Webapp should be deployed in HTTP and not in HTTPS? #218
Replies: 1 comment 2 replies
-
|
It's because links like
need to work. For that to happen over HTTPS, every SMP would need to have the TLS certificate with its private key for the domain iso6523-actorid-upis.edelivery.tech.ec.europa.eu. As I understand it, this is being worked on by OpenPeppol by transitioning from CNAME to NAPTR records. |
Beta Was this translation helpful? Give feedback.
-
|
That is totally correct. Due to the dynamic DNS name creation, every participant is accessed with a unique domain name, which makes it impossible to use a single TLS certificate. The official statement can be found in the official SMP specification https://docs.peppol.eu/edelivery/smp/PEPPOL-EDN-Service-Metadata-Publishing-1.2.0-2021-02-24.pdf chapter 5.1. It's not a GDPR problem, because the information in the SMP are person related. It's open data, for technical routing only. And because the data is signed with an electronic certificate, it's authenticity is secured. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, now is clear. |
Beta Was this translation helpful? Give feedback.
-
Ciao, reading the documentation at page: https://peppol.helger.com/public/menuitem-docs-setup-smp-ph#security I found this note:
"Note that a production SMP service MUST be deployed as the ROOT web application (at path "/") on the application server, since this is a prerequisite in the DNS lookup scheme. Furthermore it MUST be deployed on port 80 (standard http port) and may not use SSL to secure the transport.".
Using HTTP instead of HTTPS is not safe and not GDPR compliant.
Did I understand wrong? The port 80 is mandatory? why?
Kind regards
Beta Was this translation helpful? Give feedback.
All reactions