6. Credential format
This section extends the information that the following documents provide about Self-Descriptions:
- the Gaia-X Architecture Document, which
- defines the Conceptual Model of entities that can have Self-Descriptions (ServiceOfferings, their Providers, and the Resources they aggregate), and
- introduces Self-Descriptions and their lifecycle on a high level, and
- the Gaia-X Trust Framework, which defines
- the schema against which claims in Self-Descriptions shall be validated, e.g., whether mandatory attributes are present and whether attribute values have the correct datatypes, as well as
- the trust anchors to which the identity of issuers of signatures must be traceable.
6.1 Introduction
Gaia-X Self-Descriptions are tamper-proof documents that contain the description of Gaia-X entities such as Participant (including Provider), Service Offering, compositions of services, and the aggregation of Resources by Service Offerings.
6.2 Self-Description Format and Structure
The serialization format of Verifiable Presentations, Verifiable Credentials and Credentials is JSON-LD and defined as follows.
Gaia-X Self-Description documents are Verifiable Presentations following the W3C Verifiable Credentials Data Model.
One such Verifiable Presentation contains one or more Verifiable Credentials.
Each Verifiable Credential contains claims about one or more credential subjects.
The Verifiable Credentials Data Model is defined as a vocabulary for the W3C RDF Resource Description Framework graph data model.
Gaia-X uses the JSON-LD serialization of RDF.
In the most typical situation in Gaia-X, a Provider P presents to another Participant, or to a Federation Service acting on behalf of an actual or potential Participant, a Verifiable Presentation of P itself or of a ServiceOffering provided by P. In this case, all Verifiable Credentials in the Verifiable Presentation contain claims about the same subject.
Gaia-X also allows Verifiable Presentations to contain Verifiable Credentials that contain claims about multiple different subjects. Such a Verifiable Presentation may, e.g., have been produced by an Issuer who assessed multiple ServiceOfferings made by a Provider, or multiple Resources owned by a Provider, for conformance with some standard, in one bulk assessment.
All objects exchanged and referenced in Gaia-X require Web-scalable identifiers, i.e., URIs. It is recommended to use Decentralized Identifiers (DIDs).
Example of the Self-Description
The following listing shows an example of a Self-Description. For brevity, the claims about the credential subjects are placeholders.{
"@id": "http://example.org/verifiablePresentation/1",
"@context": [ "https://www.w3.org/2018/credentials/v1" ],
"@type": [
"VerifiablePresentation"
],
"issuer": "https://example.org/issuers/565049",
"issuanceDate": "2010-01-01T00:00:00Z",
"expirationDate": "2033-01-01T00:00:00Z",
"verifiableCredential": [
{
"@id": "http://example.org/verifiableCred/1",
"@type": [ "VerifiableCredential" ],
"issuer": "https://example.org/issuers/565049",
"issuanceDate": "2010-01-01T00:00:00Z",
"expirationDate": "2033-01-01T00:00:00Z",
"credentialSubject": [
{
"@id": "did:example:cred1.1",
"@context": {
"gx": "https://registry.gaia-x.eu/22.04/schema/gaia-x"
}
"@type": "gx:Participant",
"gx:registrationNumber": "...",
...
},
{
...
}
],
"proof": { ... }
},
{
...
}
],
"proof": { ... }
}
6.3 Decentralized Identifiers
This section extends the W3C Decentralized Identifiers to specify how it shall be applied in the scope of Gaia-X.
6.3.1 Verification Methods
To ensure a Self-Description’s integrity and authenticity, its claims must be cryptographically signed by the Participant that is issuing them.
This is done to avoid tampering and to technically allow to check the origin of the claims.
The supported verification methods are described below.
6.3.1.1 JSON Web Key 2020
This section extends the specification from the W3C JSON Web Key 2020.
A Verifiable Credential is Gaia-X conformant if the issuer of the Verifiable Credential itself has an identity coming from one of the Trust Anchors.
Without a means to link the issuer’s verification method to a Gaia-X Trust Anchor, the Gaia-X Compliance verification will fail.
To be able to assess the chain of trust, the publicKeyJwk
property should include the RFC7517 x5c
(X.509 Certificate Chain) parameter or RFC7517 x5u
(X.509 URL) parameter.
The x5u
parameter should be resolvable to a X509
.crt
, .pem
, .der
or .p7b
file which contains a valid Gaia-X Trust Anchor eligible for the signed claims.
Example of verificationMethod
{
"..."
"verificationMethod": [
{
"@context": "https://w3id.org/security/suites/jws-2020/v1",
"id": "did:web:vc.gaia-x.eu:issuer#JsonWebKey2020-Ed25519",
"controller": "did:web:vc.gaia-x.eu:issuer",
"type": "JsonWebKey2020",
"publicKeyJwk": {
"crv": "Ed25519",
"x": "ecBxqTm7YKx9lja3U-EzxMGLNz4xzBTm_iki3LUA-zc",
"kty": "OKP",
"x5u": "did:web:vc.gaia-x.eu:issuer#svc-fullchain"
}
}
]
}
6.4 Use of Identifiers in Self-Descriptions
Each of the following must have a different identifier:
- a Verifiable Presentation
- a Verifiable Credential inside a Verifiable Presentation
- the subject of a Verifiable Credential, i.e., the Conceptual Model entity that claims are made about.
