Versions Compared

Old Version 107

changes.mady.by.user Marnix Vermaas

Saved on

compared with

New Version 108

changes.mady.by.user Vinith Bhandari

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

DISCLAIMER: all descriptions are definitions written by iSHARE, unless specified otherwise


...

Anchor
ABAC
ABAC
ABAC

ABAC (Attribute-Based Access Control) is assigning authorizations based on attributes (contextual pieces of information that are relevant to an access decision, such as device type, RBAC 70222188 role, time, location, or CRUD 70222188 level). The attributes can be associated with all entities that are involved with certain actions, such as the subject, the object, the action itself and the context (e.g. time, location). The attributes are compared with policies to decide which actions are allowed in which context, granting access based on the policy outcomes.

...

There is a clear distinction between accountability and Responsibility 70222188.

Accountability can be described as being liable or answerable for the completion of a certain task. Someone or something who is accountable oversees and manages the stakeholder(s) who are responsible for performing the work effort. In order to be effective, accountability should lie with a sole entity or role.

...

An iSHARE Adhering Party adheres to the iSHARE terms of use. An iSHARE Adhering Party MUST sign an Accession Agreement with the Scheme Owner (role)70222188

...

Anchor
API
API
API

An API (Application Programming Interface) is a technical interface, consisting of a set of protocols and data structuring standards ('API specifications') which enables computer systems to directly communicate with each other. Data or services can be directly requested from a server by adhering to the protocols. APIs are used to hide the full complexity of software and make it easy for third parties to use parts of software or data services. APIs are mainly meant for developers to make the creation of new applications depending on other applications easier. 

...

Authenticity can be achieved by digitally Signing 70222188 a message with the private key from the sender. The recipient can verify the digital signature with the matching public key. Certificates containing public and private keys are issued by a Certificate Authority.

...

Anchor
Authorisation
Authorisation
Authorization

Authorization is the process of giving someone or something permission to something, for example to access to services, data or other functionalities. Authorization is enabled by Authentication 70222188. Policies and attributes determine what types of activities are permitted by an entity.

...

The Authorization Registry: 

Within the iSHARE Scheme, the term Authorization Registry always refers to an external Authorization Registry (not part of the Service Provider (role) or Entitled Party (role))of the 70222188 or 70222188)

The Authorization Registry is a role for which iSHARE Certification (iSHARE)70222188 is REQUIRED.

...

Anchor
Caching
Caching
Caching

...

Roles for which certification is required facilitate certain functions for the iSHARE Scheme that every party within iSHARE must able to rely upon. An iSHARE Certified Party MUST apply to the Scheme Owner (role)70222188 for certification and, after providing sufficient proof, MUST sign a certification agreement with the Scheme Owner (role)70222188.

...

Anchor
Confidentiality
Confidentiality
Confidentiality

...

In the context of information security, credentials are used to control access of someone or something to something, for example to services, data or other functionalities. The right credentials validate (i.e. Authentication70222188) the identity claimed during Identification 70222188.

The best-known example of credentials is a password, but other forms include electronic keycards, biometrics and, for machines, public key certificates.

...

CRUD (acronym for Create, Read, Update, Delete) are considered to be basic functions regarding stored data. In computer programming, possible actions are often mapped to these standard CRUD functions in order to clarify the actions. For example, standard HTTP(S) 70222188 actions GET and POST refer to Read and Create functions regarding stored data.

...

The classification of data in categories is an important pre-requisite for proper Authorization. Data can be classified in categories defining their type, location, sensitivity and protection level.  

...

The Data owner is the legal person Accountability 70222188 for the Confidentiality 70222188, Integrity 70222188, availability and accurate reporting of data. 

The Data Owner can be the Service Provider (role) 70222188. In this case, he is not only accountable for the availability of data, but also Responsibility 70222188.

...

Anchor
Delegation
Delegation
Delegation

...

In the iSHARE network, a delegated Service Consumer (role) 70222188 acts on behalf of an Entitled Party (role) 70222188.

