Glossary
Last updated
DISCLAIMER: all descriptions are definitions written by iSHARE, unless specified otherwise
Accountability can be described as being liable or answerable for the completion of a certain task. Someone or something who is accountable oversees and manages the stakeholder(s) who are responsible for performing the work effort. In order to be effective, accountability should lie with a sole entity or role.
Responsibility may be delegated, but accountability cannot.
An API (Application Programming Interface) is a technical interface, consisting of a set of protocols and data structuring standards ('API specifications') which enables computer systems to directly communicate with each other. Data or services can be directly requested from a server by adhering to the protocols. APIs are used to hide the full complexity of software and make it easy for third parties to use parts of software or data services. APIs are mainly meant for developers to make the creation of new applications depending on other applications easier.
Authentication is the process of determining or validating whether someone or something is, in fact, who or what it is claiming to be. There are several means of authenticating the identity of an entity, which can be used alone or in combination:
Something the entity knows – examples include a password, PIN, passphrase, or answer to a secret question;
Something the entity possesses – examples include electronic keycard, smartcard, token, and smartphone;
Something the entity is (biometrics) – examples include recognition by fingerprint, retina, iris, and face;
Something the entity does (behavioral dynamics) – examples include recognition by voice pattern, swipe characteristics, handwriting characteristics, and typing rhythm;
Something about the context of the entity – examples include IP address, device type, geolocation, and time of day.
In the context of information security, authenticity refers to the genuineness of information: that it was in fact sent or created by the sender it claims to come from.
The Authorization Registry:
Web servers can temporarily store data in order to serve it faster on later requests; this is called 'caching'.
A Certificate Authority (CA) is:
An entity that issues digital certificates;
A trusted party, and;
Responsible for the binding to a specific entity of the certificate (registration & issuance).
A digital certificate certifies the ownership of a public key by the named subject of the certificate, so other parties can rely upon signatures or assertions made with the private key that corresponds to the certified public key.
A Registration Authority verifies the identity of entities requesting digital certificates to be issued by the CA and validates the correctness of the registration.
A Validation Authority verifies the validity of digital certificates on behalf of the CA.
In the context of information security, confidentiality refers to the protection of information from disclosure to unauthorized parties.
Confidentiality can be achieved by the use of cryptography, as well as access control: an encrypted message can only be read by parties holding the right key, i.e. the legitimate sender and recipient.
The best-known example of credentials is a password, but other forms include electronic keycards, biometrics and, for machines, public key certificates.
Clustering data in categories does not only simplify the authorization process (i.e. giving someone or something permission to data), it also provides a clear overview and lowers the risk of exchanging sensitive data with unauthorized entities. A risk analysis is part of the data classification process.
Data exchange is the process of supplying data and receiving (an)other (set of) data in return.
A data space is an ecosystem or soft infrastructure where data can be shared between trusted partners who adhere to the same standards and guidelines. In the context of the iSHARE Trust Framework, a data space can have a single or multiple Participant Registries that operate and work together.
Delegation is the act of empowering someone or something to act for another or to represent other(s).
eIDAS is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. The regulation covers key aspects of electronic transactions, such as qualified electronic certificates.
Encryption is the process of converting data from plaintext to ciphertext. Plaintext (also called cleartext) represents data in its original (readable) format, whereas ciphertext (also called cryptogram) represents data in encrypted (unreadable) format.
Decryption is the process of converting data from ciphertext to plaintext.
The algorithm is the (typically mathematical) function used in the encryption and decryption process.
A cryptographic key is the input that controls the operation of the cryptographic algorithm. With symmetric encryption the same key is used for encryption and decryption, whereas with asymmetric encryption two different but mathematically related keys are used, one for encryption and the other for decryption: a so-called public key and private key.
A crypto system represents the entire cryptographic environment, including hardware, software, keys, algorithms and procedures.
The Human Service Consumer is not a separate role, but belongs to the Adhering Party Service Consumer.
The Identity Provider:
Issues credentials to Human Service Consumers;
Checks on the basis of the provided credentials and the registered permission(s) whether a Human Service Consumer is authorized to take delivery of the requested service, and;
Possibly provides other information (frequently referred to as attributes) about the user that is known to the Identity Provider.
Password authentication;
Hardware-based authentication (e.g. smartcard, token);
Biometric authentication;
Attribute-based authentication.
In the context of information security, integrity refers to the protection of information from being modified by unauthorized parties.
Integrity can be achieved by, among others, hash functions (hashing the received data and comparing it with the hash of the original message); the message the recipient receives from the sender can thus be shown not to have been changed during transmission, provided the reference hash itself is obtained through a trusted channel or is digitally signed.
iSHARE ID enables identity interoperability and discoverability of participants across multiple data ecosystems which can be verified.
The iSHARE network or ecosystem is the collection of participants, Data Space Governance Bodies and data spaces that are established, maintained and governed in accordance with the iSHARE Trust Framework: the complete decentralised trust ecosystem that is established using the iSHARE Trust Standard for data sharing.
JSON is short for 'JavaScript Object Notation' and is an open standard data format that does not depend on a specific programming language. This compact data format makes use of human-readable (easy to read) text to exchange data objects (structured data) between applications and for data storage.
JSON is most commonly used for asynchronous communication between browsers and servers.
The Machine Service Consumer is not a separate role, but it belongs to the Adhering Party Service Consumer (role).
In the context of information security, non-repudiation (Dutch 'onweerlegbaarheid') refers to the fact that the sending (or broadcast) and receipt of the message cannot be denied by either of the involved parties (sender and recipient).
OAuth specifies a method for resource owners to authorize third-party access to their resources without sharing their credentials (username, password). Authorization servers (of the platform) issue access tokens to third-party clients (applications or websites) with the approval of the resource owner (= end user). The third-party client needs the access token to get access to the resources that are stored on the resource server (of the master system).
The OIN format is used to uniquely identify organisations. OIN stands for Organization Identifying Number. An OIN consists of the following concatenated elements:
An 8-digit prefix that tells the register where the number is defined (e.g. Chamber of Commerce, RSIN etc.)
A number whose value depends on the register
A Party ID is typically a unique identifier issued to a natural person or legal person. A data space may require one or more such identifiers during onboarding a participant. A data space may even define its own identifier. The Party ID facilitates the accurate identification and authentication of the relevant entity.
A PKI is a system for distribution and management of digital keys and certificates, which enables secure authentication of parties interacting with each other.
Generally, three different methods exist for creating trust within PKIs: 'Certificate Authorities', 'Web of Trust' and 'Simple PKI'. Within iSHARE the Certificate Authority approach is used, and as such the other methods are not discussed.
Role-Based Access Control. Assigning authorizations through business roles. An RBAC role represents a set of tasks or activities translated into authorizations, reflecting one or more of the following:
Organisational structure
Business processes
Policies (rules)
RBAC authorizations can either give access to the front door of the information system or can be translated to access rights within the information system (often through application roles or groups).
Responsibility can be described as tasked with getting the job done. Someone or something who is responsible performs the actual work effort to meet a stated objective.
Responsibility may be delegated, but accountability cannot.
A scheme can be defined as a collaborative effort to establish and maintain a set of agreements, to achieve a common goal. The iSHARE Scheme is also known as the iSHARE Trust Framework.
The Scheme Owner represents the body that governs the iSHARE Trust Framework and its participants.
Something that serves as a verifiable representation of some fact, e.g. an identity or entitlement.
Zero Trust is a principle by which trust is not automatically assumed based on a participant's presence within a network but is verified at the time of use. Trust can be evaluated using credentials or dynamically verified trust criteria, ensuring each interaction is authenticated based on current, context-sensitive information. Zero Trust principles are rooted in the iSHARE Trust Framework and its components, like the Participant Registry.
ABAC (Attribute-Based Access Control) is assigning authorizations based on attributes (contextual pieces of information that are relevant to an access decision, such as device type, role, time, location, or level). The attributes can be associated with all entities that are involved with certain actions, such as the subject, the object, the action itself and the context (e.g. time, location). The attributes are compared with policies to decide which actions are allowed in which context, granting access based on the policy outcomes.
There is a clear distinction between accountability and responsibility.
An iSHARE Adhering Party adheres to the iSHARE Trust Framework. An iSHARE Adhering Party MUST sign an Accession Agreement with the .
Authenticity can be achieved by digitally signing a message with the private key of the sender. The recipient can verify the digital signature with the matching public key. Certificates binding a public key to its holder are issued by a Certificate Authority.
Authorization is the process of giving someone or something permission to do something, for example to access services, data or other functionalities. Authorization is enabled by authentication: policies and attributes then determine what types of activities are permitted for an entity.
Manages records of and of and/or ;
Checks on the basis of the registered permission(s) whether a Service Consumer is authorized to take delivery of the requested service, and;
Confirms the established powers towards the Service Provider.
Within the iSHARE Scheme, the term always refers to an external Authorization Registry (not part of the or ).
The Authorization Registry is a role for which iSHARE is REQUIRED.
Roles for which certification is required facilitate certain functions for the iSHARE Scheme that every party within iSHARE must be able to rely upon. An iSHARE Certified Party MUST apply to the for certification and, after providing sufficient proof, MUST sign a certification agreement with the .
In the context of information security, credentials are used to control the access of someone or something to something, for example to services, data or other functionalities. The right credentials validate (i.e. authenticate) the identity claimed during identification.
CRUD (acronym for Create, Read, Update, Delete) denotes the basic functions on stored data. In computer programming, possible actions are often mapped to these standard CRUD functions to clarify what they do. For example, the HTTP methods GET and POST correspond to the Read and Create functions on stored data.
The classification of data in categories is an important prerequisite for proper authorization. Data can be classified in categories defining their type, location, sensitivity and protection level.
The Data owner is the legal person for the , , and accurate reporting of data.
The Data Owner can be the . In this case, he is not only accountable for the availability of data, but also .
The Data Space Governance Body is an entity that is the main representative of a data space and responsible for the including the defining, evolving & maintaining and governing of participant lifecycle processes.
In the iSHARE network, a delegated Service Consumer acts on behalf of an Entitled Party.
The Entitled Party is the legal entity that has one or more rights to something, e.g. to data at a Service Provider that it has a legal agreement with. The Entitled Party is either the same entity as the Service Consumer, or delegates its rights to another Service Consumer. In the latter case, this other Service Consumer (its machines and humans) can consume services on the Entitled Party's behalf.
The Entitled Party is a role for which iSHARE is REQUIRED.
HTTP stands for 'Hypertext Transfer Protocol'; when secured via TLS (or its deprecated predecessor SSL) it is referred to as HTTPS (HTTP Secure). It is a protocol for (secure) communication over a computer network and is widely used on the Internet.
The Human Service Consumer is a role that represents a human (person) who requests, receives, and uses certain services, such as data, from a Service Provider on behalf of and authorized by the .
Identification is the process of someone or something claiming an identity by presenting characteristics called identity attributes. Such attributes include a name, user name, e-mail address, etc. The claimed identity can be validated (i.e. authenticated) with the right credentials.
If multiple distinct data spaces exist where each data set is protected under a distinct trust domain, multiple Identity Providers may be needed. Moreover, the iSHARE Scheme may require different Identity Providers for specific data and may wish to designate specific Identity Providers for specific services.
In order to support multiple Identity Providers (possibly with multiple rules) and Service Providers, an Identity Broker is required. An Identity Broker allows users to select the Identity Provider they prefer to authenticate themselves at. It removes the need for a direct relationship between all Service Providers and all Identity Providers.
The Identity Broker is a role for which iSHARE is REQUIRED.
Provides identifiers for Human Service Consumers;
Manages records of of the ;
Identifies and authenticates Human Service Consumers based on the provided credentials, and;
Confirms the established powers towards the Service Provider.
In the iSHARE environment an Identity Provider could support various methods of authentication, such as:
Depending on parameters such as the quality of the registration process, quality of credentials, use of biometrics or multiple authentication factors and information security, an Identity Provider can provide a client with high or low confidence in the claimed identity of the user known to the Identity Provider. This is also known as the level of assurance.
The Identity Provider is a role for which iSHARE is REQUIRED.
An iSHARE ID is a Decentralized Identifier (DID) derived from the existing and pre-validated (by a Trust Service Provider) identifier of a party. All Participant Registries must derive and register an iSHARE ID for each participant they onboard. An iSHARE ID is typically derived from a PKI certificate or from a signed token from a certified Identity Provider. Please refer to for the iSHARE DID method specifications.
A JSON Web Token (JWT) is used when verifiable data exchange between parties is required. A statement, of which the data is encoded in JSON, is digitally signed to protect the integrity and authenticity of the statement.
Within online authentication, depending on the authentication protocol used, the server is to some extent assured of the client's identity. Depending on parameters such as the quality of the registration process, quality of credentials, use of biometrics or multiple authentication factors and information security, an authentication protocol can provide a server with high or low confidence in the claimed identity of the client. For low-interest services, a low level of assurance might be sufficient, while for sensitive data it is essential that a server is confident that the client's claimed identity is valid.
The Machine Service Consumer is a role that represents a machine that requests, receives, and uses certain services, such as data, from a Service Provider (role) on behalf of and authorized by the .
Non-repudiation is closely related to authenticity and can be achieved by digital signatures in combination with message tracking.
OAuth is an open standard for authorization which is used by e.g. Google, Facebook, Microsoft and Twitter to let their users share information about their accounts with other applications or websites. OAuth is designed to work with HTTP. Within iSHARE, a modified version of OAuth 2.0 is used.
Through OAuth, users can authorize third-party applications or websites to access their account information on other 'master' systems without having to share with them their credentials for logging in to the platform. OAuth provides 'secure delegated access' to resources (email accounts, picture accounts, etc.) on behalf of the resource owner.
OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2.0 protocol, which is an authorization framework. The OIDC authentication layer allows clients to verify the identity of their end-users and to obtain basic profile information about them.
The authentication is performed by the authorization server (which manages the access rights and conditions) in an interoperable and REST-like manner. Within iSHARE, OpenID Connect 1.0 is used.
The Participant Administrator is an entity, delegated by the data space, that is responsible for assessing, certifying and admitting new parties to the data space. This role is not and is defined by the data space.
The Participant Registry ensures smooth onboarding and membership management in a data space. All participants within the Data Space/iSHARE network will be explicitly linked to the Participant Registry responsible for their admission. The Participant Registry is a certified party and can also be the for the data space. The Participant Registry plays a fundamental role in any iSHARE use case. As part of the , parties will need to register themselves as with a Participant Registry. They will also need to consult the Participant Registry to check whether their counterparty is adherent or certified.
The iSHARE ID serves as a specific type of Party ID enabling interoperability of identity across various data ecosystems in a verifiable and trusted manner.
Policy Decision Point. Entity that evaluates access requests received from the policy enforcement point (PEP). Subsequently, an answer (permit or deny) is sent back to the PEP.
Policy Enforcement Point. Entity that intercepts access requests and enforces whether an action is permitted or not. It forwards each access request to the policy decision point (PDP) and acts on the decision.
Policy Information Point. Entity that holds policy information and is contacted as a source of information regarding / information.
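The three components above, together with the RBAC and ABAC entries, describe a pattern rather than a specific product. The following is an added example, not iSHARE's own code: a PEP that asks a PDP, which looks up subject and resource attributes in an in-memory PIP and evaluates two policies, one purely role-based and one attribute-based (organisation match, data classification, time of day). All subject names, organisations, resources and attribute values are constructed for the example.

```go
// Added example (not iSHARE's own code): PEP, PDP and PIP as three small components,
// with one role-based and one attribute-based policy. All names and data are constructed.
package main

import (
	"fmt"
	"time"
)

// Attributes are the contextual facts a policy is written against.
type Attributes map[string]string

// Request is what the PEP intercepts: who wants to do what to which resource, and when.
type Request struct {
	Subject, Action, Resource string
	At                        time.Time
}

// PIP is the source of attribute information about subjects and resources.
type PIP struct {
	Subjects, Resources map[string]Attributes
}

// Policy is one rule; Permit returns true when the rule grants the request.
type Policy struct {
	Name   string
	Permit func(sub, res Attributes, action string, ctx Attributes) bool
}

// PDP evaluates a request against its policies using attributes from the PIP.
// Anything no policy permits is denied (default deny).
type PDP struct {
	Policies []Policy
	Info     *PIP
}

func (p *PDP) Decide(r Request) (permit bool, reason string) {
	sub, ok := p.Info.Subjects[r.Subject]
	if !ok {
		return false, "unknown subject"
	}
	res, ok := p.Info.Resources[r.Resource]
	if !ok {
		return false, "unknown resource"
	}
	ctx := Attributes{"hour": fmt.Sprintf("%02d", r.At.UTC().Hour())}
	for _, pol := range p.Policies {
		if pol.Permit(sub, res, r.Action, ctx) {
			return true, "permitted by " + pol.Name
		}
	}
	return false, "no policy permits this request"
}

// PEP sits in front of the protected service; it asks the PDP and enforces the answer.
type PEP struct{ Decider *PDP }

func (e PEP) Authorize(r Request) error {
	if ok, why := e.Decider.Decide(r); !ok {
		return fmt.Errorf("%s %s %s denied: %s", r.Subject, r.Action, r.Resource, why)
	}
	return nil
}

// BuildPDP wires a constructed PIP to two policies. The first is an RBAC rule: the
// role alone decides. The second is ABAC: it also compares subject, resource and
// context attributes (organisation, data classification, time of day).
func BuildPDP() *PDP {
	pip := &PIP{
		Subjects: map[string]Attributes{
			"alice": {"role": "planner", "org": "ShipperA"},
			"bob":   {"role": "auditor", "org": "ShipperA"},
			"eve":   {"role": "planner", "org": "ShipperB"},
		},
		Resources: map[string]Attributes{
			"orders":   {"owner": "ShipperA", "classification": "internal"},
			"invoices": {"owner": "ShipperA", "classification": "confidential"},
		},
	}
	rbac := Policy{"auditors-read", func(sub, _ Attributes, action string, _ Attributes) bool {
		return sub["role"] == "auditor" && action == "read"
	}}
	abac := Policy{"planners-own-org-office-hours", func(sub, res Attributes, action string, ctx Attributes) bool {
		return sub["role"] == "planner" && sub["org"] == res["owner"] &&
			res["classification"] != "confidential" &&
			ctx["hour"] >= "08" && ctx["hour"] < "18" &&
			(action == "read" || action == "update")
	}}
	return &PDP{Policies: []Policy{rbac, abac}, Info: pip}
}

func main() {
	pep := PEP{Decider: BuildPDP()}
	day := time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC)
	night := day.Add(12 * time.Hour)
	fmt.Println(pep.Authorize(Request{"alice", "read", "orders", day}))     // permitted (ABAC)
	fmt.Println(pep.Authorize(Request{"alice", "read", "invoices", day}))   // denied: confidential
	fmt.Println(pep.Authorize(Request{"eve", "read", "orders", day}))       // denied: other organisation
	fmt.Println(pep.Authorize(Request{"alice", "update", "orders", night})) // denied: outside office hours
	fmt.Println(pep.Authorize(Request{"bob", "read", "invoices", night}))   // permitted (RBAC)
}
```

Note that the RBAC rule grants "read" to every auditor regardless of organisation or time; that is exactly the kind of coarse decision the ABAC entry is meant to refine, and in a real deployment the role rule would itself be given attribute conditions.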
A PKI can be considered as a chain of certificates. At the beginning of the chain is the root Certificate Authority (CA), a publicly trusted party which is allowed to digitally sign its own certificate (a self-signed certificate, SSC). This root CA issues certificates to organisations; each certificate is signed by the root CA as proof that the holder of the certificate is trusted. If allowed by their root, these organisations can in turn issue certificates: they become (intermediate) CAs, and as such sign the certificates that they issue. Repeating these steps, a chain of certificates is created, with each certificate signed by the CA that issued it.
Parties need to trust a certificate for authentication purposes. Instead of trusting individual certificates of organisations, root certificates can be trusted. By trusting a root, all certificates that have that root at the top of their PKI chain are automatically trusted. Most large root CAs are trusted by default within web browsers, enabling computers to safely interact with most web servers.
A PKI root is another term for root certificate, a self-signed public key certificate that identifies the root Certificate Authority, the party trusted by all members in the trust framework. The most common type of PKI certificate is based on the X.509 standard and normally includes the digital signature of the Certificate Authority. The Certificate Authority issues digital certificates to all members in the trust framework.
There is a clear distinction between responsibility and accountability.
REST stands for 'Representational State Transfer' and is an architectural style for building systems and services; systems adhering to this architectural style are commonly referred to as 'RESTful systems'. REST itself is not a formal standard, but an architecture that applies various common technical standards such as HTTP, JSON and URI.
A RESTful API indicates that the API architecture follows the REST 'constraints'. Constraints restrict the way that servers respond to and process client requests, in order to preserve the design goals intended by applying REST. Goals of REST are, among others, performance and scalability. Both are of utmost importance in iSHARE.
iSHARE is a scheme with . Other schemes include credit card schemes such as MasterCard and Visa, payment scheme iDEAL and identity scheme eHerkenning.
The Service Consumer is the legal entity that consumes the Service Provider's service on the basis of the Entitled Party's rights to that service. It can do so because the Service Consumer is either the same legal entity as the Entitled Party (i.e. it already has these rights), or because the Entitled Party has delegated rights to the Service Consumer.
The Service Consumer interacts with the Service Provider in the form of a Human Service Consumer or a Machine Service Consumer.
The Service Consumer is a role for which iSHARE is REQUIRED.
The Service Provider is a role that provides certain services, such as data, to a Service Consumer. In case the service pertains to data provisioning, the Service Provider is either the Data Owner, or has explicit consent of the Data Owner to provide the services.
The Service Provider is for the availability of services, and for these services if it is also the Data Owner.
The Service Provider is a role for which iSHARE is REQUIRED.
Service provision is the act of providing or supplying something for consumption or use. One of the most common forms of service provision is the .
Signing is the process of computing a digital signature over data (message, document, transaction) with the private key of the sender. It enables a receiver to confirm the authenticity of the data. Signing also provides for non-repudiation, so that it is ensured that a sender cannot deny having sent a message.
In most cases, a hash of the data is signed rather than the data itself. Thus, both the authenticity and the integrity of the data can be verified. Verification takes place by the receiver using the public key of the sender. The public key is contained in the digital certificate that the sender sends along with the signed data. The association of the key pair with the sender MUST be assured by a Certificate Authority.
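The signing procedure just described, applied to the JSON Web Token entry above, is shown in the following added example (not iSHARE's own code, and not iSHARE's JWT profile): a statement with standard claims is encoded as JSON, the two base64url segments are hashed with SHA-256 and signed with the sender's RSA private key (RS256), and the receiver verifies the signature with the public key before it checks the claims. The issuer, subject and audience values are constructed and the key pair is generated at run time; in iSHARE the public key would come from the sender's certificate rather than from a key handed over directly.

```go
// Added example (not iSHARE's own code): a JWT signed with RS256 and the checks a
// relying party performs before trusting it. Claim values are constructed.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the statement carried in the token (RFC 7519 registered claim names).
type Claims struct {
	Iss string `json:"iss"` // who signed it
	Sub string `json:"sub"` // whom it is about
	Aud string `json:"aud"` // who may accept it
	Iat int64  `json:"iat"` // issued at (unix seconds)
	Exp int64  `json:"exp"` // expiry (unix seconds)
}

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

// Sign builds header.payload.signature; the signature is RSASSA-PKCS1-v1_5 over the
// SHA-256 hash of the first two segments, made with the sender's private key.
func Sign(c Claims, key *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks the token with the sender's public key and then the claims.
// The expected algorithm is pinned by the verifier, never taken from the token.
func Verify(token string, pub *rsa.PublicKey, expectedAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	// Signature first: it covers integrity and authenticity of header and payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("signature does not verify")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	// Claims next: a valid signature on a stale or misdirected token is still a reject.
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	if c.Aud != expectedAud {
		return c, fmt.Errorf("token is for %q, not for us", c.Aud)
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	claims := Claims{Iss: "party-a", Sub: "party-a", Aud: "party-b", Iat: now.Unix(), Exp: now.Add(30 * time.Second).Unix()}
	tok, _ := Sign(claims, key)
	fmt.Println(tok)
	fmt.Println(Verify(tok, &key.PublicKey, "party-b", now)) // accepted
	fmt.Println(Verify(tok, &key.PublicKey, "party-c", now)) // rejected: wrong audience
}
```

Pinning the algorithm on the verifier side matters: a token that names "none" or an HMAC algorithm in its header must be refused, otherwise the public key (or no key at all) becomes sufficient to forge a signature.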
After a client sends a request to a server, the server responds with (among other things) a status code which indicates the outcome of the request. A well-known response is 404 Not Found, indicating that the requested location or resource does not exist (or not yet).
In the context of the iSHARE Trust Framework, System Services are delivered through systems like APIs, portals or IoT devices. The service levels for Availability and Performance apply mainly to providers of system services, irrespective of their role. Thus organisations providing only business services are exempt from these service level requirements (like and ).
TLS (Transport Layer Security) is a cryptographic protocol that provides secure communication over computer networks. It is widely used by a variety of applications such as web browsing, email and voice-over-IP. HTTP secured with TLS is HTTPS. Securing communication with TLS v1.2 is mandatory for all iSHARE communication.
Within iSHARE, tokens are issued after a request completes successfully and are then presented with the next request. For example, to access a certain service, an access token is first required. Once this access token has been received, it can be used to request the service itself.
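The two-step exchange described in the Token and OAuth entries (first obtain an access token from the authorization server, then present it to the resource server) is shown below as an added example. It is not iSHARE's own code and not iSHARE's modified OAuth profile: it is a plain OAuth 2.0 client-credentials grant with an opaque bearer token, run over two loopback HTTP servers. The client identifier, client secret, endpoint paths and the order data returned by the resource server are all constructed for the example; the token store shared between the two servers stands in for the token introspection or signed-token validation a real resource server would do.

```go
// Added example (not iSHARE's own code): an OAuth 2.0 client-credentials exchange.
// Client credentials, endpoints and resource data are constructed.
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// tokenStore is shared by the authorization server (issuer) and the resource
// server (verifier). Tokens are opaque random strings with an expiry.
type tokenStore struct {
	mu     sync.Mutex
	tokens map[string]time.Time
}

func newStore() *tokenStore { return &tokenStore{tokens: map[string]time.Time{}} }

func (s *tokenStore) issue(ttl time.Duration) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = time.Now().Add(ttl)
	return tok
}

func (s *tokenStore) valid(tok string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.tokens[tok]
	return ok && time.Now().Before(exp)
}

// AuthorizationServer handles POST /token: it authenticates the client (HTTP Basic,
// compared in constant time) and issues a short-lived bearer access token.
func AuthorizationServer(store *tokenStore, clientID, clientSecret string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if r.Method != http.MethodPost || r.URL.Path != "/token" || r.ParseForm() != nil ||
			r.PostForm.Get("grant_type") != "client_credentials" || !ok ||
			subtle.ConstantTimeCompare([]byte(id), []byte(clientID)) != 1 ||
			subtle.ConstantTimeCompare([]byte(secret), []byte(clientSecret)) != 1 {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]interface{}{
			"access_token": store.issue(time.Minute), "token_type": "Bearer", "expires_in": 60,
		})
	})
}

// ResourceServer serves GET /orders only to requests carrying a valid bearer token.
func ResourceServer(store *tokenStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || !store.valid(strings.TrimPrefix(auth, "Bearer ")) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="orders"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"orders":["ORD-1","ORD-2"]}`) // constructed sample data
	})
}

// FetchOrders is the client side: obtain a token, then present it to the resource.
func FetchOrders(tokenURL, resourceURL, clientID, clientSecret string) (int, string, error) {
	form := url.Values{"grant_type": {"client_credentials"}}.Encode()
	req, _ := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, "", fmt.Errorf("token request failed: %s", resp.Status)
	}
	var tr struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return 0, "", err
	}
	req2, _ := http.NewRequest(http.MethodGet, resourceURL, nil)
	req2.Header.Set("Authorization", "Bearer "+tr.AccessToken)
	resp2, err := http.DefaultClient.Do(req2)
	if err != nil {
		return 0, "", err
	}
	defer resp2.Body.Close()
	body, _ := io.ReadAll(resp2.Body)
	return resp2.StatusCode, string(body), nil
}

func main() {
	store := newStore()
	as := httptest.NewServer(AuthorizationServer(store, "client-123", "s3cret"))
	rs := httptest.NewServer(ResourceServer(store))
	defer as.Close()
	defer rs.Close()
	fmt.Println(FetchOrders(as.URL+"/token", rs.URL+"/orders", "client-123", "s3cret")) // 200 and the orders
	fmt.Println(FetchOrders(as.URL+"/token", rs.URL+"/orders", "client-123", "wrong"))  // 401, no token issued
}
```

The resource server never sees the client's secret: it only checks that the presented token was issued and has not expired, which is the separation the OAuth entry describes as "secure delegated access".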