6. Gaia-X Trust Anchors

Gaia-X Trust Anchors are bodies, parties (i.e., Conformity Assessment Bodies), or technical means accredited by the bodies of the Gaia-X Association as eligible to issue attestations about specific claims.

For each accredited Trust Anchor, a specific scope of attestation is defined.

Trust Anchors are not necessarily Root Certificate Authorities as commonly understood; they can be relative to different properties in a claim.

6.1 Overall decision flowchart

The decision flowchart below is used to determine what type of Trust Anchor must be defined for a given criteria objective.

6.2 Trust Anchors

6.2.1 Signee’s role

In the Gaia-X Ontology, for specific attributes which are linked to or dependent on each other, a criterion can mandate that an attribute must be signed by the same issuer, or signee, as another attribute.

For example, in the Gaia-X Trust Framework 22.10, the attribute dataProduct.containsPII, which states whether or not a Data Product contains PII, must be signed by the Producer of this Data Product, dataProduct.produceBy.
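A verifier-side check of this signee rule, as an added example that is not part of the Gaia-X specification or its reference code. It assumes signatures have already been verified, that the value of dataProduct.produceBy identifies the Producer, and it uses a simplified, constructed claim layout (SignedClaim, SIGNEE_RULES and the identifiers are hypothetical names).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignedClaim:
    # Simplified, constructed layout; not the Gaia-X credential format.
    subject: str     # entity the claim is about
    attribute: str   # attribute name
    value: object
    issuer: str      # party whose signature on this claim was verified

# Rule table: attribute -> attribute whose value names the required signer.
SIGNEE_RULES = {"dataProduct.containsPII": "dataProduct.produceBy"}

def check_signee_rules(claims, rules=SIGNEE_RULES):
    """Return (subject, attribute, reason) for every rule violation."""
    by_key = {}
    for c in claims:
        by_key.setdefault((c.subject, c.attribute), []).append(c)
    violations = []
    for (subject, attribute), group in by_key.items():
        ref_attr = rules.get(attribute)
        if ref_attr is None:
            continue  # no signee rule for this attribute
        expected = {r.value for r in by_key.get((subject, ref_attr), [])}
        if not expected:
            violations.append((subject, attribute, f"missing {ref_attr}"))
        elif len(expected) > 1:
            violations.append((subject, attribute, f"conflicting {ref_attr}"))
        else:
            signer = next(iter(expected))
            for c in group:
                if c.issuer != signer:
                    violations.append((subject, attribute,
                                       f"signed by {c.issuer}, expected {signer}"))
    return violations

# Constructed sample claims: dp-1 is valid, dp-2 is signed by the wrong
# party, dp-3 does not state its Producer at all.
SAMPLE_CLAIMS = [
    SignedClaim("urn:example:dp-1", "dataProduct.produceBy", "did:example:producer-a", "did:example:producer-a"),
    SignedClaim("urn:example:dp-1", "dataProduct.containsPII", False, "did:example:producer-a"),
    SignedClaim("urn:example:dp-2", "dataProduct.produceBy", "did:example:producer-b", "did:example:producer-b"),
    SignedClaim("urn:example:dp-2", "dataProduct.containsPII", False, "did:example:broker-x"),
    SignedClaim("urn:example:dp-3", "dataProduct.containsPII", True, "did:example:producer-c"),
]

if __name__ == "__main__":
    for violation in check_signee_rules(SAMPLE_CLAIMS):
        print(violation)
```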

6.2.2 Trust Service Provider

By default, for the claims to be legally relevant, all claims must be signed with one or more pieces of cryptographic material which can be traced back to a Trust Anchor, which is in most cases a Trust Service Provider (TSP).

The Trust Service Providers (TSP) accredited by Gaia-X must be entities issuing cryptographic material based on documented Know Your Business/Know Your Customer (KYB/KYC) processes. Those processes must verify the identity of the party requesting the digital certificate associated with the cryptographic material, including, but not limited to:

  • Business registration or license verification
  • Physical address verification
  • Phone number verification

The non-exclusive list of accepted Trust Service Providers belongs to these categories:

  • EEA 🇪🇺, Iceland 🇮🇸, Liechtenstein 🇱🇮, Norway 🇳🇴: eIDAS Regulation (EU) No 910/2014. (Homepage, Trusted Data Source)
  • India 🇮🇳: eMudhra (Homepage, Trusted Data Source)
  • South Korea 🇰🇷: KTNET (Homepage)
  • United Arab Emirates (UAE) 🇦🇪: PASS (Homepage)

To have a global reach, and only if there is no alternative specified in the Gaia-X Registry for the country of the business registration, Gaia-X allows the use of Extended Validation (EV) Secure Sockets Layer (SSL) certificates to sign attributes. (Homepage, Trusted Data Source)

The accepted TSP categories are determined within the Gaia-X Compliance document, while the detailed list of valid TSPs belonging to these categories resides in the Gaia-X Registry.

6.3 Trusted Data Sources and Notaries

When an accredited Trust Anchor is not capable of issuing cryptographic material or of signing claims directly, the Gaia-X Association accredits one or more Notaries which convert “not machine readable” proofs into “machine readable” proofs. A Gaia-X Notary must be a Gaia-X participant capable of translating unsigned evidence into signed machine readable evidence. For signing, the Gaia-X Notary must use cryptographic material issued by a Trust Anchor.

Notaries perform validations and issue attestations based on objective evidence from Trusted Data Sources. The Verifiable Credentials issued by the Notaries contain the evidence of the validation process.

The following Trusted Data Sources have been accredited by Gaia-X and are currently used by the Gaia-X Notary Service to validate and issue attestations on the Participant’s Legal Registration Number:

  • EORI: the European Commission API.
  • leiCode: the Global Legal Entity Identifier (GLEIF) API
  • local: the OpenCorporates API
    • the returned claim will also contain information about headquarterAddress.countryCode
  • vatID: for the European member states or Northern Ireland, the VAT Information Exchange System (VIES) API
    • the returned claim will also contain information about headquarterAddress.countryCode

The accepted Trusted Data Source categories and Notaries are determined within the Gaia-X Compliance document, while the detailed list of valid Trusted Data Sources and Notaries resides in the Gaia-X Registry.

6.4 CAB, “Equivalence CAB”, “Gap CAB”

All CABs which are accredited by the respective organization's body to attest conformity against a permissible standard are accepted by Gaia-X.

An “Equivalence CAB” is an identified entity approved by Gaia-X to verify that one or more issued certifications cover the entirety of a given criteria scope.

A “Gap CAB” is an identified entity approved by Gaia-X to issue a certification for a scope identified as not covered by an “Equivalence CAB”.

The full list of valid CAB, “Equivalence CAB”, “Gap CAB” is kept up-to-date and made available via the Gaia-X Registry.

[Figure: CAB schema]

| Scenario | The certification covers, at least, the entirety of the criterion’s scope. | Overlap of the various certifications’ scopes to be assessed by an equivalence CAB. | The certification(s) don’t cover the entirety of the criterion’s scope, requiring the gap to be assessed separately. |
| --- | --- | --- | --- |
| Trust Anchors type | List of CAB per certification scheme. | List of Gaia-X equivalence CAB | List of Gaia-X gap CAB |

## How to use CAB certifications?

CAB certifications issued by a CAB listed in the Gaia-X Registry can be used to validate all criteria that are fully covered by the CAB certificate’s perimeter, as described in this document.

[Figure: CAB certification usage schema]