Generic technical standards

This part of the iSHARE Trust Framework is normative; its requirement key words (MUST, MUST NOT, SHOULD, and so on) are used as defined in RFC 2119.

This chapter contains information on the generic technical standards that are applied in the iSHARE Scheme, relevant to all parties involved.

The iSHARE Trust Framework provides an API architecture that enables all parties involved to communicate directly. For interoperability, it builds on widely used open standards. Modified implementations of OAuth 2.0 and OpenID Connect 1.0 are used to support an ecosystem in which parties can interact with previously unknown parties; because pre-registration is therefore not a prerequisite, some deviations from the official standards are required. For the authentication of parties within an iSHARE context (data spaces/network), the framework also relies on PKI and digital certificates issued to all participating parties.

Technical standards used in iSHARE and configuration aspects

The iSHARE Trust Framework also prescribes various general interface specifications regarding Caching, Dates & Times, Party Identifiers, Response Codes and Web Server configuration. These are described in the following table and on the corresponding topic pages referred to in the table.


*BOLD: Contains specific iSHARE specifications

Technical standard | Character | Description
PKI | Architectural principle

Public Key Infrastructure

System for issuing and managing digital certificates. For authentication purposes, the iSHARE Trust Framework requires Adhering Parties and Certified Parties to obtain an X.509 certificate issued by a trusted root under certain PKIs (Public Key Infrastructures). For interoperability on a European scale, all trusted roots under the eIDAS regulation will be trusted within the data spaces/iSHARE network. Initially, however, this is limited to certificates issued under PKIoverheid.

OAuth 2.0 | Open standard for authentication

Authentication standard, used in the data spaces/iSHARE network to gain access to services through access tokens. The Trust Framework has modified the OAuth 2.0 standard to work without pre-registration. 

Pre-registration of clients MUST NOT be used. Certificate and status validation with the Satellite is sufficient for authentication purposes. If needed, clients can be registered after they have authenticated. To ensure security when dealing with unknown clients, the Trust Framework prescribes a whitelist of Certificate Authorities that MUST be used.

The OAuth 2.0 subpage also describes the generic Authentication flow.

OpenID Connect 1.0 | Open standard for authentication of humans

Authentication standard for the authentication of humans in an online context. It functions as an additional layer on top of the OAuth 2.0 protocol.
HTTP(S) | Communication protocol

HyperText Transfer Protocol (Secure)

Communication with the Satellite MUST be carried out over the HTTP protocol and secured through TLS 1.2, i.e. over HTTPS.

iSHARE authentication/authorisation data is generally transferred in HTTP headers. These headers can become very large when they carry multiple encrypted certificates or JWTs. iSHARE parties SHOULD configure their web servers to accept HTTP headers of 100K in length, to minimise the implementation impact on current services.

The most recent version of the HTTP specification can be found here.

An overview of relevant iSHARE HTTP response codes can be found here.

TLS | Cryptographic protocol

Transport Layer Security

Transport Layer Security (TLS) is a cryptographic protocol that provides communication security for computer networks. It is used to secure the HTTP protocol, resulting in HTTPS. Within the data spaces/iSHARE network, TLS 1.2 MUST be used to secure all HTTP communication.

For the most recent version of the specification click on this link.
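As an added illustration, not taken from the iSHARE framework or any of its reference implementations, the Go program below starts a local TLS server that applies the two requirements above (TLS 1.2 as the minimum protocol version and room for 100K request headers) and probes it with a constructed header that is first within and then beyond that budget; the helper and handler names are assumptions.

```go
package main

import (
	"crypto/tls"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxHeaderBytes is the 100K request-header budget the guidance asks web servers to accept.
const maxHeaderBytes = 100 * 1024
// okHandler stands in for an iSHARE service endpoint (constructed; not a real iSHARE API).
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// newISHAREServer (hypothetical helper) starts a local TLS test server configured as the
// guidance describes: TLS 1.2 as the minimum protocol version and 100K of header space.
func newISHAREServer(h http.Handler) *httptest.Server {
	srv := httptest.NewUnstartedServer(h)
	srv.Config.MaxHeaderBytes = maxHeaderBytes // Go's own default is 1 MB
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// probeHeaderSize sends one request whose single custom header is n bytes long and returns
// the status code: 200 within budget, 431 (Request Header Fields Too Large) beyond it.
func probeHeaderSize(srv *httptest.Server, n int) (int, error) {
	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return 0, err
	}
	// Constructed stand-in for a large Authorization header carrying certificates or JWTs.
	req.Header.Set("X-Constructed-Token", strings.Repeat("a", n))
	resp, err := srv.Client().Do(req) // srv.Client() already trusts the test certificate
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newISHAREServer(okHandler)
	defer srv.Close()
	within, _ := probeHeaderSize(srv, 80*1024)  // 200
	tooBig, _ := probeHeaderSize(srv, 110*1024) // 431
	println(within, tooBig)
}
```

Other web servers expose the same limit under their own names (nginx's large_client_header_buffers defaults to 8k, Apache's LimitRequestFieldSize to 8190 bytes), so the 100K budget has to be set explicitly rather than assumed.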

JSON | Open standard for file formatting

JavaScript Object Notation

JSON is an open standard data format that does not depend on a specific programming language. This compact format uses human-readable text to exchange data objects (structured data) between applications and to store data.

Within the data spaces/iSHARE network, JSON is used as the data structuring standard for communication. For the most recent version of the JSON specification click on this link.

JSON Web Token (JWT) | Open standard for definition of access tokens

JSON Web Token

A JSON Web Token (JWT) is used in the data spaces/iSHARE network when non-repudiation between parties is required. A statement whose data is encoded in JSON is digitally signed to protect the authenticity and integrity of the statement.

All JWTs MUST be signed according to the JWS specification.
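The following Go example is added here and is not iSHARE's own code. It shows the JWS compact serialization this row refers to: a JSON statement is signed with RS256 (an RSA-with-SHA-256 choice assumed here; the text only requires JWS) and then verified with the signer's public key, so that a changed header or payload, an alg of "none", or a signature made with another key is rejected. Function names and claim values are constructed; binding the public key to the signer's X.509 certificate is out of scope.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses base64url without padding

// signStatement wraps claims in a JWS compact serialization (a JWT) signed with RS256.
func signStatement(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of header.payload
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyStatement checks the signature with the signer's public key and returns the claims;
// a modified header, payload or signature, or any alg other than RS256 (such as "none"), is rejected.
func verifyStatement(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed JOSE header or unsupported alg")
	}
	sig, _ := b64.DecodeString(parts[2]) // undecodable signature bytes simply fail verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify: " + err.Error())
	}
	var claims map[string]any // decode the payload only after the signature over it has been checked
	err := json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(parts[1]))).Decode(&claims)
	return claims, err
}
```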

XACML 3.0 | Access control policy language

eXtensible Access Control Markup Language

Standard for defining authorisation policies. Within the data spaces/iSHARE network, a JSON port of XACML 3.0 is used so that parties can exchange delegation evidence.

For the most recent version of the specification click on this link.