Add signing of Identifiables #523
Conversation
aorzelskiGH
requested review from
BirgitBoss,
alexgordtop,
danielporta,
g1zzm0,
mjacoby,
sebbader-sap,
waltersve and
zrgt
as code owners
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| |<<asset-administration-shell-repository-service-specification-service-specification-ssp-001,AssetAdministrationShellRepositoryServiceSpecification/SSP-001>> |Full feature set | ||
| |<<asset-administration-shell-repository-service-specification-service-specification-ssp-002,AssetAdministrationShellRepositoryServiceSpecification/SSP-002>> |Only read operations; is included in the profile AssetAdministrationShellRepositoryServiceSpecification/SSP-001 | ||
| |<<asset-administration-shell-repository-service-specification-service-specification-ssp-003,AssetAdministrationShellRepositoryServiceSpecification/SSP-003>> |Query operations | ||
| |<<asset-administration-shell-repository-service-specification-service-specification-ssp-004,AssetAdministrationShellRepositoryServiceSpecification/SSP-004>> |Signature operations |
Check failure
Code scanning / QDJVMC
Link Resolve inspection Error documentation
| This work is licensed under a [Creative Commons Attribution 4.0 International License]( | ||
| https://creativecommons.org/licenses/by/4.0/). | ||
|
|
||
| SPDX-License-Identifier: CC-BY-4.0 |
Check warning
Code scanning / QDJVMC
Typo Warning documentation
| //// | ||
|
|
||
| [#signatures] | ||
| = Signatures |
Check warning
Code scanning / QDJVMC
Description exists inspection for Antora page Warning documentation
| Some use cases of the Asset Administration Shell require the proof that data has not been changed and that it is still the original data of the AAS originator. | ||
| An example is a device manufacturer supplying to an integrator supplying to a plant operator. The plant operator wants to check the remained integrity of the device manufacturer's AAS. | ||
|
|
||
| The AASX package format includes the possibility of signing an AASX package, but this is seldomly used. AASX packages can also not be protected by AAS security and access rules. This is why signatures are needed as part of the API. |
Check warning
Code scanning / QDJVMC
Typo Warning documentation
| Some use cases of the Asset Administration Shell require the proof that data has not been changed and that it is still the original data of the AAS originator. | ||
| An example is a device manufacturer supplying to an integrator supplying to a plant operator. The plant operator wants to check the remained integrity of the device manufacturer's AAS. | ||
|
|
||
| The AASX package format includes the possibility of signing an AASX package, but this is seldomly used. AASX packages can also not be protected by AAS security and access rules. This is why signatures are needed as part of the API. |
Check warning
Code scanning / QDJVMC
Typo Warning documentation
|
|
||
| The AASX package format includes the possibility of signing an AASX package, but this is seldomly used. AASX packages can also not be protected by AAS security and access rules. This is why signatures are needed as part of the API. | ||
|
|
||
| Different levels of API signatures have been investigated by the IDTA TF Security, including JWS (JSON Web Signature) or JAdES (JSON advanced digital signature). This version explains and defines new endpoints /$signed for AAS, Submodel and ConecptDescription, which provide a plain text JWS. |
Check warning
Code scanning / QDJVMC
Typo Warning documentation
|
|
||
| The AASX package format includes the possibility of signing an AASX package, but this is seldomly used. AASX packages can also not be protected by AAS security and access rules. This is why signatures are needed as part of the API. | ||
|
|
||
| Different levels of API signatures have been investigated by the IDTA TF Security, including JWS (JSON Web Signature) or JAdES (JSON advanced digital signature). This version explains and defines new endpoints /$signed for AAS, Submodel and ConecptDescription, which provide a plain text JWS. |
Check warning
Code scanning / QDJVMC
Typo Warning documentation
BirgitBoss
left a comment
BirgitBoss
left a comment
There was a problem hiding this comment.
section https://industrialdigitaltwin.io/aas-specifications/IDTA-01002/v3.1.1/general.html#_design_principles also needs to be updated:
new naming convention to add "Signed"
<Interface Operation> ::= <Method Verb><Model Element Name>[<Modifier>]["By"<By-Qualifier>]["Signed"]
- update text
BirgitBoss
left a comment
BirgitBoss
left a comment
There was a problem hiding this comment.
missing: signed calls for AAS and Submodel Registry.
missing: updated changelog
|
|
||
| The AASX package format includes the possibility of signing an AASX package, but this is seldomly used. AASX packages can also not be protected by AAS security and access rules. This is why signatures are needed as part of the API. | ||
|
|
||
| Different levels of API signatures have been investigated by the IDTA TF Security, including JWS (JSON Web Signature) or JAdES (JSON advanced digital signature). This version explains and defines new endpoints /$signed for AAS, Submodel and ConecptDescription, which provide a plain text JWS. |
There was a problem hiding this comment.
bad style: do not mention that something was discussed, of course alternatives were discussed. remove mentioning of any task force etc. in normative text, this can only be done in the Preamble
3 participants
Adding JWS signed data by new endpoints /$signed