]> Greicodex Software

javier@greicodex.com https://greicodex.com

Applications and Real-Time Area (art) Individual Submission EDI B2B JOSE JWS JWE AS5 electronic data interchange JSON Web Signature JSON Web Encryption This document specifies the FideX Protocol (AS5), a modern application-layer protocol for secure Business-to-Business (B2B) message exchange. FideX provides cryptographic non-repudiation, data integrity, and confidentiality using JOSE (JSON Object Signing and Encryption) over HTTPS, replacing legacy AS2 and AS4 standards with a REST-oriented approach accessible to modern web developers. FideX adopts the "AS" naming lineage: AS2 () used S/MIME over HTTP; AS4 () used SOAP/WS-Security; AS5 (FideX) uses REST/JSON/JOSE over HTTPS. This document defines the message format, cryptographic operations, partner discovery, state management, acknowledgment receipts (J-MDN), and error handling. This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document is a work in progress and represents the current thinking of the FideX Protocol Working Group at Greicodex Software.

Introduction

Purpose FideX (Fast Integration for Digital Enterprises eXchange) defines a secure, reliable message exchange protocol for B2B electronic data interchange. The protocol ensures:

• Non-repudiation: Cryptographic proof of message origin
• Integrity: Detection of message tampering
• Confidentiality: End-to-end encryption
• Reliability: Asynchronous acknowledgments with retry semantics

Scope This specification defines:

• Message format and structure
• Cryptographic operations (sign-then-encrypt using JOSE)
• Partner discovery and registration
• State management and acknowledgments (J-MDN)
• Error codes and handling

This specification does NOT define:

• Business document formats (the protocol is payload-agnostic)
• Application-specific processing logic
• Implementation details or code examples
• Deployment or operational procedures

AS Naming Lineage FideX adopts the "AS" (Application Statement) naming lineage from established B2B interchange standards:

• AS2 () -- MIME/S/MIME over HTTP (2005)
• AS4 () -- SOAP/WS-Security over HTTP (2013)
• AS5 (FideX) -- REST/JSON/JOSE over HTTPS (2026)

The designation signals evolutionary continuity while marking a generational leap to modern web-native architecture. AS5 is implementable by any developer with knowledge of REST APIs and standard JOSE libraries, without requiring specialized B2B middleware.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Additional terms used in this document:

Node

A FideX-compliant server capable of sending and receiving messages.

Partner

A trading partner with an established trust relationship.

Message

A business document wrapped in a FideX envelope.

J-MDN

JSON Message Disposition Notification -- a signed receipt acknowledging receipt and processing of a FideX message.

JWKS

JSON Web Key Set -- a JSON structure representing a set of public keys.

AS5 Configuration

A JSON document published by a node describing its endpoints, supported algorithms, and identity.

Transport Layer

Required Transport Nodes MUST support HTTP/1.1 over TLS 1.3 as defined in . TLS 1.2 () MAY be supported with Perfect Forward Secrecy (ECDHE key exchange) as fallback for backward compatibility. Transport requirements:

• Port 443 (HTTPS)
• Valid certificate from a trusted Certificate Authority (CA)
• Server Name Indication (SNI) per
• Full certificate chain validation

Optional Transports Nodes MAY additionally support:

• HTTP/2 (): For multiplexed connections and improved throughput.
• HTTP/3 (): For connection resilience using QUIC.

Request Method All FideX message transmissions MUST use the HTTP POST method to the receiving endpoint specified in the partner's AS5 configuration (see ).

Content Type FideX message envelopes MUST use Content-Type: application/json. Registration requests MUST use Content-Type: application/jose (see ).

Message Size Limits Implementations MUST accept messages up to 10 megabytes (complete HTTP request body). Implementations MAY accept larger messages by prior bilateral agreement. Senders MUST NOT assume support above 10 MB without prior explicit agreement. Implementations SHOULD reject oversized messages with HTTP 413 and the error code PAYLOAD_TOO_LARGE (see ).

