3. Gaia-X Conceptual Model
3.1 Main Concepts
3.1.1 Gaia-X ecosystems
Gaia-X Credentials provide the necessary trust elements to create ecosystems that operate under a commonly defined governance. The Gaia-X credentials ensure that the policy rules agreed upon between the participants are verified and can be validated at any time.
Components of such ecosystems typically are:
- the ecosystem governance: defining the set of rules agreed upon by the parties in the ecosystem - which must be operationalised.
- infrastructure - i.e., hardware and software for computing, storage, and network services - adopting the rules defined by the governance. This includes services which support a federation of providers (“Federation Services”)
- data ecosystems and data spaces, where participants adopt the governance, using the infrastructures “to access and use data in a fair, transparent, proportionate and/non-discriminatory manner with clear and trustworthy data governance mechanisms.” 1
The ecosystem governance typically defines a set of providers, who are providing services to enable basic ecosystem services (like trust services, catalogues – see chapter Enabling and Federation Services) which we define as “Federation Services”.
Data Spaces can span across several Infrastructure and Data Ecosystems.
3.1.2 Decentralised trust framework for ecosystems
In this challenging environment where each Data Space wants to both be interoperable and yet adapts their governance to their vertical, domain-specific needs, local market regulation, the Gaia-X Trust Framework provides a set of world-wide applicable rules and specifications usable by:
- the ecosystem governance (e.g.: Data Spaces authorities, such as Data Intermediaries from the Data Governance Act).
- also for ecosystems seeking interoperability and technical compatibility of their services.
The ecosystem governance defines the applicable policy rules to participate in the digital (infrastructure, data or services) ecosystem, together with the Trust Anchors and Schema Extensions policy rules which apply to operators of services in the specific ecosystem.
The interoperability in terms of technical compatibility is assessed by the Gaia-X Testbed.
184.108.40.206 NIST Cloud Federation Reference Architecture
The three planes from the above picture can be mapped on the three planes described in the NIST Cloud Federation Reference Architecture chapter 2:
- The Trust plane: this plane represents the global digital governance that is shared across Data Spaces and Federations.
- The Management plane: this plane represents an extension of the common digital governance to answer specific business needs.
- The Usage plane: this plane captures the technical interoperability, including the one between Service Offerings and Products.
3.1.3 The Gaia-X model building block
The building block of the Gaia-X model is based on policy expressions attached to each entity of the model.
policies are expressed by one or more
parties about one or more
asset can also be a
party, making this simple model recursive and capable of handling the most complicated user scenario, with multiple providers, consumers, federators, data intermediaries, data subjects, business legal representatives, employer/employee and much more.
flowchart TD party(Party) policy(Policy) rule(Rule) asset(Asset) action(Action) %% party -- expresses --> policy policy -- a non-empty set of --> rule rule -- ability/inability/obligation to exercise --> action action -- is an operation on --> asset asset -- subjects to --> rule party -- has role in --> rule asset -. can also be a .-> party
The workflow above is the generic representation of the Open Digital Rights Language (ODRL) model, which is used in the rest of this document.
3.2.1 Trust Anchor
Trust Anchors are accredited by the ecosystem to be trustworthy anchors in the cryptographic chain of keypairs used to digitally sign statements or claims about an object.
A Participant is an entity, as defined in ISO/IEC 24760-1 as an “item relevant for the purpose of operation of a domain that has recognisably distinct existence”2, which is onboarded and has a Gaia-X Participant Credential. A Participant can take on one or more of the following roles: Provider, Consumer, Operator (a Provider that has the specific role to provide Federation Services).
Provider and Consumer present the core roles that are in a business-to-business relationship while the Operators enable their interaction.
A Provider operates Resources in the Gaia-X Ecosystem and offers them as services through Gaia-X Servicer Offering credentials. For any such service, the Gaia-X Provider defines the Service Offering including terms and conditions as well as technical policies. Furthermore, it provides the Service Instance that includes a Credential and associated policies. A Gaia-X Provider is responsible for conformity to the claims made. If third-party data, services or infrastructure are part of the service offerings the Gaia-X Provider can make those resources available (e.g., through Service Composition) but remains responsible and shall ensure coverage through appropriate back-to-back coverage.
