Closed Sakurann closed 7 months ago
Hi Kristina,
Thanks for your help and insight and for taking the time to create the diagram and writing down your thoughts on this issue. You raise some really good points and we see some areas where the specifications can be improved based on your feedback:
It would be great to continue the discussion with the DSP in mind.
The Dataspace Protocol (DSP) draft didn't address Identity yet.
As described in the IDSA rulebook 2.0 function requirements: https://docs.internationaldataspaces.org/ids-knowledgebase/v/idsa-rulebook/idsa-rulebook/3_functional_requirements
The data space authority (DSA) is responsible for issuing membership credentials. It ensures that an appropriate mechanism is provided for identifying and verifying membership... In a largely decentralized architecture, it could be the issuance of a tamper-proof credential, such as a W3C verifiable credential (VC) which provides proof of the attribute of membership.
The DSA (operational company) also performs other functional roles not directly related to building trust but necessary for the operation of a data space. These are primarily the mandatory function of regulating the lifecycle of membership (participant discoverability, issuing of membership credentials, verification services for membership proofs), but also many optional services like observability and auditing, brokering and marketplaces, providing vocabularies or other services required by the data space members.
The communities coming together in the data space needs to make decisions for the setup. Whether a centralized DSA is required, or a more federated or even fully decentralized model is appropriate must be reasoned over when the data space is founded, as these architectural choices are very hard to change later. Where on this spectrum of possibilities an optimal design for a data space can be found depends on the context and purpose of the data space.
That's so true, because if we are not designing the drafted protocol in the right way we can't integrate commercial wallet provider like Microsoft Entra, Bosch, SAP, T-Systems etc. in the future.
:warning: The community want to help to specify a disambiguous protocol that fosters an easy integration of commercial wallets and self-made wallets into the data spaces ecosystems.
:point_right: We need a working group to refine the Verifiable Presentation protocol for data spaces to address the issues stated here by other members like @PeterKoen-MSFT and @Sakurann and @matgnt.
@ma3u, thanks for your thoughts. A few comments:
I hope this clarifies the background of IATP. Since this issue does not contain a specific, actionable item that can be addressed in the specification text, I'm going to close it out.
I don't understand why this issue was closed when it contains protocol feedback and a concrete proposal? It might not 100% fit the DSP ideas, but I 100% agree that there is value to try to better align with extrem standards/concepts.
A new OAuth grant type that uses either DIDs or some form of client attestation (some form of attestation that this system belongs to company or trust domain XYZ) would go a long way and solve at least the AS related parts of the system in a way that aligns with existing standards and can be re-used.
I'd like to preface the following by saying we appreciate feedback, and, of course, we want to align with existing standards when possible. We also need to make forward progress and deliver a solution in a reasonable amount of time. Fundamental to this is respecting the work that has already gone into these specifications (and the DSP specification). This involves taking the time to engage and understand the specifications and the use cases that have informed them. Asking questions and making proposals is welcome and fine. Posting issues or solutions that make no effort to follow this process is not.
This issue was closed because it does not contain any actionable items. For example, #33 identifies a specific item in the specification (use of a nonce), which is still open. As both @PeterKoen-MSFT and I mentioned, the diagram does not accurately capture dataspace interactions and is not actionable. It's not a question of being a little off or not a "100% fit"; it is wholly inaccurate. For example:
If one "corrects" (re-writes) the diagram and:
The resulting presentation flow will only change by introducing a new series of calls to an authorization server to receive an access token for the Credential Service. It does nothing else.
Adding this extra step introduces a series of unnecessary complications:
There was a conscious effort not to expose the authorization server through IATP interactions for the above reasons. You're welcome to make an argument for why this should be done, but please invest time in understanding the DSP specifications and our use cases. Feel free to bring it to the working group as a formal proposal for discussion.
We currently have two working implementations of the presentation flow client: EDC and a proof-of-concept that uses Keycloak. It's therefore not unreasonable to assume the current design can be implemented with many off-the-shelf solutions.
Specifically regarding client attestation in Catena-X, I would recommend looking at its defined credentials (membership, dismantler, etc.) for more details.
Hi, Trying to address my own concernz in #34 but also trying to answer questions I have been receiving regarding how OpenID4VP and other decentralized identity can be used to achieve the goals of this project.
I am trying to do two things:
In short, from what I have gathered, I think what needs to be defined in a standard is the following flow: "Data Space X authenticates itself to Data Space Y and requests access to certain resources. (Data Space X has a way to pre-discover out of band what it needs to present to Data Space Y to get authorization for each resource being requested.) Data Space Y makes authorization decision and returns Access Token to Data Space X. Data Space X takes that Access Token to Data Space Y's Server (can also be called wallet, ID Hub, etc.) and Data Space Y returns the resource."
and it this flow is happening twice as per diagram below: 1) Data Space B getting access to Data Space A to get information about Data Space A (part of B authenticating A); and 2) Data Space A getting access to Data Space B to get B's resources it wants (end goal)
Below are implementation details:
If above diagram is true, I think defining, a new OAuth grant type might be sufficient where and entity authenticates itself using a sender-constrained Token (aka VC) (in steps 1 and 2) to receive an Access Token (in steps 4 and 6 respectfully). No need to Decentralized Identity Foundation ID Hub/Decentralized Web Nodes (DWN) spec. and probably no need for OID4VP either.
What I still don't understand is if Data Space A is sending a VC to authenticate itself in step 1, why does Data Space B needs more VCs about Data Space A from A's server...