Remove SKI/AKI usage #805
Labels
area/technical-improvements
core-edc-/ catena-/ infrastructure- / architecture-related improvements
component/ap
Impacts Authority Portal or requires development on Authority Portal.
component/edc-ce
affected software component
component/edc-ee
affected software component
Feature Request
Description
SKI/AKI is a relict of from the first days of IDS. We want to discuss, if the SKI/AKI can be removed and replaced with a custom ID coming from a data space authority in control of DAPS. For those tagged, please (if you can) edit this issue and add information on where and how SKI/AKI is used.
Which Areas Would Be Affected?
KC DAPS
Management CLI uses SKI/AKI by default to generate client ID, but can be overridden.
EDC
EDC_OAUTH_CLIENT_ID
fieldEDC_OAUTH_CLIENT_ID
is used to receive a DAT from DAPS, who compares this ID with Subject field.Referring-Connector-Policy
will check thereferringConnector
-Claim of the DAT. However this does not affect the connector implementation, but the configuration of the DAPS. DAPS implementations which are not capable of setting thereferringConnector
-Claim may be incompatible afterwards. @SebastianOprielBroker
At its base, the Broker is an EDC connector which means that same rules apply. A client ID is needed to register the Broker in DAPS, but it's not generated in the Broker itself but rather provided by the host via environment variables.
Since the clientID is just an identifier for DAPS, dropping the AKI/SKI generation method should not affect the Broker in any way
Clearing House
We are currently exploring replacing the SKI/AKI as the client_id in the clearing-house-server with the participantId. The clearing-house-server, if possible, should no longer depend on the SKI/AKI.
Authority Portal
In the AP, we use AKI and SKI to generate the client ID (for registering the connector at the DAPS) of self-hosted connectors. Since we already use a different method (deriving it from the connector ID/participant ID) to generate client IDs for CaaS connectors, which is also applicable to self-hosted connectors, this would be a very quick adjustment.
Addition (April 9th): We use the client ID (AKI/SKI), which is stored in our database, to check if a connector with the given certificate is already registered. So in some form, this information would still be needed to be saved, though not used as the client ID.
Why Is the Feature Desired?
SKI/AKI is always an issue. The overall trust chain might simply rely on another ID, as SKI/AKI coming from the X509 certificate is not used for checks.
Solution Proposal and Work Breakdown
EDC
Authority Portal
The text was updated successfully, but these errors were encountered: