AS4
AS4, or Applicability Statement 4, is an open standard conformance profile of the OASIS ebXML Messaging Services version 3.0 (ebMS 3.0) specification, providing a simplified framework for secure, reliable, and interoperable exchange of business-to-business (B2B) documents and data using web services over HTTP or HTTPS.[1] Developed by the OASIS technical committee and published in 2013, AS4 builds on the success of earlier protocols like AS2 by incorporating web services standards such as SOAP and WS-Security to ensure non-repudiation, confidentiality, and one-time delivery through built-in receipt mechanisms.[1][2] Key features of AS4 include support for both push and pull messaging patterns, allowing flexible one-way or two-way exchanges without requiring direct connections, as well as payload-agnostic handling for formats like EDI, XML, or binary files.[1][2] It emphasizes a "just-enough" design principle to minimize complexity while maintaining compatibility with international web services standards, making it suitable for diverse B2B scenarios such as electronic invoicing and supply chain integration.[1] Compared to its predecessor AS2, AS4 offers enhanced interoperability through modern web service contexts, active pull options for better control in multi-hop networks, and improved delivery notifications, reducing reliance on older HTTP-based methods.[2][3] Since its release, AS4 has seen growing adoption, particularly in Europe, where it was selected in 2015 as the core protocol for the EU's Connecting Europe Facility (CEF) eDelivery network to facilitate secure cross-border data exchanges in public and private sectors.[4] In 2021, AS4 (ISO/IEC 15000-2) and ebMS 3.0 (ISO/IEC 15000-1) were published as International Standards, affirming their role in global electronic commerce and administration processes.[5] As of 2025, AS4 continues to expand, with the eDelivery AS4 2.0 profile adopted in December 2024 and mandatory implementation in the German energy market from April 2025.[6][7] It is implemented in sectors like energy markets, e-invoicing via PEPPOL, and B2B integrations, with certification programs ensuring compliance and easing partner onboarding.[7][8]Overview
Definition and Purpose
AS4, or Applicability Statement 4, is an open standard defined as a conformance profile of the OASIS ebXML Messaging Services version 3.0 (ebMS 3.0) Core Specification, enabling payload-agnostic exchange of business-to-business (B2B) documents using Web services.[1] It represents a profiled subset of ebMS 3.0, incorporating a combination of conformance profiles for implementation capabilities and a usage profile to streamline Web services-based B2B messaging through a "just-enough" design approach.[1] The primary purpose of AS4 is to facilitate the secure and reliable transfer of business documents, such as electronic data interchange (EDI) messages including invoices and purchase orders, between trading partners over the Internet.[1] This standard supports both B2B and business-to-government (B2G) scenarios by leveraging SOAP envelopes and Web services protocols to ensure interoperability without restrictions on payload types or sizes.[1] Key benefits of AS4 include simplifying the adoption of Web services for B2B integrations by avoiding dependencies on specific SOAP actions and reducing the complexity of the underlying ebMS 3.0 specification, thereby promoting broader interoperability among diverse systems.[1] Its scope encompasses one-way push and pull message exchange patterns (MEPs), with support for optional synchronous or asynchronous responses to enhance flexibility in document handling.[1]Historical Development
The AS4 profile originated within the framework of the ebXML Messaging Services (ebMS) 3.0 specification, which was approved as an OASIS Standard on October 1, 2007, providing a foundation for reliable, secure messaging using Web services protocols. Developed by the OASIS ebXML Messaging Services Technical Committee, AS4 emerged as a simplified conformance profile of ebMS 3.0 to address the need for straightforward, AS2-like functionality in B2B electronic data interchange over HTTP, building on the proven reliability of earlier Internet-based standards while incorporating SOAP and WS-Security for modern interoperability.[9][1] The development of AS4 was influenced by the increasing adoption of Web services in business-to-business communications, aiming to reduce complexity in ebMS 3.0 while supporting essential features for secure document exchange. Contributions from the OASIS technical committee were driven by practical requirements, including those from the Australian government's superannuation sector, where standardized messaging was needed for efficient business-to-government data flows under the SuperStream initiative. This focus helped shape AS4's emphasis on accessibility and compliance for regulated industries.[9][10][11] A pivotal milestone occurred on January 23, 2013, when the AS4 Profile of ebMS 3.0 Version 1.0 received OASIS Standard approval, formalizing its status and highlighting enhancements like GZIP compression for payloads and support for multiple attachments to improve transmission efficiency.[1][12] In a further step toward global recognition, following ISO approval on July 28, 2020, AS4 was published as ISO 15000-2:2021 in February 2021, incorporating the profile as a subset of ebMS functionality with implementation guidelines.[13][14] This evolution solidified AS4's role in bridging legacy and contemporary messaging paradigms.Technical Foundation
Core Standards and Profiles