Message Structure

Message Envelope A FideX message envelope consists of exactly two top-level JSON fields: The routing_header is cleartext JSON containing message metadata readable by intermediate infrastructure without decryption. The encrypted_payload is a JWE compact serialization that wraps the signed business document. These two fields are the ONLY top-level fields in a FideX message envelope.

Routing Header The routing header is a cleartext JSON object conveying message routing metadata. It MUST contain the following fields:

fidex_version

(string, REQUIRED) Protocol version in semantic "major.minor" format, e.g., "1.0".

message_id

(string, REQUIRED) Globally unique message identifier. UUID v4 () with an "fdx-" prefix is RECOMMENDED (e.g., "fdx-550e8400-e29b-41d4-a716-446655440000").

sender_id

(string, REQUIRED) URN of the sending organization. See for valid formats.

receiver_id

(string, REQUIRED) URN of the receiving organization. See for valid formats.

document_type

(string, REQUIRED) Business document type identifier. MUST match the pattern ^[A-Z0-9_]+$. See .

timestamp

(string, REQUIRED) ISO 8601 UTC timestamp with millisecond precision. Format: YYYY-MM-DDTHH:mm:ss.SSSZ. The UTC designator "Z" MUST be used; no local timezone offsets are permitted.

receipt_webhook

(string, OPTIONAL) HTTPS URL where the J-MDN receipt SHOULD be delivered. HTTP (non-TLS) is NOT allowed. When omitted, the receiver MUST deliver the J-MDN to the sender's receive_receipt endpoint from the sender's AS5 configuration (see ).

payload_digest

(string, OPTIONAL) SHA-256 digest of the encrypted_payload field value. Computed as "sha256:" followed by the lowercase hexadecimal encoding of SHA-256 applied to the UTF-8 byte representation of the encrypted_payload string as it appears in the JSON envelope. Enables routing-layer integrity checks without decryption.

Extension fields MAY be included and MUST use the prefix "x-" to avoid collision with future standard fields. Implementations MUST ignore unknown extension fields without error.

Identifier Format The sender_id and receiver_id fields MUST use URN format. The following URN namespaces are recognized:

• urn:gln:{gln} -- GS1 Global Location Number
• urn:duns:{duns} -- D-U-N-S Number
• urn:lei:{lei} -- Legal Entity Identifier (ISO 17442)
• urn:tin:{tin} -- Tax Identification Number
• urn:custom:{identifier} -- Organization-defined identifier

Document Type Registry The document_type field uses a two-tier naming system to accommodate both standardized inter-organization document types and organization-specific custom types.

Standard Document Types The following standard document types are defined by the FideX Working Group. Standard types use uppercase alphanumeric characters and underscores, matching the pattern ^[A-Z0-9_]+$. GS1 document types are defined in . Standard FideX Document Types

Type Identifier	Standard	Description
GS1_ORDER_JSON	GS1	Purchase order (JSON binding)
GS1_INVOICE_JSON	GS1	Commercial invoice (JSON binding)
GS1_DESADV_JSON	GS1	Despatch advice (JSON binding)
GS1_RECADV_JSON	GS1	Receiving advice (JSON binding)
GS1_CATALOG_JSON	GS1	Product catalog (JSON binding)
X12_850	ANSI X12	Purchase order
X12_810	ANSI X12	Invoice
X12_856	ANSI X12	Advance ship notice
EDIFACT_ORDERS	UN/EDIFACT	Purchase order message
EDIFACT_INVOIC	UN/EDIFACT	Invoice message
EDIFACT_DESADV	UN/EDIFACT	Despatch advice message
UBL_ORDER_21	OASIS UBL 2.1	Order document
UBL_INVOICE_21	OASIS UBL 2.1	Invoice document

Custom Document Types Organizations MAY define custom document types using reverse domain notation to avoid collision with standard types and with other organizations' custom types. Custom types MUST follow the pattern: {TLD}_{ORG}_{DOCTYPE}_{VERSION}, for example: COM_ACME_WAREHOUSE_RECEIPT_V2. Custom types MUST NOT use the reserved prefixes: GS1_, X12_, EDIFACT_, or UBL_.

