© 2016 – 2025 | All Rights Reserved | International Data Spaces Association

Connector Identifiers (Connector IDs)

Last updated 1 year ago

Each connector in the IDS needs a valid, long-lived and unique identifier that is never re-used for any other resource inside the IDS ecosystem.

The architecture aims to be open to multiple Certificate Authorities (CAs) issuing certificates. A truly unique identifier therefore has to combine the issuer of the certificate with the subject identifier. For an easily machine-readable identifier, two X.509v3 extensions are used:

  • Subject Key Identifier (SKI)

  • Authority Key Identifier (AKI)

The AKI MUST include a key identifier according to RFC 5280. Key identifiers MUST be obtained as the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits): computed over the connector's own public key for the SKI, and over the issuing CA's public key for the AKI, which is the value the CA certificate carries as its own SKI. The concatenation of SKI and AKI according to the encoding below provides a unique identifier even if multiple CAs are able to issue valid certificates. Note that the construction presented below corresponds to the textual representation of certificates used by OpenSSL.

Construction

Let ski be the 20 raw bytes of the SKI (i.e. the 160 hash bits), aki the 20 raw bytes of the AKI key identifier, '|' denote string concatenation, a[n] the n-th byte (zero-indexed) of a in network byte order, and Hex(x) the two-digit hexadecimal representation of the byte x using capital letters.

The connector ID is

connector_id := skiHex | ':keyid:' | akiHex

where

skiHex := Hex(ski[0]) | ':' | Hex(ski[1]) | ':' | [omitted for brevity] | ':' | Hex(ski[19])

akiHex := Hex(aki[0]) | ':' | Hex(aki[1]) | ':' | [omitted for brevity] | ':' | Hex(aki[19])

Examples

Raw construction

Let the Subject Key Identifier (in Hex notation) be

DDCBFD0B9384330111EB5D949488BE787D57FC4A

and the Key Identifier of the Authority Key Identifier be

CB8CC7B68579A823A6CB15AB17502FE665435DE8

Then

skiHex = DD:CB:FD:0B:93:84:33:01:11:EB:5D:94:94:88:BE:78:7D:57:FC:4A
akiHex = CB:8C:C7:B6:85:79:A8:23:A6:CB:15:AB:17:50:2F:E6:65:43:5D:E8
connector_id = DD:CB:FD:0B:93:84:33:01:11:EB:5D:94:94:88:BE:78:7D:57:FC:4A:keyid:CB:8C:C7:B6:85:79:A8:23:A6:CB:15:AB:17:50:2F:E6:65:43:5D:E8
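
The construction above, as an added example in Python that is not IDS-G code: it derives the RFC 5280 method-1 key identifier from a DER-encoded SubjectPublicKeyInfo (SHA-1 over the subjectPublicKey BIT STRING value, excluding tag, length and the unused-bits byte) and encodes skiHex | ':keyid:' | akiHex. The DER helpers and all function names are this example's own; the RSA public keys built in main() are constructed and are not real keys. The first call reproduces the raw-construction example from the SKI/AKI bytes given above.

```python
"""Connector ID construction (added example, stdlib only; not IDS-G code)."""
import hashlib


def hex_colon(raw: bytes) -> str:
    """Hex(a[0]) | ':' | ... | Hex(a[n-1]) with capital hex digits, as defined above."""
    return ":".join(f"{b:02X}" for b in raw)


def key_identifier(subject_public_key: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): 160-bit SHA-1 of the BIT STRING value."""
    return hashlib.sha1(subject_public_key).digest()


def connector_id(ski: bytes, aki: bytes) -> str:
    """connector_id := skiHex | ':keyid:' | akiHex; both inputs must be 20 bytes."""
    if len(ski) != 20 or len(aki) != 20:
        raise ValueError("SKI and AKI key identifiers must be 160-bit values")
    return f"{hex_colon(ski)}:keyid:{hex_colon(aki)}"


# --- minimal DER helpers (example's own): enough to build and read an SPKI ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    # (bit_length + 8) // 8 yields a leading 0x00 whenever the top bit is set,
    # which keeps the DER INTEGER positive.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo { rsaEncryption + NULL params, BIT STRING { RSAPublicKey } }."""
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))  # 1.2.840.113549.1.1.1
    alg_id = der(0x30, rsa_oid + der(0x05, b""))
    rsa_public_key = der(0x30, der_integer(n) + der_integer(e))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_public_key))  # 0x00: no unused bits


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def subject_public_key_bits(spki: bytes) -> bytes:
    """The subjectPublicKey BIT STRING value without tag, length and unused-bits byte."""
    tag, seq, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _algorithm, pos = _read_tlv(seq, 0)   # AlgorithmIdentifier is not part of the hash
    tag, bit_string, _ = _read_tlv(seq, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    if bit_string[0] != 0:                    # RSA and EC keys always encode 0 unused bits
        raise ValueError("unexpected unused bits in subjectPublicKey")
    return bit_string[1:]


def subject_key_identifier(spki: bytes) -> bytes:
    return key_identifier(subject_public_key_bits(spki))


if __name__ == "__main__":
    # Values from the raw-construction example above
    ski = bytes.fromhex("DDCBFD0B9384330111EB5D949488BE787D57FC4A")
    aki = bytes.fromhex("CB8CC7B68579A823A6CB15AB17502FE665435DE8")
    print(connector_id(ski, aki))

    # Constructed keys: not valid RSA moduli, only the encoding matters here
    connector_spki = rsa_spki(n=0xC0FFEE << 1000 | 0xDEADBEEF, e=65537)
    ca_spki = rsa_spki(n=0xBADCAFE << 1000 | 0x1234567, e=65537)
    print(connector_id(subject_key_identifier(connector_spki),
                       subject_key_identifier(ca_spki)))
```

The AKI of a connector certificate is, by construction, the SKI of the CA certificate, so the second call derives both halves from the two public keys rather than from certificate extensions; a verifier can use the same function to check that the SKI a certificate carries really is the SHA-1 of its key.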

Simplified Construction using the OpenSSL CLI

The following is a snippet from an X.509 certificate in text format, obtained via openssl x509 -in your_certificate -noout -text:

...
X509v3 extensions:
    X509v3 Subject Key Identifier:
        DD:CB:FD:0B:93:84:33:01:11:EB:5D:94:94:88:BE:78:7D:57:FC:4A
    X509v3 Authority Key Identifier:
        keyid:CB:8C:C7:B6:85:79:A8:23:A6:CB:15:AB:17:50:2F:E6:65:43:5D:E8
...

Concatenating the Subject Key Identifier line and the Authority Key Identifier line (including its keyid: prefix) with ':' leads to the unique identifier:

DD:CB:FD:0B:93:84:33:01:11:EB:5D:94:94:88:BE:78:7D:57:FC:4A:keyid:CB:8C:C7:B6:85:79:A8:23:A6:CB:15:AB:17:50:2F:E6:65:43:5D:E8
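
The same derivation from the OpenSSL text output, as an added example in Python that is not IDS-G code: it extracts the Subject Key Identifier and the key identifier of the Authority Key Identifier from openssl x509 -noout -text output and joins them with the ':keyid:' separator. The three certificate snippets are constructed for the example (the first repeats the one above); the regular expressions and function names are the example's own. It goes beyond the snippet in two ways: it also accepts the OpenSSL 3 output form, which prints a keyIdentifier-only AKI without the keyid: prefix, and it refuses a certificate whose AKI names only the issuer and serial number, since such a certificate carries no key identifier from which the ID could be built.

```python
"""Connector ID from `openssl x509 -noout -text` output (added example)."""
import re

# Constructed snippet, OpenSSL 1.1.1 style: the AKI key identifier has a "keyid:" prefix.
TEXT_KEYID_PREFIX = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DD:CB:FD:0B:93:84:33:01:11:EB:5D:94:94:88:BE:78:7D:57:FC:4A
            X509v3 Authority Key Identifier:
                keyid:CB:8C:C7:B6:85:79:A8:23:A6:CB:15:AB:17:50:2F:E6:65:43:5D:E8
"""

# Constructed snippet, OpenSSL 3 style: a keyIdentifier-only AKI is printed bare.
TEXT_BARE = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DD:CB:FD:0B:93:84:33:01:11:EB:5D:94:94:88:BE:78:7D:57:FC:4A
            X509v3 Authority Key Identifier:
                CB:8C:C7:B6:85:79:A8:23:A6:CB:15:AB:17:50:2F:E6:65:43:5D:E8
"""

# Constructed snippet: AKI with issuer name and serial only, i.e. no key identifier.
TEXT_NO_KEYID = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DD:CB:FD:0B:93:84:33:01:11:EB:5D:94:94:88:BE:78:7D:57:FC:4A
            X509v3 Authority Key Identifier:
                DirName:/CN=Example IDS CA
                serial:01
"""

# Exactly 20 colon-separated bytes; the lookahead rejects longer runs.
KEY_ID = r"(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])"
SKI_RE = re.compile(r"X509v3 Subject Key Identifier:[ \t]*\n[ \t]*(" + KEY_ID + r")")
AKI_RE = re.compile(r"X509v3 Authority Key Identifier:[ \t]*\n[ \t]*(?:keyid:)?(" + KEY_ID + r")")


def connector_id_from_openssl_text(text: str) -> str:
    """Return skiHex:keyid:akiHex in capital hex; raise if either value is absent."""
    ski = SKI_RE.search(text)
    if ski is None:
        raise ValueError("certificate has no Subject Key Identifier")
    aki = AKI_RE.search(text)
    if aki is None:
        # A DirName/serial-only AKI identifies the issuer but not its key,
        # so there is no key identifier to put into the connector ID.
        raise ValueError("Authority Key Identifier carries no keyIdentifier")
    return f"{ski.group(1).upper()}:keyid:{aki.group(1).upper()}"


if __name__ == "__main__":
    print(connector_id_from_openssl_text(TEXT_KEYID_PREFIX))
    print(connector_id_from_openssl_text(TEXT_BARE))
    try:
        connector_id_from_openssl_text(TEXT_NO_KEYID)
    except ValueError as err:
        print("rejected:", err)
```

The ':keyid:' in the connector ID is part of the encoding, not something copied from the OpenSSL screen output, so the result is the same whichever OpenSSL version printed the certificate. Parsing text output is convenient for manual checks; an implementation should read the two extensions from the DER certificate instead.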

Notes

In examples, and for readability, editors may abbreviate the identifier as

SKI:AKI

Two consequences of the construction are worth keeping in mind:

  • The identifier is derived from key material, not from a particular certificate. As long as the connector keeps its key pair and the CA signs with the same CA key, a renewed certificate yields the same connector ID. A CA key rollover changes the AKI and therefore the connector ID.

  • The identifier is only meaningful together with a validated certificate. A consumer should accept a connector ID only after validating the certificate chain, checking that the certificate's AKI key identifier equals the SKI of the issuing CA certificate (as RFC 5280 requires for path construction), and recomputing the ID from the certificate that was actually presented rather than trusting an ID carried in a message.

See also:

  • Certificate Authorities
  • RFC 5280
  • connector
  • X.509 certificates