51.7 KB
Newer Older
1 2
id: functional-architecture
title: eSSIF-Lab Functional Architecture
Rieks Joosten's avatar
Rieks Joosten committed
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

The purpose of the functional architecture and its views is to

-   **provide mental models** that all of its stakeholders interpret in sufficiently the same way, so as to be able to talk, think and discuss about what it is we try to achieve and ways to achieve this;
-   help **inventory and subsequently address any (other) concerns and issues** of every one of its stakeholders;
-   help **achieve interoperability** both at the technical and at the business levels.

## 1.  Basic Terminology

In order to serve such purposes, we have found out that it is necessary that to make a strict and consequent distinction between people and organizations that are capable of making decisions and bearing responsibility/accountability (we will use the term ‘**party**’ for that) and people and ‘things’ that are capable of acting/doing things (we will use the term ‘**actor**’ for that). This means that an organization is always a party, whereas we consider a person to be a party at one time and an actor at another time, and computers/robots (and SSI components) are always an actor.

This distinction is necessary because actors do things that parties are accountable for. In order to know which party is accountable for what actions, we need the ability to link parties and actors. When an actor acts and a (single) specific party is accountable for that, we say that the actor is an ‘**agent**’ for or of that party (at that particular point in time). We say that this actor acts ‘**on behalf of**’ that party. When an SSI component acts as an agent for/on behalf of some party, we call it an \`**SSI-agent**\`, and we say that this party is the ‘**owner**’ of that component. Also, we use the term \`**(electronic or human) colleague (of an agent)**\` to refer to any other (electronic or human) agent that acts on behalf of the same party as this agent.

Given these definitions, it is obvious that parties are not necessarily capable of acting. However, we also would like to be able to generically use phrases such as ‘party X does Y’. To this end we introduce the term \`**organization**\` as the collection of one specific party and every of its agents, and when we say ‘party X does Y’, we mean to say that there is an agent that does Y, where that agent belongs to the same organization as the specified party..

We caution that the notions of being an ‘agent’, ‘owner’, ‘colleague’, and being part of an ‘organization’ are dynamic; they may frequently change over time and are never self-evident.

Also, to serve the aforementioned purposes, we cannot fix the architecture (and the fact that eSSIF-Lab is an experimentation environment already implies this). We see it is a first attempt to describe an architecture that will be regularly updated as we - i.e. the eSSIF-Lab consortium and all subgrantees and perhaps some others - work together as an ecosystem-in-formation to realize the aforementioned vision.

## 2.  Functional Architecture Overview

Figure 1 shows the initial *functional* eSSIF-Lab architecture, and its scope, context and (functional) components each of which is an agent for the same party (meaning that they are all part of the same organization as defined above, and they are all (digital) ‘colleagues’ of one another).

However, the participants of a business transaction are different parties, which means that the negotiation, commitment and execution thereof is done by agents of different parties. Assuming that a single transaction has two participating parties, we will use the term ‘**peer party (of a specific party, in the context of a single transaction)**’ to refer to the participating party in that transaction that is not the specific party itself.

Every agent that communicates with another actor for the purpose of progressing a transaction, will need to be sufficiently sure (to the extent necessary for the value of the transaction) that the actor that it is communicating with, is in fact an agent of the peer party of its owner. We will use the term ‘**peer agent (of a specific agent, in the context of a single transaction)**’ to refer to an actor with which the specific agent has a communications session, and for which it has obtained sufficient assurance that it is an agent of the peer party of its owner. Note that establishing whether or not an actor is a peer agent does not necessarily require knowing who the peer party actually is.

![eSSIF-Lab Single Party Functional Architecture Overview](../images/functional-architecture.png)
Rieks Joosten's avatar
Rieks Joosten committed
34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104

*Figure 1. eSSIF-Lab Single Party Functional Architecture Overview.*

We use the following coloring conventions in this figure: red(dish) is business related, which means that we do not consider this to be part of the SSI Infrastructure. Brown is used for policies, which are defined by (or on behalf) of the Owner of the component that uses them to configure themselves, and/or act according to the Owner’s preferences and policies. Green is used for generic SSI infrastructure related functions, and blue represents functions that may be implemented as ‘plug-ins’ for specific SSI-related technologies.

The remainder of this chapter describes the layers and their components at a high abstraction level. <!--Further details on components, such as design decisions, can be found in \[reference\].-->

### 2.1.  Business Transaction Layers

At the top of the figure are two business-related layers. Both are within the scope of the eSSIF-Lab project/architecture, yet they are outside the scope of the eSSIF-Lab infrastructure/architecture - that is because they are too business-specific.

The top layer (in the red rounded rectangle) has the functions of actual business transactions: it starts with a transaction form, the data of which is valid, consistent and complete, from which the (business) decision can be made whether or not to engage in a business transaction, and that has everything necessary to actually execute that business transaction. The (administrative) results of such a business transaction are then stored in business data stores. We have put this layer in the eSSIF-Lab architecture for the single purpose of showing how the components of the bottom layer contribute to conduct business transactions.

