Receive requests to onboard Issuers and/or Verifiers

[jakubkoci]

User Story:

• As a Governance Authority I want to be able to receive requests to onboard Issuers and/or Verifiers based on a DID and information about the entity, so that I can get approved and participate in the trust ecosystem.

Additional Requirements:

• The submission MUST be signed with the DID of the entity that is making the requests.
• DIDs MUST be fully qualified

To do:

• [x] add submission endpoint to receive requests from issuer/verifier
• [ ] add multi-ledger support with fully qualified DIDs
• [ ] restrict access to the endpoint (we can perhaps use some invitation link, authorization token - basic auth or bearer) - requires user & access management
• [ ] add DID resolver
• [ ] verify signature (we should perhaps utilize some standardized format like JWS), how to validate multiple DIDs?
  • https://datatracker.ietf.org/doc/html/rfc7515

Supported DIDs for issuers:

• [ ] did:sov (v1.0.0)
• [ ] did:hedera
• [ ] did:indy (future)

Does the did have to be published on the ledger? Do we want to verify that before accepting or approving the submission?

Supported DIDs for verifiers:

• [ ] did:sov (v1.0.0)
• [ ] did:key
• [ ] did:web

Information we want to capture per issuer/verifier:

• [ ] DID
• [ ] Friendly Name
• [ ] Logo (URL)
• [ ] DNS FQDN (domain)
• [ ] Created_at
• [ ] Updated_at
• [ ] Is_Valid
• [ ] Role
• [ ] Version
• [ ] Short Description
• [ ] Available Credentials

[jakubkoci]

I feel we can implement this story in 3 iterations:

1. Add submission (or request, I just wanted to distinguish from the HTTP request) endpoint, with automatic approval.
2. Add verification of DID signature. That, by default, requires DID resolver functionality.
3. Remove automatic approval, and continue the work in #30

To the first point. If we want to deploy it to production, we have to somehow restrict access to the endpoint. Even if we remove automatic approval, we perhpas don't want that anyone can send a submission. Ideas:

• create an invitation with a randomly generated string and then validate it
• implement token authentication allowing access to the endpoint only with such token(s)