000


      -  Tony Lewis, Visa International

   The author would also like to thank the following organisations for
   their support:

      -  Amino Communications

      -  DigiCash

      -  Fujitsu

      -  General Information Systems

      -  Globe Id Software

      -  Hyperion

      -  InterTrader

      -  Nobil I T Corp

      -  Mercantec

      -  Netscape

      -  Nippon Telegraph and Telephone Corporation

      -  Oracle Corporation

      -  Smart Card Integrations Ltd.

      -  Spyrus

      -  Verifone

      -  Unisource nv

      -  Wells Fargo Bank













Burdett                      Informational                    [Page 289]


RFC 2801                       IOTP/1.0                       April 2000


17. Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Burdett                      Informational                    [Page 290]