The lower business layer contains two functional components, one for initiating transactions and the other for stating transaction results (as per the [*DEMO*]( method), each of which with an associated business policy that contains business-specific policies/preferences.

The task of the **Transaction (Validation) Engine** (or **TVE**) is to handle and initiate requests from/to peer agents to engage in some kind of transaction, by negotiating and exchanging data (through one or more, physical or electronic communication channels), and to produce a transaction form whose contents is complete and valid, enabling an appropriate colleague to decide whether or not to engage in the transaction. Note that negotiating a transaction has two parts: requesting a peer agent to provide data that its owner needs, and providing data on behalf of its owner that a peer agent requests. After all, a business transaction can only start after all parties have decided to commit, which they can only do after each of them has obtained the information it (subjectively) needs to do so. Also note that data that the TVE must ensure that the transaction context is properly maintained if it chooses to exchange data through different communication channels.

The task of the **Transaction Result Dispatcher** (or **TRD**) is to state the (various, sometimes intermediary) results of transactions, by collecting data from the Business Data Stores, and creating a set of (related) statements/claims that can subsequently be issued to other parties. Since such state-data may change, issuing data that supersedes an earlier state implies the revocation of such a state.

Note that both components are within scope of eSSIF-Lab architecture, but NOT in scope of the eSSIF-Lab infrastructure, as they are too business-specific.

### 2.2.  SSI Roles Layer (Issuer, Verifier, Holder and Wallet)

The SSI Roles Layer contains functional components that match the well-known roles of issuer, holder, wallet and verifier. These components are part of the eSSIF-Lab infrastructure.

Apart from each having a specific task, as described below, implementations that are being deployed by one party should be aligned in that they support the same (sub)set(s) of SSI Protocols and Crypto features, as described in the following section.

The task of the **Issuer** is to issue what we will generically call ‘credentials’, i.e. sets of (related) statements/claims (e.g. as produced by the TRD) that have metadata (e.g. date of issuing) and a digital signature by which third parties can prove its provenance and integrity. Another task of the Issuer is to handle revocation (and (un)suspension) of credentials that it has issued. For such tasks, it relies on functions that are made available by the SSI Protocols and Crypto Layer.

One task of the **Wallet** is to (securely) store credentials - both those that have been issued by the issuer (i.e. self-signed credentials) and those that have been obtained from issuers of other parties. Another task of the Wallet is to (securely) store (private) keys that can be used to sign or seal data on behalf of its owner. Perhaps the most important task of the Wallet is to ensure that credentials and keys can only become available to another component if they have the same (single) owner, and will become available if such other component implements a functionality that needs it.

The task of the **Verifier** is to support the TVE as it tries to acquire credentials from some other party for the purpose of negotiating a business transaction. It does so by creating Presentation Requests that ask for such credentials, sending them to a Holder component of another party, receiving a response to such a request (which we call a ‘Presentation’), verifying the Presentation, i.e. checking the signature and other proofs of the veracity of both the construction of the Presentation as well as its contents, thus providing the TVE with verified data.

The task of the **Holder** is to handle Presentation Requests that it receives from Verifier components (both of its owner, and of other parties). Typically, this means looking for the requested data in the owner’s Wallet, and using it to construct a Presentation (=response). However, if the Wallet doesn’t have it, the Holder may negotiate a transaction with a component of the designated issuer for the purpose of obtaining the needed credential, which - when obtained - it can subsequently store in the Wallet and use in the Presentation.

### 2.3.  SSI Protocols and Crypto Layer

While represented as a layer, the SSI Protocols and Crypto Layer can be seen more as a set of libraries that can be used by Wallet, Holder, Issuer and Verifier (WHIV) components for the purpose of actually implementing some/all of the functionality that they need to provide. Each ‘Component’ in this layer implements a specific technology, and any implementation of any of the WHIV components may choose which of these to use. Of course, if one of the WHIV components implements a technology, it would seem that the others would need to do so, too.

Technologies may come as a (proprietary or open source) library, as a service (offered by one or more parties), or both. There are way too many to mention here, but to give you an idea, here is a classification of such underlying/supporting technologies that seems to be useful. While we do mention some technologies explicitly, this should in no way be interpreted as that this would be necessary to support, or that others are not to be considered.

First, we have **credential-related technologies**, most often in the form of libraries, basically for the creation, (storing,) and verification of specific kinds of credentials such as [*Verifiable Credentials*]( (VCs), [*Attribute Based Credentials*](<sup>[ABC]</sup> (ABCs), [*X.509 Attribute Certificates*](!!PDF-E), [*OIDC*]( tokens, etc. Various projects/implementations can already be used here, such as [*Hyperledger Aries*](, [*IRMA*](, [*OpenCerts*](, [*BlockCerts*](, and more.