Receiver Behavior for Document Types Receiver nodes:

• MUST accept messages with any syntactically valid document_type.
• SHOULD return a J-MDN with error code UNKNOWN_DOCUMENT_TYPE for types they cannot process.
• MUST NOT reject messages at the HTTP level solely because of an unknown document_type. The J-MDN mechanism MUST be used instead.

Encrypted Payload The encrypted_payload field contains a JWE (JSON Web Encryption) token in compact serialization as defined in . The JWE encrypts a JWS (JSON Web Signature) token as defined in , creating a nested "sign-then-encrypt" structure: This pattern ensures both authenticity (the signature is inside the encryption envelope, protecting it from substitution) and confidentiality (the business content is encrypted end-to-end).

Cryptographic Requirements

Signature (JWS) Messages MUST be signed using the sender's private key before encryption. The REQUIRED signing algorithm is RS256 (RSASSA-PKCS1-v1_5 with SHA-256) as defined in . The following signing algorithms are OPTIONAL:

• RS384, RS512 -- stronger RSA variants
• PS256, PS384, PS512 -- RSA-PSS variants
• ES256 (ECDSA with P-256 and SHA-256) -- RECOMMENDED for new deployments
• ES384 (ECDSA with P-384 and SHA-384)

Minimum key sizes: 2048 bits for RSA (4096 bits RECOMMENDED); P-256 minimum for ECDSA (P-384 RECOMMENDED). The JWS Protected Header MUST include:

Encryption (JWE) Signed messages MUST be encrypted using the receiver's public key. The REQUIRED algorithms are:

• Key Encryption: RSA-OAEP as defined in
• Content Encryption: A256GCM (AES-256-GCM)

The JWE Protected Header MUST include: The cty (content type) header parameter MUST be set to "JWT" to indicate the JWE payload contains a nested JWS/JWT token, per Section 4.1.12. This is required for correct processing of nested tokens.

Payload Encoding The JWS payload MUST be the UTF-8 encoding of the JSON-serialized business document. Binary payloads (images, PDFs, etc.) MUST be base64-encoded before JWS signing.

Sender Identity Verification Receivers MUST verify that the JWS signing key identified by kid in the JWS header belongs to the partner identified by sender_id in the routing header. Specifically:

• The kid MUST resolve to a public key in the sender's JWKS.
• The sender's JWKS MUST be fetched from the public_domain associated with the sender_id in the local partner registry.

This prevents cross-partner key substitution attacks where an attacker uses a valid key from one partner to impersonate another.

Prohibited Algorithms Implementations MUST NOT use:

• The none algorithm (unsigned tokens)
• Symmetric signature algorithms (HS256, HS384, HS512)
• RSA keys smaller than 2048 bits
• Deprecated algorithms: MD5, SHA-1-based signatures

Key Distribution

JSON Web Key Set (JWKS) Endpoint Nodes MUST publish their public keys via a JWKS endpoint at the well-known URI: This endpoint:

• MUST be publicly accessible without authentication.
• MUST return Content-Type: application/json.
• SHOULD include Cache-Control headers (1 hour RECOMMENDED).

JWKS Format Per , keys MUST include at minimum the following fields. An RSA signing key example: An EC signing key example: Field semantics:

kty

Key type: "RSA" or "EC".

use

"sig" for signing keys; "enc" for encryption keys.

kid

Unique key identifier used in JWS/JWE headers.

alg

Algorithm for this key (RS256, ES256, RSA-OAEP, etc.).

