How to locally preview changes to https://github.com/SovereignCloudStack/website/

Start in the repository on your branch:

1. Make NodeJS executables available, e.g. nix-shell -p nodejs_21
2. Build Node modules: npm install (this will make the symlinks in _assets/vendor work)
3. Build Docker image: sudo docker build -t scs-website .
4. Remove the "PLATFORMS" section from Gemfile.lock (including the nested entry)
5. Execute the container:

   sudo docker run -it --rm -p 4000:4000 \
       --network host \
       -e TARGET_UID="$(id -u)" -e TARGET_GID="$(id -g)" \
       -e LC_ALL=C.UTF-8 \
       -e LANG=C.UTF-8 \
       -e USER_ID="$(id -u)" \
       -v $(pwd):/site scs-website bash

6. Within the running container, execute:

   cd /site/
   bundle install
   bundle exec jekyll serve config _config.yml,_config.dev.yml  --incremental -H 0.0.0.0

7. Open http://localhost:4000/ in your browser

Step 6 will take some time at first (several minutes) but will live-reload on changes afterwards which will take less than a minute each.

Things to clarify for the blog post

I need to answer some open questions resulting from my experiments with Credential compliance in SovereignCloudStack/gx-credential-generator#70 (comment)

1. is it possible to use ECDSA key pairs of Let's Encrypt instead of RSA for JWS signing the VCs?
   • I had errors during JWS signing with ECDSA so I quickly switched to RSA to avoid lengthy debugging
2. the gaia-x-101.ipynb creates a Participant VC issued for bakeup.io; is this supposed to be a trustee third-party or represent the provider issuing the whole VP itself?
   • in other terms: what is the trust anchor model here? is a third-party participant different from both provider and GXDCH necessary to attest the VP or is it the provider himself?
3. where are the mandatory contents of the VP defined? is there a minimal set of required VCs?
4. is a hosted JSON file (specified as 'id') for the Legal Registration Number (LRN) VC required? where is its structure specified?

Answers

1. is it possible to use ECDSA key pairs of Let's Encrypt instead of RSA for JWS signing the VCs?

Yes this works. However, the utils.py:sign_doc() of gaia-x-101 must be adjusted to pass "alg": "ES256" instead of "alg": "PS256" to the jwcrypto library.

2. [...] a Participant VC issued for bakeup.io; is this supposed to be a trustee third-party or represent the provider issuing the whole VP itself?

So far, I haven't been able to find a documented statement on this but several resources strongly hint at it being something the provider is issuing itself:

• https://wizard.lab.gaia-x.eu/ - there is a guided process about "issue the Verifiable Credentials required to pass compliance" where the Participant VC is issued for oneself
• the API Readme of the Compliance Service shows the User which issues the VP being the same lifeline as the one issuing the Participant VC

3. where are the mandatory contents of the VP defined? is there a minimal set of required VCs?

There is a figure in the API Readme of the Compliance Service that lists LRN, LegalParticipant and Terms & Conditions as parts of the VP. The Participant seems to represent and be signed by the provider itself, it does not seem to be a 3rd party.

Based on live testing the Compliance API:

• VP only containing the Terms & Services: works
• VP only containing the LRN: works
• VP only containing the Participant: fails
  • the returned error suggests that the LRN which is referenced in the Participant schema must be present
• VP containing both Participant & LRN: works

It seems that there is no strict set of mandatory/minimum contents of a VP other than any of the possible content VCs having to adhere to their individual schema (e.g. Participant including the LRN).

4. is a hosted JSON file (specified as 'id') for the Legal Registration Number (LRN) VC required? where is its structure specified?

???

Why are VCs self-signed by the provider?

Intuitively I'd think that claims made by the provider would need to be verified by a 3rd party in order to have any value.
However, that does not seem to be the case (anymore¹).

As Anja already pointed out in SovereignCloudStack/gx-credential-generator#70, the Gaia-X Credentials seem to be defined as special Verifiable Credentials where the issuer is the holder itself¹:

Gaia-X Self-Descriptions is a legacy term still used in different Gaia-X documents and refers to a self-signed set of claims.
This is equivalent to a Verifiable Credential where the holder is the issuer. In general, the term “Gaia-X Self Description” is replaced by “Gaia-X Credential”

However, the official glossary entry² does not mention this detail.