Then, there are **secure communications technologies**, for the purposes of (a) ensuring that a technical component owned by a specific party can recognize that another component as one that it has had previous communications with and/or is owned by an identified party, and (b) setting up a secure communications channel, i.e. one that guarantees message confidentiality (encryption) and integrity/authentication. A well-known way to do this is SSL, but new ones are being developed, such as [*DID Comm(unication)*](, that uses [*peer DIDs*]( (work in progress).

Another important category is that of **crypto (related) technologies**, which are used for various purposes, such as creating/verifying digital signatures, zero-knowledge-proofs, etc. Such technologies may come as a library (e.g. [*Hyperledger/Ursa*](, or as a service, e.g. an [*eIDAS*](<sup>[eIDAS]</sup> trust service.

We conclude for now by mentioning **blockchain/distributed ledger technologies**, for secure logging of (e.g. registration) events, where such logs have the property that it is virtually impossible to change the order and/or contents of the logged events, and that the logs are highly available to those that are authorized. Both public and private blockchains are known to be used, and different SSI-solutions may use them for different purposes, e.g. the registration of schema’s, credential definitions, DIDs and associated DID documents, revocation accumulators, etc. Examples include [*EBSI*]( ([*European Blockchain Partnership*](, [*Hyperledger Indy*]( (Alastria, Findy, Sovrin), Ethereum ([*OpenCerts*](, [*BlockCerts*](, bitcoin ([*BlockCerts*]( and many more.

It is expected that there are already some interfaces out there that may turn out to be useful here (e.g. (unverified) [*FIWARE*](, CEF)


[ABC] Its origins lie with the [*ABC4Trust project*]( Extensive [*documentation*]( is available, e.g. an [*Architecture for Attribute-based Credential Technologies*]( (also one [*for developers*](

[eIDAS5] [*"Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC"*]( *EUR-Lex*. The European Parliament and the Council of the European Union.


### 2.4.  API Layers (‘ESSIF Glue’ and ‘SSI Tech APIs’)

There are two interface layers in this architecture

The \`**ESSIF Glue**\` interface layer consists of a set of API’s between the Transaction (Validation) Engine and Transaction Result Dispatcher on the one hand, and the WHIV components on the other hand. The specification of these API’s can be found in \[reference needed\]. The purpose of these APIs is to make calling the WHIV functions as simple as possible, given the functions of the Transaction Result Dispatcher and Transaction (Validation) Engine. Ultimately, we would like to see these API’s standardized. Having such APIs allows different parties to create their own version of the WHIV components, supporting the SSI technologies as they see fit, and shrinking or expanding functionalities as they feel appropriate. Parties can then select such WHIV components as they see fit.

The **SSI Tech APIs** interface layer is the union of the interfaces that the components that are in it provide. Any standardization in there is outside the scope of eSSIF-Lab.

## 3.  eSSIF-Lab Infrastructure Functional Components

This section details the functional specifications of the components that are in scope of the eSSIF-Lab infrastructure, i.e. in the green (rounded) rectangle as shown in the figure below:

![eSSIF-Lab functional components that are part of the eSSIF-Lab infrastructure](../images/functional-architecture-infra.png)
Rieks Joosten's avatar
Rieks Joosten committed
106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160

*Figure 2: eSSIF-Lab infrastructural (functional) components.*

### 3.1.  Transaction (Validation) Engine and Validation Policy

The purpose of the Transaction (Validation) Engine (TVE) is to produce (transaction-type specific) data structures or forms, each of which contains the necessary and sufficient data that allows (an agent of) its owner to decide whether or not to engage in a (new) transaction of the specified type.

Typically, the TVE would start a transaction either

-   when it receives a request from some agent of another party for engaging in a transaction of a specific kind.
-   when it is instructed by, or on behalf of its owner, to request a specific kind of transaction to some agent of another party.<sup>[TVE.1]</sup>

In either case, a transaction form (object, context) has to be created that matches the kind of transaction, and a ‘**transaction-id**’ must be generated that identifies this form/object/context. It will be used for binding incoming or outgoing messages to this transaction, enabling communications to remain congruent, not only with the agent that requested the transaction, but also with other agents from the same owner and/or using different communications channels.

Handling/managing the various communications channels through which data can be exchanged is also a task of the TVE<sup>[TVE.2]</sup>. One reason for this is that negotiating a transaction not only requires data to be acquired, but also to be provided to the peer participant. Another reason is that the peer participant may use multiple agents to provide such data, e.g. human agents (that might use web-browsers, social-media apps, phones, or physical visits), SSI agents (that use the SSI infrastructure), or other electronic agents (e.g. services that can provide data when appropriate permissions are submitted - e.g. user consent tokens).

Thus, the TVE is generally considered capable of obtaining data through different communications channels. However, the technical tracks of eSSIF-Lab will exclusively focus on the communications channel through which credentials can be requested and obtained. Any extensions or business productization of TVE designs may be considered in the business tracks of eSSIF-Lab. The latter is not considered any further in this section.

