Eclipse Conformity Assessment Policy and Credential Profile

This proposal contributes to implements an end-to-end holistic approach to seamlessly integrate, anchor, and enforce negotiated data exchange agreements throughout the underlying infrastructure, encompassing processes related to data processing, storage, and transfer.

Conformity assessment is one of the industry answers to handle risk management, yet there is no commonly accepted specification for interoperable conformity assessment.

This specification goal is to combine the existing world of conformity assessment and the needs for a Provider and a Consumer to reach an agreement based on a common understanding using existing claims and evidence.

Examples:

• How can Provider express that an unknown Consumer shall only process data on ISO 27001 certified services ?
• How does the Consumer demonstrate such requirement ?

To demonstrate the viability of the current proposal, Gaia-X used this specification to build the Gaia-X Compliance and an open-source implementation of the elements described in the Scope section has been done https://gitlab.com/gaia-x/lab/compliance

The Gaia-X compliance and its implementation based on the current specification proposal is being used by several dataspaces such as Catena-X, Eona-X, Prometheus-X, Agdatahub, ...

The implementation used to validate the current specification is based on:

• W3C Verifiable Credential, W3C SHACL and W3C SPARQL for the validation and verification of the models mentioned in the Scope section.
• W3C DID, X509 and JOSE for the cryptographic chains of trust.
• ETSI TS 119 312 and EBSI APIs for the presentations of the trust anchors.
• OIDC4VCi and OIDC4VP for the exchange of W3C Verifiable Credentials.
• TRAIN to discover the ecosystem rules and trust anchors.