Consolidation and Restructuring of Use Case Framework Agreement

[DanielaWuensch]

Description

As of today (Catena-X Release 24.05), we have the following use case framework agreements per use case:

• traceability:1.0
• pcf:1.0
• quality:1.0
• circulareconomy:1.0
• demandcapacity:1.0
• puris:1.0
• businesspartner:1.0
• behavioraltwin:1.0

These framework agreements describe all general conditions and the purposes, which are mandatory or allowed in the asset negotiations for assets of this use case. With Catena-X Release 24.08, there should only be one use case framework agreement for Catena-X, which contains only the conditions valid for all use cases. The mandatory or allowed purposes will not be part of the use case framework agreement anymore but only be referenced in the Catena-X standard CX-0018 as part of an CX ODRL profile.

Timeline when new consolidated framework agreement is planned:

• first version: end of April 2024
• sounding and publication of use cases framework agreeement: end of May 2024
• if framework agreement is signed, holder gets the credential assigned.

All members who want to share data need to sign the framework agreement, other wise credential is revoked and they cannot provide or consume data for any use case anymore.

Name:

• left operand: "cx-policy:FrameworkAgreement" - this name is required to be understood by EDC, policy hub
• final name for right operand is still in discussion (need to be finalized until end of April 2024, proposal: dataexchangegovernance:1.0 (small letters without _))
• credential name to be defined based on right operand: DataExchangeGovernanceCredential (need to be finalized until end of April 2024)

Impact = Outcome

• Prerequisite: Catena-X association will provide a new consolidated framework agreement
• new Verifiable credential for consolidated framework agreement - naming proposed by data sovereignty task force (expert group)
• revocation/deprication of existing verifiable credential
• Standards: CX-0050, CX-0018 should be adapted to new credentials, new constraints as reference to CX ODRL profile
• CX ODRL profile in ODRL repo
• CX ODRL profile in policy hub
• SSI credential issuer (creation of new credential, de-activating of specific use case framework credentials, expired ones are automatically revoked, no manual revoke necessary)

Additional information

• [x] I'm willing to contribute to this feature

• related to https://github.com/eclipse-tractusx/sig-release/issues/583 (clarifies the governance process if the old framework and old credentials are still valid and what happens in case of further versions)

[DanielaWuensch]

Labels: "SSI" and "data sovereignty" will be added as soon as they exist

[DanielaWuensch]

Decision matrix for separate credential should be included (based on member without use cases framework agreement, versioning, issuance and offboarding)

[jjeroch]

Ticket Refinement needed this week. I have summarized the outstanding tasks below @DanielaWuensch

• Please clearly state which Frameworks are replaced by the consolidated framework contract. This will ensure that no misunderstandings are existing.
• Additionally following questions need to get answered to allow a possible implementation:
  • When will the replacement take place
  • With the replacement will it still be possible to obtain the useCase Framework Credential?
  • Is it ok if the current useCase Framework Credential holders keep the credential until it expires?
  • What is needed to obtain the consolidated framework credential? (e.g. signing something, etc.)
  • Will the consolidated framework contract might have versions in future (means do we need to foresee this scenario)?
  • What if a member has no consolidated framework credential anymore (e.g. due to expiry)?
  • Are we free in the naming? E.g. following known names such as "cx-policy:FrameworkAgreement" with the value "core:1.0"

As soon as those information are shared following tickets are needed in the respective repos

• information to the Operation Committee needed (ideally via ticket)
• implementation ticket for policy hub needed
• implementation ticket for policy repo needed
• implementation ticket for authority & schema registry needed
• implementation ticket for issuer component needed
• sub-task for standard needed ++ ideally directly the ownership to be defined since not everyone will be able to update the standard

Last but not least:

• any risks?
• any dependencies which the community needs to know?

[stefan-ettl]

Hi @DanielaWuensch,

in my opinion this is not a EDC topic. @jjeroch where do you see this topic?

[jjeroch]

Hi @DanielaWuensch,

in my opinion this is not a EDC topic. @jjeroch where do you see this topic?

Agree; it is SSI (following components: Policy Hub, Policy Registry, authority & schema registry, issuer component)

[DanielaWuensch]

@stefan-ettl : As standard CX-0018 need to be adapted as result I also added EDC as label. If this is not necessary, I can remove it.

[DanielaWuensch]

Ticket Refinement needed this week. I have summarized the outstanding tasks below @DanielaWuensch

• Please clearly state which Frameworks are replaced by the consolidated framework contract. This will ensure that no misunderstandings are existing.

