International-Data-Spaces-Association / IDS-RAM_4_0

Focusing on the generalization of concepts, functionality, and overall processes involved in the creation of a secure 'network of trusted data', the IDS-RAM resides at a higher abstraction level than common architecture models of concrete software solutions do. The document provides an overview and dedicated architecture specifications.
Creative Commons Attribution 4.0 International

Rule definition by different data spaces #22

Open HeinrichPet opened 2 years ago

HeinrichPet commented 2 years ago

Hi,

in the DRM there is a requirement that each participant must use the clearing house (compliance requirement).

The question now is how this can be ensured technically.

From my point of view, this must be a configuration that is loaded by the connectors. This would have to be loaded from some kind of central "Data Space Controller" component, where certain settings can be defined mandatory for participants.

An alternative could be that such configurations can be loaded in the Connector (without a central component) and checked externally to ensure that the correct and current configuration has been loaded.

In both cases, the certification must ensure that configurations are also executed accordingly.

But perhaps there are other suggestions.

HeinrichPet commented 2 years ago

Plugfest discussion November 29th 2021

SCSN Req.: The Universal Business Language (UBL) has to be used in the Self-Description (Legal Identifier, etc.).

DRM Req.: The use of the Clearing House is mandatory.

We have two separate things here:

  1. The mandatory UBL can be set as a requirement during registration at the Broker. In the scenario the Broker is used.

  2. For the Clearing House requirement it is more difficult.

    • We may use the DAPS to give the connector the order to use the Clearing House for all communications inside DRM. But then we do not divide areas of concerns.
    • We may need a separate component here.

General thoughts:

Do we need an automatic configuration or is a manual configuration also fine?

gboege commented 2 years ago

If considering mandatory Clearing House usage:

mokamhuber commented 2 years ago

Can we maybe represent the required usage of a clearing house with a usage control policy? For me, the usage of a clearing house is not necessarily something we have to see as an attribute/configuration of a connector, but it could also be an attribute for a data exchange: every action or specific actions (usage, transfer, ...) performed for a received data asset has to be logged.

mokamhuber commented 2 years ago

With regards to different compliance rules and certification: If we want to introduce them into the IDS certification, we could discuss having possible "Extensions" to the existing certification profiles which address the specific rules for this data space (if we want to include them into the IDS certification). However, I am uncertain whether we truly want to do this for all future data spaces due to the increasing efforts for maintaining and realizing the certification scheme. Alternatively, this could also be part of the responsibility for the enablers of a specific data space and be asserted/verified by some evaluation mechanism (automated compliance checks, additional evaluation, ...) that has to be offered by the data space. The way to choose probably depends on our Governance model for different data spaces as well as the concrete additional compliance rules.

gboege commented 2 years ago

> Can we maybe represent the required usage of a clearing house with a usage control policy?

I would prefer to go that direction with policies on provider AND consumer side NOT on connector level. A connector and its configuration must not be exclusive to only one dataspace, but should also bridge multiple dataspaces with different requirements. And even in mandatory dataspaces, there might be services with high frequency data that might bring such a requirement down.

HeinrichPet commented 2 years ago

Mh.. my problem is, that both governance and policies must be implemented by people. This screams faulty handling.

The requirement for the use of the clearing house is a regulatory requirement that could actually be mapped well in technical terms. However, as @gboege says, individual for each dataspace, so it does not make sense to solve this via the certification. Could the clearing house be set as mandatory by using the DAT? @milux @gbrost

The rule that a metadata broker in a dataspace expects additional metadata is also understandable. @mborowski511 @NehaThawani44 what do you think, can you provide a high level concept for this? See Comment here: https://github.com/International-Data-Spaces-Association/IDS-RAM_4_0/pull/79/files#r789692054

gbrost commented 2 years ago

This brings us back to https://github.com/International-Data-Spaces-Association/IDS-ThinkTank/blob/main/ids-trust-model/concept.md and the question about certification for data spaces. The DAT would not be a useful mechanism for this, since it serves more as an input for usage policies (it brings in attributes to decide upon). Usage policies could be a way to go, since they define the usage restrictions for data flows. I guess it could be totally possible to require CH interactions only for some workflows.

gboege commented 2 years ago

I still think about the solution to use policies for providers and consumers i.e. to express duties for logging to the clearing house. But I also understand Heinrich's concern about faulty handling.

Maybe, there could be something like inheritance? Policies that are somehow assigned to data spaces and those are valid for ALL underlying policies and must not be maintained for each policy manually.

This is not a ready solution, but my way of thinking that might bring up new thoughts.
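
Added illustration, not part of the thread and not IDS or project code: a sketch of the policy-inheritance idea discussed above, where duties attached to a data space are merged into every contract policy and can be checked externally. The policy layout, the field names (`duties`, `action`, `recipient`) and the data space names are hypothetical and are not IDS Information Model vocabulary.

```python
from copy import deepcopy

# Constructed baselines: duties that every contract in a data space inherits.
BASELINES = {
    "drm": [{"action": "log", "recipient": "clearing-house"}],
    "other-space": [],
}

def baseline_for(dataspace):
    # Fail closed: an unknown data space must not silently yield "no duties".
    if dataspace not in BASELINES:
        raise ValueError(f"no baseline registered for data space {dataspace!r}")
    return BASELINES[dataspace]

def effective_policy(contract_policy, dataspace):
    """Contract policy plus inherited duties; the input is left unmodified."""
    merged = deepcopy(contract_policy)
    duties = merged.setdefault("duties", [])
    for duty in baseline_for(dataspace):
        if duty not in duties:
            duties.append(dict(duty))
    return merged

def missing_duties(policy, dataspace):
    """External check: baseline duties absent from a policy as deployed."""
    present = policy.get("duties", [])
    return [d for d in baseline_for(dataspace) if d not in present]

def unlogged_transfers(policy, transfers, receipts):
    """Transfer ids that carry a clearing-house log duty but have no receipt."""
    duty = {"action": "log", "recipient": "clearing-house"}
    must_log = duty in policy.get("duties", [])
    return [t for t in transfers if must_log and t not in receipts]

# Constructed sample: one contract written by hand without any logging duty.
CONTRACT = {"asset": "urn:example:asset-1", "permissions": ["use"], "duties": []}

if __name__ == "__main__":
    drm = effective_policy(CONTRACT, "drm")
    print(missing_duties(CONTRACT, "drm"))   # gap in the hand-written policy
    print(missing_duties(drm, "drm"))        # closed by inheritance
    print(unlogged_transfers(drm, ["t1", "t2"], {"t1"}))
```

The same contract evaluated under `other-space` inherits nothing, so one connector can serve several data spaces with different requirements.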