Key Rotation Implementations SHOULD rotate keys annually. During rotation, the following procedure MUST be followed to ensure uninterrupted partner communication:

1. Publish the new key alongside the old key in the JWKS.
2. Maintain both keys for a transition period (30-60 days RECOMMENDED).
3. Begin signing new outbound messages with the new key after partners have had time to cache it.
4. Remove the old key from the JWKS after the transition period.

The kid value SHOULD encode the purpose and date to aid key management, e.g., "org-sign-rsa-2026-01".

Partner Discovery

Discovery Overview Partner discovery enables automated trading partner onboarding without manual certificate exchange. The process consists of four phases:

1. Configuration discovery
2. Key retrieval
3. Signed registration
4. Mutual confirmation

The AS5 configuration URL MAY be distributed via QR code, email, or a trading partner portal. The protocol is designed so that scanning a QR code initiates fully automated mutual trust establishment.

AS5 Configuration Endpoint Nodes MUST expose an AS5 configuration document at an HTTPS URL. This URL:

• MAY be at any path (no required well-known location).
• MAY include a single-use security token as a query parameter.
• SHOULD be shareable via QR code.

The AS5 configuration document structure: Required fields in the AS5 configuration:

fidex_version

Current active protocol version (string, REQUIRED).

supported_versions

Array of all protocol versions this node supports (array, REQUIRED).

node_id

URN identifier for this node (string, REQUIRED).

organization_name

Human-readable organization name (string, REQUIRED).

public_domain

Public-facing domain name hosting JWKS and endpoints (string, REQUIRED).

endpoints

Object containing service endpoint URLs (object, REQUIRED). MUST include: receive_message, receive_receipt, register, jwks.

security

Cryptographic algorithm declarations (object, REQUIRED).

conformance_profile

"core", "enhanced", or "edge" (string, OPTIONAL).

supported_document_types

Array of document_type identifiers this node processes (array, OPTIONAL).

Version Negotiation When two nodes with different supported versions communicate, the sender MUST:

1. Retrieve the receiver's supported_versions from their AS5 configuration.
2. Select the highest version present in BOTH supported_versions arrays.
3. Set fidex_version in the routing header to the negotiated version.

The receiver MUST reject messages with a fidex_version not present in its supported_versions. If no common version exists, the sender MUST NOT transmit and SHOULD report an incompatibility error to the local system.

Discovery Handshake The four-phase discovery handshake proceeds as follows: Phase 1 -- Initiator Discovers Responder:

1. Initiator obtains the responder's AS5 configuration URL.
2. Initiator fetches the responder's AS5 configuration document.
3. Initiator fetches the responder's JWKS from the well-known endpoint.

Phase 2 -- Initiator Registers: The initiator constructs and submits a signed registration payload:

1. Initiator constructs the registration payload as shown above.
2. Initiator signs the payload with its private key (JWS compact serialization).
3. Initiator POSTs the JWS to the responder's register endpoint with Content-Type: application/jose.

Phase 3 -- Responder Validates:

1. Responder validates the security token (if configured).
2. Responder fetches the initiator's AS5 configuration from the URL in the request.
3. Responder fetches the initiator's JWKS and verifies the JWS signature.
4. Responder stores the initiator's details and returns HTTP 200.

Phase 4 -- Completion:

1. Initiator receives HTTP 200 confirmation.
2. Initiator stores the responder's details.
3. Both parties MAY immediately exchange FideX messages.

Registration Security Requirements Registration requests MUST:

• Be signed with the initiator's private key (RS256 minimum).
• Be transmitted with Content-Type: application/jose.
• Include a timestamp within +/-15 minutes of current time.
• Include the security token if the responder has configured one.

Security tokens MUST contain at least 128 bits of entropy, generated using a cryptographically secure pseudo-random number generator (CSPRNG). Examples: UUID v4, 32 hexadecimal characters, or 22 base64url characters. Responders MUST:

• Validate the JWS signature before trusting any payload content.
• Reject registrations with timestamps outside +/-15 minutes.
• Reject invalid or previously used security tokens.

