London Market Implementation of ACORD DRI Messages and Data
The mandatory elements of the ACORD Basic Security Profile have been mandated for use in the London Market (see The London Market Accounting and Settlement Technical Information, Section 5). This requires:
Mandatory use of SSL/TLS Server authentication and Encryption
Mandatory use of digital signatures (SOAP Body only)
The following optional elements of the Basic Security Profile are not to be used by London Market implementers:
WSS Username Token (including a digital signature to protect integrity of the password)
Referred Message Signature to prove that a message was read by the Receiver as originally sent.
Digital certificates will be exchanged between trading parties out of band: each party will provide the other with its code signing certificate and its public key reference. Within the SOAP Header, the certificate should be referenced in the Key Information aggregate. All Simple Object Access Protocol (SOAP) servers are required to be configured for HTTPS traffic.
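An added example, not taken from this document or from ACORD: a receiver-side structural check that an incoming SOAP message conforms to the profile set out above (a WS-Security header, no Username Token, a single signature covering the SOAP Body only, and a Key Information reference to the out-of-band certificate). The sample envelope, its placeholder digest and signature values, and the issuer/serial values are constructed for illustration; the check is structural and does not replace cryptographic verification of the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample envelope (not a real London Market message): digest and
# signature values are placeholders; the certificate is referenced by
# issuer/serial, not carried inline, matching the out-of-band exchange.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#Body">
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      <ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
        <ds:X509IssuerName>CN=Example Trading Party CA</ds:X509IssuerName>
        <ds:X509SerialNumber>1234</ds:X509SerialNumber>
      </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
    </ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body"><Document/></soap:Body>
</soap:Envelope>"""

def check_profile(xml_text):
    """Return profile violations (empty list = pass). Structural only: the
    XML-DSig signature itself must still be verified cryptographically."""
    env = ET.fromstring(xml_text)
    sec = env.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    problems = []
    if sec.find("wsse:UsernameToken", NS) is not None:
        problems.append("UsernameToken present; not used in the London Market")
    sigs = sec.findall("ds:Signature", NS)
    if len(sigs) != 1:
        return problems + [f"expected exactly one ds:Signature, found {len(sigs)}"]
    body = env.find("soap:Body", NS)
    body_id = body.get(f"{{{NS['wsu']}}}Id") if body is not None else None
    refs = [r.get("URI") for r in sigs[0].findall("ds:SignedInfo/ds:Reference", NS)]
    if body_id is None or refs != [f"#{body_id}"]:  # Body, and only the Body, is signed
        problems.append(f"signature references {refs}, expected ['#{body_id}']")
    if sigs[0].find("ds:KeyInfo/wsse:SecurityTokenReference", NS) is None:
        problems.append("KeyInfo does not reference the trading party certificate")
    return problems
```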
It has become common practice for PostRs messages not to be signed. Clarification is being sought from ACORD regarding its position on the signing of PostRs messages.
Audit and Control
It is the responsibility of each trading party to maintain adequate controls and audit trails in accordance with their own requirements. The audit trail should contain sufficient data to verify the processing stage of each incoming and outgoing message, including related responses.
All packages and ACORD DRI messages must be responded to by the receiver. This will include an initial synchronous system
London Market Implementation of ACORD DRI Messages v1.doc
Page 26 of 48