Multiple Identifiers

Why a Single Identifier is Insufficient for the iSHARE Foundation

In the iSHARE Trust Framework, relying on a single identifier for authenticating and onboarding participants is inadequate given the range of organisations that interact in the data ecosystem. The Framework's original reliance on Economic Operators Registration and Identification (EORI) numbers has clear limits: not every organisation holds an EORI number, particularly organisations outside international trade and customs, and EORI numbers are issued only to economic operators registered in the EU, which leaves non-European entities and organisations that work with industry-specific identifiers outside the scheme. Supporting multiple identifiers lowers that barrier to iSHARE participation.

Understanding Multiple Identifiers in the iSHARE Trust Framework

The iSHARE Trust Framework promotes secure and standardised data sharing among trusted partners by supporting multiple identifiers. Each identifier is tied to a role and an implementation process, so identification, authentication and authorisation stay accurate across the data ecosystem and trust in data sharing is maintained. Participants are assigned unique identifiers (such as EORI numbers), and each identifier is bound to a digital certificate so that a participant can prove it owns the identifier it presents. These certificates, together with the authorisation tokens managed by Authorization Registries, define and control access rights and permissions. This layered approach ensures secure and verifiable interactions between iSHARE participants.

Types and Roles of Multiple Identifiers in the iSHARE Trust Framework

  1. Participant Identifiers: Uniquely identify each legal entity within the iSHARE Trust Framework; assigned during registration and stored in a central registry.

  2. User Identifiers: Identify individual users within a participant organisation; they originate in the participant's own user management system and are linked to iSHARE's authentication mechanisms.

  3. Service Identifiers: Distinguish the different services or APIs a participant offers; they are carried in service metadata and used for service discovery and in access requests.

  4. Session Identifiers: Generated dynamically as session tokens or cookies to track user sessions for security and auditing purposes.

  5. Unique Identifiers: Each participant carries one primary identifier (for example an EORI number) that is distinct across the whole iSHARE Trust Framework, so that no two participants can be confused.

Technical Implementation of Multiple Identifiers

  1. Digital Certificates: Issued by a certificate authority the scheme trusts, they bind a participant identifier to a key pair so that the identity a participant presents can be authenticated and validated for secure data exchange.

  2. Tokens: Issued by Authorization Registries to manage and grant specific access rights.

  3. Identification Process: Uses Public Key Infrastructure (PKI) to manage and verify identifiers securely; each participant and service holds its own key pair in the iSHARE Trust Framework.

  4. Authentication Mechanisms: Rely on signed JSON Web Tokens (JWTs), so that the integrity and authenticity of each exchange can be checked against the sender's certificate rather than taken on trust.

  5. Authorisation Workflow: Defines and enforces authorisation policies, using the relevant identifiers to grant permissions to users and services.
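As an added example (not code from the iSHARE project or from this page), the following Go program shows how the pieces above fit together for machine-to-machine authentication: a participant signs a JWT with the private key of its PKI certificate and places the certificate in the x5c header, and the receiving party verifies the signature with that certificate and then checks that the identifier the token speaks for (iss and sub) is the one the certificate carries. The certificate is self-signed and generated on the fly, the EORI values are constructed, and the check that the x5c chain leads to a CA the scheme trusts is left out; the subject serialNumber convention, the iss = sub = client identifier layout and the 30-second lifetime follow iSHARE's client assertion format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed identifiers for this example. iSHARE certificates carry the participant's
// EORI in the subject serialNumber field; the binding check below relies on that.
const (
	clientEORI = "EU.EORI.NL000000001"
	serverEORI = "EU.EORI.NL000000002"
	maxLife    = 30 // seconds: an iSHARE client assertion expires 30 s after iat
	leeway     = 5  // seconds of clock skew tolerated when checking iat
)

// makeCert builds a throwaway self-signed certificate with eori as subject serialNumber.
// A real participant certificate is issued by a CA trusted within the scheme.
func makeCert(eori string) (*rsa.PrivateKey, []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{CommonName: "example participant", SerialNumber: eori},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return key, der
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion produces an RS256 JWT shaped like an iSHARE client assertion: iss = sub =
// the client's identifier, aud = the server's identifier, signing certificate in x5c.
func SignAssertion(key *rsa.PrivateKey, certDER []byte, iss, aud string, now time.Time) string {
	hdr, _ := json.Marshal(map[string]any{"alg": "RS256", "typ": "JWT",
		"x5c": []string{base64.StdEncoding.EncodeToString(certDER)}})
	claims, _ := json.Marshal(map[string]any{"iss": iss, "sub": iss, "aud": aud,
		"jti": fmt.Sprint(now.UnixNano()), "iat": now.Unix(), "exp": now.Unix() + maxLife})
	input := b64url(hdr) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { panic(err) }
	return input + "." + b64url(sig)
}

// VerifyAssertion verifies the signature with the key from x5c, then the identifier binding:
// iss and sub must equal the certificate's subject serialNumber. It returns the verified
// participant identifier. Validating x5c against the scheme's trusted CAs is not shown.
func VerifyAssertion(token, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string; X5c []string }
	var claims struct{ Iss, Sub, Aud string; Iat, Exp int64 }
	rawHdr, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawClaims, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil ||
		json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawClaims, &claims) != nil {
		return "", fmt.Errorf("undecodable token")
	}
	if hdr.Alg != "RS256" || len(hdr.X5c) == 0 { // refuse alg=none, HS256 and keyless tokens
		return "", fmt.Errorf("unsupported header")
	}
	certDER, _ := base64.StdEncoding.DecodeString(hdr.X5c[0])
	cert, err := x509.ParseCertificate(certDER) // fails on an undecodable or malformed x5c entry
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("bad signature or non-RSA key")
	}
	// The token may only speak for the identifier its certificate carries, and only to its audience.
	if claims.Iss != claims.Sub || claims.Iss != cert.Subject.SerialNumber || claims.Aud != expectedAud {
		return "", fmt.Errorf("iss/sub %q, certificate subject %q, aud %q: binding failed", claims.Iss, cert.Subject.SerialNumber, claims.Aud)
	}
	if t := now.Unix(); claims.Iat > t+leeway || t >= claims.Exp || claims.Exp-claims.Iat > maxLife {
		return "", fmt.Errorf("token outside its validity window")
	}
	return claims.Iss, nil
}

func main() {
	key, der := makeCert(clientEORI)
	tok := SignAssertion(key, der, clientEORI, serverEORI, time.Now())
	fmt.Println(VerifyAssertion(tok, serverEORI, time.Now()))
}
```

A valid signature on its own only proves that the sender holds some certificate; the serialNumber comparison is what ties the identifier in the token to the certificate the scheme vouches for, and the audience and lifetime checks stop a captured assertion from being replayed elsewhere or later.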

Advantages of Using Multiple Identifiers

  1. Enhanced Security: Only verified participants can access services, which reduces unauthorised access and simplifies security policy management.

  2. Scalability: Supports the efficient management of a growing number of participants and services.

  3. Interoperability: Consistent identifiers across the iSHARE Trust Framework ensure seamless interaction between diverse systems and services.

  4. Auditability: Every action can be traced to the identifiers involved, giving detailed logs that support compliance with regulatory requirements.

Role of Decentralised Identifiers (DIDs) in Managing Multiple Identifiers

Decentralised Identifiers (DIDs) are identifiers that their subject creates and controls without relying on a central authority. In the iSHARE Trust Framework, DIDs let participants create and control their own identifiers, enhancing privacy and security. This includes:

  1. Flexibility: Data Space Authorities can select suitable identifiers for participants with a preference for DID methods.

  2. Unique IDs: Each participant receives a unique iSHARE-ID in the form of a Decentralised Identifier (DID).

  3. PKI Integration: The iSHARE-ID is derived from a participant’s PKI certificate, ensuring secure and verifiable identification.

  4. Alignment with Global Standards: DIDs support global initiatives like GAIA-X, IDS, and EBSI, improving inclusivity and secure data exchange.

Role of iSHARE ID in the DID Method

The iSHARE ID is a unique identifier assigned to each participant within the iSHARE Trust Framework for secure and interoperable data sharing across various data spaces. This identifier is provided in the form of a Decentralised Identifier (DID) and is derived from a participant’s Public Key Infrastructure (PKI) certificate, ensuring data sharing among participants is secure and authenticated. Here’s how it works:

  1. DID Format: The iSHARE ID uses the DID format, which ensures that identifiers can be easily resolved and verified across various systems and data spaces.

  2. Unique Identification: Each iSHARE ID is derived from a participant's PKI certificate, ensuring that each identifier is securely tied to a verifiable digital certificate.

  3. Interoperability: DIDs enable iSHARE IDs to interact seamlessly with other DID-based identification systems, allowing engagement across multiple data spaces without compatibility issues.

  4. Multiple Identifiers: DIDs support multiple identifier formats within a single DID document. This means that, in addition to the iSHARE ID, other identifiers such as industry-specific or self-defined identifiers can also be included.

  5. Verifiability: Since the iSHARE ID is derived from a PKI certificate, it can be programmatically verified, ensuring trust and security in the participant's identity.
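The DID document side of this, as an added example that is not part of the page or of the iSHARE specifications: a small registry in Go that indexes each participant's DID together with the alternative identifiers its DID document lists under alsoKnownAs (the DID Core property for other identifiers of the same subject), and resolves any of them back to the DID. The did:example method, the document layout beyond id and alsoKnownAs, and the EORI and GLN-style identifier strings are assumptions for illustration; the page does not specify iSHARE's DID method or document contents. Because alsoKnownAs is asserted by the document's own controller, the registry refuses to resolve an identifier that two documents claim instead of silently returning one of them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// didSyntax is a simplified form of the W3C DID Core generic syntax:
// did:<method>:<method-specific-id>.
var didSyntax = regexp.MustCompile(`^did:[a-z0-9]+:[A-Za-z0-9._:%-]+$`)

// DIDDocument keeps the two DID Core properties this example needs: the DID itself and
// alsoKnownAs, the other identifiers the controller asserts refer to the same subject.
type DIDDocument struct {
	ID          string   `json:"id"`
	AlsoKnownAs []string `json:"alsoKnownAs"`
}

// Registry maps every identifier (the DID and each alsoKnownAs entry) to the DIDs that
// claim it. Only the registry operator, such as a data space authority, should add documents.
type Registry struct{ claims map[string][]string }

func NewRegistry() *Registry { return &Registry{claims: map[string][]string{}} }

// Add parses and validates a DID document, then indexes all of its identifiers.
func (r *Registry) Add(docJSON []byte) (*DIDDocument, error) {
	var doc DIDDocument
	if err := json.Unmarshal(docJSON, &doc); err != nil {
		return nil, err
	}
	if !didSyntax.MatchString(doc.ID) {
		return nil, fmt.Errorf("%q is not a syntactically valid DID", doc.ID)
	}
	for _, alias := range append([]string{doc.ID}, doc.AlsoKnownAs...) {
		r.claims[alias] = append(r.claims[alias], doc.ID)
	}
	return &doc, nil
}

// Resolve maps any known identifier (DID, EORI, industry-specific ID) to the single DID it
// belongs to. alsoKnownAs is self-asserted, so an alias claimed by more than one document
// is a conflict to refuse, not a tie to break.
func (r *Registry) Resolve(identifier string) (string, error) {
	dids := r.claims[identifier]
	switch len(dids) {
	case 0:
		return "", fmt.Errorf("unknown identifier %q", identifier)
	case 1:
		return dids[0], nil
	default:
		return "", fmt.Errorf("identifier %q is claimed by %d participants: %v", identifier, len(dids), dids)
	}
}

// Constructed sample documents; the DID method and identifier formats are illustrative.
// The third document claims participant A's EORI as its own.
var sampleDocs = []string{
	`{"id":"did:example:participant-a","alsoKnownAs":["EU.EORI.NL000000001","urn:example:gln:8712345678906"]}`,
	`{"id":"did:example:participant-b","alsoKnownAs":["EU.EORI.NL000000002"]}`,
	`{"id":"did:example:squatter","alsoKnownAs":["EU.EORI.NL000000001"]}`,
}

func main() {
	reg := NewRegistry()
	for _, d := range sampleDocs {
		if _, err := reg.Add([]byte(d)); err != nil {
			panic(err)
		}
	}
	for _, id := range []string{"urn:example:gln:8712345678906", "EU.EORI.NL000000002", "EU.EORI.NL000000001"} {
		did, err := reg.Resolve(id)
		fmt.Println(id, "->", did, err)
	}
}
```

In practice the registry operator would also require proof of control of each alias (for instance the EORI in a participant's certificate subject) before indexing it, so that a conflict like the one above is caught at onboarding rather than at resolution time.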

Updates Introduced by RFC031 in the iSHARE Trust Framework

  1. Alternative Identifiers: The framework now supports multiple identifiers beyond the EORI number, reducing participation barriers.

  2. iSHARE-ID: Each participant receives a unique iSHARE-ID in the form of a Decentralised Identifier (DID), derived from their PKI certificate for secure identification.

  3. Interoperability: DIDs enable seamless interaction with other DID-based systems, enhancing interoperability across data spaces.

  4. Multiple Identifier Support: Participants can include multiple identifiers within a single DID document, allowing broader recognition.

  5. Enhanced Cryptographic Methods: The framework incorporates advanced cryptographic techniques for improved security.

  6. Support for Decentralised Identifiers: Integrating DIDs reduces reliance on central authorities, increasing security.
