2. Supports the development & implementation of a IPPC Global ePhyto Hub to: Utilize modern Cloud technology. Ensure there is a secure folder for each countries’ certificate information. Reduce the complexity and rigidity of bilateral exchanges Simplify setup and ongoing maintenance for participating countries = lower cost. Improve visibility of certificate exchanges. Separate the message carrier (envelope) from the actual certificate information payload making it more flexible and modular – not hard coded together. Use internet standard security SSL certificates = lower cost for participating countries.

3. Ensure the sender NPPO identity. Ensure the receiver NPPO identity. Is highly configurable. Allows for the push/push method as well as push/pull method to achieve the ePhyto message exchange. Is highly extensible - allows for extended NPPO functionality without the need to ask the HUB service provider for changes in their service. Allows for the inclusion of other Transmission Protocols (for example, secure SMTP)

4. Hub Country B Country A Software to Software Country C Country D NPPO to NPPO ePhyto Certificate Information Exchange through the Hub.

5. Country B Country A Software to Software Country C Country D

6. Use of the hub is Voluntary. Some countries will choose to continue to use paper certificates for a long time. Some countries may prefer point to point transmission. Paper certificates will continue to be used – countries will agree bilaterally when to use only electronic exchange. Start using the hub when you are ready – 1 year, 5 years, 10 years... Security and confidentiality is paramount. ePhytos are encrypted for transmission and not opened by hub. Costs of maintaining the hub are carried by the users of the hub. Participating countries will require a National System to exchange ePhyto data with the Hub. The Hub will conduct verification on the transmitted ePhytos (envelopes only). The content verification is only accomplished through the “contract” that the participants of the hub must sign before they can participate on the HUB. This is, the HUB doesn't validate the ePhyto (message content) content.

7. Introduction In a secure electronic transmission the identity of the message sender must be ensured. In order to achieve this goal there are a lot of method to ensure the identity. For example, a login with user and password, a signature, etc.. Nowadays, NPPOs which already has implemented an electronic exchange are achieving the sender identity ensuring in different ways. To maintain the authentication in an abstract manner, an authentication server is proposed. It must provide a way to obtain credentials and a method to validate credentials. The method by the credential has been obtained is not important for the receiver (user/password, signature, etc.).

8. In order to ensure the sender identity, the importer NPPO, the exporter NPPO as well as the HUB must interact with the Authentication server. The following slides tries to explain the interaction between the exporter NPPO, the importer NPPO, the Authentication server and the HUB server.

9. Hub Server Exporter NPPO Importer NPPO Authentication Server 1. LoginWithXXX() 2. Exporter credential 3. receiveMessage (includes exporter credential) 4. Verify exporter credential 5. verifyCredential response 6. LoginWithXXX() 7. HUB credential 8. receiveMessage (includes HUB credential) 9. Verify HUB credential 10. verifyCredential response

10. The receipt of the export NPPO ePhyto message by the HUB, and the delivery/sending of the ePhyto message by the HUB to the destination/import NPPO do not need to be simultaneous. The ePhyto messages are only to be kept in the hub temporarily, (i.e. until they are confirmed as received by the final destination NPPO). Use of the Hub is voluntary. Participating NPPOs MUST register with the Hub to participate on the Hub. Registered participating NPPOs will to have a National System to prepare ePhyto messages and exchange and receive ePhyto messages through the Hub. The Hub validates export NPPO id and the import NPPO id on the ePhyto message envelopes only. Verification of the ePhyto message “content”is undertaken by the import NPPO. The HUB does NOT validate the ePhyto message content.

11. To assist in the understanding of our Hub goal/objective we use pictures of the post office mail pathway with explanatory text to explain security and authentication steps: The following slides explain the functionality of the HUB service to achieve a completely secure transmission.

13. 1.The export NPPO national system (sender) prepares the certificate data (i.e. writes the letter). 2.The export NPPO national system (sender) authorises the issuance the XML phytosanitary certificate data set (equivalent to signing a letter). This action ensures the content can not be altered, the certificate is an original (i.e. message encryption through the use of private and public key security processes). It is not agreed yet. 3.The export NPPO national system ask for a credential to the Authentication authority. The credential is analogous to a stamped ticket that only the authentication authority is capable to determine its validity. 4.The export NPPO national system inserts the XML ePhyto message and the credential into an envelope. This step ensures authenticity of the sender NPPO identity, and set free to the importer NPPO of the duty of validate the sender identity.

14. The envelope contains data to facilitate the delivery envelope (credential, message itself, sender NPPO id, receiver NPPO id, message date, message id). 5.The export NPPO envelope containing the XML ePhyto message and the export NPPO credential is delivered to the Hub (post office). Secure delivery is visualised by the armoured truck. This is to emphasise the secure delivery of the envelope. This also ensures that the initial receiver will be the Hub (post office). 6.The Hub (post office) verifies the envelope data (i.e. asks to the authentication authority for the authentication of the exporter NPPO credential; if it is valid, then the export NPPO identity is ensured).

15. 7.The envelope is saved in the Hub (post office) until sent to the destination import NPPO. The security of the envelope at this stage is responsibility of the Hub (post office). 8.When the envelopes is to be sent to the import NPPO, the HUB (post office) searches the Hub storage folders, retrieves the envelopes and sends these to the import NPPO. 9.In order to the import NPPO could be sure of the HUB identity, the HUB needs to ask for a credential to the Authentication authority. 10.All this envelopes are introduced in a new envelope that also contains the HUB credential.

16. 11.The delivery of the new envelope to the import NPPO is also a secure transmission as visualised by an armoured truck (HTTPS). 12.Once that the message is received by the destination import NPPO, it asks to the authentication authority for the authentication of the HUB credential; if it is valid, then the HUB identity is ensured). 13.The destination import NPPO opens the envelope, obtains the messages (original envelopes), and depending of the type of each message the NPPO decides what to do. In the case of an ePhyto message where the content is phytosanitary data, the import NPPO national systems internal process may only involve saving the message, verifying the version, verifying mandatory fields, etc.

17. The message content could also be, for example, the rejection of an ePhyto, the withdraw of an ePhyto, the clearance confirmation, etc. This unique method of operating through the Hub allows us to extend the number & type of message transactions without changes to the HUB services. We may only need to have the Hub service provider count the number of new message types. For example, our request may be for the number of ePhytos transacted, and the number of response messages associated with each ePhyto (e.g. provision of a report listing messages against the list of ePhytos). Important to note; this can be achieved without any change in the HUB functionality.