Operators are Gaia-X Providers that have been approved by the ecosystem governance to operate Federation Services and the Federation, which are independent of each other. There can be one or more Operators per type of Federation Service. Ecosystem Participants refer to the loose set of interacting actors that directly or indirectly consume, produce, or provide related Resources.
A Consumer is a Participant who searches Service Offerings and consumes Service Instances in the Gaia-X Ecosystem to enable digital offerings for End-Users.
3.2.3 Basic Interactions of Participants
This section describes the basic interaction of the different Participants in an ecosystem based on the Gaia-X model.
Providers and Consumers within the ecosystem are identified and well described through their valid Credentials, which are initially created before or during the onboarding process. Providers define their Service Offerings and publish them in a Catalogue. In turn, Consumers search for Service Offerings in Gaia-X Catalogues that are coordinated by Operators and the Gaia-X Registry. Once the Consumer finds a matching Service Offering in a Gaia-X Catalogue, the Contract negotiation between Provider and Consumer determines further conditions under which the Service Instance will be provided. The Gaia-X Association does not play an intermediary role during the Contract negotiations but ensures the trustworthiness of all relevant Participants and Service Offerings.
The following diagram presents the general workflow for Gaia-X service provisioning and consumption processes. Please note that this overview represents the current situation and may be subject to changes. The technical specifications will provide more details about the different elements that are part of the concrete processes.
Figure 3.2 - Basic processes for provisioning and consumption of Gaia-X services
3.3.1 Gaia-X Credentials
Gaia-X Credentials - formerly known as Self-Descriptions (SD) - are cryptographically signed attestations describing Entities from the Gaia-X Conceptual Model in a machine-interpretable format.
The Gaia-X Credentials are the building blocks of a decentralized machine-readable knowledge graph of claims, each credential carrying a tamper-proof and authenticable part of the information of that graph.
The knowledge graph can be completed and extended by Federations and Data Spaces, which always keep control of what and how much information is being shared by implementing access control at the credentials level.
flowchart LR description(a description) credential(a credential) description -- once cryptographically signed is a --> credential
Other types of credentials or credentials not using the Gaia-X schema are out of the scope of Gaia-X.
220.127.116.11 Gaia-X schema
The Gaia-X members define the Schema for Gaia-X Credentials. It is used as the vocabulary of the claims about credential subjects and must be available in the form of SHACL shapes (cf. the W3C Shapes Constraint Language SHACL).
At any point where Credentials are created or received, a certain set of SHACL shapes is known, which forms a shapes graph. A Credential forms a data graph. For compliance with Gaia-X and/or specific ecosystem extensions, this data graph must be validated against the given shapes graph according to the SHACL specification.
The defined version of the Gaia-X Schema is maintained and made available through the Gaia-X Registry Service.
Realization of Policy Definition and Policy Enforcement follows the W3C ODRL specifications; the definition of the execution components follows NIST.
18.104.22.168 Policy Decision Point (PDP)
22.214.171.124 Policy Enforcement Point (PEP)
An Identity is composed of a unique Identifier and an attribute or set of attributes that uniquely describe an entity within a given context. Gaia-X uses existing Identities and does not maintain them directly.
Identities uniquely describe participants (natural persons, companies) and resources (e.g., machines, interconnection or data endpoints). Personal and Corporate Identities are validated by the Gaia-X Compliance Service and Gaia-X Participant credentials issued. Identities are represented using Party Credential specializations.
All offerings by Gaia-X providers are considered “Services” (these can be composed of different types of physical or virtual resources). A service description that follows the Gaia-X Schema and whose claims are validated by the Gaia-X Compliance Service becomes a Gaia-X Service-Offering Credential.
3.4 Overview picture
ISO/IEC. IT Security and Privacy — A framework for identity management: Part 1: Terminology and concepts (24760-1:2019(en)). ISO/IEC. https://www.iso.org/obp/ui/#iso:std:iso-iec:24760:-1:ed-2:v1:en ↩