In order to acquire data through SSI mechanisms for filling in a form for a specific kind of transaction, the TVE needs to know what kinds of credentials it should ask for, which parties its owner trusts to issue such credentials, what kinds of verification proofs for such credentials must hold and which may be disregarded.<sup>[TVE.3]</sup> Also, when the TVE gets a credential that satisfies the necessary verification proofs, it needs a way to map the contents of that credential to the structure of the transaction context that is used internally by (other systems of) its owner.<sup>[TVE.4]</sup> Also, as the TVE gets more and more data - which it may get through multiple, different channels - it needs to determine whether or not the resulting set is sufficiently consistent and coherent.<sup>[TVE.5]</sup>

In order to make the TVE work, a Validation Policy (or TVE Policy) is created by, or on behalf of the owner, which specifies at least:

-   the kinds of transactions the owner is willing to (electronically) engage in, from both the requester and the provider perspectives;
-   for each such transaction type:

    -   the criteria (business rules) that should be used to determine that the form is ‘clean’, i.e. that the necessary and sufficient data have been obtained and that they are consistent, coherent, and suitable for making a transaction commitment decision.

    -   the kinds of credentials and issuers that the owner is willing to accept as sources for valid data; (optionally?), the endpoint URI at which issuing parties do the actual credential issuing may be specified<sup>[TVE.6]</sup>.

    -   for each kind of credential: the verification proofs that must hold to be accepted as a source for valid data.

    -   the mapping between fields in such credentials and fields in the form to be filled in.

-   (anything else?)

The Policy must be designed in such a way that it is extendable as new features will be called for in the future.

The ability to create new transaction contexts and the availability of the TVE Policy enable the TVE to request the Verifier component of its owner to obtain credentials of the types that it can use to fill in the transaction form when they satisfy the verification and validation requirements of its owner. The specification of such requests is given in \[reference needed\].

When the Verifier returns such data (which comes with a list of proofs that the Verifier has checked), the TVE must then validate that data, i.e. determine whether or not it is valid for the specific transaction it is assembling the data for. The validation rules are party-specific and hence come from the TVE policy. For simple cases, validation can simply consist of checking whether or not all verification proofs succeeded. At the other end of the validation spectrum, the TVE itself must make validation decisions, either electronically (according to the TVE policy) or by ‘outsourcing’ such decisions to human agents of its owner by providing an appropriate validation user interface.

As long as data is needed, the TVE can intermittently request the verifier to produce it (or it can use other communications channels, which is outside scope for now). It does so until it times out, or the form has become ‘clean’.


[TVE.1] This feature ensures that the transaction is really two-way, and both parties can request credentials from the other. For example, a web-shop can then ask for a (delivery)address credential, and the customer can ask for a credential issued e.g. by the chamber of commerce that the web-shop is a legitimate company (and not some maffia website).

[TVE.2] It may well be that this functionality can somehow be split off in the (near) future.

[TVE.3] For high-value transactions, verification proofs are more important than for low-value transactions. This is to be decided by the owner of the TVE. An example from the physical world: in order to obtain a visa for China, it is required that your passport (credential) remains valid for 3 months after the end of your visit. But in order to identify yourself at the reception desk of a hotel, your passport may have expired several years.

[TVE.4] For example, a credential that contains an address uses a specific schema to specify addresses, e.g. the ‘PostalAddress’ as defined by This schema differs quite a bit from that of Dutch addresses as [*defined*]( by the official (authentic) Dutch Registration of Addresses and Buildings (BAG). It may also well differ from the structure of addresses that databases of the Owner have implemented. Mapping allows such cases to be accommodated for.

[TVE.5] Inconsistent or incoherent data is necessary for various purposes. First, it allows for correct further processing of the transaction. A non-existent postal code, or one that doesn’t match the delivery address, may hinder a fluent transaction processing, resulting in additional costs and processing times. Another purpose is the early warning or detection of possible fraud/abuse. Remember that part of the data is being asked for reducing transaction risk, and checking consistency/coherence of such data is part of the risk mitigation process.

fmerg's avatar
fmerg committed
[TVE.6] This enables the TVE to pass the endpoint URI on to the Verifier when it requests for such a credential, which in turn can send it to the holder of other parties enabling them to obtain the credential from that issuer endpoint if that other party does not have that credential in its wallet. The endpoint URI can in fact be put in the policy, because the (human) agent that creates/maintains the policy would need to know that the issuing party is actually issuing such credentials, what their contents means, etc., and hence is capable of tracking down the URI where that party issues the credentials.
Rieks Joosten's avatar
Rieks Joosten committed
162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306


### 3.2.   Verifier Component, and its Policy/Preferences

The purpose of the Verifier component is to support the Transaction (Validation) Engine by providing it with a single, simple API that it can use to request and obtain data that it needs to produce a clean transaction form, as well as the results of checking verification proofs (this is also why it is called the ‘verifier’ component).

Typically, the TVE would ask the Verifier to provide a credential that it can use to fill in a (coherent set of) field(s) in the transaction form. It is realistic to think that credentials from different issuers - trusted by the Verifier’s owner - can be used for this purpose. However, it is also realistic that such credentials will not use the same credential definition - they might well use different schemes to provide such data. Therefore, the TVE should specify a list of pairs (credential-type, issuer) instances of which could all be used to provide the data it needs - which it can obtain from the TVE policy.

