Status message

A Eclipse Conformity Assessment Policy and Credential Profile Creation Review has been created for this proposal.

Eclipse Conformity Assessment Policy and Credential Profile

Date Review
never
Date Trademark
never
Date Provisioned
never
Date Initial Contribution
never
Date Initial Contribution Approved
never
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Is this a specification project?
Patent License
Implementation Patent License
Parent Project
Proposal State
Community Review
Background

To create new, better and/or more accurate services, data must be exchanged. While there are several existing protocols to exchange data, there is no de facto standard to negotiate a service usage, a data exchange and policies in general yet.

This proposal complement the Contract negociation information model from the IDSA Dataspace Protocol by focusing on a semantic and technical specification to express policies and demonstrate fulfilment on such policies based on the use of claims and evidence in the form of Verifiable Credentials and the vocabularies from the conformity assessment ISO standards.

This will enable to anchor existing ICT services descriptions (AI, infrastructure, SaaS, IaaS, ...) and their certifications into the policies used for data exchange.

Scope

The Eclipse Conformity Assessment Policy and Credential Profile defines a specification for expressing and verifying policies through verifiable credentials and (ISO 27001) conformity assessment vocabularies

The Eclipse Conformity Assessment Policy and Credential Profile:

  • specifies an ODRL profile supporting the use of Verifiable Credentials (VC)
  • defines a semantic model for conformity assessment terms (declaration, certification, attestation, accreditation, claim, evidence, requirement, ...)
  • defines an entity-relationship model and VC schemas of the above terms and the consequences for the policies (Example; if the holder of a credential is the issuer, it's de facto a declaration, independently of credential format and protocol exchange)
  • defines a semantic and requirements model for VC issuers depending on the type of verifiable credentials used in the policy negotiation (Example; a certification can only be issued by a certification authority or an appointed representative of the certification authority, independently of the certification type, or how to make legally relevant evidence in line with the civil law of obligations.)

Out of scope:

  • The management of the policies, the claims and the evidence.
  • Implementation of specific jurisdiction or domain requirements.
  • Automated compliance or Compliance as Code
  • Law enforcement
  • Gaia-X Compliance
Why Here?

We believe that the approach to dataspace and data exchange should be done with pragmatism and therefore directly engage with a vibrant developer community and domain experts to address the core features of data exchange.


The expectation is to become part of a wider community working on the several layers of interoperability for data exchange.

Project Scheduling

Gaia-X AISBL demonstrated in November 2023 how to achieve organizational and semantic interoperability across ecosystems (aka dataspace or federations) with 8 independent projects synchronizing their catalogues using non-permissioned public endpoints.

We would like to increase this number by at least a factor of 10 within the next quarters and we believe that an open standard for technical interoperability is the way to go.

The initial contributions can be done before summer 2024.

Future Work

We would like to collect feedback to improve the specifications and organize community events with presentations, hackathon, deep dives in coordination with the existing organizations.

Description

This proposal contributes to implements an end-to-end holistic approach to seamlessly integrate, anchor, and enforce negotiated data exchange agreements throughout the underlying infrastructure, encompassing processes related to data processing, storage, and transfer.

Conformity assessment is one of the industry answers to handle risk management, yet there is no commonly accepted specification for interoperable conformity assessment.

This specification goal is to combine the existing world of conformity assessment and the needs for a Provider and a Consumer to reach an agreement based on a common understanding using existing claims and evidence.

Examples:

  • How can Provider express that an unknown Consumer shall only process data on ISO 27001 certified services ?
  • How does the Consumer demonstrate such requirement ?

 

To demonstrate the viability of the current proposal, Gaia-X used this specification to build the Gaia-X Compliance and an open-source implementation of the elements described in the Scope section has been done https://gitlab.com/gaia-x/lab/compliance

The Gaia-X compliance and its implementation based on the current specification proposal is being used by several dataspaces such as Catena-X, Eona-X, Prometheus-X, Agdatahub, ...

The implementation used to validate the current specification is based on:

  • W3C Verifiable Credential, W3C SHACL and W3C SPARQL for the validation and verification of the models mentioned in the Scope section.
  • W3C DID, X509 and JOSE for the cryptographic chains of trust.
  • ETSI TS 119 312 and EBSI APIs for the presentations of the trust anchors.
  • OIDC4VCi and OIDC4VP for the exchange of W3C Verifiable Credentials.
  • TRAIN to discover the ecosystem rules and trust anchors.
Initial Contribution

The specifications come with an existing open-source implementation under the Eclipse Public License 2.0.

Gaia-X AISBL is the copyright holder.

Before transferring the code from https://gitlab.com/gaia-x/lab/compliance to the future Eclipse hosted repositories, some work need to be done by Gaia-X to remove customs rules and specific implementations from the source.

Source Repository Type