...

Anchor
eIDAS
eIDAS
eIDAS

eIDAS is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. The regulation provides important aspects related to electronic transactions, such as qualified electronic certificates. 

...

The Entitled Party is the legal entity that has one or more rights to something, e.g. to data at a Service Provider (role) 70222188 that it has a legal agreement with. The Entitled Party is either the same entity as the Service Consumer (role) 70222188, or delegates its rights to another Service Consumer. In the latter case, this other Service Consumer('s machines and humans) can consume services on the Entitled Party's behalf.

The Entitled Party is a role for which iSHARE Adherence (iSHARE) 70222188 is REQUIRED.

...

Anchor
EORI
EORI
EORI

...

In the iSHARE network, the EORI number is used to uniquely identify legal persons. Note that non-European Community legal persons doing business in/with Europe also have an EORI.

Info
titleSource
EORI.eu


...

Anchor
HTTP(S)
HTTP(S)
HTTP(S)

HTTP stands for 'Hypertext Transfer Protocol', and when secured via TLS 70222188 or SSL it is referred to as HTTPS (HTTP Secure). It is a protocol for (secure) communication over a computer network and is widely used on the Internet. 

...

The Human Service Consumer is a role that represents a human (person) who requests, receives, and uses certain services, such as data, from a Service Provider (role) 70222188 on behalf of and authorized by the Service Consumer (role)70222188.

The Human Service Consumer is not a separate role, but belongs to the Adhering Party Service Consumer.

...

Identification is the process of someone or something claiming an identity by presenting characteristics called identity attributes. Such attributes include a name, user name, e-mail address, etc. The claimed identity can be validated (i.e. Authentication70222188) with the right credentials

...

Anchor
Identity Broker (role)
Identity Broker (role)
Identity Broker (role)

If multiple distinct Service Provider (role) 70222188 exist where each data set is protected under a distinct trust domain, multiple Identity Provider (role) 70222188 may be needed. Moreover, the iSHARE Scheme may require different Levels of assurance 70222188 for specific data and may wish to designate specific Identity Providers for specific services. 

In order to support multiple Identity Providers (with possible multiple rules) and Service Providers, an Identity Broker is required. An Identity Broker allows Human Service Consumer (role) 70222188 to select the Identity Provider they prefer to Authentication 70222188 themselves at. It prevents the need for a direct relationship between all Service Providers and all Identity Providers.

The Identity Broker is a role for which iSHARE Certification (iSHARE)70222188 is REQUIRED.

...

Anchor
Identity Provider (role)
Identity Provider (role)
Identity Provider (role)

The Identity Provider

In the iSHARE environment an Identity Provider could support various methods of Authentication 70222188, such as:

  • Password authentication;
  • Hardware-based authentication (e.g. smartcard, token);
  • Biometric authentication;
  • Attribute-based authentication.

Depending on parameters such as the quality of the registration process, quality of credentials, use of biometrics or multiple authentication factors and information security, an Identity Provider can provide a client with a high or low confidence in the claimed identity of the user which is known to the Identity Provider. This is also known as the Levels of assurance 70222188.

The Identity Provider is a role for which iSHARE Certification (iSHARE)70222188 is REQUIRED.

...

Anchor
Integrity
Integrity
Integrity

...

Integrity can be achieved by a.o. hash functions (hashing the received data and comparing it with the hash of the original message); the message the recipient receives from the sender can be proven not to have been changed during the transmission. 

...

Anchor
iSHARE Network
iSHARE Network
iSHARE Network

The iSHARE network is the collection of participants, satellites and data spaces that are established, maintained and governed accordingly with the iSHARE Trust Framework. The complete decentralised trust ecosystem that is established using the iSHARE Trust Standard for data sharing.

...

Anchor
JSON
JSON
JSON

JSON is short for 'JavaScript Object Notation' and is an open standard data format that does not depend on a specific programming language. This compact data format makes use of human-readable (easy to read) text to exchange data objects (structured data) between applications and for data storage.