Then, the Verifier needs to know the address and protocol that it can use to reach a Holder component owned by the party that its owner is trying to negotiate the transaction with. The TVE specifies this as part of the request - and it can do so because it has received the original request, and does all communications channel handling.

Verifiers are not expected to handle every kind of credential (e.g. VC’s, ABC’s, etc.) that exists, but rather a specific subset. For (at least one of) the credential types, the Verifier can construct a so-called presentation request, i.e. a message that is specific for the credential type and/or associated protocol, which it can then send to the Holder’s address.

This request message should contain at least

-   the transaction-id, so that when it is copied into the associated response message, the latter can be associated to the transaction it belongs to. Also, it should contain the
-   the (credential type, issuer) pairs that may satisfy the request, and to each of these additional data, e.g. the URI of the endpoint where the issuer issues such credentials, the maximum age of the credential, etc.
-   meta-data that may be useful for the holder (or its owner), e.g. texts stating the purpose(s) for which the data will be used ([*GDPR*]( Art. 5.1.b), or requesting consent ([*GDPR*]( Art. 7.2) “in an intelligible and easily accessible form, using clear and plain language”.
-   a signature of the Verifiers owner, for the purpose of showing compliance with the [*GDPR*]( (e.g. Art 28.3.h), and enabling the Holder’s owner to obtain proof that the Verifiers owner has violated the [*GDPR*](’s minimization principle asked for data for a particular purpose, which can be used in an argument in disputes about data minimization ([*GDPR*]( Art. 5.1.c).
-   (anything else?)

The request message must be designed in such a way that it is extendable as new features will be called for in the future.

In order to make the Verifier component work, a Verifier Policy/Preferences object is created by, or on behalf of the owner, which specifies at least: \[to be elaborated\]

A response to this request (called a Presentation) will be obtained from a Holder component of the peer party. This response will contain a reference to the request, allowing the Verifier to combine them. The Verifier will then check that the data in the response is a credential that it has asked for (correct type/issuer), verify the proofs that are provided (predominantly the digital signature), and do some additional checks (e.g. whether or not the credential has expired, is revoked, and such).

Then, the verifier will send a message to the TVE, containing the transaction-id, the data it has received, and the results of the various checks.

### 3.3.   Holder Component, and its Policy/Preferences

The purpose of the Holder component is to handle Presentation Requests that it receives from Verifier components (both of its own owner, and of other parties), and responding to such requests.

Typically, a Holder component would access its owners Wallet to check if it has a credential that it can use to construct a Presentation (=response) that satisfies the received request.

It may happen that the Wallet does not have such a credential. However, for every (credential, issuer) pair, the request should specify the URI that is capable of issuing such a credential. If or when the Holder Policy/Preferences permits this, the Holder then requests its owner’s TVE to initiate a new transaction that will get the credential from that issuer, for which a clean transaction form would then consist of one that contains said credential. The Holder would then store it in its owner’s Wallet, and then proceed to service the presentation request as if it had obtained that credential from its owner’s Wallet.

It may also happen that the Wallet has multiple credentials that satisfy the request, in which case the Holder must choose the one to use for constructing the presentation. Again, the Holder Policy/Preferences will specify how this choice needs to be made, and whether or not this can be done automatically by the Holder. If not, the Holder will need to provide for an interaction with a human colleague that will make such decisions.

In order to make the Holder component work, a Holder Policy/Preferences object is created by, or on behalf of the owner, which specifies e.g.:

-   whether or not credentials may be collected ‘on the fly’;
-   how to choose between credentials that all satisfy a presentation request (and whether the Holder can make such choices by itself, or whether or not human interaction is required);
-   the kinds of events and data to write to a holder-audit-log.
-   (anything else?)

### 3.4.  Transaction Result Dispatcher and Issuing Policy

The purpose of the TRD component is to state the (various, sometimes intermediary) results of transactions, by collecting data from the Business Data Stores, and creating a set of (related) statements/claims that can subsequently be issued to other parties. A special kind of result is the (provisioning of) a credential that its Owner already has created.

Typically, and at any point in time, parties are capable of expressing statements about entities that they know to exist. They could express statements about individuals, about themselves, the state of transactions, and so on. We will use the term ‘**subject (of a statement of a party)**’ to refer to the entity that this party knows to exist, and about whom/which the statement has been made.

We will use the term ‘**subject-id (of a statement of a party)**’ to refer to the representation that this party has chosen to use for referring to the subject in said statement. A subject-id must have the property of being an identifier within every administrative context that this party uses. It need not be humanly interpretable (and preferably is not).

Parties need to specify the kinds of credentials they are willing to issue, the class of entities (e.g. people, cars, organizations) for which it will issue them, and the information schema (structure) that it will use in credentials of such kinds.<sup>[TRD.1]</sup> This allows the TRD to construct data objects that conform to this information schema, and present it to the Issuer component for actual issuing.

