With a public sector customer I had an interesting discussion on non-repudiation
, messaging and regulatory control. We were discussing how to ensure awareness of information that has behavioural or legal consequences. While "I didn't know
" is hardly a viable defence
, relying on the other party to keep themselves updated is just asking for trouble. In a collaborative environment, where a regulator sees itself primarily as the facilitator of orderly conduct
and only as policing the conduct as secondary mission, this is inefficient.
An efficient way is a closed loop system of information dissemination and acknowledgement. The closed loop requirement isn't just for regulators, but anybody that shares information resulting in specific behaviour. Just look at the communication pattern of a pilot with air traffic control (paraphrased): Tower: "Flight ABC23 turn to runway 270, descend to 12 thousand feet
" - Pilot: "Roger that, turning to 270, descent to 12 thousand
When we look at eMail, the standard mechanism that seems to get close to this pattern are Return Receipts:
- Message Disposition Notification - MDN (commonly referred to as Return Receipt) to capture the "state of acknowledgement", is a folly.
So some better mechanism is needed!
- the RFC is completely optional and a messages system can have it switched off (or delete it from the outbox), so it isn't suitable as guarantee
- MDN only indicates that a message has been opened. It does not indicate: was it read, was it understood, were the actions understood, was the content accepted (the later one might not be relevant in a regulatory situation). It also doesn't - which is the biggest flaw - indicate what content was opened. If the transmission was incomplete, damaged or intercepted a return receipt wouldn't care.
Using documents that have a better context a closed loop system can be designed. When I say "document" I don't mean: propriety binary or text format file sitting in a file system, but entity (most likely in a database) that has content and meta information. The interesting part is the meta information:
- Document hierarchy: where does it fit in. For a car manufacturer recalling cars that could be: model, make, year. For a legislator the act and provisions it belongs in
- Validity: when does it come into effect (so one can browse by enactment date), when does (or did) it expire
- History: which document(s) did it supersede, which document(s) superseded it
- Audience: who needs to acknowledge it and how fast. Level of acknowledgement needed (simple confirmation or some questionnaire)
- Pointer to discussion, FAQ and comments
An email has no structured way to carry such information forward. So a document repository solution is required. On a high level it can look like this:
Messaging is only used for notification of the intended audience. Acknowledgement is not an automatic, but a conscious act of clicking a link and confirming the content. The confirmation would take a copy of original text and sign it, so it becomes clear who
. An ideal candidate would be XML Signature
, but there isn't a model how to sign that from a browser. There is an emerging w3C standard
for browser based Crypto, that has various level of adoption:
Once you have dedicated records who has acknowledged a document, you can start chasing, reliable and automated, the missing participants and, if you are a regulator, take punitive actions when chasing fails. It also opens the possibility to run statistics how fast what type of documents get adopted.
The big BUT
usually is: I don't want to deploy additional 2 servers for document storage and web access. The solution for that is, you might have guessed it
, is Domino. One server can provide all 3 roles easily:
As usual YMMV