Commit

Merge b04ecbf into e4b9beb
Stefan Wiedemann authored Jan 18, 2023
2 parents e4b9beb + b04ecbf commit 2261fcd
Showing 1 changed file with 10 additions and 8 deletions.
18 changes: 10 additions & 8 deletions README.md
@@ -142,9 +142,6 @@ into different **Distributed Ledgers / Blockchains**.






### Data Sovereignty and Trust


@@ -162,7 +159,9 @@ allowing European citizens and legal entities to use their national eIDs when ac
European countries. Additionally, regional certificates that match the requirements similar to eIDAS are legally recognized
for the purpose of digital signatures and can be added and made interoperable.

In addition to Keyrock, FIWARE also brings [VCBackend](https://github.com/FIWARE/VCBackend) and [VCWaltid](https://github.com/FIWARE/VCWaltid) to support [SIOP-2](https://openid.net/specs/openid-connect-self-issued-v2-1_0.html) and [OIDC4VP](https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0-07.html).

>:warning: Support for [SIOP-2](https://openid.net/specs/openid-connect-self-issued-v2-1_0.html) and [OIDC4VP](https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0-07.html) is currently under review and not yet part of the published building blocks.
#### Trusted exchange

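Review bot: the `>:warning:` blockquote added at the end of this hunk runs straight into the `#### Trusted exchange` heading with no blank line between them; add one so the admonition is clearly closed before the heading starts. The two spec links (SIOP-2 and OIDC4VP) are spelled out in full in both the new paragraph and the warning directly below it; the second occurrence can just name them. The OIDC4VP link also pins draft revision 07 of that specification (per the `-07` in the URL), so it would help to state explicitly which draft the VCBackend/VCWaltid integration follows.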
@@ -189,20 +188,21 @@ relation with the Scheme Owner, and can check at the Scheme Owner whether other
Access and usage control guarantees enforcement of data access and usage policies defined as part of the terms and conditions established
when data resources or services are published or negotiated between providers and consumers. An API proxy plays the role of the
Policy Enforcement Point (PEP) and requires an additional Policy Decision Point (PDP).
In the current release of i4Trust, [API Umbrella](https://github.com/FIWARE/api-umbrella) implements both PEP and PDP functionalities.
In the current release of i4Trust, PEP and PDP functionalities are provided via libraries in [lua](https://github.com/FIWARE/lua-fiware-lib). The libraries can be used to implement plugins for various api-gateways, with a solution for the [Kong API-Gateway](https://github.com/Kong/kong) already [implemented by FIWARE](https://github.com/FIWARE/kong-plugins-fiware).
The PDP functionality for authorization via VerifiableCredentials is provided as an additional component, the [DSBA-PDP](https://github.com/FIWARE/dsba-pdp) and can be integrated into the flow, using the same [Kong-Plugins](https://github.com/FIWARE/kong-plugins-fiware) as PEP.
The [DSBA-PDP](https://github.com/FIWARE/dsba-pdp) uses the [EBSI Trusted Issuers Registry API](https://api-pilot.ebsi.eu/docs/apis/trusted-issuers-registry/latest#/) for evaluating if an issuer is allowed to issue certain credentials. The PDP provides a compatibility mechanism to use the [iShare delegation endpoint](https://dev.ishare.eu/delegation/endpoint.html) as trusted issuers source. Additionally, the [iShare delegation endpoint](https://dev.ishare.eu/delegation/endpoint.html) is used to evaluate the actual policies referenced by the roles in the received credential.

In addition, [Keyrock](https://github.com/ging/fiware-idm) also implements Policy Administration Point (PAP) and Policy
Management Point (PMP) standard [XACML](https://en.wikipedia.org/wiki/XACML) functions.

For defining access policies, iSHARE brings the
[delegation evidence data model](https://dev.ishareworks.org/delegation/delegation-evidence.html) which is structured according
[delegation evidence data model](https://dev.ishare.eu/delegation/delegation-evidence.html) which is structured according
to a JSON port of
the XACML standard. A key functionality of iSHARE is delegating rights to another party, authorising them to act on your behalf.
In that sense, a delegation evidence expresses the delegation of rights from a delegator to the delegate . Rights are expressed in
rules in terms of allowed actions to be performed on resources, under the licenses as defined in policySets.



Authorization capabilities through the SIOP-2/OIDC4VP flow are provided by [VCBackend](https://github.com/FIWARE/VCBackend) and [VCWaltid](https://github.com/FIWARE/VCWaltid). The combination of both can be used as issuer of VerfiableCredentials and as a verifier, creating [JWT's](https://jwt.io/) to access the backend secured by the [Kong-PEP](https://github.com/FIWARE/kong-plugins-fiware) and the [DSBA-PDP](https://github.com/FIWARE/dsba-pdp). A minimal wallet for storing the credentials is provided by the [VCWallet](https://github.com/FIWARE/VCWallet).



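Review bot: typos in the paragraph added at the end of this hunk: "VerfiableCredentials" should be "VerifiableCredentials" and "JWT's" should be "JWTs"; in the sentence replacing the API Umbrella reference, "lua" and "api-gateways" should read "Lua" and "API gateways". The hunk also adds several consecutive blank lines before and after the new SIOP-2/OIDC4VP paragraph where one is enough. On substance, the DSBA-PDP paragraph states that the EBSI Trusted Issuers Registry is consulted to decide whether an issuer may issue a given credential and that the iSHARE delegation endpoint can alternatively serve as the trusted-issuer source; readers deploying this need to know which source is authoritative when both are configured, since that choice decides which issuers' credentials are accepted, so please document the precedence (or that they are mutually exclusive) here.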
@@ -265,8 +265,10 @@ These [instructions](https://github.com/i4Trust/tutorials/tree/main/PacketDelive
an environment of such a data service provider based on the following components:

- Orion Context Broker as NGSI API service provider
- API Umbrella as API PEP Proxy (and probably PDP)
- Kong as API PEP Proxy (and probably PDP)
- Keyrock as Identity Provider and Authorization Registry
- DSBA-PDP as PDP for VerifiableCredentials
- VCBackend and VCWaltid as credentials issuer and verifier
- Activation Service to allow external parties to create policies in the Authorization Registry
- Portal demo application as an example for a simple portal application allowing external users to login using
their Identity Provider and sending requests to the Orion Context Broker protected by API Umbrella
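Review bot: the component list now names Kong as the API PEP proxy, but the unchanged last bullet still says requests go to the Orion Context Broker "protected by API Umbrella"; update it to Kong so the list is consistent with the change. The "(and probably PDP)" qualifier carried over from the API Umbrella bullet is vague: this same diff states that PDP functionality comes from the Lua libraries (iSHARE policies) and from the DSBA-PDP bullet added right below (VerifiableCredentials), so say that instead of "probably".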

0 comments on commit 2261fcd
