
OFTP2 or AS2 - which EDI protocol to use where?

For B2B communication, OFTP (ODETTE File Transfer Protocol), currently in version 2, and AS2 are frequently used protocols. So which one should you use, and when? From a technical point of view, the advantages and disadvantages of the two are not easy to weigh against each other, because they are quite similar.

Wednesday, 13. November 2019

As far as the security of data transmission is concerned, there is in principle little to choose between the two protocols. Both encrypt the data and use a digital signature to identify the sender beyond any doubt. To prevent messages from being intercepted or falsified in transit, OFTP2 relies on SSL/TLS technology, while AS2 secures integrity using hash algorithms. OFTP2 protects EDI traffic on three levels: connection security is ensured by encrypting the TCP/IP packets; in addition, the transmitted data itself is encrypted; and hash values that can be signed allow the integrity and authenticity of the data to be verified.

AS2 works with a kind of "envelope". Electronic business documents of any format (EDI, XML, CSV, TXT, etc.) are embedded in this envelope so that they can be transmitted via any TCP/IP-based network using the HTTP protocol. Each AS2 message receives an electronic signature and is transmitted to the receiving side in encrypted form. Like OFTP2, AS2 works with two layers of encryption. First, HTTPS (i.e. SSL or TLS) provides basic encryption of the entire communication, including the HTTP header. This makes it impossible to see who is sending data to whom and with which certificates. Second, AS2 uses additional certificates for the actual data encryption, for which the S/MIME standard is used.

Push and pull with OFTP2 in one session

With OFTP2, sending and receiving take place within the same session, whereas AS2, as a pure push protocol, only sends, and the AS2 endpoint must be open for receiving in 24/7 operation. This difference could be used to argue that OFTP2 technology has an advantage over AS2. A group of experts from the automobile association ODETTE International Ltd., the creator of OFTP, regularly reviews and improves the protocol so that it always meets the latest security standards. This guarantees that OFTP2 is always up to date.

The ODETTE variant also impresses with its wide range of functions, allowing not only technical data but also commercial information to be transmitted. It also allows the transmission of large amounts of data (by means of compression), can be used over any IP-based network and offers traceability of transmitted data by means of tracking, receipt and non-repudiation functions. Odette refers to these acknowledgements as End-to-End Response (EERP) or Negative End-to-End Response (NERP). AS2 also ensures traceability, in its case by means of a so-called Message Disposition Notification (MDN). Similar to EERP and NERP, the MDN can be positive or negative. It contains the message ID of the data transmission that is to be confirmed, similar to registered mail with advice of receipt in postal dispatch.
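As an added illustration (not code from the original article or from any AS2 product), the following Python sketch shows how a sender can check an incoming MDN against the message it actually sent: the message ID must match, the disposition must be positive, and the hash echoed by the partner must equal the sender's own. The function names and the sample MDN are constructed for this example; the field names follow RFC 4130. Assumptions: the hash is taken over the raw payload bytes for simplicity, and verification of the MDN's own signature is not shown.

```python
import base64, hashlib, hmac
from email import message_from_bytes

ALLOWED = {"sha1", "sha256", "sha384", "sha512"}  # digests we accept from a partner

def mic(content: bytes, algo: str) -> str:
    """Base64 digest of the content that was sent (simplified: real AS2
    hashes the canonicalised MIME entity, headers included)."""
    return base64.b64encode(hashlib.new(algo, content).digest()).decode()

def check_mdn(raw_mdn: bytes, sent_id: str, sent_content: bytes) -> str:
    """Classify an MDN against the message we actually sent."""
    msg = message_from_bytes(raw_mdn)
    # The machine-readable fields sit inside the message/disposition-notification part.
    fields = next((p for p in msg.walk() if p["Original-Message-ID"]), None)
    if fields is None:
        return "malformed"
    if fields["Original-Message-ID"].strip() != sent_id:
        return "wrong-message"        # receipt confirms some other transfer
    status = fields.get("Disposition", "").partition(";")[2].strip().lower()
    if status != "processed" and not status.startswith("processed/warning"):
        return "negative"             # partner reported an error or failure
    value, _, algo = fields.get("Received-Content-MIC", "").partition(",")
    algo = algo.strip().lower().replace("-", "")
    if algo not in ALLOWED:
        return "malformed"
    if not hmac.compare_digest(value.strip(), mic(sent_content, algo)):
        return "integrity-mismatch"   # partner received different bytes
    return "confirmed"

def sample_mdn(orig_id: str, disposition: str, mic_value: str) -> bytes:
    """Constructed MDN for the demo; not captured from a real partner."""
    return (
        "Message-ID: <mdn-1@partner.example>\r\n"
        "Content-Type: multipart/report;"
        ' report-type=disposition-notification; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "Receipt for your AS2 message.\r\n"
        "--b1\r\n"
        "Content-Type: message/disposition-notification\r\n\r\n"
        f"Original-Message-ID: {orig_id}\r\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {disposition}\r\n"
        f"Received-Content-MIC: {mic_value}, sha256\r\n"
        "\r\n"
        "--b1--\r\n"
    ).encode()
```

A sender should treat anything other than "confirmed" as an undelivered transfer and should log the result next to the original message ID, since that pairing is what provides the traceability described above.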

For OFTP2, it is recommended, especially for small and medium-sized enterprises, to bring in an EDI service provider. Otherwise you will have to purchase your own OFTP2 server for communication with your partner. This, however, is expensive to acquire and maintain, and connections must be set up anew for each partner. You also need digital certificates, which are either generated by yourself or purchased.

Since there are no telephone or usage fees, OFTP2 and AS2 are cost-effective to operate. However, the sender and receiver each require an Internet connection and a communication module.

Differences, especially with regard to industry orientation

This makes it clear that the two variants differ less technically than in terms of their intended use and historical background, which in turn suggests which protocol might be more suitable for which company or industry. OFTP was introduced by ODETTE International Ltd., the member organisation of the European automotive industry, which defines the standards for e-business communication and data exchange. As a result, the automotive industry in particular, but by now also the public sector, uses OFTP to handle its EDI traffic. Originally it was developed for use over an X.25 network, which was historically used over ISDN. With the implementation of OFTP2 in 2007, communication became Internet-based, using the TCP/IP protocol.

AS2 was developed in the USA by the Uniform Code Council (UCC) and is mainly used in retail and manufacturing. EDI traffic is carried out with AS2 over the Internet via HTTP. The protocol specification describes the pure transmission of data, not its validation and processing. The protocol received a strong boost when the Walmart retail group told its 10,000 suppliers in 2002 to use AS2 for direct exchange of EDI data.