The TRD Issuing Policy specifies the kinds of (linked-)data-objects that credentials may be created for. This allows the TRD to construct such a (linked-)data-objects for every subject-id that identifies a subject of the class for which a credential can be issued, which can subsequently be sent to the Issuer component that can turn it into a credential of a specific sort.

You can think of the TRD as the component that pulls all data together that can be put in a credential (e.g. in a passport), and the Issuer as the component that puts the data in an (empty) passport, and signing it so as to create the actual credential.

The TRD may either push credential data to the Issuer component, so that the Issuer always has up-to-date credentials, or it can wait until the Issuer requests credential data for the creation of a credential of a specific type for a specific subject.


[TRD.1] We assume/stipulate that the party maintains a credential catalogue that contains this, and other information about every kind of credential that it issues, and that such catalogues are available to other parties that want or need to use such credentials.


### 3.5.  Issuer Component, and its Policy/Preferences

The purpose of the Issuer component is to issue ‘credentials’, i.e. digital constructs that contain

-   sets of (related) statements or claims (e.g. as produced by the TRD)
-   metadata (e.g. type of credential, date of issuing and expiration, endpoints, e.g. for revocation checking, credential definition, credential advertisements, credential enforcement policy, etc.)
-   proofs (e.g. a digital signature by which third parties can prove its provenance and integrity.

Another purpose that an Issuer might serve is to provide a means that allows any other agent that somehow has obtained a copy or presentation of a credential, to verify whether or not the data therein is conformant to the business administration of its owner. We will use the term ‘revocation service’ to refer to such means. Whether or not an Issuer provides such a service, and what kind of revocation service is provided (e.g. a revocation list, an online revocation status protocol, etc.), is a decision that its owner should make, and specify in the Issuer Policies/Preferences.

An Issuer component may issue credentials in various formats, e.g. as a Verifiable Credential (VC), an Attribute-Based Credential (ABC), an OpenID Connect/JWT token, etc. The issuing party must specify credential-types in such a way that if the same credential is issued in different formats, it is possible for an arbitrary Verifier to determine whether or not two credentials that have different formats, are in fact the same. One way of doing this is that the Issuer generates an identifier for every credential that it constructs (before expressing it in a specific format).

After the issuer has created a credential (in one or more formats), it checks the wallet to see if it contains a credential of the same type for the same subject. If (one or more formats) are there, and their contents are the same as the newly created credential, the existing ones are revoked, deleted and/or archived/tombstoned.<sup>[Issuer.1]</sup> Then, the newly created credential is added to the wallet (in one or more formats). Thus, at any point in time, the wallet will contain an actual set of all credentials that have been issued.<sup>[Issuer.2]</sup>


[Issuer.1] Tombstoning is a mechanism that is used e.g. in (distributed) ledgers that do not allow for actual deletion, such as blockchains, by marking entries in the ledger as ‘being deleted’ (i.e. adding a ‘tombstone’ to such entries).

[Issuer.2] This allows e.g. individuals, that have an Issuer component in their SSI app, to issue self-signed credentials and provide them to verifiers that request them as usual for non-self-signed credentials.


### 3.6.  Wallet Component, and its Policy/Preferences

The primary purpose of the Wallet Component is to (securely) store data, and in particular:

-   credentials - both those that have been issued by the issuer (i.e. self-signed credentials) and those that have been obtained from issuers of other parties, and
-   (private) keys e.g. for signing/sealing data on behalf of its owner.
-   \[anything else?\]

Other kinds of data may be stored by a wallet as well - we will have to see what is practical and makes sense.

By ‘securely storing data’ we mean that such data

-   remains available until a request is received from an electronic colleague that is entitled to request deletion of such data;
-   remains unchanged during the time in which it is stored;

-   can only become available to electronic colleagues that implement a functionality that requires such access (e.g. a colleague Holder component);
-   can only be stored by electronic colleagues that implement a functionality that require such data to be stored (e.g. a colleague Holder or Issuer component).

It is expected that components other than the Holder and Issuer will (arise and) need access. One example could be a component that is capable of securely signing data on behalf of the owner. Another example could be a component that implements some kind of credential revocation functionality.

Human Beings cannot directly access any Wallet component, not even the ones they own. They need an electronic agent that is capable of authenticating them as (an agent of) the party that owns the Wallet component, and upon successful authentication provides a User Interface through which the Human Being can instruct this electronic agent to manage the Wallet’s contents.

In order to make the Wallet component work, a Wallet Policy/Preferences object is created by, or on behalf of the owner, the contents of which remains to be specified.

## 4.  Initial SSI-Agent Network Architecture

The SSI-Agent Network Architecture has two viewpoints:

1.  the **intra-party or single-party SSI viewpoint**, which focuses on the set of (human and/or electronic) agents of a single, specific party.
2.  the **inter-party or multi-party SSI viewpoint**, which is about specific functional components (e.g. Verifier, Holder, etc.) that typically belong to different parties.