AS4 functions as both a usage profile and a conformance profile of the OASIS ebMS 3.0 specification, designed to simplify and standardize secure B2B messaging while maintaining compatibility with web services standards. This profile constrains the ebMS 3.0 framework to use SOAP 1.2 envelopes, ensuring adherence to the WS-I Basic Profile 2.0 for interoperability and the WS-I Attachments Profile 1.0 for handling multipart messages. By limiting optional features and mandating specific behaviors, AS4 promotes straightforward implementation for electronic document exchange in B2B scenarios.[1] AS4 defines two conformance profiles: the ebHandler profile, which supports full features including both push and pull patterns, and the Light Client profile, which provides minimal capabilities for basic exchanges without advanced options like multi-hop messaging. At its foundation, AS4 leverages the core elements of ebMS 3.0, including the ebMS messaging header—which encapsulates metadata for routing, processing, and correlation—and standardized payload handling to encapsulate business documents within SOAP envelopes. The profile explicitly supports the transmission of single or multiple attachments, packaged using MIME multipart/related structures to bundle payloads with the SOAP body, and incorporates MTOM (Message Transmission Optimization Mechanism) for efficient serialization of binary content directly into the SOAP envelope without base64 encoding overhead. These components enable robust packaging for diverse B2B payloads while minimizing complexity compared to the full ebMS 3.0 specification.[1][15] AS4 integrates supporting web services standards to enhance its messaging capabilities, such as WS-Addressing for specifying endpoint references and facilitating dynamic routing of messages to intended recipients. For reliability, it uses ebMS 3.0 receipt mechanisms to provide basic delivery assurance. Security is addressed via integration with WS-Security for protecting message integrity and confidentiality.[1] Central to AS4's architecture are Processing Modes (P-Modes), which define configurable parameters for how messages are processed and exchanged between AS4 messaging endpoints, including details on transport protocols, error handling, and security configurations. AS4 messages include either a UserMessage to carry the business payload or a SignalMessage for conveying receipts, errors, or other control signals. These P-Modes ensure predictable behavior across implementations by profiling ebMS 3.0 elements to a minimal yet functional set.[1] The AS4 profile is inherently payload-agnostic, placing no restrictions on the formats or types of documents exchanged, which allows it to support a broad spectrum of B2B content such as XML invoices, EDI files, or unstructured data. It accommodates compression of payloads using gzip to reduce transmission size and explicitly enables the handling of binary data through MIME attachments or MTOM, promoting efficiency in bandwidth-constrained environments.[1]Message Exchange Patterns
AS4 defines two primary Message Exchange Patterns (MEPs) for the transmission of business documents between trading partners: One-Way/Push and One-Way/Pull. In the One-Way/Push pattern, the sending Message Service Handler (MSH) initiates the exchange by directly transmitting a UserMessage to the receiving MSH over HTTP or HTTPS, allowing for either synchronous (back-channel response) or asynchronous (separate callback) modes depending on the configuration. This pattern is mandatory for AS4-conformant implementations acting as the initiating partner, ensuring straightforward delivery without requiring the receiver to actively poll.[1] The One-Way/Pull pattern, in contrast, enables the receiving MSH to poll the sending MSH for pending messages by issuing a PullRequest signal, which prompts the delivery of queued UserMessages; this supports scenarios where the sender lacks direct access to the receiver's endpoint or for batch processing. Like Push, Pull accommodates synchronous or asynchronous operations, with the responding MSH required to support PullRequests in full-profile implementations such as the ebHandler. Both patterns rely on ebMS 3.0 headers to enforce the exchange semantics, with P-Modes—processing mode parameters—specifying details like the MEP binding (push or pull) and reply patterns for acknowledgments.[1] Receipt mechanisms in AS4 ensure delivery assurance through SignalMessages, particularly the Non-Repudiation of Receipt (NRR), which mirrors the functionality of Message Disposition Notifications (MDNs) in AS2 by providing cryptographic proof of message processing. Upon receiving a UserMessage, the MSH generates an eb:Receipt SignalMessage containing a reference to the original message ID and, when NRR is enabled via P-Mode parameters (e.g., PMode[16].Security.SendReceipt.NonRepudiation set to true), includes signed digests using NonRepudiationInformation elements for verifiable acknowledgment. These receipts can be returned synchronously in the HTTP response, asynchronously via a callback endpoint, or bundled with other signals like PullRequest responses, confirming that the message was well-formed and successfully processed by the MSH.[1] AS4 supports multi-hop messaging to facilitate routed exchanges through intermediaries, where P-Modes configure endpoint behaviors such as adding actor or role attributes to SOAP headers (PMode[16].Protocol.AddActorOrRoleAttribute set to true), allowing messages to traverse multiple MSHs while maintaining end-to-end integrity. Error handling follows standardized SOAP faults embedded in ebMS Error elements, with specific fault types like EBMS:0301 for missing receipts; retry logic is governed by P-Mode settings, such as error reporting patterns (e.g., asResponse or separateRequest), enabling robust recovery without disrupting the overall flow. For instance, in a typical One-Way/Push flow, the sender encapsulates the UserMessage within a SOAP envelope and transmits it to the receiver's URL; the receiver processes it and responds with a SignalMessage receipt, either immediately or via a configured callback, ensuring traceability across the exchange.[1]Security and Reliability