• Additionally following questions need to get answered to allow a possible implementation:

  • When will the replacement take place
  • With the replacement will it still be possible to obtain the useCase Framework Credential?
  • Is it ok if the current useCase Framework Credential holders keep the credential until it expires?
  • What is needed to obtain the consolidated framework credential? (e.g. signing something, etc.)
  • Will the consolidated framework contract might have versions in future (means do we need to foresee this scenario)?
  • What if a member has no consolidated framework credential anymore (e.g. due to expiry)?
  • Are we free in the naming? E.g. following known names such as "cx-policy:FrameworkAgreement" with the value "core:1.0"

As soon as those information are shared following tickets are needed in the respective repos

• information to the Operation Committee needed (ideally via ticket)
• implementation ticket for policy hub needed
• implementation ticket for policy repo needed
• implementation ticket for authority & schema registry needed
• implementation ticket for issuer component needed
• sub-task for standard needed ++ ideally directly the ownership to be defined since not everyone will be able to update the standard

Last but not least:

• any risks?
• any dependencies which the community needs to know?

@jjeroch : Thanks for the detailed feedback. This really helps. I added all responses to questions in the ticket description. The refined tickets per party I will create after the PI planning did take place

[DanielaWuensch]

maybe label it dataspace connectivity expert group as soon as it here

[OSchlienz]

Hi @DanielaWuensch, is it planned to substitute all specific use-case agreements by one overarching agreement valid for all existing (and upcoming) usecases? In this case it would be sufficient to have a FrameworkAgrement-Credential type "core" for all use-cases, correct? Or is it planned to have a use-case-selection within the agreement?

[DanielaWuensch]

Hi @OSchlienz , it will only be one overarching framework agreement, which will not contain any purposes but only the general conditions valid for all use cases. The purposes remain use case specific but will not be listed in the agreement. Therefore, we still need the use cases in the namespace of the purposes. The credential itself has then a type like this or similar: "type": ["VerifiableCredential", "DataExchangeGovernance"].

[OSchlienz]

Hi @DanielaWuensch , then there will be only one verifiable credential for the overarching framework agreement, which covers all use case purposes, hence the use-case specific credentials are not needed anymore. The overarching framework VC will be the proof for all purposes, correct?

[DanielaWuensch]

@OSchlienz : Yes this is the idea, however, the governance process in issue https://github.com/eclipse-tractusx/sig-release/issues/581 will describe how long the old credentials are still valid and when they will be revoked. So, they might still exist for 2408.

[stephanbcbauer]

Was presented in the open planning ⇾ please clearify with policy hub and issuer component

[HFocken]

I'd like to contribute

[DanielaWuensch]

Labels to be added if they exist: issuer component, ssi, policy registry, policy hub, data sovereignty

[DanielaWuensch]

@DanielaWuensch : name of right operand and VC to be clarified until end of April 2024

[DanielaWuensch]

adapted based on reviewer comments in open planning with policy hub and credential issuer team - proposal to move it back to backlog in open planning on April 11, 2024

[stephanbcbauer]

Was presented in the open planning ⇾ open decision label can be deleted.

[stephanbcbauer]

Hello @DanielaWuensch , @HFocken

Since the feature is a 24.08 feature and the development phase is coming to an end, we need a status on the feature.

• [ ] Currently you are assigned (Responsible) → Is this correct? If not, please assign the correct contact person
• [ ] Please check whether the status (backlog, work in progress ...) is set correctly
• [ ] Please check whether there is an assignment to a committee or expert group (supported-by) to be found on the board
• [ ] Please comment on the current status of the feature
• [ ] Are all SubTasks (issues from other repositories that deal with the feature) linked? → The easiest way is to mention the feature here in the issue (via the ID) so we can see which teams/repositories are involved.

If you need any clarification, please get in touch, thank you very much. Stephan

[DanielaWuensch]

Status

• Prerequisite: Catena-X association will provide a new consolidated framework agreement: DONE
• new Verifiable credential for consolidated framework agreement - naming proposed by data sovereignty task force (expert group) revocation/deprication of existing verifiable credential --> forwarded to @jjeroch : Can you please report on the status or link the working issue?
• Standards: CX-0050, CX-0018 should be adapted to new credentials, new constraints as reference to CX ODRL profile: DONE
• CX ODRL profile in ODRL repo - DONE
• CX ODRL profile in policy hub - not done as policy hub future is currently not clear see issue [584](https://github.com/eclipse-tractusx/sig-release/issues/584
• SSI credential issuer (creation of new credential, de-activating of specific use case framework credentials, expired ones are automatically revoked, no manual revoke necessary) --> forwarded to @jjeroch : Can you please report on the status or link the working issue?