Partner De-Registration De-registration is a local, unilateral operation. There is no protocol-level de-registration handshake. Partner states: Partner States

State	Description
ACTIVE	Normal operation -- messages accepted
SUSPENDED	Temporarily paused -- messages rejected with HTTP 503
INACTIVE	De-registered -- messages rejected with HTTP 401

De-registration procedure:

1. The initiating party sets partner status to INACTIVE locally.
2. The initiating party SHOULD notify the partner via out-of-band channel.
3. The initiating party MUST continue accepting J-MDNs for in-flight messages.
4. After a 24-hour grace period, new inbound messages MUST be rejected with HTTP 401.
5. Partner records SHOULD be retained for audit purposes (7 years RECOMMENDED).

Message States and Receipts

Message State Machine Messages transition through the following states: Message States

State	Description
QUEUED	Created locally, awaiting transmission
SENT	Transmitted to receiver, awaiting J-MDN receipt
DELIVERED	J-MDN received and cryptographically verified
FAILED	Permanent failure or maximum retries exceeded

Synchronous HTTP Response Upon receiving a message, nodes MUST perform structural validation and return:

• HTTP 202 Accepted: Message is structurally valid and queued for processing.
• HTTP 4xx/5xx: Immediate rejection (see ).

HTTP 202 indicates structural acceptance only. It does NOT indicate successful decryption, business document processing, or J-MDN generation. Idempotency: Receivers MUST handle duplicate message_id values idempotently. If a receiver encounters a message_id it has already accepted, it MUST return HTTP 202 again and MUST NOT process the message a second time. This ensures safe sender retries when HTTP responses are lost.

Asynchronous Receipt: J-MDN The J-MDN (JSON Message Disposition Notification) is the legally most significant artifact in the FideX protocol. It provides cryptographic proof that a specific message was received, decrypted, and accepted or rejected by the trading partner. After processing a message, the receiver MUST send a J-MDN to the sender. The delivery target is determined as follows:

1. If receipt_webhook is present in the routing header, deliver to that URL.
2. Otherwise, deliver to the sender's receive_receipt endpoint from the sender's AS5 configuration.
3. If neither is available, the J-MDN MUST be stored and the failure logged; J-MDNs MUST NOT be discarded.

J-MDN Payload Schema The J-MDN JSON object contains the following fields:

original_message_id

(string, REQUIRED) The message_id from the original message's routing_header.

status

(string, REQUIRED) Either "DELIVERED" or "FAILED".

receiver_id

(string, REQUIRED) URN of the receiver generating this J-MDN. MUST match the receiver_id in the original routing_header.

hash_verification

(string, REQUIRED) SHA-256 hash of the raw business payload bytes before JWS signing. Format: "sha256:{64 hex characters}". See .

timestamp

(string, REQUIRED) ISO 8601 UTC timestamp when the J-MDN was created. Format: YYYY-MM-DDTHH:mm:ss.SSSZ.

error_log

(object|null, REQUIRED) MUST be null when status is "DELIVERED". MUST be an error object when status is "FAILED".

signature

(string, REQUIRED) JWS compact serialization covering all other J-MDN fields. See .

Positive J-MDN example (DELIVERED): Negative J-MDN example (FAILED):

Hash Verification The hash_verification field proves that the receiver decrypted exactly the payload the sender signed. Definition: Where raw_business_payload_bytes is the UTF-8 encoded bytes of the business JSON payload BEFORE JWS signing (i.e., the exact cleartext that was the input to the JWS sign operation). When status is "FAILED" and the receiver could NOT decrypt the payload, hash_verification MUST be set to a string of 64 zero hex digits: "sha256:" followed by 64 ASCII "0" characters.

