DISCLAIMER: all descriptions are definitions written by iSHARE, unless specified otherwise
ABAC (Attribute-Based Access Control) is assigning authorizations based on attributes (contextual pieces of information that are relevant to an access decision, such as device type, RBAC role, time, location, or CRUD level). The attributes can be associated with all entities that are involved with certain actions, such as the subject, the object, the action itself and the context (e.g. time, location). The attributes are compared with policies to decide which actions are allowed in which context, granting access based on the policy outcomes.
There is a clear distinction between accountability and Responsibility.
Accountability can be described as being liable or answerable for the completion of a certain task. Someone or something who is accountable oversees and manages the stakeholder(s) who are responsible for performing the work effort. In order to be effective, accountability should lie with a sole entity or role.
Responsibility may be delegated, but accountability cannot.
An API (Application Programming Interface) is a technical interface, consisting of a set of protocols and data structuring standards ('API specifications'), which enables computer systems to communicate directly with each other. Data or services can be requested directly from a server by adhering to these protocols. APIs hide the full complexity of software and make it easy for third parties to use parts of a software system or data service. APIs are primarily meant for developers, making it easier to build new applications on top of existing ones.
Authentication is the process of determining or validating whether someone or something is, in fact, who or what it is claiming to be. There are several means of authenticating the identity of an entity, which can be used alone or in combination:
- Something the entity knows – examples include a password, PIN, passphrase, or answer to a secret question;
- Something the entity possesses – examples include electronic keycard, smartcard, token, and smartphone;
- Something the entity is (biometrics) – examples include recognition by fingerprint, retina, iris, and face;
- Something the entity does (behavioral dynamics) – examples include recognition by voice pattern, swipe characteristics, handwriting characteristics, and typing rhythm;
- Something about the context of the entity – examples include IP address, device type, geolocation, and time of day.
In the context of information security, authenticity refers to the truthfulness of information and to whether it was in fact sent or created by the sender it claims to come from.
Authenticity can be achieved by digitally Signing a message with the private key of the sender. The recipient can verify the digital signature with the matching public key. The binding between a public key and its owner is attested by a certificate issued by a Certificate Authority; the certificate contains only the public key, while the private key stays with (and is known only to) the sender.
Authorization is the process of giving someone or something permission to something, for example to access to services, data or other functionalities. Authorization is enabled by Authentication. Policies and attributes determine what types of activities are permitted by an entity.
Authorization Registry (role)
The Authorization Registry:
Within the iSHARE Scheme, the term Authorization Registry always refers to an external Authorization Registry (not part of the Service Provider (role) or Entitled Party (role)).
The Authorization Registry is a role for which iSHARE Certification (iSHARE) is REQUIRED.
Web servers can temporarily store data in order to enable faster access to this data at a later moment, this is called 'caching'.
A Certificate Authority (CA) is:
- An entity that issues digital certificates;
- A trusted party, and;
- Responsible for the binding to a specific entity of the certificate (registration & issuance).
A digital certificate certifies the ownership of a public key by the named subject of the certificate, so other parties can rely upon signatures or assertions made with the private key that corresponds to the certified public key.
A Registration Authority verifies the identity of entities requesting digital certificates to be issued by the CA and validates the correctness of the registration.
A Validation Authority verifies the validity of digital certificates on behalf of the CA.
Roles for which certification is required facilitate certain functions for the iSHARE Scheme that every party within iSHARE must be able to rely upon. An iSHARE Certified Party MUST apply to the Scheme Owner (role) for certification and, after providing sufficient proof, MUST sign a certification agreement with the Scheme Owner (role).
In the context of information security, confidentiality refers to the protection of information from disclosure to unauthorized parties.
Confidentiality can be achieved by the use of cryptography (Encryption) as well as access control; an encrypted message can be read only by parties holding the decryption key, i.e. the legitimate sender and recipient. Note that encryption prevents unauthorized reading but does not by itself prove that nobody else has read the message; that assurance depends on the keys having been kept secret.
In the context of information security, credentials are used to control access of someone or something to something, for example to services, data or other functionalities. The right credentials validate (i.e. Authentication) the identity claimed during Identification.
The best-known example of credentials is a password, but other forms include electronic keycards, biometrics and, for machines, public key certificates.
CRUD (acronym for Create, Read, Update, Delete) denotes the basic functions on stored data. In computer programming, possible actions are often mapped onto these standard CRUD functions to clarify what an action does. For example, the HTTP(S) methods GET and POST correspond to the Read and Create functions on stored data, and PUT/PATCH and DELETE to Update and Delete.
The classification of data in categories is an important pre-requisite for proper Authorization. Data can be classified in categories defining their type, location, sensitivity and protection level.
Clustering data in categories does not only simplify the authorization process (i.e. giving someone or something permission to data), it also provides a clear overview and lowers the risk of exchanging sensitive data with unauthorized entities. A risk analysis is part of the data classification process.
Data exchange is the process of supplying data and receiving (an)other (set of) data in return.
The Data Owner is the legal person that has Accountability for the Confidentiality, Integrity, availability and accurate reporting of data.
The Data Owner can be the Service Provider (role). In that case, it is not only accountable for the availability of data, but also has the Responsibility for it.
Delegation is the act of empowering someone or something to act for another or to represent other(s).
In the iSHARE network, a delegated Service Consumer (role) acts on behalf of an Entitled Party (role).
eIDAS is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. The regulation provides important aspects related to electronic transactions, such as qualified electronic certificates.
Encryption is the process of converting data from plaintext to ciphertext. Plaintext (also called cleartext) represents data in its original (readable) format, whereas ciphertext (also called cryptogram) represents data in encrypted (unreadable) format.
Decryption is the process of converting data from ciphertext to plaintext.
The algorithm is the function (the defined set of operations) used in the encryption and decryption process.
A cryptographic key is the input that controls the operation of the cryptographic algorithm. With symmetric encryption the same key is used for encryption and decryption, whereas with asymmetric encryption two different but mathematically related keys are used, a so-called public key and a private key, one for encryption and the other for decryption.
A crypto system represents the entire cryptographic environment, including hardware, software, keys, algorithms and procedures.
Entitled Party (role)
The Entitled Party is the legal entity that has one or more rights to something, e.g. to data at a Service Provider (role) that it has a legal agreement with. The Entitled Party is either the same entity as the Service Consumer (role), or delegates its rights to another Service Consumer. In the latter case, this other Service Consumer('s machines and humans) can consume services on the Entitled Party's behalf.
The Entitled Party is a role for which iSHARE Adherence (iSHARE) is REQUIRED.
An EORI (Economic Operator Registration and Identification) is an identification number, unique throughout the European Community, assigned by a customs authority or designated authority in a Member State to economic operators and other persons, and valid throughout the Community.
The format of the EORI number consists of a country code followed by a unique code established within an EU member state. For example, in the Netherlands the EORI consists of NL followed by an RSIN (Rechtspersonen en Samenwerkingsverbanden Identificatienummer). If the RSIN has fewer than 9 digits, it is prefixed with zeros so that the EORI always contains 9 digits after NL.
In the iSHARE network, the EORI number is used to uniquely identify legal persons. Note that non-European Community legal persons doing business in/with Europe also have an EORI.
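Because a Dutch EORI may appear with or without the leading zeros, two strings that denote the same legal person can differ byte for byte, which matters wherever an EORI is used as a lookup key (delegation tables, certificates, policies). The following Go code is an added example, not part of the iSHARE glossary or any iSHARE software: it parses the country code and national part, applies the NL zero-padding described above, and compares identifiers in canonical form. The general EORI shape it checks (two-letter country code plus at most 15 alphanumeric characters) and the function names are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// EORI splits the identifier into the ISO country code of the issuing member
// state and the national number that state defines.
type EORI struct {
	Country  string
	National string
}

// Assumed general shape: two-letter country code followed by at most 15
// alphanumeric characters (17 characters in total).
var eoriRe = regexp.MustCompile(`^([A-Z]{2})([A-Z0-9]{1,15})$`)

// ParseEORI accepts the identifier case-insensitively and ignores surrounding whitespace.
func ParseEORI(s string) (EORI, error) {
	m := eoriRe.FindStringSubmatch(strings.ToUpper(strings.TrimSpace(s)))
	if m == nil {
		return EORI{}, fmt.Errorf("not a well-formed EORI: %q", s)
	}
	return EORI{Country: m[1], National: m[2]}, nil
}

// NormalizeNL builds the Dutch form described on the page: "NL" followed by the
// RSIN, left-padded with zeros to 9 digits.
func NormalizeNL(rsin string) (string, error) {
	if len(rsin) == 0 || len(rsin) > 9 {
		return "", errors.New("RSIN must be 1 to 9 digits")
	}
	for _, c := range rsin {
		if c < '0' || c > '9' {
			return "", errors.New("RSIN must be numeric")
		}
	}
	return "NL" + strings.Repeat("0", 9-len(rsin)) + rsin, nil
}

// Canonical returns the form to store and compare: zero-padded for NL, upper-cased
// and trimmed for every other issuing state. Comparing raw strings would treat
// "NL1234567" and "NL001234567" as different legal persons.
func Canonical(s string) (string, error) {
	e, err := ParseEORI(s)
	if err != nil {
		return "", err
	}
	if e.Country == "NL" {
		return NormalizeNL(e.National)
	}
	return e.Country + e.National, nil
}

// SameOrganisation reports whether two identifiers denote the same legal person.
func SameOrganisation(a, b string) bool {
	ca, errA := Canonical(a)
	cb, errB := Canonical(b)
	return errA == nil && errB == nil && ca == cb
}
```

Canonicalise once at the system boundary (when a counterparty's identifier is read from a certificate, token or registry) and use only the canonical form internally; otherwise an entitlement registered under `NL001234567` silently fails to match a request carrying `NL1234567`.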
HTTP stands for 'Hypertext Transfer Protocol'; when secured via TLS (or its deprecated predecessor SSL) it is referred to as HTTPS (HTTP Secure). It is a protocol for (secure) communication over a computer network and is widely used on the Internet.
Human Service Consumer (role)
The Human Service Consumer is a role that represents a human (person) who requests, receives, and uses certain services, such as data, from a Service Provider (role) on behalf of and authorized by the Service Consumer (role).
The Human Service Consumer is not a separate role, but belongs to the Adhering Party Service Consumer.
Identification is the process of someone or something claiming an identity by presenting characteristics called identity attributes. Such attributes include a name, user name, e-mail address, etc. The claimed identity can be validated (i.e. Authentication) with the right credentials.
Identity Broker (role)
If multiple distinct Service Providers (role) exist, each protecting its data set under a distinct trust domain, multiple Identity Providers (role) may be needed. Moreover, the iSHARE Scheme may require different Levels of assurance for specific data and may wish to designate specific Identity Providers for specific services.
In order to support multiple Identity Providers (possibly with different rules) and multiple Service Providers, an Identity Broker is required. An Identity Broker allows a Human Service Consumer (role) to select the Identity Provider they prefer to authenticate (Authentication) with. It removes the need for a direct relationship between every Service Provider and every Identity Provider.
The Identity Broker is a role for which iSHARE Certification (iSHARE) is REQUIRED.
Identity Provider (role)
The Identity Provider:
In the iSHARE environment an Identity Provider could support various methods of Authentication, such as:
- Password authentication;
- Hardware-based authentication (e.g. smartcard, token);
- Biometric authentication;
- Attribute-based authentication.
Depending on parameters such as the quality of the registration process, quality of credentials, use of biometrics or multiple authentication factors and information security, an Identity Provider can provide a client with a high or low confidence in the claimed identity of the user which is known to the Identity Provider. This is also known as the Levels of assurance.
The Identity Provider is a role for which iSHARE Certification (iSHARE) is REQUIRED.
In the context of information security, integrity refers to the protection of information from being modified by unauthorized parties.
Integrity can be achieved by, among others, hash functions (hashing the received data and comparing it with the hash of the original message), so that the recipient can detect whether the message was changed during transmission. Note that a bare hash only detects accidental corruption: an attacker who can replace the message can replace the hash as well, so the hash itself must be protected, e.g. by a digital signature (Signing) or a keyed MAC.
JSON (JavaScript Object Notation) is a lightweight, text-based data interchange format. It is most commonly used for asynchronous communication between browsers and servers.
A JSON Web Token (JWT) is used when Non-repudiation between parties is required. A statement whose data is encoded in JSON is digitally signed (Signing) to protect the Authenticity and Integrity of the statement; the resulting token consists of a header, the JSON payload and the signature, each base64url-encoded and separated by dots.
Levels of Assurance (LoA)
Within online Authentication, depending on the authentication protocol used, the server is to some extent assured of the client's identity. Depending on parameters such as the quality of the registration process, quality of credentials, use of biometrics or multiple authentication factors and information security, an authentication protocol can provide a server with a high or low confidence in the claimed identity of the client. For low-interest products, a low certainty might be sufficient, while for sensitive data it is essential that a server is confident that the client's claimed identity is valid.
Machine Service Consumer (role)
The Machine Service Consumer is a role that represents a machine that requests, receives, and uses certain services, such as data, from a Service Provider (role) on behalf of and authorized by the Service Consumer (role).
The Machine Service Consumer is not a separate role, but it belongs to the Adhering Party Service Consumer (role).
In the context of information security, non-repudiation (Dutch 'onweerlegbaarheid') refers to the fact that the sending (or broadcast) and receipt of the message cannot be denied by either of the involved parties (sender and recipient).
Non-repudiation is closely related to Authenticity and can be achieved by digital Signing in combination with message tracking.
OAuth is an open standard for Authorization which is used by, e.g., Google, Facebook, Microsoft and Twitter to let their users share information about their accounts with other applications or websites. OAuth is designed to work with HTTP(S). Within iSHARE, a modified version of OAuth 2.0 is used.
Through OAuth users can authorize third party applications or websites to access their account information on other 'master' systems without the need of exchanging with them their Credentials to login onto the platform. OAuth provides a 'secure delegated access' to resources (email accounts, pictures accounts, etc.) on behalf of the resource owner.
It specifies a method for resource owners to authorize third parties access to their resources without exchanging their credentials (username, password). Authorization servers (of the platform) issue access tokens to third party clients (applications or websites) with the approval of the resource owner (= end user). The third party client needs the access token to get access to the resources that are stored on the resource server (of the master system).
The OIN format is used to uniquely identify organisations. OIN stands for Organization Identifying Number. An OIN consists of the following concatenated elements:
- An 8-digit prefix that tells the register where the number is defined (e.g. Chamber of Commerce, RSIN etc.)
- A number whose value depends on the register
OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2.0 protocol, which itself is an authorization framework. The OIDC authentication layer allows clients to verify the identity of their end-users and to obtain basic profile information about them.
The authentication is performed by the authorization server (which manages the access rights and conditions) in an interoperable, REST-like manner. Within iSHARE, OpenID Connect 1.0 is used.
Policy Decision Point. Entity that evaluates access requests received from the policy enforcement point (PEP) against the applicable policies, and returns the decision (permit or deny) to the PEP.
Policy Enforcement Point. Entity that intercepts access requests, forwards them to the policy decision point (PDP), and enforces the decision it receives: it lets the action through only if the PDP permits it, and makes no access decision of its own.
Policy Information Point. Entity that holds policy information and is contacted by the PDP as a source of Delegation/Authorization information, i.e. the attributes needed to evaluate a policy.
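To make the division of labour between PEP, PDP and PIP concrete, and to show how the ABAC attributes (subject, object, action, context) and a Delegation are combined into one decision, here is an added example in Go. It is illustrative code written for this glossary, not iSHARE's own software or authorization registry: the attribute names ("org", "role", "owner", "classification", "device", "hour"), the two policies, the in-memory delegation table and the EORI values are all constructed for the example. The PDP applies deny-overrides with default deny, and a consumer that the PIP reports as acting under delegation is evaluated as the Entitled Party it represents.

```go
package main

import (
	"fmt"
	"strconv"
)

// Request carries the attributes the PDP compares against policy: the subject (who asks),
// the object (what is asked for), the CRUD action and the context. The attribute names
// are assumptions for this example, not an iSHARE schema.
type Request struct {
	Subject map[string]string // "org" (EORI of the consumer), "role"
	Object  map[string]string // "owner" (EORI of the entitled party), "classification"
	Action  string            // "Create", "Read", "Update" or "Delete"
	Context map[string]string // "device", "hour"
}

// Policy is one rule; every listed condition must hold for the rule to apply.
type Policy struct {
	Effect    string            // "permit" or "deny"
	Actions   map[string]bool   // nil means any action
	Subject   map[string]string // required subject attributes
	Object    map[string]string // required object attributes
	OwnerOnly bool              // object owner must equal the effective subject org
	Context   func(ctx map[string]string) bool
}

// PIP: the source the PDP consults for delegation information; here a constructed
// in-memory table from a delegated Service Consumer to the Entitled Party.
type PIP struct{ delegations map[string]string }

// PDP: evaluates a request against the policies (deny overrides, default deny).
type PDP struct{ policies []Policy; pip PIP }

func (d PDP) Decide(r Request) string {
	// A consumer acting under delegation is evaluated as the Entitled Party itself.
	effective := r.Subject["org"]
	if ep, ok := d.pip.delegations[effective]; ok {
		effective = ep
	}
	permitted := false
	for _, p := range d.policies {
		if !applies(p, r, effective) {
			continue
		}
		if p.Effect == "deny" {
			return "deny" // one matching deny rule settles the outcome
		}
		permitted = true
	}
	if permitted {
		return "permit"
	}
	return "deny" // nothing permitted the action: default deny
}

func applies(p Policy, r Request, effective string) bool {
	if p.Actions != nil && !p.Actions[r.Action] {
		return false
	}
	for k, want := range p.Subject {
		if r.Subject[k] != want {
			return false
		}
	}
	for k, want := range p.Object {
		if r.Object[k] != want {
			return false
		}
	}
	if p.OwnerOnly && r.Object["owner"] != effective {
		return false
	}
	return p.Context == nil || p.Context(r.Context)
}

// PEP: intercepts the request, forwards it to the PDP and enforces the answer;
// it makes no access decision of its own.
type PEP struct{ pdp PDP }

func (e PEP) Enforce(r Request) error {
	if e.pdp.Decide(r) != "permit" {
		return fmt.Errorf("%s on data of %s denied by policy", r.Action, r.Object["owner"])
	}
	return nil
}

// NewPEP wires a constructed policy set and delegation table together.
func NewPEP() PEP {
	businessHours := func(ctx map[string]string) bool {
		h, err := strconv.Atoi(ctx["hour"])
		return err == nil && h >= 8 && h < 18
	}
	policies := []Policy{
		{Effect: "permit", Actions: map[string]bool{"Read": true, "Update": true},
			Subject: map[string]string{"role": "planner"}, OwnerOnly: true, Context: businessHours},
		{Effect: "deny", Object: map[string]string{"classification": "confidential"},
			Context: func(ctx map[string]string) bool { return ctx["device"] == "mobile" }},
	}
	delegations := map[string]string{"NL000000002": "NL000000001"} // constructed EORIs
	return PEP{pdp: PDP{policies: policies, pip: PIP{delegations}}}
}
```

With this wiring, a planner at NL000000002 reading NL000000001's internal data from a laptop at 10:00 is permitted (the PIP resolves the delegation, so the owner check passes), the same request from a mobile device for confidential data is denied by the deny rule even though the permit rule also matches, and an organisation without a delegation, a request at 22:00, or a Delete are all denied because no rule permits them.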
PKI (Public Key Infrastructure)
A PKI is a system for distribution and management of digital keys and certificates, which enables secure authentication of parties interacting with each other.
Generally, three different methods exist for creating trust within PKIs. These are through 'Certificate Authorities', 'Web of Trust' and 'Simple PKI'. Within iSHARE the 'Certificate Authority' approach is used, and as such the other methods will not be discussed.
A PKI can be considered as a chain of certificates. At the beginning of the chain is the root 'Certificate Authority' (CA), a publicly trusted party whose own certificate is self-signed (SSC, self-signed certificate). This 'PKI Root CA' issues certificates to organisations: in a properly run PKI the organisation generates its own key pair and never shares the private key, and the CA signs a certificate binding the organisation's public key to it as proof that the certificate's owner is trusted. These organisations can start issuing certificates as well, if allowed by their root. They become (intermediate) CAs and sign the certificates they issue. Repeating these steps creates a chain of certificates, with each certificate signed by the CA that issued it.
Parties need to trust a certificate for Authentication purposes. Instead of trusting individual certificates of organisations, root certificates can be trusted. By trusting a root, all certificates that have the root within their PKI chains are automatically trusted. Most large root CAs are automatically trusted within web browsers, enabling computers to safely interact with most web servers.
A PKI root is another term for root certificate, and stands for an unsigned or self-signed public key certificate that identifies the Certificate Authority, the party who is trusted by all members in the trust framework. The most common type of PKI certificates are based on the X.509 standard and normally include the digital signature of the Certificate Authority. The certificate authority issues digital certificates to all members in the trust framework.
Role-Based Access Control. Assigning authorizations through business roles. An RBAC role represents a set of tasks or activities translated into authorizations, reflecting one or more of the following:
- Organisational structure
- Business processes
- Policies (rules)
RBAC authorizations can either give access to the front door of the information system or can be translated to access rights within the information system (often through application roles or groups).
There is a clear distinction between responsibility and Accountability.
Responsibility can be described as tasked with getting the job done. Someone or something who is responsible performs the actual work effort to meet a stated objective.
Responsibility may be delegated, but accountability cannot.
REST stands for 'Representational State Transfer' and is an architectural style for building systems and services; systems adhering to this style are commonly referred to as 'RESTful systems'. REST itself is not a formal standard, but an architecture that applies various common technical standards such as HTTP(S), JSON and URI.
A RESTful API indicates that the API architecture follows REST 'constraints'. Constraints restrict the way that servers respond and process client requests, in order to preserve the design goals which are intended by applying REST. Goals of REST are, among others, performance and scalability. Both are of utmost importance in iSHARE.
A scheme can be defined as a collaborative effort to establish and maintain a set of agreements, to achieve a common goal.
iSHARE is a scheme with common goals. Other schemes include credit card schemes such as MasterCard and Visa, payment scheme iDEAL and identity scheme eHerkenning.
Scheme Administrator (role)
The Scheme Administrator is a legal entity, approved by the Scheme Owner, that is responsible for assessing, certifying and admitting new parties to the iSHARE Scheme.
As part of the secondary use cases, parties will need to register themselves as certified or adhering with a Scheme Administrator.
Scheme Owner (role)
The Scheme Owner represents the body that governs the iSHARE Scheme and its participants.
As part of the secondary use cases, parties will need to register themselves as certified or adhering at the Scheme Owner. They will also need to consult the Scheme Owner to check whether their counterparty is adherent or certified.
Service Consumer (role)
The Service Consumer is the legal entity that consumes the Service Provider (role)'s service on the basis of the Entitled Party (role)'s rights to that service. It can do so because the Service Consumer is either the same legal entity as the Entitled Party (i.e. it already has these rights), or because the Entitled Party has delegated rights to the Service Consumer.
The Service Consumer interacts with the Service Provider; in the form of a Machine Service Consumer (role) or Human Service Consumer (role).
The Service Consumer is a role for which iSHARE Adherence (iSHARE) is REQUIRED.
Service Provider (role)
The Service Provider is a role that provides certain services, such as data, to a Service Consumer (role). In case the service pertains to data provisioning, the Service Provider is either the Data Owner, or has explicit consent of the Data Owner to provide the services.
The Service Provider has the Responsibility for the availability of services, and the Accountability for these services if it is also the Data Owner.
The Service Provider is a role for which iSHARE Adherence (iSHARE) is REQUIRED.
Service provision is the act of providing or supplying something for consumption or use. One of the most common forms of service provision is the Data exchange.
Signing is the process of producing a digital signature over data (a message, document or transaction) with the private key of the sender; with RSA this is often described as 'encrypting' the data with the private key. It enables a receiver to confirm the Authenticity of the data. Signing also provides for Non-repudiation, so that a sender cannot deny having sent a message.
In practice the signature is computed over a hash of the data rather than over the data itself. Thus both the Integrity and the Authenticity of the data can be verified. Verification is done by the receiver using the public key of the sender. The public key is contained in the digital certificate that the sender sends along with the signed data. The association of the key pair with the sender MUST be assured by a Certificate Authority; a receiver should therefore validate the certificate chain, not merely the signature, before trusting the signer's identity.
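The entries on Authenticity, Integrity, JSON Web Token and Signing all describe the same mechanism from different angles: hash the statement, sign the hash with the sender's private key, and let the receiver check the signature with the public key. The Go code below is an added example written for this glossary, not iSHARE's own implementation, and it deliberately stops short of the certificate-chain validation the text requires (it takes a bare public key, which in iSHARE would come out of the sender's CA-issued certificate). It builds and verifies a compact RS256 JWT using only the Go standard library, and shows that a payload altered after signing is rejected, as is a token signed with a different key. The claim names and EORI values are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the JSON-encoded statement the token carries.
type Claims map[string]interface{}

var enc = base64.RawURLEncoding // JWT uses base64url without padding

// GenerateKey creates the sender's key pair; in iSHARE the public half would be
// bound to the sender by a certificate from a Certificate Authority.
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign builds a compact JWT (header.payload.signature) with RS256: the signing
// input is hashed with SHA-256 and the hash is signed with the private key.
func Sign(claims Claims, priv *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// Verify recomputes the hash over header.payload and checks the signature with
// the sender's public key. It pins the expected algorithm rather than trusting
// the token's own "alg" header, and returns claims only from a token that proved intact.
func Verify(token string, pub *rsa.PublicKey) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature invalid: token altered or signed with another key")
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims Claims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Tamper swaps in a different payload while keeping the original signature,
// the kind of alteration a verifier must reject.
func Tamper(token string, claims Claims) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(claims)
	return parts[0] + "." + enc.EncodeToString(payload) + "." + parts[2]
}

func main() {
	priv, _ := GenerateKey()
	// Constructed claims; the identifiers follow the EORI form used on the page.
	tok, _ := Sign(Claims{"iss": "NL000000001", "sub": "NL000000002", "scope": "read"}, priv)
	_, err := Verify(tok, &priv.PublicKey)
	fmt.Println("genuine token:", err) // <nil>
	_, err = Verify(Tamper(tok, Claims{"scope": "write"}), &priv.PublicKey)
	fmt.Println("tampered token:", err) // signature invalid
}
```

Two design choices are worth copying: the verifier decides which algorithm it accepts instead of reading it from the untrusted header (a token claiming `"alg":"none"` or an HMAC algorithm is rejected before any cryptography runs), and the claims are decoded only after the signature has been checked, so unverified data never reaches application logic.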
Status Code / Response Code
After sending a HTTP(S) request to a server, the server responds with (among others) a Status Code which indicates the outcome of the request made to the server. A well known response is 404 Not found, indicating that the requested location or resource is not (yet) found.
TLS (Transport Layer Security) is a set of protocols that provides secure communication in computer networks. TLS makes use of cryptography and is widely used by a variety of applications such as web browsing, email and voice-over-IP. Securing HTTP communication via TLS results in the HTTPS protocol. Securing communication with TLS v1.2 is mandatory for all iSHARE communication.
A token is something that serves as a verifiable representation of some fact, e.g. an identity or entitlement.
Within iSHARE, tokens are issued after successfully completing API requests and are then used to process the next request. For example, to access a certain service, first an access token is required; once received, the access token is presented with the request for the service itself.