Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.
Eclipse Conformity Assessment Policy and Credential Profile
To create new, better and/or more accurate services, data must be exchanged. While there are several existing protocols to exchange data, there is no de facto standard to negotiate a service usage, a data exchange and policies in general yet.
This proposal complement the Contract negociation information model from the IDSA Dataspace Protocol by focusing on a semantic and technical specification to express policies and demonstrate fulfilment on such policies based on the use of claims and evidence in the form of Verifiable Credentials and the vocabularies from the conformity assessment ISO standards.
This will enable to anchor existing ICT services descriptions (AI, infrastructure, SaaS, IaaS, ...) and their certifications into the policies used for data exchange.
The Eclipse Conformity Assessment Policy and Credential Profile defines a specification for expressing and verifying policies through verifiable credentials and conformity assessment vocabularies (ISO/IEC 17000:2020).
The Eclipse Conformity Assessment Policy and Credential Profile:
- specifies an ODRL profile supporting the use of Verifiable Credentials (VC)
- defines a semantic model for conformity assessment terms (declaration, certification, attestation, accreditation, claim, evidence, requirement, ...)
- defines an entity-relationship model and VC schemas of the above terms and the consequences for the policies (Example; if the holder of a credential is the issuer, it's de facto a declaration, independently of credential format and protocol exchange)
- defines a semantic and requirements model for VC issuers depending on the type of verifiable credentials used in the policy negotiation (Example; a certification can only be issued by a certification authority or an appointed representative of the certification authority, independently of the certification type, or how to make legally relevant evidence in line with the civil law of obligations.)
Out of scope:
- The management of the policies, the claims and the evidence.
- Implementation of specific jurisdiction or domain requirements.
- Automated compliance or Compliance as Code
- Law enforcement
- Gaia-X Compliance
This proposal contributes to implements an end-to-end holistic approach to seamlessly integrate, anchor, and enforce negotiated data exchange agreements throughout the underlying infrastructure, encompassing processes related to data processing, storage, and transfer.
Conformity assessment is one of the industry answers to handle risk management, yet there is no commonly accepted specification for interoperable conformity assessment.
This specification goal is to combine the existing world of conformity assessment and the needs for a Provider and a Consumer to reach an agreement based on a common understanding using existing claims and evidence.
Examples:
- How can Provider express that an unknown Consumer shall only process data on ISO 27001 certified services ?
- How does the Consumer demonstrate such requirement ?
To demonstrate the viability of the current proposal, Gaia-X used this specification to build the Gaia-X Compliance and an open-source implementation of the elements described in the Scope section has been done https://gitlab.com/gaia-x/lab/compliance
The Gaia-X compliance and its implementation based on the current specification proposal is being used by several dataspaces such as Catena-X, Eona-X, Prometheus-X, Agdatahub, ...
The implementation used to validate the current specification is based on:
- W3C Verifiable Credential, W3C SHACL and W3C SPARQL for the validation and verification of the models mentioned in the Scope section.
- W3C DID, X509 and JOSE for the cryptographic chains of trust.
- ETSI TS 119 312 and EBSI APIs for the presentations of the trust anchors.
- OIDC4VCi and OIDC4VP for the exchange of W3C Verifiable Credentials.
- TRAIN to discover the ecosystem rules and trust anchors.
The input for the specifications will come from Gaia-X AISBL which is the sole IP owner.
The input for the software artefacts is under EPL-2.0 license and all contributors signed a CLA granting the rights to Gaia-X AISBL which will in turn transfer the IP to the Eclipse group
We believe that the approach to dataspace and data exchange should be done with pragmatism and therefore directly engage with a vibrant developer community and domain experts to address the core features of data exchange.
The expectation is to become part of a wider community working on the several layers of interoperability for data exchange.
We would like to collect feedback to improve the specifications and organize community events with presentations, hackathon, deep dives in coordination with the existing organizations.
Gaia-X AISBL demonstrated in November 2023 how to achieve organizational and semantic interoperability across ecosystems (aka dataspace or federations) with 8 independent projects synchronizing their catalogues using non-permissioned public endpoints.
We would like to increase this number by at least a factor of 10 within the next quarters and we believe that an open standard for technical interoperability is the way to go.
The initial contributions can be done before summer 2024.
The specifications come with an existing open-source implementation under the Eclipse Public License 2.0.
Gaia-X AISBL is the copyright holder.
Before transferring the code from https://gitlab.com/gaia-x/lab/compliance to the future Eclipse hosted repositories, some work need to be done by Gaia-X to remove customs rules and specific implementations from the source.
- Log in to post comments
- Log in to post comments