EC-SEAL / request-manager


feature: #22

Open faragom opened 3 years ago

faragom commented 3 years ago

Representing a link as an attribute

For the release of the linking information, we need a text one-line representation of the link between two identities. Unfortunately, it is a complex set of data, involving two identities and a link-level of assurance. We propose a structured URI definition that will uniquely represent the two involved identities, the link issuer and the asserted level of assurance of the link. These are the needed fields to build the link attribute, all extracted from fields of the object in the dataStore.

To canonicalise the link objects and to ensure the commutative property of the link (identityA <-> identityB == identityB <-> identityA), a link object will always be built following this algorithm:

# Extract the raw subject/issuer values first; they are needed for the comparison below.
subjectA = linkRequest.datasetA.attributes[linkRequest.datasetA.subjectId][0]
issuerA = linkRequest.datasetA.attributes[linkRequest.datasetA.issuerId][0]
subjectB = linkRequest.datasetB.attributes[linkRequest.datasetB.subjectId][0]
issuerB = linkRequest.datasetB.attributes[linkRequest.datasetB.issuerId][0]

if subjectA < subjectB:  # Alphabetic order
    identityA_goes_first = True
elif subjectA > subjectB:  # Alphabetic order
    identityA_goes_first = False
else:  # subjectA == subjectB: the issuer breaks the tie (A first on a full tie)
    identityA_goes_first = issuerA <= issuerB

if identityA_goes_first:
    SubjectA, IssuerA = subjectA, issuerA
    SubjectB, IssuerB = subjectB, issuerB
else:  # identityB goes first
    SubjectA, IssuerA = subjectB, issuerB
    SubjectB, IssuerB = subjectA, issuerA

The final URI string will be formed as stated below:

f"urn:mace:project-seal.eu:link:{LinkIssuerId}:{LLoA}:{SubjectA}:{IssuerA}:{SubjectB}:{IssuerB}"

Example (plain):

urn:mace:project-seal.eu:link:project-seal.eu_automatedLink:low:GR/ES/12345678A:eIDAS_ES:someone@university.gr:EduGAIN_university.gr

Example (encoded):

urn:mace:project-seal.eu:link:project-seal.eu_automatedLink:low:GR%2FES%2F12345678A:eIDAS_ES:someone%40university.gr:EduGAIN_university.gr
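
The canonical ordering and URI construction above, carried through as a runnable example. This is added illustration, not code from the request-manager project: the `Identity` type and the function names are assumptions, the sample values are the ones from the example in the issue, and percent-encoding with `quote(..., safe="")` is the encoding choice that reproduces the encoded example (it also escapes `:`, so a subject or issuer containing the field delimiter cannot shift the six fields). The parser checks that exactly six fields come back, which is the check a consumer of the attribute should make before trusting any of them.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import quote, unquote

LINK_URN_PREFIX = "urn:mace:project-seal.eu:link:"


@dataclass(frozen=True)
class Identity:
    """One side of a link: subject identifier plus the issuer that asserted it.
    Hypothetical helper type; the real request-manager reads these values
    from the dataSet attributes stored in the dataStore."""
    subject: str
    issuer: str


def canonical_order(a: Identity, b: Identity) -> tuple[Identity, Identity]:
    """Return (first, second) so the result is the same for (a, b) and (b, a).
    Subjects are compared first; equal subjects fall back to the issuer,
    exactly as the algorithm in the issue describes."""
    if a.subject < b.subject:
        return a, b
    if a.subject > b.subject:
        return b, a
    # Subject tie: the issuer decides; '<=' keeps a first on a full tie.
    return (a, b) if a.issuer <= b.issuer else (b, a)


def build_link_urn(link_issuer_id: str, lloa: str, a: Identity, b: Identity) -> str:
    """Build the one-line link attribute from the link issuer, the LLoA and two identities."""
    first, second = canonical_order(a, b)
    parts = [link_issuer_id, lloa, first.subject, first.issuer, second.subject, second.issuer]
    # safe="" percent-encodes every reserved character: '/' and '@' as in the
    # encoded example, and also ':' so a value can never look like a field boundary.
    return LINK_URN_PREFIX + ":".join(quote(p, safe="") for p in parts)


def parse_link_urn(urn: str) -> tuple[str, str, Identity, Identity]:
    """Inverse of build_link_urn; rejects anything that is not exactly six fields."""
    if not urn.startswith(LINK_URN_PREFIX):
        raise ValueError("not a project-seal.eu link URN")
    fields = urn[len(LINK_URN_PREFIX):].split(":")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    link_issuer_id, lloa, sa, ia, sb, ib = (unquote(f) for f in fields)
    return link_issuer_id, lloa, Identity(sa, ia), Identity(sb, ib)


if __name__ == "__main__":
    # Constructed sample values, taken from the worked example in the issue.
    eidas = Identity("GR/ES/12345678A", "eIDAS_ES")
    edugain = Identity("someone@university.gr", "EduGAIN_university.gr")
    urn_ab = build_link_urn("project-seal.eu_automatedLink", "low", eidas, edugain)
    urn_ba = build_link_urn("project-seal.eu_automatedLink", "low", edugain, eidas)
    print(urn_ab)
    print("commutative:", urn_ab == urn_ba)
    print("round trip:", parse_link_urn(urn_ab) == ("project-seal.eu_automatedLink", "low", eidas, edugain))
```

The ordering uses Python's plain string comparison (code point order), which is what "alphabetic order" in the algorithm amounts to; both sides that build or compare these attributes must apply the same normalisation (case, Unicode form) to the subject and issuer strings beforehand, otherwise the same pair of identities can yield two different URNs.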

ross-little commented 3 years ago

So this will be the identity of the link request set by the linking module, but what will the data object Type be? Just now the types supported for dataSets are eIDAS, eduGAIN and eMRTD but we need to specify also the types for the linkRequest.

The SPs should also have a way to be able to explicitly request a linked identity so it should be clear how to handle this. Can it be specified in a seal specific URN e.g. urn:seal:eIDAS:edugain ?

faragom commented 3 years ago

> So this will be the identity of the link request set by the linking module, but what will the data object Type be? Just now the types supported for dataSets are eIDAS, eduGAIN and eMRTD but we need to specify also the types for the linkRequest.

Well, this is an algorithm to transform the content of the LinkRequest object (well, the object represents the request and the result of the linking process) in the dataStore. LinkRequests are a unique type. We allow defining issuers of links, to specify which entity is asserting the link.

> The SPs should also have a way to be able to explicitly request a linked identity so it should be clear how to handle this. Can it be specified in a seal specific URN e.g. urn:seal:eIDAS:edugain ?

That's what we were discussing on the e-mail the other day and we finally postponed, if you remember.