Please add new issuer agent that parallels PRIME agent but may/will be used for the Health Gateway to issue credentials

[swcurran]

Add to our environment a Public Health Gateway Issuer agent set up essentially the same as the PRIME issuer, with access to the same people Jason A, Anis.

Ideal to have this deployed by Thursday morning, but I'm not sure what the level of effort is for that these days. They would like exercise Dev and Test in the next week -- definitely not a production instance.

Do we need to request a new OCP environment for this, or could we add this to the environment where the PRIME agent resides?

@esune -- I assume you have the lead on this, but added Wade and Wade to the issue.

Thanks

[esune]

@swcurran do we need a completely new issuer for Health Gateway, or could we share the same agent/did?

My question comes up as both organizations fall under the same Ministry of Health umbrella, and am therefore wondering whether whoever receives the credential(s) should see them coming from the same DID.

[swcurran]

I think we want a new one. It's a bit of a gray area, but I think the PHG will be used to issue credentials to Citizens, which is somewhat different than, for example, PRIME as an issuer.

Could be wrong, but we could be fine with doing this for now.

[swcurran]

@WadeBarnes -- this issue is back and needs to be done more or less immediately. I assume this is for you, and you will pull in @esune and @wadeking98 as needed.

What we know so far:

• needed ASAP and no later than a week today (2021.05.18)
• this will be a new Issuer agent specifically for the Public Health Gateway, so it will have a new DID.
• the ledger for the Dev and Test instances will be Sovrin Staging and for production Sovrin MainNet.
• since we are using Sovrin Staging and MainNet, the TAA handling is necessary.
• the PRIME team will be creating an Issuer-Controller on OpenShift (Dev, Test and Prod) that will use this agent.
  • I'm assuming we will use Network Policies (KNP -- is that the right acronym) to prevent any other service from using the agent
  • Is that enough to secure the agent, are do we need to add authentication?

Please let us know what else is needed to deploy this.

Thanks

FYI - @CharlesMacpherson

[WadeBarnes]

@swcurran, to confirm, we just need a hosted agent, we don't need a Visual Verifier like the Prime setup; correct?

[swcurran]

No visual verifier needed.

[WadeBarnes]

The Public Health Gateway agents have been provisioned in dev, test, and prod. dev and test have been registered on Sovrin StagingNet, and the DID for prod has been sent out to be written to Sovrin MainNet. Teams have been notified.

[swcurran]

Nice! We'll hold off for now on the MainNet writing, but that's a trivial step when the time comes.

Thanks!

[CharlesMacpherson]

minor thing, but Nino mentioned they want to be referred to as "Heath Gateway" not "Public Health Gateway". Can we update how we label things if that's a trivial task.

[swcurran]

@esune -- is the Endorser Sign implementation sufficiently stable that we could have this issuer as a just a transaction author, and we have an endorser agent available to sign the transaction? I'd to have us consider that before we go to Prod.

This won't hold anything up, but I think the DTS team should probably plan on one of endorser DIDs (or a new one) become THE endorser for BC Gov. That would very much formalize the agent, and it would need to highly available, but it would centralize the control of the endorser within BC Gov.

Thoughts?

[swcurran]

Should have tagged @ianco @WadeBarnes @amanji on the previous comment for the general question vs. the "is it ready" question.

[esune]

@esune -- is the Endorser Sign implementation sufficiently stable that we could have this issuer as a just a transaction author, and we have an endorser agent available to sign the transaction? I'd to have us consider that before we go to Prod.

This won't hold anything up, but I think the DTS team should probably plan on one of endorser DIDs (or a new one) become THE endorser for BC Gov. That would very much formalize the agent, and it would need to highly available, but it would centralize the control of the endorser within BC Gov.

Thoughts?

Just seeing this now: as demonstrated during the aries-vcr-issuer-agency demo today, the endorser protocol appears to be at a point where it is stable and could be used. Chances are that some things will be tweaked in the coming months, but that shouldn't be major in my opinion.

We might have to chat about how endorsing transactions would scale in this specific scenario, as there are a couple of things to consider:

• each controller will need to implement the new logic to author, request endorsement and then write the transaction
• there is a one-time setup task that will likely need to be done manually (on both the issuer and endorser end) to establish the roles and metadata in the connection between the endorser and the issuer (I assume issuers should NOT have access to the endorser's admin API)

[WadeBarnes]

The agents have been relabeled relabeled from "Public Health Gateway" to "Heath Gateway".