e-GIF supplier compliance questionnaire
The questionnaire is split into four parts, all of which can be found on this web page. For a printable version of this questionnaire, please use the 'Print' button.
Please place the letter C, N or D in the right-hand column with regard to the proposed solution. Add numbered notes to explain response as necessary.
1. Interconnection
Table 1 - Specifications for interconnectivity:
C = Compliant
N = Not applicable to CMS - please explain why
D = Don't know
| Component | Specification | Status |
|---|---|---|
| Hypertext transfer protocols | RFC 2616, Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection | |
| E-mail transport (see 4.1) | E-mail products that support interfaces that conform to the SMTP/MIME for message transfer. This includes RFC 2821, RFC 2822, RFC 2045, RFC 2046, RFC 2646, RFC 2047, RFC 2231, RFC 2048, RFC 3023, RFC 2049 Note: e-mail attachments may conform to the file types for browsers and viewers as defined for the specific delivery channel, see Section 7 e-Services access and Channels |
|
| E-mail transport security | Unless security requirements dictate otherwise, e-mail products that provide secure mail transport facilities shall as a minimum conform to RFC 3207 | |
| E-mail content security | Unless security requirements dictate otherwise, and only when appropriate, S/MIME v3 will be used for pan-government messaging security when end-to-end security is required. This includes RFC 3369, RFC 2631, RFC 2632, RFC 2633 | |
| Mailbox access (see 4.1) | Unless security requirements dictate otherwise, e-mail products that provide mail access facilities shall as a minimum conform to POP3 for remote mailbox access. This includes RFC 1939, RFC 1957 and RFC 2449. Where additional mail facilities are required, unless security requirements dictate otherwise, e-mail products that provide advanced mail access facilities shall conform to IMAP for remote mailbox access. This includes RFC 3501, RFC 2342, RFC 2971, RFC 3502, RFC 3503, and RFC 3510. Interfaces for e-mail systems are to conform to POP3 for mailbox retrieval |
|
| Secure mailbox access | Mailbox access over insecure networks shall use HTTPS, conforming to the Transport security standards listed below. This includes RFC 2595 when using TLS with IMAP, POP3 and ACAP to access mailbox | |
| Directory | GSI Notice 1/2003 Information GSI Directory Schema. LDAP v3 is to be used for general purpose directory user access | |
| Domain name services | DNS (RFC 1035) GSI domain-naming follows these guidelines as far as possible. GSI e-mail addressing specifications are defined in GNC Technical Notice 2/2001 (Domain Names, DNS and E-mail Addressing) |
|
| File transfer protocols | FTP (RFC 959) (with restart and recovery) and HTTP (RFC 2616) for file transfer | |
| Newsgroup services | NNTP (RFC 977) where required, subject to security constraints | |
| LAN/WAN interworking | IP v4 (RFC 791) Departments are to interconnect using IP v4 and plan for migration to IP v6 in due course |
|
| Security | Central government departments should refer to the Manual of Protective Security. Other parts of the public sector should refer to the e-Government strategy framework and guidelines on security |
|
| The following specifications are to be used to meet the requirements of the e-Government Security Framework where appropriate: | ||
| IP security (Authenticated header) | IP-SEC (RFC 2402/2404) | |
| IP encapsulation security (for VPN requirements) | ESP (RFC 2406) | |
| Transport security | SSL v3/TLS (RFC 2246) | |
| Encapsulation security | CMS (RFC3369) | |
| Timestamp token | TSP (RFC 3161) | |
| Certain e-government information is ‘sensitive’ in that it might contain personal or commercially confidential information, but it does not fall within the definitions of government classified information. For the protection of such information, e.g. data and private keys, the following specifications are advised: | ||
| Encryption algorithms | 3DES, AES, Blowfish | |
| For signing | RSA, DSA | |
| For key transport | RSA, DSA | |
| For hashing | SHA-1, MD5 | |
| The above is not exhaustive and is intended as a guide. For advice on specific implementations or specific algorithms please contact CSIA@cabinet-office.x.gsi.gov.uk | ||
| Transport | TCP (RFC 793) UDP (RFC 768) where required, subject to security constraints |
|
2. Specifications for web services
