nuts-foundation / nuts-node

The reference implementation of the Nuts specification. A decentralized identity network based on the w3c ssi concepts with practical functionality for the healthcare domain.
https://nuts-foundation.gitbook.io
GNU General Public License v3.0

gRPC-less Nuts network without big-bang migration to did:web #2825

Open reinkrul opened 8 months ago

reinkrul commented 8 months ago

We want to move away from the gRPC network to improve reliability and debuggability. The gRPC network is used for several purposes:

We introduced a set of new features to replace the Nuts gRPC network; OpenID4VCI, did:web and Discovery Services. If parties with an existing implementation want to start using these features, they need to migrate their implementation on at least the following points:

Aside from that, the authorization protocol changed (from bearer token request to a Presentation Exchange based token with different API semantics), meaning authorization changes on both client and server side.

Risks

These changes are non-trivial. I suspect that, at best, the new features will be adopted with a severe delay (thinking of years?). At worst, they will never be adopted (the new product is so much better, but so different that nobody adopts it).

At the same time, we want parties to move towards these features as soon as possible, to improve reliability/analysability of the implementations. So any non-trivial work (reworking implementation) will stall or prevent these improvements from taking effect.

Solutions

In this issue, I want to explore the possibilities of migrating parties to these new features without them having to rework their implementations.

We also should not forget to design how/when we stop supporting (remove) the "old" features.

reinkrul commented 8 months ago

Migrating Nuts Registry to Discovery Service

Currently, parties publish organization identifiers (NutsOrganizationCredential, KIK-v's HealthcareproviderDetailsExcerptCredential) as "public credentials" to the Nuts network. The gRPC-networkless alternative we devised is the Discovery Service, which is hosted by a Discovery Server. Clients configure the Discovery Service and hosting server by loading a JSON document known as a Discovery Definition.

Current implementation

Migration

Impact on Nuts node:

Required community actions:

Vendor changes required:

reinkrul commented 8 months ago

Migrating Private Credentials to Server-to-Server issued Credentials

OpenID4VCI works only with a browser involved, and current implementations use server-to-server issued credentials (KIKvGevalideerdeVraagCredential and NutsAuthorizationCredential). We need to retain this feature, but not by publishing on the network. We can use the current OpenID4VCI server-to-server implementation to migrate away from them being issued on the Nuts network.

Current implementation

Migration

Impact on Nuts node:

Required community actions:

Vendor changes required:

Process of dropping support for private credentials:

reinkrul commented 8 months ago

Migrating from revocations published to Nuts Network

In v5.5: start supporting StatusList2021
In v6: enable StatusList2021 by default (when expirationDate is not set for a credential)

Current implementation

Migration

Impact on Nuts node:

Required community actions:

Vendor changes required:

Process of dropping support for Nuts-network style revocations

reinkrul commented 8 months ago

Migrating away from did:nuts storage on Nuts network

Credentials are issued to did:nuts DIDs, which are resolved when:

did:nuts DIDs are published to the Nuts network, so to resolve them a Nuts node needs to be in sync with the Nuts gRPC network.

As long as there are credentials issued to did:nuts DIDs, they should be resolvable. A gRPC-less alternative could involve a did:web approach similar to the "Well-Known DID Configurations" specification:

Things to decide:

Current implementation

Migration

Impact on Nuts node:

Required community actions:

Vendor changes required:

Process of dropping support for Nuts network:

Process of dropping support for did:nuts:

gerardsn commented 6 months ago

related to #2548

woutslakhorst commented 1 month ago

Issue needs work / to be updated to the current state of the node.