...

A JSON Web Token (JWT) is used when Non-repudiation 70222188 between parties is required. A statement, of which the data is encoded in JSON 70222188, is digitally Signing 70222188 to protect the Authenticity 70222188 and Integrity 70222188 of the statement.

...

Anchor
Levels of assurance
Levels of assurance
Levels of Assurance (LoA)

Within online Authentication 70222188, depending on the authentication protocol used, the server is to some extend assured of the client's identity. Depending on parameters such as the quality of the registration process, quality of credentials, use of biometrics or multiple authentication factors and information security, an authentication protocol can provide a server with a high or low confidence in the claimed identity of the client. For low-interest products, a low certainty might be sufficient, while for sensitive data it is essential that a server is confident that the client's claimed identity is valid.

...

The Machine Service Consumer is a role that represents a machine that requests, receives, and uses certain services, such as data, from a Service Provider (role) 70222188 on behalf of and authorized by the Service Consumer (role) 70222188.

The Machine Service Consumer is not a separate role, but it belongs to the Adhering Party Service Consumer (role) 70222188.

...

Anchor
Non-repudiation
Non-repudiation
Non-repudiation

...

Non-repudiation is closely related to Authenticity 70222188 and can be achieved by digital Signing 70222188 in combination with message tracking.

...

OAuth is an open standard for Authorization which is used by i.e. Google, Facebook, Microsoft, Twitter etc. to let their users exchange information about their accounts with other applications or websites. OAuth is designed to work with HTTP(S) 70222188. Within iSHARE, a modified version of OAuth 2.0 is used.

Through OAuth users can authorize third party applications or websites to access their account information on other 'master' systems without the need of exchanging with them their Credentials 70222188 to login onto the platform. OAuth provides a 'secure delegated access' to resources (email accounts, pictures accounts, etc.) on behalf of the resource owner.

...

OpenID Connect (OIDC) is the authentication layer that is built on top of OAuth 70222188 2.0 protocol which is an authorization framework. The OIDC authentication layer allows clients to verify the ID and obtain basic profile information of their end-users

The authentication is performed by the authorization server (managing the access rights and conditions) in an interoperable and REST 70222188-like manner. Within iSHARE, OpenID Connect 1.0 is used.

...

Policy Decision Point. Entity that evaluates access requests that are received from the policy enforcement point (PEP70222188). Subsequently an answer is sent back to the PEP.

...

Policy Enforcement Point. Entity that determines whether an action is permitted or not. It takes any access requests and forwards these to the policy decision point (PDP70222188).

Anchor
PIP
PIP
PIP

Policy Information Point. Entity that holds policy information and is contacted as a source of information regarding Delegation 70222188/Authorization information.

...

Anchor
PKI
PKI
PKI (Public Key Infrastructure)

...

A PKI can be considered as a chain of certificates. At the beginning of the chain is the root 'Certificate Authority70222188' (CA), a public trusted party which is allowed to digitally Signing 70222188 their own certificates (SSC, self-signed certificate). This 'PKI Root 70222188 CA' distributes certificates and encryption keys to organisations. The certificate is signed by the 'root CA' as proof that the owner of the certificate is trusted. These organisations can start distributing certificates as well, if allowed by their root. They become CA's, and as such sign the certificates that they distribute. Repeating these steps, a chain of certificates is created, with each certificate signed by the CA who distributed the certificate. 

Parties need to trust a certificate for Authentication 70222188 purposes. Instead of trusting individual certificates of organisations, root certificates can be trusted. By trusting a root, all certificates that have the root within their PKI chains are automatically trusted. Most large root CA's are automatically trusted within web browsers, enabling computers to safely interact with most web servers. 

...

A PKI root is another term for root certificate, and stands for an unsigned or self-signed public key certificate that identifies the Certificate Authority, the party who is trusted by all members in the trust framework. The most common type of PKI certificates are based on the X.509 standard and normally include the digital signature of the Certificate Authority. The certificate authority issues digital certificates to all members in the trust framework.