Authentication and Encryption Mechanisms
AS4 employs robust authentication mechanisms to verify the identity of communicating parties, primarily through the integration of Web Services Security (WS-Security) 1.1 standards. Authentication supports the use of X.509 certificates as digital identities, following the Web Services Security X.509 Certificate Token Profile 1.1, which enables digital signatures and encryption for secure party verification.[1][17] Additionally, AS4 mandates support for username and password tokens via the WS-Security UsernameToken Profile 1.1, which can be used for authorization in scenarios such as Pull signal requests, providing a simpler alternative to certificate-based methods when appropriate.[1][18] For protecting message confidentiality, AS4 utilizes XML Encryption (XML-Enc) as defined in the W3C XML Encryption Syntax and Processing recommendation, applied specifically to the SOAP body and all attachments or payload parts.[1] Implementations must encrypt all payload parts of an AS4 user message if encryption is enabled, ensuring that sensitive data remains confidential during transmission over the Internet, while the eb:Messaging header is typically not encrypted to allow processing. This approach leverages MIME multipart structures for handling attachments securely.[1] Message integrity is safeguarded through XML Digital Signatures (XML-DSig), adhering to the W3C XML Signature Syntax and Processing recommendation, which detects tampering via cryptographic hashing and signing.[1] In AS4, signatures must cover the entire eb:Messaging SOAP header block, the SOAP Body (even if empty), and all MIME body parts containing payloads, using detached signatures and appropriate canonicalization methods to handle XML structure variations. This ensures comprehensive protection against alterations to both headers and content.[1] Key management in AS4 relies on binary security tokens within WS-Security headers to embed X.509 certificates directly in messages, facilitating the exchange of public keys for encryption and signature verification without prior shared secrets.[1] Optionally, AS4 supports the WS-SecureConversation framework for establishing shared session keys, which can reduce computational overhead in multi-message exchanges by deriving symmetric keys from initial asymmetric handshakes, though this is not mandatory.[1] Overall, these mechanisms align with the ebMS 3.0 core specification by mandating WS-Security 1.1 compliance, ensuring that signatures explicitly include ebMS-specific headers and payloads to maintain interoperability and security in profile-based implementations.[1][15]Non-Repudiation and Receipts
In AS4, non-repudiation of origin (NRO) is achieved through digital signatures applied to UserMessages, which bind the sender's identity to the message content and ensure its integrity. These signatures utilize the XML Signature specification, employing detached signatures that cover the entire eb:Messaging header and the SOAP Body, thereby providing verifiable proof that the message originated from the specified sender and has not been altered in transit.[1] Non-repudiation of receipt (NRR) is facilitated by the receiver generating a signed SignalMessage in the form of an eb:Receipt, which references the original message's eb:MessageId and includes NonRepudiationInformation elements with ds:Reference URIs and digest values of the received message parts. This signed receipt serves as legal evidence of successful message delivery and processing by the recipient's Message Service Handler (MSH). AS4 builds on WS-Security signatures to ensure the receipt's authenticity.[1] Receipts in AS4 are mandatory for push message exchange patterns when non-repudiation is required, typically sent synchronously in the HTTP response or asynchronously via a callback to a separate endpoint; for pull patterns, receipts are optional but follow the callback reply pattern if enabled. These receipts support both reception awareness (confirming receipt without digests) and full NRR (with cryptographic digests for evidentiary purposes), all exchanged as independent SOAP messages.[1] The verification process involves the recipient's MSH validating the signature chain of the receipt against trusted X.509 certificates, confirming the digests match the original signed message parts, and checking timestamps to maintain sequence integrity and prevent replay attacks. Duplicate detection is enforced using the eb:MessageId to ensure each receipt correlates uniquely to its UserMessage.[1] Legally, AS4 receipts provide robust audit trails for non-repudiation, compliant with standards such as the EU's eIDAS regulation when using qualified X.509 certificates and PKI-based trust services, enabling their use as admissible evidence in electronic transactions across jurisdictions.[19]Comparisons and Evolution
Differences from AS2
