Creation Review

Type
Creation
State
Successful
End Date of the Review Period

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.

Proposal

Eclipse Conformity Assessment Policy and Credential Profile

Monday, February 12, 2024 - 09:16 by Pierre Gronlier
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Is this a specification project?
Patent License
Implementation Patent License
Parent Project
Proposal State
Created
Background

To create new, better and/or more accurate services, data must be exchanged. While there are several existing protocols to exchange data, there is no de facto standard to negotiate a service usage, a data exchange and policies in general yet.

This proposal complement the Contract negociation information model from the IDSA Dataspace Protocol by focusing on a semantic and technical specification to express policies and demonstrate fulfilment on such policies based on the use of claims and evidence in the form of Verifiable Credentials and the vocabularies from the conformity assessment ISO standards.

This will enable to anchor existing ICT services descriptions (AI, infrastructure, SaaS, IaaS, ...) and their certifications into the policies used for data exchange.

Scope

The Eclipse Conformity Assessment Policy and Credential Profile defines a specification for expressing and verifying policies through verifiable credentials and conformity assessment vocabularies (ISO/IEC 17000:2020).

The Eclipse Conformity Assessment Policy and Credential Profile:

  • specifies an ODRL profile supporting the use of Verifiable Credentials (VC)
  • defines a semantic model for conformity assessment terms (declaration, certification, attestation, accreditation, claim, evidence, requirement, ...)
  • defines an entity-relationship model and VC schemas of the above terms and the consequences for the policies (Example; if the holder of a credential is the issuer, it's de facto a declaration, independently of credential format and protocol exchange)
  • defines a semantic and requirements model for VC issuers depending on the type of verifiable credentials used in the policy negotiation (Example; a certification can only be issued by a certification authority or an appointed representative of the certification authority, independently of the certification type, or how to make legally relevant evidence in line with the civil law of obligations.)

Out of scope:

  • The management of the policies, the claims and the evidence.
  • Implementation of specific jurisdiction or domain requirements.
  • Automated compliance or Compliance as Code
  • Law enforcement
  • Gaia-X Compliance
Description

This proposal contributes to implements an end-to-end holistic approach to seamlessly integrate, anchor, and enforce negotiated data exchange agreements throughout the underlying infrastructure, encompassing processes related to data processing, storage, and transfer.

Conformity assessment is one of the industry answers to handle risk management, yet there is no commonly accepted specification for interoperable conformity assessment.

This specification goal is to combine the existing world of conformity assessment and the needs for a Provider and a Consumer to reach an agreement based on a common understanding using existing claims and evidence.

Examples:

  • How can Provider express that an unknown Consumer shall only process data on ISO 27001 certified services ?
  • How does the Consumer demonstrate such requirement ?

 

To demonstrate the viability of the current proposal, Gaia-X used this specification to build the Gaia-X Compliance and an open-source implementation of the elements described in the Scope section has been done https://gitlab.com/gaia-x/lab/compliance

The Gaia-X compliance and its implementation based on the current specification proposal is being used by several dataspaces such as Catena-X, Eona-X, Prometheus-X, Agdatahub, ...

The implementation used to validate the current specification is based on:

  • W3C Verifiable Credential, W3C SHACL and W3C SPARQL for the validation and verification of the models mentioned in the Scope section.
  • W3C DID, X509 and JOSE for the cryptographic chains of trust.
  • ETSI TS 119 312 and EBSI APIs for the presentations of the trust anchors.
  • OIDC4VCi and OIDC4VP for the exchange of W3C Verifiable Credentials.
  • TRAIN to discover the ecosystem rules and trust anchors.
Why Here?

We believe that the approach to dataspace and data exchange should be done with pragmatism and therefore directly engage with a vibrant developer community and domain experts to address the core features of data exchange.


The expectation is to become part of a wider community working on the several layers of interoperability for data exchange.

Future Work

We would like to collect feedback to improve the specifications and organize community events with presentations, hackathon, deep dives in coordination with the existing organizations.