An individual party may use the single-party SSI viewpoint to come to grips with concerns related to the creation and maintenance of its network of its electronic agents. The set of concerns would include:

-   How can electronic components be onboarded as an agents of this party?
-   How can the integrity of such electronic agents be stated in a trustworthy manner (do such components need some kind of accreditation certificate, do we need to come up with a service that can remotely test the integrity of a component and have it issue ephemeral integrity-certificates/credentials, …)?
-   How can the party specify which of its agents may talk with which other agents, and for what purposes?
-   How should a party specify the policies for the various SSI functionalities - what kind of support would be useful here?

Parties that want (their agents) to interact with one another may use the multi-party SSI viewpoint to come to grips with concerns related to the interoperability of the functionalities that their components implement. The set of concerns would include:

-   How can parties interact with one another at the information level (this includes decentralized semantic interoperability issues, advertising credentials, how a party can find other parties that issue credentials that are useful to him, etc.)
-   What kinds of underlying technologies must agents of a party support so as to be(come) interoperable with parties that it wants to interact with?

## 5.  High Level Transaction Flows

This chapter explains at a high level how electronic business transactions are being conducted. This is prerequisite to the explanations in chapter 4, that describe how the eSSIF-Lab architectural components are used in such transactions. For illustrative purposes, we stick to the example of getting a parking permit that we introduced in section 1.1.

### 5.1.  Overview

307 308
![eSSIF-Lab - high level trx overview](../images/high-level-trx-overview.png)
The adjacent figure shows how a transaction is conducted at the highest abstraction level. One party, called the ‘Requester’, sends a request for a product or service to another party (that we will call the ‘Provider’). Then, they start to negotiate a ‘transaction agreement’, which means that they exchange data through various channels for the purpose of establishing the details of the product/service to be provided and the compensation, data needed to mitigate transaction risks, etc., all of which is necessary for the parties to (individually/subjectively) decide whether or not to commit to the transaction. Section 3.2 provides more detail about this phase.
Rieks Joosten's avatar
Rieks Joosten committed
309 310 311 312 313 314 315 316 317 318 319 320 321

After commitment, the producer works to provide the product or service, and the requester arranges the compensation. This phase is entirely up to the business, and hence out of scope of this document.

When all is done, parties may issue a (signed) statement that specifies the results. Section 3.3. provides some more details about this phase.

In the example of the parking permit, a citizen (requester) sends a request to its municipality (provider) for obtaining a parking permit (the product/service). Then, the citizen fills in an online form (and uploads necessary PDFs) to enable the municipality to decide whether or not to produce the requested permit. The eSSIF-lab architecture adds a secondary, electronic channel that allows citizens to fill in the forms by using e.g. an SSI app on their phone. When the form is complete, the municipality decides whether or not to produce and issue the permit, which it can do as usual. It can also issue a credential that states the result of the transaction, i.e. contains the details of the parking permit.

Please note that while transactions are symmetrical in nature (i.e. both requester and provider need data from the other so as to decide whether or not to commit to the transaction), there is an implicit asymmetry in that activities that parties perform are ordered in time, which implies e.g. that the commitment decisions of both parties cannot be done at the same time. Also, in practice, it often happens that a party requires the other party to have executed (and stated) its part of the transaction before it actually commits to the transaction. For example, a provider may require the requester to have paid for the product before it is being shipped out. Consequently, the protocols for exchanging data/credentials will need to support such ‘asynchronous’ ways of working.

### 5.2.  Transaction Negotiation Phase

This phase starts by the requester sending a transaction request to the provider, and ends whenever either one of the parties quits, or both parties commit.

322 323
![eSSIF-Lab - high level trx negotiation](../images/high-level-trx-negotiation.png)
The adjacent figure shows the high-level interactions during this phase. It starts by the requester sending a request for a product or service to the provider. Typically, this would lead to the provider presenting a (web) form the requester must fill in. In the eSSIF-Lab context, the form will also provide a means for setting up a SSI communications channel, i.e. a secure communications channel through which provider and requester can both request and obtain (presentations of) credentials, the contents of which they can use to fill in the form. Then, after the form is ‘clean’, i.e. contains sufficient information for deciding whether or not to commit to the transaction, this phase ends.
Rieks Joosten's avatar
Rieks Joosten committed
324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369

Note that forms may contain fields that are required only in specific circumstances. It may only be possible to assess whether or not such circumstances apply after some (other) fields have been filled in. This means that the phase for requesting credential presentations and responding to such requests may very well consist of multiple requests and associated responses.

In the example of the parking permit, the municipality might ask for a credential that proves the requester is a citizen that is a registered inhabitant of said municipality, a credential stating its residential address, a credential stating the make and license plate of the vehicle for which a parking permit is requested, etc. All this is subject to the policy that the municipality has established for issuing such permits, and hence, it must be expected to differ between municipalities.