¹ Note: an older version of the architecture document³ stated "Each Gaia-X entity makes Claims, which are validated and signed by 3rd parties." which has been removed from the newer version¹.

Open Questions

Hashed Terms & Conditions

The documentation about Issuer Participants states:

Each issuer shall issue a GaiaXTermsAndCondition verifiable credential [...] SHA512 of the Generic Terms and Conditions

This isn't accounted for in the gaia-x-101.ipynb example where the T&Cs are encoded in a verbatim fashion. As the documentation uses the "shall" keyword this doesn't sound like a strict requirement though. The Compliance Service API is fine with the non-hashed version currently.

What should we do in the blog post?

LRN Reference

The gaia-x-101.ipynb uses a LRN VC template which encodes a direct lrn.json URL into it:

{
  "@context": [
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/participant"
  ],
  "type": "gx:legalRegistrationNumber",
  "id": "https://bakeup.io/lrn.json#cs",
  "gx:vatID": "..."
}

In contrast, the Notary API docs suggest a DID reference:

{
  "@context": [
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/participant"
  ],
  "type": "gx:legalRegistrationNumber",
  "id": "did:web:gaia-x.eu:legalRegistrationNumber.json",
  "gx:vatID": "FR79537407926"
}

Should we promote the DID reference and hosting of the LRN within /.well-known/ just like the did.json?

Open Questions

LRN Reference

The gaia-x-101.ipynb uses a LRN VC template which encodes a direct lrn.json URL into it:

{
  "@context": [
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/participant"
  ],
  "type": "gx:legalRegistrationNumber",
  "id": "https://bakeup.io/lrn.json#cs",
  "gx:vatID": "..."
}

In contrast, the Notary API docs suggest a DID reference:

{
  "@context": [
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/participant"
  ],
  "type": "gx:legalRegistrationNumber",
  "id": "did:web:gaia-x.eu:legalRegistrationNumber.json",
  "gx:vatID": "FR79537407926"
}

Should we promote the DID reference and hosting of the LRN within /.well-known/ just like the did.json?

VC standard version v1.0 imposes id MUST be a URI, whereas version V2 requires an URL. Gaia-X describes format in Gaia-X Credentials VCs in ICAM and does not limit this specification further.

did:web:gaia-x.eu:legalRegistrationNumber.json is a URI and valid with respect to VC model v1. The same applies to https://bakeup.io/lrn.json#cs. However, in case of VC model v2, only the id used in gaia-x-101.ipynb is valid, as did:web:gaia-x.eu:legalRegistrationNumber.json is not an URL.

As ICAM changes from VC model v1 to v2 in Loire release, I suggest we promote URL, not DID to be compliant with Gaia-X Loire release coming in November '24 latest.

Open Questions

Hashed Terms & Conditions

The documentation about Issuer Participants states:

Each issuer shall issue a GaiaXTermsAndCondition verifiable credential [...] SHA512 of the Generic Terms and Conditions

This isn't accounted for in the gaia-x-101.ipynb example where the T&Cs are encoded in a verbatim fashion. As the documentation uses the "shall" keyword this doesn't sound like a strict requirement though. The Compliance Service API is fine with the non-hashed version currently.

What should we do in the blog post?

We have to look carefully on the versions of Gaia-X documents. The current version is Tagus. Tagus refers to Trust Framework 22.11, which uses verbatim encoded Terms- and Conditions. That's why Compliance service is fine without hash. In Loire release, there will be a conjunction of Trust Framework document and Policy Rules Conformity Document. The new document is called Gaia-X Compliance Document. It Gaia-X Compliance Document. points out

Each issuer shall issue a GaiaXTermsAndCondition verifiable credential as follows:

Attribute	Cardinality	Trust Anchor	Comment
termsAndConditions	1	issuer	SHA512 of the Generic Terms and Conditions for Gaia-X Ecosystem as defined below

Hence, Loire release requires a hash. And you arr right, keyword "shall" sound wrong. IMO, signing Gaia-X terms and conditions is a strict requirement. I opened an issue, to clarify this. See https://gitlab.com/gaia-x/policy-rules-committee/compliance-document/-/merge_requests/258
update from 16.08.24: According to RCF2119 "SHALL" is equivalent to "MUST" and "REQUIRED" and defines a strict requirment.

As there is no fix release date for Loire, I suggest to use guidelines in Tagus release, i.e. using verbatim terms and conditions.

