| | 4.3 Fulfilment
02b. Support Note Request | | |
|---|
| 4.3.02b. Support Note Request: | | 1. Notes are used as subscription evidence for each Business Message sent as an email envelope with link. Notes may be used for other reasons, but that is not the purpose of this page. | | 2. Every support request may be shown as a read-only support document that is viewed by an email link. At the current time, it is not proposed that a person can enter any data or change any field value because they have not formally signed in. In a future phase, a person may be able to append a new note that does not change existing data, but adds new information without being signed in. |
| Glossary: | | 1. Opt-In means the person subscribes and gives their consent to view the support request. | | 2. Opt-Out means the person unsubscribes and does not give their consent to view the support request. | | 3. Consent evidence provided by the person is a legal requirement for each and every business message sent by email (or phone). |
| 2. Support Note Record: | | 1. When a new support note record is added, the following field values are created and never change. These field values are used in an algorithm to create a unique URL that is shown in the envelope as approval to view the support request. | | 2. It is noted that the URL is derived from the support note to grant access to its parent support record. This enables more than one support note to be created with unique email addresses to grant access to the support request to more than one person. | | 3. when a business message envelope is sent to an email address, that email address is changed to "name at domain" and protected so it cannot be changed and another email cannot be sent again using the same support note. Fields 12 and 13 hold the date and time when a person subscribes and fields 10 and 11 holds the date and time when the person unsubscribes. |
| 3. Support Note Fields: | | 01. primary key. | | 03. site code - look up branch number. | | 04. support request key. | | 05. support note key. | | 14. email user key. | | 15. week number in year. | | 16. month number in year. | | 20. author user key. | | 21. authored date. | | 22. authored time. |
| 4. Algorithms: | | 1. Each field value has a unique length and range of values that are algorithmically changed to a fixed length set of digits. This simply obfuscates the actual field value and makes it hard to differentiate between field values that are all numeric. | | 2. Field values are concatenated together together with some random digits according to an algorithm. The resulting string of digits is then scrambled according to an algorithm. | | 3. CRC numbers are calculated and appended so any change to the string of digits can be identified. The procedure number and email identifier are made part of the URL. |
| 5. Security: | | 1. The email address entered in field 38 is verified as being approved by looking up the persons name and number. It the email address is not found, the email request is rejected - only approved people may view a support request. The person user number is saved in field 14 and becomes part of the URL for that specific person. | | 2. c01+c04+c05+c14+c20+c21+c22 have lengths as 8+6+8+6+6+8+6 as 48 digits. Random digits extend that to 50 digits before it is scrambled (25*2). | | 3. CRC (5) algorithm is done on the scrambled numbers and CRC (2) algorithm is done and concatenated. The procedure number (4) and email identifier (6) are concatenated. The URL includes an opt-in and an opt-out suffix of 4 digits. | | 4. The resulting URL is always 71 digits that is easy to validate and easy to detect criminal behaviour. |
| 6. Attack: | | 1. This procedure can be published because the algorithms used are a trade secret. Even if a criminal had access to all these algorithms, they would still have no idea of the data needed to create a URL. Every URL has by design a built in expiry date and time, so a criminal has a very limited amount of time to access a support request while its support note has not expired. A support request without a support note cannot be accessed by any URL, no matter how it is crafted. |
| 7. Business Message: | | 1. Every email envelope has two URL links to opt-in or opt-out. The URL must be complete and correct to identify a unique support note record before any action is taken. | | 2. When the person clicks the opt-in button the support request document is shown - the date and time are recorded. When the person clicks the opt-out button, the opt-out message is shown - the date and time are recorded. |
| 8. Opt-Out Message: | | 1. When a person declines an invitation to subscribe to a support request document, then the following opt-out message is shown. | | 2. It has been recorded that you have chosen to opt-out of viewing this support request document. You have not given your consent and so the support request document will not shown. | | 3. Your email button to opt-in and give your consent to be shown the support request document shall remain active until its documented expiry date and time. You have the right to change you mind and give your consent by clicking the opt-in button. |
| Document Control: | | 2017 Jan 13 : Latest edition as (public) page 164302b. Part of ITIL Request Fulfilment Managers responsibilities. |
|
|