1 of 48

BDI Reference Architecture

Reference Architecture

Introduction BDI Reference Architecture

BDI: An Infrastructure Framework for Operations and Supply Chain Data Spaces

Operations and Supply Chain Management (OSCM) represents the science and expertise of value creation in the production and distribution networks of goods and services. Effective information sharing is an operational necessity within and across these networks for:

Core Principles

1. Introduction

Based on the observations mentioned in the Introduction, seven principles were formulated to guide the design of the architecture. The seven principles are given below, and explained separately afterwards.

Principle 1: Connect Physical to Digital

Sharing data via the BDI allows for a direct connection between physical processes and digital information. Physical processes — such as the delivery of materials to a construction site, the processing of an agricultural product, the transport of raw materials, or the delivery of goods to a warehouse — are supported by data and information exchange. While such communication used to occur via manual registrations, phone calls or single documents, the BDI allows for it to be structured completely digitally through connected IT systems.

How does it work?

After the occurrence of a physical event, such as

the delivery of hot asphalt on an infrastructure project;
the harvesting and processing of a agricultural product;

What does that mean in practice?

Greater control over physical processes through direct, automatic support with up-to-date data
Transparency in supply chains and networks, where authorized parties have insights into relevant data

Principle 2: Event-driven Coordination

In many sectors, timing is of the essence. Whenever a schedule changes, a delivery arrives, a process step is completed or a malfunction occurs, the involved parties wish to be notified as soon as possible. With the use of the BDI, organizations and professionals are automatically informed via systems about events relevant to them, even when the parties do not have a direct contractual relationship. This can be referred to as event-driven coordination: the proactive, trusted and automatic sharing of information as soon as something happens that influences a process, schedule or result.

How does it work?

In complex processes, a lot happens simultaneously. Activities quickly follow one another, sometimes run in parallel and are often interdependent. Proper coordination is only possible if the right information is available at the right time.

With the BDI, this coordination happens as follows:

Every relevant event in a process generates its own digital notification

What does that mean in practice?

For every relevant event, such as

finishing a product order;
delivering material to a project location;

Principle 3: Dynamic Data

Static processes rarely occur. Instead, the status of activities, deliveries, measurements or maintenance is constantly changing. Consider a changed schedule, an accelerated or delayed process, or new measurements.

With the use of the BDI these changes are shared in real-time through dynamic data: small, up-to-date data packages that follows the real events. This ensures all relevant parties always have the most up-to-date view.

How does it work?

Every status-change results in an update that is shared with the relevant, involved parties. Examples of these generic statuses are:

requested
accepted

What does that mean in practice?

Changes in processes are directly visible (e.g. in case of delays, accelerations or deviations).
Involved parties work with the same definitions, terms and meanings.

Principle 4: Zero Trust

Frequently, not all the parties involved in chains and networks are familiar with each other. This is the case for many sectors, including construction, industries, defense, governance, agri-food and logistics. Regardless, secure and responsible data sharing is important. Therefore, the BDI is based on the Zero Trust principle: trust is never automatically granted, but based on rules, context and control. Within the BDI, trust is not assumed, but a controlled and retraceable decision.

How does it work?

Organizations decide:

with whom;
under what conditions;

What does that mean in practice?

One can securely collaborate with unknown parties.
Data is only shared after authentication and authorization.

Principle 5: Data at the Source

Collaborating requires data sharing. This does not mean, however, that one must transfer their data to the other party. Within the BDI an organization remains the owner of their own data. This principle is also known as data sovereignty: the data stays at the source, under the owner's control.

How does it work?

When a relevant event happens — such as a delivery, measurement, registration or a completed process — no complete dataset is distributed. Instead, only a notification with a reference (metadata) is shared. Only authorized parties (that adhere to the conditions set by the data sharer) can use this reference to request additional information.

As a data owner, one can always:

see who is requesting access to the data;

What does that mean in practice?

Complete control over your own data.
One reliable source (single source of truth)

Principle 6: Local Decision-making

Organizations, regions and sectors all differ from one another. Legislation, culture, processes and ways of working are not the same everywhere. Therefore, the BDI supports local decision-making within a common set of rules. This idea is based on the subsidiarity principle: decisions are made on the lowest possible, most involved level.

How does it work?

The BDI agreement framework contains a shared foundation. Within this foundation it is possible for:

sectors to determine their own agreements;
regions to apply their own agreements;

What does that mean in practice?

Freedom in process design
Room for innovation and customization

Principle 7: Coherent Security

In order to safely share data, technology, humans and processes should be coordinated. The BDI therefore focuses on Coherent Security: security on every single level and as a whole.

How does it work?

The BDI maintains security on three levels:

Technical security: Each component (from applications till connections) adheres to high security norms.
Secured collaboration

What does that mean in practice?