In other words, the identity of a Self-Description (a Verifiable Presentation) is different from the identity of the thing that it describes (e.g., a ServiceOffering).
Self-Descriptions may reference other Self-Descriptions. Consider, for example, a ServiceOffering that:
- is provided by a Provider,
- is a composition of other ServiceOfferings, or
- is an aggregation of Resources.
On the level of the graph of information about Gaia-X entities, which is formed by these claims, these relationships are between Gaia-X entities. That is, the subject and object of such a claim are IDs of Gaia-X entities. Thus, when the Self-Description S_S (a Verifiable Presentation) of a ServiceOffering states that the offering is made by some Provider P, the Self-Description S_S does not provide attestations of any claims about P. Instead, these attestations must be provided in a dedicated Self-Description S_P of P, i.e., a Self-Description containing claims about the credential subject P. The link from S_S to S_P is not explicit, but can be discovered by any Participant or Federation Service (e.g., a Federated Catalogue) that receives S_S as well as S_P and thus notices that their claims both refer to the same ID of P.
6.5 Verifiable Credential and Verifiable Presentation
This section extends the W3C Verifiable Credentials Data Model to specify how it shall be applied in the scope of Gaia-X.
6.5.1 Namespace Bindings and Contexts
On the level of the Verifiable Presentation and the Verifiable Credentials contained in the Verifiable Presentation, a Self-Description MUST adhere to the vocabulary of the Verifiable Credentials Data Model, i.e., use terms from the https://www.w3.org/2018/credentials#
namespace.
To enable human authors of Self-Descriptions to write down these terms conveniently, they MAY, by using the @context
keyword on the level of the Verifiable Presentation, e.g.:
- reference the JSON-LD context provided by the Verifiable Credentials Data Model (https://www.w3.org/2018/credentials/v1) like in the initial example listing, or
- define their own context, which
- defines the above namespace as the default vocabulary using the
@vocab
keyword, or - maps the above namespace to a designated prefix, e.g.,
"cred"
.
- defines the above namespace as the default vocabulary using the
Similarly, the claims about any credential subject MUST adhere to the vocabulary of the Gaia-X Self-Description Schemas published in the Gaia-X Registry, or to Federation-specific specializations of this vocabulary.
6.5.2 Identifiers
The @id
MUST be present and unique for a given issuer
.
It is up to the issuer
to decide if the @id
is a resolvable URI or not.
6.5.3 Types
The @type
MUST be present in Verifiable Presentation, Verifiable Credentials, and Credentials. The only expected values for the @type
property are
"VerifiablePresentation"
for a Verifiable Presentation"VerifiableCredential"
for a Verifiable Credential
The expected values for the @type
property of a credential subject are given by the taxonomy of classes defined in the Gaia-X Trust Framework, having the superclasses Participant
, ServiceOffering
and Resource
.
A Federation MAY define additional subclasses of these by further shapes hosted in its Catalogue(s). In future, Gaia-X and federations MAY also define additional, more specific credential types.
6.5.3.1 Schema Validation
A Schema for Self-Descriptions, to be used as the vocabulary of the claims about credential subjects, MUST be available in the form of SHACL shapes (cf. the W3C Shapes Constraint Language SHACL) in the Gaia-X Registry or in the Catalogue of a Federation.
At any point where Self-Descriptions are created or received, a certain set of SHACL shapes is known, which forms a shapes graph.
A Self-Description forms a data graph. For compliance with Gaia-X and/or a specific Federation, this data graph MUST be validated against the given shapes graph according to the SHACL specification.
6.5.4 Issuers
The issuer
property MUST be present in Verifiable Credential and Verifiable Presentation. The value of the issuer
property must be a resolvable URI.
The supported schemes for issuer
‘s URI are:
https
did
. The supported DID methods are:web
6.5.5 IssuanceData
The issuanceDate
is MANDATORY for Verifiable Credential and Verifiable Presentation.
6.5.6 ExpirationDate
The expirationDate
is RECOMMENDED for Verifiable Credential and Verifiable Presentation.
6.5.7 Verifiable Credential
If the @type
is "VerifiablePresentation"
, the property verifiableCredential
MUST be defined. The value of verifiableCredential
can be a Verifiable Credential or an array of Verifiable Credentials. A Verifiable Credential MUST have
- an
@id
, - an
issuer
, - a
@type
, and - a ‘credentialSubject
6.5.8 Credential Subject
The credentialSubject
can be an object or array of objects, containing claims.
The claims about one Gaia-X entity MAY be spread over multiple Credentials and their subjects.
Each credential subject MUST have an @id
.
A credential subject MAY be described by value, i.e., by stating one or more claims about it in place.
In this case, it MUST have a @type
as specified below.
Alternatively, a credential subject MAY be described by reference.
In this case, the @id
MUST be resolvable to an RDF resource that has the same @id
, a @type
, and one or more claims.