AS4, as a profile of ebMS 3.0, introduces several key enhancements over its predecessor AS2, primarily by aligning with web services standards while maintaining compatibility for B2B messaging.[20] Unlike AS2, which relies on direct HTTP POST requests for transport, AS4 employs SOAP 1.2 envelopes over HTTP/HTTPS, enabling seamless integration with service-oriented architecture (SOA) environments and supporting advanced features like message pulling for scenarios where the receiving party initiates retrieval.[20][21] This SOAP-based approach contrasts with AS2's simpler, non-XML-centric HTTP method, which prioritizes lightweight direct transfers but limits interoperability with modern web services stacks.[21] In payload handling, both protocols utilize MIME structures for attachments, allowing AS4 to support binary and multipart data similar to AS2's packaging of EDI or XML content.[20][21] However, AS4 extends this by incorporating ebMS 3.0 headers within the SOAP envelope, providing richer metadata for routing and processing without requiring the custom extensions often needed in AS2 implementations.[20] This results in more standardized handling for complex payloads, such as compressed attachments, while AS2's MIME reliance can lead to less flexible metadata management in multi-party exchanges.[20][21] Security mechanisms in AS4 build on AS2's foundation but offer greater granularity through WS-Security 1.1, which enables XML-level signing and encryption alongside optional S/MIME for body parts.[20] In comparison, AS2 primarily depends on S/MIME (via CMS) for end-to-end authentication, integrity, and confidentiality, which, while effective, applies security at the MIME level and can introduce higher overhead for XML-specific protections.[21] AS4's approach reduces this overhead by allowing targeted security on SOAP elements, supporting username/password tokens and TLS for transport, thus providing finer control in web services contexts without compromising AS2-like reliability.[20][21] For receipts and non-repudiation, AS4 employs structured ebMS SignalMessages, including dedicated Receipt elements that confirm both business-level acknowledgment and reception, offering more robust support for multi-hop messaging than AS2's Message Disposition Notifications (MDNs).[20] AS2's MDNs, whether synchronous or asynchronous, provide similar non-repudiation of receipt (NRR) but lack the native multi-hop capabilities and detailed error signaling inherent in AS4's ebMS framework.[21] This makes AS4 better suited for routed environments, while AS2's receipts remain simpler for direct peer-to-peer transfers.[20][21] Regarding complexity, AS4's adherence to ebMS 3.0 and web services standards introduces a more comprehensive but potentially steeper implementation curve compared to AS2's streamlined, HTTP-focused design, which favors simplicity for legacy EDI exchanges.[20][21] AS4 mitigates this through defined conformance profiles, such as the Minimal Client option, which echoes AS2's lightweight nature while adding essential modern features.[20] Overall, these differences position AS4 as an evolution influenced by ebXML principles, trading some of AS2's ease for broader interoperability and future-proofing in B2B ecosystems.[20]Integration with ebMS 3.0
AS4 serves as a constrained profile of the ebMS 3.0 specification, designed to simplify business-to-business (B2B) messaging over Web services by fixing optional features and mandating specific implementations for enhanced interoperability. It requires the use of SOAP 1.2 as the messaging protocol and restricts reliability mechanisms to basic options, such as one-way message exchange patterns (MEPs) with push or pull bindings, thereby reducing complexity while maintaining core ebMS 3.0 functionality for secure document exchange. This subset approach ensures that AS4 implementations are compliant with ebMS 3.0 but tailored for practical deployment in modern Web environments, omitting advanced features like multi-hop routing unless explicitly profiled.[1] To extend ebMS 3.0, AS4 introduces specific Processing Mode (P-Mode) parameters that standardize configuration for various use cases, including domain-specific adaptations like the PEPPOL network. For instance, the AS4-PEPPOL profile defines fixed P-Mode values such asPMode.Agreement set to urn:fdc:peppol.eu:2017:agreements:tia:ap_provider and PMode.[MEP](/page/MEP) to http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/oneWay, ensuring seamless integration within PEPPOL's four-corner topology for e-invoicing and procurement. These P-Modes control aspects like security, error handling, and business information (e.g., service and action identifiers derived from PEPPOL's Service Metadata Publisher), allowing dynamic discovery via PEPPOL's SMP/SML infrastructure while adhering to the Peppol PKI for certificate validation.[1][22]
Conformance in AS4 is defined through capability levels that build on ebMS 3.0 compliance, specifying "AS4 Sender" roles for outbound messaging (including signal generation) and "AS4 Receiver" roles for inbound processing (including receipt handling). Implementations must support profiles such as the full AS4 ebHandler for complete sending and receiving, or lighter variants like the AS4 Light Client for push/pull operations, with optional extensions for features like compression and reception awareness. The OASIS conformance clause mandates full adherence to ebMS 3.0 core requirements plus AS4-specific constraints, enabling rigorous interoperability testing through standardized P-Mode parameters and WS-I Basic Profile 2.0 compliance. This evolution from ebMS 3.0 focuses on simplification, providing a robust yet accessible framework for Web services-based B2B without the overhead of ebMS's more general-purpose options.[1]