An example of conditionally required fields would be when the requester wants the municipality to customize the parking lot, e.g. because the requester has disabilities. Assessing such circumstances depends on the (optional) field where the requester must state any disabilities it has, and when that is the case, the requester may be asked to fill in fields such as whether or not a parking lot has to be customized (painted blue, with a sign stating that it is reserved for the provided license-place, or the kind of charging device if (s)he has an electric vehicle).

Conversely, the citizen might request the (alleged) municipality to provide credentials, e.g. to prove that it is actually an official municipality of the country it is part of. This would provide assurance to the citizen that it would actually be paying the fees to that municipality rather than to e.g. a rogue organization that might have spoofed the website of the municipality.

### 5.3.  Stating Transactions - Issuing Credentials

In the eSSIF-Lab context, we take ‘credential’ to mean any (set of coherent) statement(s) about any (one or more) subject(s) that a single party has issued with proof of provenance (i.e. anyone else can determine the identity of that issuer) and a proof of integrity (i.e. anyone can determine whether or not the content of the credential has been changed/tampered with since it was issued). From this, it follows that any party can issue any kind of credential for any entity that it knows to exist. A credential does not need to be about a person or an organization, but it can also refer to an order, a delivery, a seat-reservation, a prescription, etc.

We foresee two ways in which credentials can be issued:

1.  both the requester and provider may issue credentials to the other party in the process flow that they are in. They can do so for the purpose of stating any (lack of) progress and/or results of the administrative process flow they are in.
    In the example of the parking permit, the municipality may need some time to do some manual checks before it can issue the permit; in this case, it could issue a credential that states that the citizen has requested the parking permit and any other details that might be appropriate. Also, if it can issue the parking permit straight away, it can issue a credential that contains the details of that permit. The requester may issue a credential to the municipality stating the date/time and kind of transaction, judgements or comments about the service that the municipality has provided.
2.  any party may issue a credential upon request. Basically, this means that a party (in the role of requester) issues a request to that other party (in the role of provider) asking for the particular credential. This is just another case of doing transactions, that can be handled just as any other kind of transaction.
    In the example of the parking permit, when a citizen requests a permit, the provider might look for an existing permit prior to issuing a new one (it would have to do such a check during the process anyway), and depending on its business logic it would be providing the credential without further ado, or start the process of issuing a new one.

## 6.  Detailed Transaction Flows

**this section is being constructed now (it is only for the very curious to read...)**

This chapter explains the details of how electronic business transactions are being conducted using the eSSIF-Lab architectural components as described in chapter 2. We keep on using the parking permit example that we introduced in section 1.1. for illustrative purposes.

Note that both parties, requester and provider, each have components as described in chapter 2. Also note that whenever we introduce another party, it too has such components. Thus, every party can play any of the traditional SSI roles ‘verifier’, ‘holder’ and ‘issuer’, and each has its own ‘wallet’ functionality. Also, they all have TVE and TRD functionality that connect these aforementioned infrastructural components with the business applications.

When reading the next sections, please be aware that when a component of one of these parties communicates with another component, this other component may be of the same party, as well as of the other party. Figure 2 only shows components that belong to a single party.

### 6.1.  Starting a Transaction

The requester starts the transaction by pointing his web-browser to a web-page of the provider that (a) explains how to get a parking permit, and (b) provides a parking-permit application form that needs to be filled in. Technically, this means that the browser does a GET request to an endpoint that is serviced by the providers TVE component.

The TVE services this request by creating an empty form of a type appropriate for the request. Then, it continues with requesting data to fill in the form (and providing data as requested by the other party). It starts this by providing a web page that includes the form to be filled in, as well as a deep-link, QR-code or something similar that allows the requester’s browser (plug-in) or SSI-app to contact the provider-endpoint and set up a secure communications channel through which both can communicate electronically. From then on there are two channels between the requester and the provider: one is a traditional (manual) web-browser - web-server channel, the other is one within which the SSI-agent components of various parties will be communicating.

It is a task of the TVE to orchestrate the inputs: different parts of the form may be filled in and subsequently changed in different ways. Some parts

-   are required only after a certain condition is met (which is to be evaluated whenever the data that is entered into the form is changed)
-   must or may initially be filled in manually (i.e.: through the browser);
-   must or may initially be filled in with data from a credential;
-   may be changed manually;
-   may be changed with data from a newly supplied credential.

Because of this orchestration, the interface to the verifier component can be quite simple; it is shown in the image below:

![Generic Verification with SSI service](../images/generic-verification-with-ssi-service.png)
Rieks Joosten's avatar
Rieks Joosten committed
371 372 373 374 375 376 377 378 379

The request identifier is included in messages between the TVE and verifier so as to allow them to handle different transactions at the same time.

We assume that the provider has specified the form and the associated validation- and issuing policies that make the following description work. We refer the reader to section \[tbd\] for an explanation of how the provider can do this.

### 6.2.  Stating a Transaction

[text still needs to be written\]

![Generic Issuing with SSI service](../images/generic-issuing-with-ssi-service.png)