The value of the @type
property dictates the vocabulary available in the Trust Framework document for the definition of claims about the credential subject. E.g., LegalPerson
, ServiceOffering
, DataResource
, …
Example of type in credentialSubject
{
"id":"did:example:cred2",
"@context": {
"gx": "https://registry.gaia-x.eu/22.04/schema/gaia-x/participant#",
"xsd": "http://www.w3.org/2001/XMLSchema#"
},
"@type":"gx:LegalPerson",
"gx:registrationNumber":{
"@value":"DEK1234R.HRB123456",
"@type":"xsd:string"
},
"gx:headquarterAddress": {
"gx:countryCode": {
"@value": "DE",
"@type": "xsd:string"
}
},
"gx:legalAddress": {
"gx:countryCode": {
"@value":"DE",
"@type":"xsd:string"
}
}
}
6.5.9 Proofs (Signatures)
If the @type
is "VerifiableCredential"
, then at least one proof
MUST be included.
The supported @type
of proof is JsonWebSignature2020
using JsonWebKey2020
verification method.
Before signing, the Self-Description must be normalised using the Universal RDF Dataset Canonicalization Algorithm 2015 (URDNA2015). Then, the normalised Self-Description must be hashed with SHA256
. Lastly, the hash (SHA256(normalisedSelfDescription)
) is signed resulting in a jws
. The signature must use the JWS Unencoded Payload Option (RFC7797) with detached payload.
6.6 Gaia-X compliance input/output
The Gaia-X Compliance service
flowchart LR
in[Verifiable Presentation]
compliance[Gaia-X Compliance]
out[Verifiable Credential]
in --> |input|compliance --> |output|out
6.7 Input
The input of the Gaia-X Compliance service is a Verifiable Presentation
that might contain:
- a Verifiable Credential by value
- a Verifiable Credential by reference
Such a Verifiable Credential may or may not be covered by the Gaia-X Compliance rules.
The following example contains fake, placeholder attributes for Participant
and ServiceOffering
, which are not valid against the Gaia-X Self-Description Schema.
Example of Compliance input
{
"@id": "http://example.edu/verifiablePresentation/1",
"@context": [
"https://www.w3.org/2018/credentials/v1"
],
"type": [
"VerifiablePresentation"
],
"issuer": "https://example.edu/issuers/565048",
"issuanceDate": "2010-01-01T00:00:00Z",
"verifiableCredential": [
{
"@id": "http://example.edu/VerifiableCred/1"
},
{
"@id": "http://example.edu/verifiableCred/2",
"type": [
"VerifiableCredential"
],
"issuer": "https://example.edu/issuers/565049",
"issuanceDate": "2010-01-01T00:00:00Z",
"credentialSubject": [
{
"@id": "did:example:cred1",
"type": "Participant",
"claim1": {
"@value": "foo",
"@type": "xsd:string"
},
"claim2": {
"@value": "bar",
"@type": "xsd:string"
}
},
{
"id": "did:example:cred2",
"type": "ServiceOffering",
"claim1": {
"@value": "foo",
"@type": "xsd:string"
},
"claim2": {
"@value": "bar",
"@type": "xsd:string"
}
}
],
"proof": {
"type": "JsonWebSignature2020",
"created": "2022-02-25T14:58:43Z",
"verificationMethod": "https://example.edu/issuers/565049#key-1",
"proofPurpose": "assertionMethod",
"jws": "z2iiwEyyGcqwLPMQDXnjEdQU4zGzWs6cgjrmXAM4LRcfXni1PpZ44EBuU6o2EnkXr4uNMVJcMbaYTLBg3WYLbev3S"
}
}
]
}
6.8 Output
The output of the Gaia-X Compliance service is a VerifiableCredential
containing the id
and hash
of the compliant VerifiableCredential
from the input.
Example of Compliance output
{
"id": "http://example.edu/complianceResult/1",
"type": [
"VerifiableCredential"
],
"issuer": "https://example.edu/issuers/565050",
"issuanceDate": "2010-01-01T00:00:00Z",
"expirationDate": "2010-03-01T00:00:00Z",
"credentialSubject": [
{
"type": "gaiaxCompliance",
"id": "http://example.edu/verifiableCred/1",
"hash": "0f5ced733003d11798006639a5200db78206e43c85aa0386d7909c3e6c8ed535"
},
{
"type": "gaiaxCompliance",
"id": "http://example.edu/verifiableCred/2",
"hash": {
"@value": "0f5ced733003d11798006639a5200db78206e43c85aa123456789789123456798",
"@type": "xsd:string",
"@checksumtype": "SHA-256"
}
}
],
"proof": {
"type": "JsonWebSignature2020",
"created": "2022-06-12T19:38:26.853Z",
"proofPurpose": "assertionMethod",
"jws": "z2iiwEyyGcqwLPMQDXnjEdQU4zGzWs6cgjrmXAM4LRcfXni1PpZ44EBuU6o2EnkXr4uNMVJcMbaYTLBg3WYLbev3S",
"verificationMethod": "did:web:compliance.gaia-x.eu"
}
}