Table 2 - The following standards apply where systems use a web services architecture:
C = Compliant
N = Not applicable to CMS - please explain why
D = Don't know
| Component | Specification | Status |
|---|---|---|
| Web service request delivery | SOAP v1.2, as defined by the W3C www.w3.org/TR/soap12-part1/ www.w3.org/TR/soap12-part2/ Guidance on the use of SOAP can be found at www.w3.org/TR/soap12-part0/ and www.w3.org/TR/xmlp-scenarios/. See the W3C web site www.w3.org for the latest drafts of the SOAP specifications and transport bindings. Web services may use SOAP version 1.1 as an interim solution provided there is a migration strategy for conformance to SOAP version 1.2 |
|
| Web service request registry | UDDI v3.0 specification (Universal Description, Discovery and Integration) defined by OASIS www.uddi.org/specification.html
Applicable for dynamic Web services requiring web service discovery using WSDL |
|
| Web service description language | WSDL 1.1, Web Service Description Language as defined by the W3C, the specifications can be found at www.w3.org/TR/wsdl |
3. Data integration
Table 3 - Specifications for data integration:
C = Compliant
N = Not applicable to CMS - please explain why
D = Don't know
| Component | Specification | Status |
|---|---|---|
| Data integration metadata/meta language | XML (Extensible Markup Language) as defined by W3C www.w3.org/XML | |
| Data integration metadata definition | XML schema as defined by W3C, the specifications can be found at: XML Schema Part 1: Structures www.w3.org/TR/2004/REC-xmlschema-1-20041028 Schema Part 2: Datatypes www.w3.org/TR/xmlschema-2/datatypes |
|
| Data transformation | XSL (Extensible Stylesheet Language) as defined by W3C www.w3.org/TR/xsl XSLTransformation (XSLT) as defined by W3C www.w3.org/TR/xslt |
|
| Data description language | RDF (Resource Description Framework) as defined by W3C www.w3.org/TR/REC-rdf-syntax/ | |
| Data modelling language | UML (Unified Modelling Language) at www.omg.org/gettingstarted/specsandprods.htm | |
| Data definition and schema standardisation process | As per GovTalk processes in Part 1 Government Data Standards, | |
| Minimum interoperable character set | Transformation Format - 8 bit UTF-8 (RFC 2279), which supports the exchange of the full character set. Individual items in the XML schema may be further restricted in character set on a case-by-case basis | |
| XML signature and encryption | Decryption Transform for XML Signature as defined by W3C www.w3.org/TR/xmlenc-decrypt | |
| XML key management where a PKI environment is used | XML-Key Management Specification (XKMS 2.0) as defined by W3C www.w3.org/TR/xkms2/ | |
| XML security markup | SAML (Security Assertion Markup Language) as defined by OASIS |
4. Content management metadata
Table 4 - Specifications for content management metadata:
C = Compliant
N = Not applicable to CMS - please explain why
D = Don't know
| Component | Specification | Status |
|---|---|---|
| Content management metadata definition | XML Schema Government XML metadata schema |
|
| Content management metadata elements and refinements | e-GMS which incorporates Dublin Core | |
| Subject element, category refinement | IPSV (Integrated Public Sector Vocabulary) and GCL (Government Category List) | |
| Data definition | Government Data Standards Catalogue | |
| Metadata harvesting | Open Archives Initiative Protocol for Metadata Harvesting 2.0 (OAI-PMH) for metadata collection Protocol Version 2.0 of 2002-06-14 Document Version 2004/10/12T15:31:00Z www.openarchives.org/OAI/openarchivesprotocol.html |
|
| Content syndication | RSS (Really Simple Syndication) Version 1 The RSS is a standard format for syndicating news content over the web using Dublin Core and RDFPublished by the RSS-DEV Working Group web.resource.org/rss/1.0/ |
|
| Context-sensitive linking | OpenURL 0.1 (migrating to 1.0) for context-sensitive linking www.exlibrisgroup.com/sfx_openurl.htm The OpenURL is designed to enable the transfer of the metadata from the information service to a service component that can provide context-sensitive services for the transferred metadata |
|
| Distributed searching |
ISO 23950:1998 Information and documentation -- Information retrieval (Z39.50) -- Application Service Definition and Protocol Specification http://www.loc.gov/z3950/agency/ Note: The two documents are technically the same with only slight editorial differences |