J-MDN Signature Requirements The signature field MUST contain a JWS compact serialization covering all other J-MDN fields (i.e., all fields except signature itself). JWS Protected Header for J-MDN signing: Signing procedure:

1. Construct a JSON object with all J-MDN fields EXCEPT signature.
2. Serialize to canonical JSON: no extra whitespace; keys in alphabetical order (error_log, hash_verification, original_message_id, receiver_id, status, timestamp).
3. Sign using RS256 with the receiver's private signing key.
4. Set signature to the resulting JWS compact serialization.

Verification procedure (sender side):

1. Extract signature from the received J-MDN.
2. Parse JWS; extract kid from the JWS header.
3. Look up the receiver's public key from their JWKS using kid.
4. Verify the JWS signature.
5. Compare the JWS payload with the remaining J-MDN fields for consistency.

J-MDN Error Codes When status is "FAILED", the error_log object MUST contain:

error_code

(string, REQUIRED) Machine-readable code from the table below.

error_message

(string, REQUIRED) Human-readable description.

details

(string, OPTIONAL) Additional diagnostic info. MUST NOT contain sensitive data.

Standard J-MDN Error Codes

Code	Description
DECRYPTION_FAILED	Cannot decrypt JWE (wrong key or corrupted ciphertext)
SIGNATURE_INVALID	JWS signature verification failed
UNKNOWN_DOCUMENT_TYPE	The document_type is not supported by the receiver
PAYLOAD_TOO_LARGE	Message exceeds receiver's processing limits
INTERNAL_ERROR	Receiver encountered an internal processing error

J-MDN Delivery Protocol The J-MDN is delivered via HTTP POST: Expected response: Timing requirements:

• Receivers SHOULD send J-MDN within 5 minutes of receiving the original message.
• If processing takes longer, the J-MDN MUST still be sent when processing completes.
• There is no strict upper time limit; delivery is asynchronous by design.

J-MDN Delivery Retry Schedule If the J-MDN delivery endpoint is unreachable, the receiver SHOULD retry according to the following schedule:

• Attempt 1: Immediate
• Attempt 2: +1 minute
• Attempt 3: +5 minutes
• Attempt 4: +15 minutes
• Attempt 5: +1 hour

After 5 failed attempts, the receiver SHOULD log the failure and store the J-MDN for manual retrieval. The J-MDN MUST NOT be discarded.

Sender Retry Semantics Senders SHOULD retry failed transmissions with exponential backoff:

• Attempt 1: Immediate
• Attempt 2: +1 minute
• Attempt 3: +5 minutes
• Attempt 4: +15 minutes
• Attempt 5: +30 minutes
• Attempt 6: +1 hour

After 5-6 failed attempts, the message SHOULD transition to FAILED state requiring manual operator intervention.

Error Handling

HTTP Status Codes HTTP Status Code Semantics

Code	Meaning	Sender Action
202	Accepted for processing	Wait for J-MDN
400	Invalid message structure	Do not retry (permanent error)
401	Authentication failed or partner INACTIVE	Do not retry (permanent error)
413	Payload too large	Do not retry (permanent error)
429	Rate limit exceeded	Retry with backoff; honor Retry-After header
500	Server internal error	Retry with backoff
503	Service unavailable or partner SUSPENDED	Retry with backoff

Implementations SHOULD include a Retry-After header on HTTP 429 responses, per Section 10.2.3.