Open Questions

LRN Reference

The gaia-x-101.ipynb uses a LRN VC template which encodes a direct lrn.json URL into it:

{
  "@context": [
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/participant"
  ],
  "type": "gx:legalRegistrationNumber",
  "id": "https://bakeup.io/lrn.json#cs",
  "gx:vatID": "..."
}

In contrast, the Notary API docs suggest a DID reference:

{
  "@context": [
    "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/participant"
  ],
  "type": "gx:legalRegistrationNumber",
  "id": "did:web:gaia-x.eu:legalRegistrationNumber.json",
  "gx:vatID": "FR79537407926"
}

Should we promote the DID reference and hosting of the LRN within /.well-known/ just like the did.json?

VC standard version v1.0 imposes id MUST be a URI, whereas version V2 requires an URL. Gaia-X describes format in Gaia-X Credentials VCs in ICAM and does not limit this specification further.

did:web:gaia-x.eu:legalRegistrationNumber.json is a URI and valid with respect to VC model v1. The same applies to https://bakeup.io/lrn.json#cs. However, in case of VC model v2, only the id used in gaia-x-101.ipynb is valid, as did:web:gaia-x.eu:legalRegistrationNumber.json is not an URL.

As ICAM changes from VC model v1 to v2 in Loire release, I suggest we promote URL, not DID to be compliant with Gaia-X Loire release coming in November '24 latest.

Thank you. I researched this a bit more in SovereignCloudStack/gx-credential-generator#70 (comment) because even if the format is clear, the purpose (to me) is not. I failed to figure out the intended workflow and created an issue requesting clarification at Gaia-X.

Things to clarify for the blog post

2. [...] a Participant VC issued for bakeup.io; is this supposed to be a trustee third-party or represent the provider issuing the whole VP itself?

So far, I haven't been able to find a documented statement on this but several resources strongly hint at it being something the provider is issuing itself:

* https://wizard.lab.gaia-x.eu/ - there is a guided process about "issue the Verifiable Credentials required to pass compliance" where the Participant VC is issued for oneself

* the [API Readme of the Compliance Service](https://gitlab.com/gaia-x/lab/compliance/gx-compliance/-/blob/development/README-api.md#simplified-usage-flow) shows the User which issues the VP being the same lifeline as the one issuing the Participant VC

In general, it's up to the verifier of a VC, which issuer he threats as is truth-worthy. This is also the case in context of Gaia-X. However, Gaia-X is operationalized by GXDCH and dictates in Trust Framework (Tagus release) and Compliance Document](https://gaia-x.gitlab.io/policy-rules-committee/compliance-document) rules to be Gaia-X compliant. This rules are checked by Gaia-X Compliance Service as part of GXDCH. And you are right, there is an official statement missing, who acts as trustworthy issuer for which property. I opened an issue for clarification, see Compliance Service ä67https://gitlab.com/gaia-x/lab/compliance/gx-compliance/-/issues/67

3. where are the mandatory contents of the VP defined? is there a minimal set of required VCs?

There is a figure in the API Readme of the Compliance Service that lists LRN, LegalParticipant and Terms & Conditions as parts of the VP. The Participant seems to represent and be signed by the provider itself, it does not seem to be a 3rd party.

Based on live testing the Compliance API:

* VP only containing the Terms & Services: **works**

* VP only containing the LRN: **works**

* VP only containing the Participant: **fails**
  
  * the returned error suggests that the LRN which is referenced in the Participant schema must be present

* VP containing both Participant & LRN: **works**

It seems that there is no strict set of mandatory/minimum contents of a VP other than any of the possible content VCs having to adhere to their individual schema (e.g. Participant including the LRN).

There is a strict set of mandatory attributes in (Trust Framework for Tagus release and Compliance Document for Loire release. There is no strict rule for the number of VCs within a VP, however to be Gaia-X compliant, all mandatory attributes must be part (as VC) in VP. That's why VP only containing the Participant fails, as registration number is a mandatory attribute.

4. is a hosted JSON file (specified as 'id') for the Legal Registration Number (LRN) VC required? where is its structure specified?

???

According to ICAM Tagus Release and ICAM Loire Release id can but need not to be resolvable. Hence, at least according to the official documents, a hosted JSON file (specified as 'id') for the Legal Registration Number (LRN) VC is not required. Does Compliance Service requires one?