Project Scheduling

Gaia-X AISBL demonstrated in November 2023 how to achieve organizational and semantic interoperability across ecosystems (aka dataspace or federations) with 8 independent projects synchronizing their catalogues using non-permissioned public endpoints.

We would like to increase this number by at least a factor of 10 within the next quarters and we believe that an open standard for technical interoperability is the way to go.

The initial contributions can be done before summer 2024.

Initial Contribution

The specifications come with an existing open-source implementation under the Eclipse Public License 2.0.

Gaia-X AISBL is the copyright holder.

Before transferring the code from https://gitlab.com/gaia-x/lab/compliance to the future Eclipse hosted repositories, some work need to be done by Gaia-X to remove customs rules and specific implementations from the source.

Source Repository Type

This is a joint comment from Peter Koen, Jim Marino, Julia Pampus, and Markus Spiekermann:

After reading the "Eclipse Trust Protocol Proposal," we have several clarifying questions and comments about the scope of the proposed work.

Our first question is if the proposal is for a specification or an implementation? If it is an implementation, it is unclear what the governing specification is (is there a governing specification?) If it is a specification, will there be separate implementation projects proposed for Eclipse or another open-source venue? 

It is not clear who "trust" is targeted at. The project title, "Eclipse Trust Protocol," is too vague and open-ended. Does "trust" involve dataspace participants, workloads like SPIFFE and SPIRE, end users, or organizations? The proposed work appears to be for "data exchange." If so, it should clearly state that and discuss what parties are targeted and how. 

The proposal states:

"Eclipse Trust Protocol implements an end-to-end holistic approach to seamlessly integrate, anchor, and enforce negotiated data exchange agreements throughout the underlying infrastructure, encompassing processes related to data processing, storage, and transfer."

What does the above mean, and how does it relate to Eclipse Dataspace Protocol Specifications? Will this work be based on DSP, and in particular, its policy format, contract negotiation protocol, and transfer process protocol? We are not arguing that it should, but clarifying this is important because it will directly impact the project scope. 

The scope states:

"In scope:

To specify the information model and workflow enabling policy reasoning based on gathered and compiled claims and evidences.

To specify the information model and workflow creating legally relevant proofs in line with the civil law of obligations.

To specify protocols and formats enabling and enforcing the above, including the enforcement of the agreement resulting from the negotiation and the capability to prove its proper execution."

Based on this scope, it appears the proposal is to define more than an information model covering trust "attributes." The term "workflow" is extremely broad and could be interpreted as including message exchange patterns for establishing identity, presenting data policies, presenting verifiable credentials, negotiating contracts, and establishing data transfer connections. If the scope is only some of those and not others, that should be explicitly spelled out and detailed.

The list of technical specifications is also extremely broad:

"In detail, the current implementation is based on W3C JSON-LD, W3C VC, W3C SHACL, W3C SPARQL, W3C DID, X509, ETSI TS 119 312 for the data format and OIDC4VCi, OIDC4VP, EBSI for the APIs."

What is the architectural picture tying these disparate technologies together?  

Peter, Jim, Julia, and Markus

 

This proposal is listed on https://projects.eclipse.org/working-group/eclipse-dataspace so it seems to have a relation to the other Eclipse dataspace activities. Reading through the text, however, I don't understand the difference to the other two (Eclipse Dataspace Identity and Trust Protocol & Eclipse Dataspace Protocol). Why is this one needed in addition? Why is it not possible to merge it with the others?

In reply to by Sebastian Bader

It's unclear to us what the relationship to the other dataspace projects is, hence the questions we raised to clarify that. I see the possibility that this project focuses on a profile of the Identity and Trust Protocol to define a specific trust model for particular use cases. The Identity and Trust Protocol scope is specifically limited to allow other projects to create profiles.

As written, the scope of this project proposal is much broader than specifying a trust model. It appears the project aims to define alternative protocols to the DSP specifications. I also think that is fine, but the scope should clearly state whether it will be built on DSP or be an alternative.

I would suggest you move this discussion to the GitLab ticket linked above: https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/714

PMI comments require moderation wich might cause some delays in the posting.