...

There is a clear distinction between responsibility and Accountability 70222188.

Responsibility can be described as tasked with getting the job done. Someone or something who is responsible performs the actual work effort to meet a stated objective.

...

REST stands for 'Representational State Transfer' and is an architectural style for building systems and services, systems adhering to this architectural style are commonly referred to as 'RESTful systems'. REST itself is not a formal standard, but it is an architecture that applies various common technical standards such as HTTP(S 70222188, JSON 70222188 and URI.

A RESTful API 70222188 indicates that the API architecture follows REST 'constraints'. Constraints restrict the way that servers respond and process client requests, in order to preserve the design goals which are intended by applying REST. Goals of REST are, among others, performance and scalability. Both are of utmost importance in iSHARE.

...

The Scheme Owner represents the body that governs the iSHARE Scheme and its participants.

As part of the secondary use cases, parties will need to register themselves as certified or adhering at the Scheme Owner. They will also need to consult the Scheme Owner to check whether their counterparty is adherent or certified. 

...

The Service Consumer is the legal entity that consumes the Service Provider (role) 70222188's service on the basis of the Entitled Party (role) 70222188's rights to that service. It can do so because the Service Consumer is either the same legal entity as the Entitled Party (i.e. it already has these rights), or because the Entitled Party has delegated rights to the Service Consumer

The Service Consumer interacts with the Service Provider; in the form of a Machine Service Consumer (role) or Human Service Consumer (role)70222188 or 70222188.

The Service Consumer is a role for which iSHARE Adherence (iSHARE)70222188 is REQUIRED.

...

Anchor
Service Provider (role)
Service Provider (role)
Service Provider (role)

The Service Provider is a role that provides certain services, such as data, to a Service Consumer (role) 70222188. In case the service pertains to data provisioning, the Service Provider is either the Data Owner 70222188, or has explicit consent of the Data Owner to provide the services.

The Service Provider is Responsibility70222188 for the availability of services, and Accountability70222188 for these services if it is also the Data Owner.

The  Service Provider is a role for which iSHARE Adherence (iSHARE)70222188 is REQUIRED.

...

Anchor
Service provision
Service provision
Service provision

Service provision is the act of providing or supplying something for consumption or use. One of the most common forms of service provision is the Data exchange 70222188.

...

Anchor
Signing
Signing
Signing

Signing is the process of Encryption 70222188 data (message, document, transaction) with the private key of the sender. It enables a receiver to confirm the Authenticity 70222188 of the data. Signing also provides for Non-repudiation 70222188, so that it is ensured that a sender cannot deny having sent a message.

In most cases, a hash of the data is encrypted. Thus, both the Integrity 70222188 and the Authenticity 70222188 of the data can be verified. Confirmation takes place by the receiver using the public key of the sender. The public key is contained in the digital certificate that is sent by the sender along with the signed data. The association of the key pair with the sender MUST be assured by a Certificate Authority 70222188.

...

Anchor
Status Code
Status Code
Status Code / Response Code

After sending a HTTP(S) 70222188 request to a server, the server responds with (among others) a Status Code which indicates the outcome of the request made to the server. A well known response is 404 Not found, indicating that the requested location or resource is not (yet) found. 

...

TLS (Transport Layer Security) is a set of protocols that provides for secure communication in computer networks. TLS makes use of cryptography and is widely used by a variety of applications such as web browsing, email and voice-over-IP. Securing HTTP(S) 70222188 communication via (among others) TLS results in the HTTP(S) 70222188 protocol. Securing communication with TLS v1.2 is mandatory for all iSHARE communication.

...

Within iSHARE, Tokens are issued after successfully completing API 70222188 requests which are then used to process the next request. For example, to access a certain service, first an access token is required. Upon receiving this access token, it can be used to request the service itself.

...