Error Response Format All error responses MUST use the following JSON structure:

Standard Error Codes Message transmission errors:

• INVALID_ROUTING_HEADER -- Missing or malformed routing header
• UNKNOWN_RECEIVER -- receiver_id not recognized in partner registry
• UNKNOWN_DOCUMENT_TYPE -- document_type not supported
• PAYLOAD_TOO_LARGE -- Message exceeds the 10 MB size limit

Cryptographic errors:

• DECRYPTION_FAILED -- Cannot decrypt JWE
• SIGNATURE_INVALID -- JWS signature verification failed
• UNKNOWN_KEY_ID -- Key ID not found in JWKS

Discovery errors:

• INVALID_TOKEN -- Security token invalid or expired
• DUPLICATE_REGISTRATION -- Partner already registered
• CONFIG_UNREACHABLE -- Cannot fetch AS5 configuration

Security Considerations

Threat Model FideX addresses the following threats:

Man-in-the-Middle (MitM)

Mitigated by TLS 1.3 transport encryption combined with JWE application-layer encryption. An attacker who intercepts the TLS session cannot read the encrypted payload.

Message Tampering

Mitigated by JWS digital signatures. Any modification to the signed payload invalidates the signature, detected during verification.

Replay Attacks

Mitigated by unique message IDs combined with timestamp validation. Receivers MUST maintain a replay cache and reject duplicate message_id values.

Repudiation

Mitigated by cryptographic signatures on both messages (JWS) and receipts (J-MDN signature), creating a legally auditable chain of custody.

Key Compromise

Mitigated by key rotation procedures and JWKS-based distribution. Compromised keys can be revoked by removing them from the JWKS.

Cross-Partner Key Substitution

Mitigated by sender identity verification (Section 4.4): the receiver verifies the signing key belongs to the claimed sender_id.

Implementation Security Requirements Implementations MUST:

• Validate TLS certificates against a trusted CA store on all outbound connections.
• Use constant-time comparison for signature verification to prevent timing attacks.
• Maintain a cache of recently seen message IDs to detect replay attacks.
• Reject messages with timestamps outside a +/-15-minute window of current time.
• Maintain the message ID replay cache for at least 24 hours.
• Synchronize system clocks using NTP () or equivalent.
• Generate cryptographically secure random message IDs using a CSPRNG.
• Never expose private keys in logs, error messages, or API responses.

Implementations SHOULD:

• Implement per-partner rate limiting on all endpoints.
• Use separate key pairs for signing and encryption (different use values).
• Rotate keys annually following the procedure in .
• Monitor for anomalous patterns (repeated authentication failures, invalid signatures).

Key Management Private keys:

• MUST be generated using a cryptographically secure random number generator.
• MUST be stored encrypted at rest.
• MUST NOT be transmitted over any network.
• SHOULD be stored in a Hardware Security Module (HSM) for high-security deployments.

Public keys:

• MUST be distributed exclusively via the JWKS endpoint.
• SHOULD include a kid value encoding purpose and date (e.g., "org-sign-rsa-2026-01").
• MAY be cached by consuming parties for up to 24 hours.

Compliance Considerations FideX is designed to support compliance with:

• Non-repudiation requirements for legally binding electronic transactions.
• FDA 21 CFR Part 11 (electronic signatures in regulated industries).
• GDPR and similar data protection frameworks (via encrypted payloads).
• GS1 and UN/CEFACT EDI standards (via payload-agnostic design).

Recommended audit trail retention periods:

• Message metadata: 7 years
• Cryptographic signatures (JWS): 7 years
• J-MDN receipts: 7 years

Deployment Note FideX is designed to operate on standard web infrastructure. A conforming node can be implemented as a standard HTTPS web application behind any reverse proxy (Nginx, Apache, Caddy, cloud load balancers). No specialized B2B middleware, message broker, or gateway software is required. This is a key differentiator from AS2 (which required dedicated gateway software) and AS4 (which required SOAP stacks and ebMS processing engines).

IANA Considerations This document has no IANA actions.

References Normative References Informative References OASIS GS1

Appendix A: Complete Message Example The following illustrates a complete FideX message exchange. HTTP request (sender to receiver): HTTP 202 response (receiver accepts): J-MDN receipt (receiver delivers to sender's webhook):

Appendix B: Glossary

AS5

Application Statement 5 -- the formal designation of the FideX protocol.

B2B

Business-to-Business electronic commerce.

