ietf-wg-scitt / draft-ietf-scitt-scrapi

Transparency Service REST API
https://datatracker.ietf.org/doc/draft-ietf-scitt-scrapi/

API for Collections of Statements #9

Open SteveLasker opened 3 months ago

SteveLasker commented 3 months ago

APIs which enable users to find a collection of signed statements based on protected or unprotected header properties

A client may send any known or custom header property, or combination

TODO:

Collection of Signed Statement Header Properties REQUEST:

GET /findstatements?issuer=my-identity.me&subject=my-product-id HTTP/1.1
Host: transparency.example
Accept: application/json

RESPONSE: a paged collection of references to Signed Statements, and the possible payload locations

{
   "signed-statements": [
      {
         "protected-headers": {
            "cwt_claims": {
               "iss": "my-identity.me",
               "sub": "my-product-id"
            },
            "content_type": "application/json",
            "alg": "1",
            "kid": "abc123",
            "location-hint": "service.storage/abc123",
            "detached-hash": "abc123...321cba"
         },
         "unprotected-headers": {
            "registered": "sometime"
         }
      },
      {
         "protected-headers": {
            "cwt_claims": {
               "iss": "my-identity.me",
               "sub": "my-product-id"
            },
            "content_type": "application/spdx+json",
            "alg": "1",
            "kid": "abc123",
            "location-hint": "service.storage/def456",
            "detached-hash": "def246...642fed"
         },
         "unprotected-headers": {
            "registered": "sometime+1"
         }
      }
   ]
}
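
A sketch of the server-side filter the request above describes, added here as an example and not code from the draft or the repository: the `issuer`/`subject` query names are assumed to map onto the nested `cwt_claims` `iss`/`sub`, any other query name is matched against a protected or unprotected header of the same name, and the collection is a constructed sample (a third entry from a second issuer is added so the filter has something to exclude).

```python
from urllib.parse import parse_qs

# Constructed sample collection in the shape sketched above (not data from any real service).
STATEMENTS = [
    {"protected-headers": {"cwt_claims": {"iss": "my-identity.me", "sub": "my-product-id"},
                           "content_type": "application/json", "alg": "1", "kid": "abc123",
                           "location-hint": "service.storage/abc123", "detached-hash": "abc123...321cba"},
     "unprotected-headers": {"registered": "sometime"}},
    {"protected-headers": {"cwt_claims": {"iss": "my-identity.me", "sub": "my-product-id"},
                           "content_type": "application/spdx+json", "alg": "1", "kid": "abc123",
                           "location-hint": "service.storage/def456", "detached-hash": "def246...642fed"},
     "unprotected-headers": {"registered": "sometime+1"}},
    {"protected-headers": {"cwt_claims": {"iss": "other-issuer.example", "sub": "my-product-id"},
                           "content_type": "application/json", "alg": "1", "kid": "xyz789",
                           "location-hint": "service.storage/xyz789", "detached-hash": "0f0f...f0f0"},
     "unprotected-headers": {"registered": "sometime+2"}},
]

# Assumed shorthand: the query names used in the issue map onto nested CWT claims.
ALIASES = {"issuer": ("cwt_claims", "iss"), "subject": ("cwt_claims", "sub")}


def _lookup(headers, path):
    """Walk a tuple path into a header dict; returns None when any step is missing."""
    node = headers
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _matches(statement, name, wanted):
    """True when the property (protected headers first, then unprotected) equals every requested value."""
    path = ALIASES.get(name, (name,))
    for section in ("protected-headers", "unprotected-headers"):
        found = _lookup(statement.get(section, {}), path)
        if found is not None:
            return all(found == v for v in wanted)
    return False  # unknown or absent property: never treated as a wildcard


def find_statements(collection, query_string, page=0, page_size=10):
    """Apply every query property as a filter and return one page of the matching references."""
    params = parse_qs(query_string, keep_blank_values=True)
    hits = [s for s in collection if all(_matches(s, n, v) for n, v in params.items())]
    start = page * page_size
    return {"signed-statements": hits[start:start + page_size], "page": page, "total": len(hits)}
```

A query name that matches no header yields an empty page rather than the whole collection, which is the failure mode to check for in any implementation that accepts custom properties.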

howethomas commented 3 months ago

So, for the integration with vCon example, subject="my-product-id" could simply be the vcon uuid? So, an audit trail of a particular vCon could be supplied by this API endpoint?

SteveLasker commented 3 months ago

Yup, exactly. Any issuer that wants to make a statement about the vCon would use the identifier, enabling filtering on statements for the vCon, from different issuers, and even different content-types

OR13 commented 2 months ago

Let's look at CoAP / CoRE / OSCORE / ACE for examples of good CBOR APIs, and copy them.

OR13 commented 2 months ago

For some inspiration: https://datatracker.ietf.org/doc/html/draft-ietf-ace-revoked-token-notification-08#section-3.2.1