Open reinkrul opened 8 months ago
Currently, parties publish organization identifiers (NutsOrganizationCredential
, KIK-v's HealthcareproviderDetailsExcerptCredential
) as "public credentials" to the Nuts network. The gRPC-networkless alternative we devised is the Discovery Service, which is hosted by a Discovery Server. Clients configure the Discovery Service and hosting server by loading a JSON document known as a Discovery Definition.
NutsOrganizationCredential
s by setting publishToNetwork
to true
. This causes other nodes to receive the credential.did:nuts
DID) to have their node accept public credentials from other nodes.SearchOrganization
and/or VCR's SearchVCs
API to search for organization credentials (e.g. to find an organization to perform an eOverdracht with).Impact on Nuts node:
did:nuts
DIDs in Discovery Servicesretract_jti
claim needs to be specified for JSON-LD (or implement differently, since it requires a custom JSON-LD context)did:nuts
VCs as well, they now aren't in the wallet (no migration there, we planned for it to only contain did:web
-related VCs), so we need a solution thereRequired community actions:
NutsOrganizationCredential
HealthcareproviderDetailsExcerptCredential
) on how to migrate as well.Vendor changes required:
OpenID4VCI works only with a browser involved, and current implementations use server-to-server issued credentials (KIKvGevalideerdeVraagCredential
and NutsAuthorizationCredential
). We need to retain this feature, but not by publishing on the network. We can use the current OpenID4VCI server-to-server implementation to migrate away from them being issued on the Nuts network.
NutsAuthorizationCredential
s by setting publishToNetwork
to true
and visibility
to private
. This causes other the node to publish an encrypted network transaction which only intended receiver Nuts node can decrypt and retrieve.RequestAccessToken
.Impact on Nuts node:
GevalideerdeVraagCredential
).NutsOrganizationCredential
s may send me NutsAuthorizationCredential
s")Required community actions:
Vendor changes required:
GevalideerdeVraagCredential
NutsOrganizationCredential
) that allows issuance of NutsAuthorizationCredential
Process of dropping support for private credentials:
NutsAuthorizationCredential
, revoked when the eOverdracht endsNutsOrganizationCredential
, revoked when a care organization stops supporting Nuts or is renamedGevalideerdeVraagCredential
, revoked when ... ?HealthcareproviderDetailsExcerptCredential
revoked when ... ?In v5.5: start supporting StatusList2021
In v6: enable StatusList2021 by default (when expirationDate
is not set for a credential)
Impact on Nuts node:
Required community actions:
Vendor changes required:
Process of dropping support for Nuts-network style revocations
did:nuts
storage on Nuts networkCredentials are issued to did:nuts
DIDs, which are resolved when:
did:nuts
DIDs are published to the Nuts network, so to resolve them a Nuts node to be in sync with the Nuts gRPC network.
As long as there are credentials issued to did:nuts
DIDs, they should be resolvable. A gRPC-less alternative could involve a did:web
approach similar to the "Well-Known DID Configurations" specification:
did:nuts
owner self-issues a DIDOwnerCredential
(better name?), that contains an URL where the did:nuts
document can be resolved.did:nuts
owner publishes the credential to a Discovery Service.did:nuts
by looking up the HTTP endpoint in the Discovery Service. It then reads the DID document from that endpoint.Things to decide:
node-http-services-baseurl
is a "node-to-node" endpoint, meaning PKIOverheid Private Services certificate is required. But many DID documents should already have it (we need to check this). It registers .../n2n/identity
, so we resolver needs to be hosted under this URLImpact on Nuts node:
DIDOwnerCredential
on node startup (and refresh when expires or HTTP endpoint changes)did:nuts
DIDsdid:nuts
resolution endpoint through Discovery Service and resolve thereRequired community actions:
Vendor changes required:
did:nuts
owner credentialsProcess of dropping support for Nuts network:
did:web
DID resolutiondid:nuts
will only be resolved over HTTPdid:web
instead of did:nuts
by defaultProcess of dropping support for did:nuts
:
related to #2548
issue needs work/2Bupdated to current state of the node.
We want to move away from the gRPC network to improve reliability and debuggability. The gRPC network is used for several purposes:
We introduced a set of new features to replace the Nuts gRPC network; OpenID4VCI,
did:web
and Discovery Services. If parties with an existing implementation want to start using these features, they need to migrate their implementation on at least the following points:did:web
) need to be created for care organizations, this also means newNutsOrganizationCredential
s have to be issued to those new DIDs.Aside from that, the authorization protocol changed (from bearer token request to a Presentation Exchange based token with different API semantics), meaning authorization changes on both client and server side.
Risks
These changes are non-trivial. I suspect that, at best, the new features will be adopted with a severe delay (thinking of years?). At worst, they will never be adopted (the new product is so much better, but so different that nobody adopts it).
At the same time, we want parties to moving towards these features as soon as possible, to improve reliability/analysability of the implementations. So any non-trivial work (reworking implementation) will stall or prevent these improvements from taking effect.
Solutions
In this issue, I want to explore the possibilities of migrating parties to these new features without them having to rework their implementations.
We also should not forget to design how/when we stop supporting (remove) the "old" features.