CSPRNG

Cryptographically Secure Pseudo-Random Number Generator.

EDI

Electronic Data Interchange.

GLN

Global Location Number -- GS1 standard organization identifier.

HSM

Hardware Security Module -- tamper-resistant hardware for key storage.

J-MDN

JSON Message Disposition Notification -- the FideX signed delivery receipt.

JOSE

JSON Object Signing and Encryption -- the IETF framework comprising JWS, JWE, JWK, and JWA.

JWE

JSON Web Encryption (RFC 7516).

JWK

JSON Web Key (RFC 7517).

JWKS

JSON Web Key Set -- a JSON document containing a set of public keys.

JWS

JSON Web Signature (RFC 7515).

Node

A FideX-compliant server capable of sending and receiving messages.

URN

Uniform Resource Name -- a persistent, location-independent identifier.

Appendix C: Conformance Profiles FideX defines three conformance profiles to enable progressive adoption. Implementations MUST declare which profile(s) they conform to via the conformance_profile field in their AS5 configuration.

C.1 FideX Core An implementation claiming FideX Core conformance MUST support all requirements listed in Sections 2 through 8 of this specification, including:

• HTTP/1.1 over TLS 1.3
• Sign-then-encrypt: JWE(JWS(payload))
• RS256 signatures; RSA-OAEP + A256GCM encryption
• RSA key size >= 2048 bits
• JWKS endpoint at /.well-known/jwks.json
• AS5 configuration endpoint
• 4-phase discovery handshake
• Message state machine (QUEUED, SENT, DELIVERED, FAILED)
• J-MDN generation, signing, and delivery
• J-MDN fallback delivery via AS5 config receive_receipt endpoint
• Standard error codes and HTTP status codes
• Replay detection via message_id cache (>= 24 hours)
• Timestamp validation (+/-15-minute window)

C.2 FideX Enhanced An implementation claiming FideX Enhanced conformance MUST satisfy FideX Core AND additionally support:

• HTTP/2 for multiplexed connections
• Separate signing and encryption key pairs (different kid and use values)
• RSA key size >= 4096 bits
• Key rotation support (overlapping key publication)
• J-MDN delivery retry per the schedule in Section 7.3.6
• Per-partner rate limiting on all endpoints
• Structured JSON logging with security event correlation IDs
• Health endpoints (/health and /ready)

C.3 FideX Edge An implementation claiming FideX Edge conformance MUST satisfy FideX Enhanced AND additionally support:

• HTTP/3 over QUIC for connection resilience
• Mutual TLS (mTLS) -- client certificate authentication
• HSM-based private key storage

Appendix D: Interoperability Test Vectors This appendix provides known-answer test vectors to allow implementers to verify their JOSE cryptographic operations produce correct output. WARNING: The key material in this appendix is public and MUST NOT be used for any production traffic. Test payload (UTF-8 bytes): SHA-256 hash of test payload: Expected JWS header for signing: Expected JWE header for encryption: Test routing header: Verification procedure:

1. Sign Test: Sign the test payload using RS256. Verify using the test public key. Verified payload MUST match original.
2. Encrypt Test: Encrypt the JWS using RSA-OAEP/A256GCM. Decrypt using the test private key. Decrypted content MUST match the JWS.
3. Hash Test: Compute SHA-256 of the raw payload bytes. Result MUST equal bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f9a69e4c98b7b0f09cb281e71.
4. Round-Trip Test: Construct a complete envelope, parse it, decrypt, verify signature, and extract payload. Result MUST match original test payload.
5. J-MDN Test: Construct a J-MDN for the test message. Sign with receiver's key. Verify the J-MDN signature.

Appendix E: JSON Schema Definitions The following JSON Schema (Draft-07) definitions provide machine-readable validation rules for FideX structures.

E.1 Routing Header Schema

E.2 J-MDN Schema

E.3 AS5 Configuration Schema