Tender WP4 Compliance

Lot Number | Name | Start Date | Link to contracting portal
Lot 10 | Continuous Automated Monitoring | 27-MAY-2021 | DTVP GXFS Lot 10

In this tender the lot “Continuous Automated Monitoring” (CAM) is being awarded. The purpose of the service functions to be implemented is to give the users of Gaia-X transparency about the compliance of the individual services offered in the Gaia-X Federated Catalogue (the Federated Catalogue is being awarded in a separate tender). The basis for this compliance is a set of requirements and rules that Gaia-X itself has imposed on its system, i.e., requirements coming from the field of security, such as encryption, data privacy or interoperability.
The CAM service automatically gathers evidence that indicates whether those requirements are fulfilled by a certain Gaia-X service as a whole or by a concrete instantiation of a particular service by a user.
This is achieved by automatically interacting with the service-under-test using standardized protocols and interfaces to retrieve technical evidence. For example, to check for the fulfillment of requirements regarding transport encryption, the CAM service might interact with the service using the TLS protocol and gather technical evidence regarding the TLS version used as well as the cipher suites employed. This evidence is then compared with, i.e., evaluated against, a set of common best practices.
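The TLS check described above, sketched as an added example (not code from the tender or from the GXFS project). The policy values, the evidence record layout and the function names are assumptions made for illustration; the page does not specify them.

```python
import socket
import ssl

# Assumed policy for illustration; the page does not define the best practices.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
POLICY = {"min_version": "TLSv1.2",
          "weak_markers": ("RC4", "DES", "NULL", "EXP", "MD5")}

def collect_tls_evidence(host, port=443, timeout=5.0):
    """Handshake with the service-under-test and record what was negotiated."""
    target = f"{host}:{port}"
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"target": target, "tls_version": tls.version(),
                        "cipher_suite": tls.cipher()[0]}
    except OSError as exc:  # includes ssl.SSLError
        # A failed handshake is evidence too: keep it instead of dropping it.
        return {"target": target, "tls_version": None,
                "cipher_suite": None, "error": str(exc)}

def evaluate_tls_evidence(evidence, policy=POLICY):
    """Compare one evidence record with the policy: (compliant, findings)."""
    if evidence.get("error"):
        return False, [f"handshake failed: {evidence['error']}"]
    findings = []
    version = evidence.get("tls_version")
    if version not in VERSION_ORDER:
        findings.append(f"unknown protocol version: {version!r}")
    elif VERSION_ORDER.index(version) < VERSION_ORDER.index(policy["min_version"]):
        findings.append(f"{version} is below minimum {policy['min_version']}")
    cipher = (evidence.get("cipher_suite") or "").upper()
    if not cipher:
        findings.append("no cipher suite recorded")
    findings += [f"cipher suite uses weak algorithm {m}"
                 for m in policy["weak_markers"] if m in cipher]
    return not findings, findings

# Constructed evidence records (not real scan results).
SAMPLE_EVIDENCE = [
    {"target": "svc-a.example:443", "tls_version": "TLSv1.3",
     "cipher_suite": "TLS_AES_256_GCM_SHA384"},
    {"target": "svc-b.example:443", "tls_version": "TLSv1",
     "cipher_suite": "DES-CBC3-SHA"},
    {"target": "svc-c.example:443", "tls_version": None,
     "cipher_suite": None, "error": "handshake failure"},
]
REPORT = {e["target"]: evaluate_tls_evidence(e) for e in SAMPLE_EVIDENCE}
```

Recent Python versions refuse protocol versions below TLS 1.2 in the default context, so a service that only offers older versions shows up in this collector as a handshake failure rather than as a recorded version.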

Lot Number | Name | Start Date | Link to contracting portal
Lot 11 | Onboarding & Accreditation Workflow | 27-MAY-2021 | DTVP GXFS Lot 11

In this tender the lot “Onboarding & Accreditation Workflows” (OAW) is being awarded. The purpose of the service functions to be implemented is to ensure that all participants and offerings within the Gaia-X ecosystem are subject to a validation process before entering the Federated Catalogue (the Federated Catalogue is being awarded in a separate tender).
The basis for the assessment of compliance for Release 1 is the minimum viable set (MVS) of policy rules developed in the Gaia-X Policy Rules Committee and approved by the Board of Directors of the Gaia-X AISBL. These rules are based on accepted standards and established conformity assessment tools, ensuring that the additional effort for the provider to enter Gaia-X is kept to a minimum.
Upon successful completion of the validation process, Verifiable Credentials (VCs) will be issued representing the assurance levels of the service offering and registered in the Gaia-X Federated Catalogue. Those VCs can be used to automatically indicate the compliance level across different federations.
Part of the OAW is the documentation of the validation process and the generation of an audit trail to guarantee adherence to generally accepted practices in conformity assessment.
The OAW furthermore comprises special elements for:

  • Monitoring of the compliance relevant basis (e.g., expiration dates of certificates)
  • Update of the data of the service offering (the provider has the obligation to put forward substantial changes to the offering for compliance checks)
  • Suspension of offerings (e.g., in case of pending investigations of possible infractions)
  • Revocation of offerings (e.g., in case of proven infractions)

The OAW will be designed so that it can be used by different accredited stakeholders in different federations. Furthermore, it will enable Federations to add, e.g., domain-specific compliance criteria to the “common core”.

Lot Number | Name | Start Date | Link to contracting portal
Lot 12 | Notarization API | 27-MAY-2021 | DTVP GXFS Lot 12

In this tender the lot “Notarization API” is being awarded. The purpose of the service functions to be implemented is to attest given master data and transform it into a W3C-compliant digital Verifiable Credential representation. These tamper-proof digital claims about certain attributes are central to gaining the desired trust in any provided self-descriptions of assets and participants in the distributed GAIA-X ecosystem. Examples of verification and digital attestation are:

  • transform classic certificates of any 3rd party certifier to digital verifiable credential formats with desired signatures
  • GAIA-X participants and associated master data (e.g., address, name, tax identification number etc.)
  • ownership of the given organization DID – relates it to the real verified organization
  • business owner (e.g., by eID) to bridge SSI with eIDAS regulations
  • organizations acting as trust anchors (e.g., governments, Gaia-X AISBL, etc.)

This service must include interfaces (APIs) to integrate the notarization component smoothly into existing software for use by non-IT operators (e.g., lawyers, notaries, governments, certifiers …).
The scope also includes the tools (e.g., command-line scripts, APIs, etc.) necessary to operate and maintain the created software components in an enterprise environment, with a focus on high availability, security, and monitoring and logging based on common standards.
The Notarization API utilizes other components, such as the GXFS Organizational Credential Manager or Trust Services, and the basic decentralized functionalities they offer, to achieve an interoperable trust ecosystem.