Credential Format

Gaia-X regulates descriptions of CSPs and services as Gaia-X Credentials. The credential format is defined in Identity, Credential and Access Management Document. The current release in Tagus. The next release is Loire, but has no official release date.

The format of Gaia-X Credentials follows the W3C Verifiable Credentials Data Model v1.1, with some limitations:

• serialization format is JSON-LD
• verification method type is JSON Web Key entailing JSON Web Signature as proof value
• Claims iMUST use the Gaia-X Onotology in their context.

In general, section on Credential Format seems to be unsorted with contradicting information. Is tried to sort this out and provided an MR in order to verify my findings.

Credential Format

Gaia-X regulates descriptions of CSPs and services as Gaia-X Credentials. The credential format is defined in Identity, Credential and Access Management Document. The current release in Tagus. The next release is Loire, but has no official release date.

The format of Gaia-X Credentials follows the W3C Verifiable Credentials Data Model v1.1, with some limitations:

* serialization format is [JSON-LD](https://json-ld.org/)

* verification method type is [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) entailing [JSON Web Signature](https://datatracker.ietf.org/doc/html/rfc7515) as proof value

* Claims iMUST use the [Gaia-X Onotology](https://gitlab.com/gaia-x/technical-committee/service-characteristics-working-group/service-characteristics) in their context.

In general, section on Credential Format seems to be unsorted with contradicting information. Is tried to sort this out and provided an MR in order to verify my findings.

Thank you! I added this information to a new introductory section called "Terminology" explaining the relationship between VCs, VPs, Self-Descriptions and Gaia-X Credentials.

4. is a hosted JSON file (specified as 'id') for the Legal Registration Number (LRN) VC required? where is its structure specified?

???

According to ICAM Tagus Release and ICAM Loire Release id can but need not to be resolvable. Hence, at least according to the official documents, a hosted JSON file (specified as 'id') for the Legal Registration Number (LRN) VC is not required. Does Compliance Service requires one?

According to my testing, simply linking the LRN VC in the Participant VC (under its gx:legalRegistrationNumber attribute) via the LRN VC's id and providing both in the same VP was not enough:

{"statusCode":409,"message":{"conforms":false,"results":["ERROR: https://gaia-x-testing.cloudandheat.com/.well-known/participant.json https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#legalRegistrationNumber: Less than 1 values"]},"error":"Conflict"}

It only worked when the gx:legalRegistrationNumber attribute was an actual URL pointing to a hosted JSON of the LRN VC.

Maybe there is some identifier reference magic that can cross-reference VCs within the same VP for this exact property but I wasn't able to find any. So for the time being I must assume that the LRN VC has to be publicly hosted and linked for the Participant VC, which is referencing it, to work.

The local preview instructions from #952 (comment) do not work anymore.

After a bit of fiddling I was able to adapt the process to the latest changes:

sudo docker build -f Containerfile.jekyll-action -t scs-website-jekyll-action .

sudo docker run -it --rm -p 4000:4000 \
    --network host \
    -e TARGET_UID="$(id -u)" -e TARGET_GID="$(id -g)" \
    -e LC_ALL=C.UTF-8 \
    -e LANG=C.UTF-8 \
    -e USER_ID="$(id -u)" \
    --entrypoint /bin/bash \
    -v $(pwd):/srv/jekyll scs-website-jekyll-action

In the running container execute:

mkdir -p /tmp/jekyll-build
mkdir -p /tmp/jekyll-vendor
bundle config path "/tmp/jekyll-vendor/vendor/bundle"
bundle config set force_ruby_platform true
cd /srv/jekyll
bundle install

bundle exec jekyll serve config _config.yml,_config.dev.yml \
    --source /srv/jekyll --destination /tmp/jekyll-build \
    --incremental --host 0.0.0.0

You can then open http://0.0.0.0:4000 in the browser.

Note: The bundle install process might take a long time! Omitting --entrypoint /bin/bash makes the container execute all the bundle and jekyll stuff automatically (through the included entrypoint.sh) and makes the manual execution of commands in the container unnecessary.
However, relying on that will crash the whole container if the jekyll serve process crashes (e.g. bad HTTP handshake) and makes you go through the whole bundle install again. It is advisable to execute jekyll serve manually within the container shell as shown above.