2024-05-20

Date and Location

May 20, 2024 at 15:00-16:00 (EEST, UTC+3)

Location: Microsoft Teams

Attendees

  • Petteri Kivimäki (NIIS)

  • Raido Kaju (NIIS)

  • Aivar Meisterson

  • Oleksii Danyliuk

  • Tõnis Pihlakas

Discussion items

#

Item

Notes

1

Summary of development activities

Summary of ongoing development activities.

2

X-Road 8 PoC status

The main focus has been on making X-Road technically compatible with the Gaia-X trust framework. In addition, work on supporting message logging in X-Road 8 has continued.

When joining Gaia-X and becoming a Gaia-X Participant, every organisation needs to get a Gaia-X Compliance Credential. Getting the credential requires submitting three credentials to the Gaia-X Compliance Service:

  1. Registration Number Credential issued by the Gaia-X Notary Service.

  2. Legal Participant Credential self-issued by the Participant.

  3. Gaia-X Terms & Conditions Credential self-issued by the Participant.

The organisation must present these 3 credentials to the Gaia-X Compliance Service, which performs a minimum validation on them, e.g., that the Registration Number Credential is issued by a Gaia-X approved Notary Service. If all 3 credentials satisfy the Gaia-X Compliance Rules, the Gaia-X Compliance Service issues a Gaia-X Compliance Credential. The organisation may then use the Compliance Credential to prove that it is a Gaia-X Participant.

The credentials are tied to an identity that’s based on DID:WEB. In other words, every organisation must have a DID:WEB before applying for the Gaia-X Compliance Credential. In addition, every organisation must have a certificate that’s issued by a Gaia-X approved trust anchor, e.g., an eIDAS compliant Certificate Authority (CA). The key pair associated with the certificate must be used to create the DID:WEB, and the public key is included in the DID document. Also, the self-issued credentials must be signed using the same key pair. Existing X-Road sign keys are considered trusted by Gaia-X if the sign certificate was issued by an eIDAS compliant CA.
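The issuer rules above can be checked locally before the three credentials are submitted. The following is an added example, not code from the X-Road PoC or from Gaia-X: the type labels, the flat credential shape and the `.example` DIDs are constructed assumptions, and it checks structure and issuers only, not signatures.

```python
from urllib.parse import unquote

# Type labels and the flat {"type", "issuer"} shape are assumptions made for
# this example; real credentials are signed JSON documents with more fields.
REG_NUMBER = "RegistrationNumber"
LEGAL_PARTICIPANT = "LegalParticipant"
TERMS = "TermsAndConditions"


def did_web_to_url(did):
    """Map a did:web identifier to the HTTPS URL of its DID document."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError(f"not a did:web identifier: {did!r}")
    host, *path = did[len(prefix):].split(":")
    host = unquote(host)  # a port is written as %3A inside the DID
    if not host or "" in path or any(c in host for c in "/@?#"):
        raise ValueError(f"malformed did:web identifier: {did!r}")
    if path:
        return f"https://{host}/{'/'.join(path)}/did.json"
    return f"https://{host}/.well-known/did.json"


def check_submission(participant_did, credentials, trusted_notaries):
    """Return a list of problems; an empty list means the set can be submitted."""
    did_web_to_url(participant_did)  # raises if the identity is not did:web
    problems = []
    for ctype in (REG_NUMBER, LEGAL_PARTICIPANT, TERMS):
        found = [c for c in credentials if c["type"] == ctype]
        if len(found) != 1:
            problems.append(f"{ctype}: expected 1 credential, found {len(found)}")
        elif ctype == REG_NUMBER:
            if found[0]["issuer"] not in trusted_notaries:
                problems.append(f"{ctype}: issuer is not an approved Notary Service")
        elif found[0]["issuer"] != participant_did:
            problems.append(f"{ctype}: must be self-issued by the participant")
    return problems


# Constructed sample data (not real DIDs or credentials).
PARTICIPANT = "did:web:participant.example:org"
NOTARY = "did:web:notary.example"
SAMPLE = [
    {"type": REG_NUMBER, "issuer": NOTARY},
    {"type": LEGAL_PARTICIPANT, "issuer": PARTICIPANT},
    {"type": TERMS, "issuer": PARTICIPANT},
]

if __name__ == "__main__":
    print(did_web_to_url(PARTICIPANT))
    print(check_submission(PARTICIPANT, SAMPLE, {NOTARY}))
```
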

So far, the PoC has implemented the following features:

  • Use the Gaia-X Wizard to:

    • Create a DID:WEB and the self-issued credentials using an existing X-Road sign key and certificate.

    • Apply for the Gaia-X Compliance Credential.

      • NIIS has its own instance of the Gaia-X Digital Clearing House services where the X-Road Test CA is defined as trusted.

  • Store the credentials in the EDC Identity Hub.

    • Also, the X-Road sign key and certificate are stored in the EDC Identity Hub in addition to signer - there's no integration with signer yet.

  • Verify that the credentials are issued by trusted issuers before using them.

  • Use the credentials to authenticate organisations and verify them being Gaia-X Participants during the data exchange process.

    • The Security Server is connected to the Identity Hub.

Still to be implemented in the PoC:

  • Verify the credentials' integrity before using them.

  • Use the Legal Registration Number from the Registration Number Credential to define access policies using ODRL.

    • As a result, the Legal Registration Number can be used to define access rights to services just like the subsystem code is used currently.

    • A sample workflow of participant authorization is available here.

3

Open topics



Next meetings

  • Meeting 24, June 19 2024, 15:00-16:00 (EEST, UTC +3)

  • Meeting 25, August 21 2024, 15:00-16:00 (EEST, UTC +3)

  • Meeting 26, September 18 2024, 15:00-16:00 (EEST, UTC +3)

  • Meeting 27, October 23 2024, 15:00-16:00 (EEST, UTC +3)

  • Meeting 28, November 20 2024, 15:00-16:00 (EET, UTC +2)

  • Meeting 29, December 18 2024, 15:00-16:00 (EET, UTC +2)

  • Meeting 30, January 22 2025, 15:00-16:00 (EET, UTC +2)

  • Meeting 31, February 19 2025, 15:00-16:00 (EET, UTC +2)

  • Meeting 32, March 19 2025, 15:00-16:00 (EET, UTC +2)