Secure data sharing, even with new or unknown parties
Reduced change of errors or data leakage

Stack and KITs

1. BDI Stack and KITs

To assist the creation of applications according to the architectural principles, BDI defines a set of building blocks. Each building block provides tools and guidelines to implement parts of the required functionality. The building blocks are shown in the BDI stack:

Implementation of the principles by means of parts of the stack is aided by the definition of KITs. A KIT is a subset of the BDI stack that forms a coherent capability. Implementing a KIT makes it easier to start with a minimal viable subset and add additional functionality later as the need for it arises.

BDI Technical Roles

1. Introduction

The building block aims to define BDI's technical roles, including Identity Provider, Identity Broker, Association Administrator, Data Owner, Data Service Provider, and Data Consumer. Each role plays a crucial part in managing identity, data control, and service provision within BDI's framework.

2. Purpose of this building block

The purpose of this building block is to define the technical roles in BDI.

3. Concepts

The technical roles of the BDI are given and explained below.

Role

Description

4. Implementation Considerations

Implementation of the basic BDI mechanisms assumes the existence of these technical roles.

5. Interactions with other building blocks

6. Further reading

BDI Maintenance and Community Contributions

To file a change request, submit an issue here: https://github.com/Basic-Data-Infrastructure/BDI-change-requests

1. Introduction

This page describes the BDI Change and Release Management Process for maintaining the BDI Architecture Documentation. As BDI transitions into a maintenance phase, a thorough process for change and release management is becoming increasingly important.

Both the associations that follow the BDI and the BDI itself exist in an environment subject to continuous change due to:

Legislative and regulatory changes
Technological advances
Emergence of new application areas
Previous experience and lessons learned from previous projects

Such environmental changes may call for changes in the BDI Reference Architecture. However, as these changes could impact many stakeholders, careful change management is important. The BDI Change Management and Release Management Processes are introduced for this purpose.

1.2 Scope

The Change and Release Management applies to the following assets:

, including example IT components provided by BDI

Explicitly out of scope are any third party IT components mentioned in the BDI Framework documentation or BDI Developer Portal. These components are subject to their own change and release management processes.

1.3 Core principles

The Change and Release Management Process must be transparent, predictable and fair. Each of these principles is discussed below.

Transparency

Predictability

Fairness

1.4 Change management process

A change can be either a Request for Change (RfC) or a Minor Change, the difference being the impact of the change to the community. An accepted RfC requires BDI-based associations to take action to remain compliant with the new BDI version, whereas Minor Changes do not. However, associations, at their discretion, can decide not to comply with the new BDI version but rather follow the old one.

1.4.1 RfCs

1.4.1.1 Process for RfCs

The following diagram describes the process for managing RfCs.

Roughly the RfC transitions through the following phases:

Identification

A stakeholder — such as the BDI Product Owner — identifies a required change or opportunity for improvement.

Registration

The stakeholder — possibly supported by the Product Owner — describes the RfC and registers it.

The result of this process is an accepted RfC, with a clearly described impact on the reference architecture.

1.4.1.2 Templates

The RfC process is supported by the following templates:

RfC Description Template [to be drafted]
RfC Impact Analysis Template [to be drafted]

The decision making process is supported by:

RfC Decision Guidelines [to be drafted]

1.4.2 Minor Changes

Minor Changes (MCs) are defined as changes in the managed assets that do not impact the community. These changes can for example be:

Spelling mistakes
Text improvements
Reordering of information
Other minor improvements

1.4.2.1 Process for Minor Changes

The following diagram describes the process for Minor Changes (MCs).

Roughly the MC transitions through the following phases:

Identification

A stakeholder identifies a potential change and notifies the Product Owner.

Description & Registration

The stakeholder registers and describes the required MC.

1.4.1.2 Templates

The MC process is supported by the following templates:

MC Description [to be drafted]

1.4.3 Release management

The Change Management Process results in a backlog of RfCs and MCs that require implementation. To process this this backlog efficiently, the Release Management Process was created. This process defines the procedures for selecting changes to be implemented and for consolidating those changes into releases (versions).

Version types

The Release Management Process results in two types of version:

Major new version: a version that contains changes with potential impact on stakeholders.

1.4.3.1 Release process for major versions

The following diagram describes the process for scoping and producing a major version.

The release process for major versions is as follows:

Scoping

The Product Owner selects the initial scope for the major version by selecting RfCs and MCs from the backlog. The product strategy and/or product roadmap are guidelines for selection.

Informing

The Product Owner informs stakeholders and the Expert Group and schedules the release scope as a topic for the Architecture Board agenda.

Timing requirements

The minimum time between step 3 (final scoping) and 6 (release) must be 3 months.

1.4.3.2 Release process for minor releases

The following diagram describes the process for scoping and producing a minor version.

The release process for minor versions is as follows:

Scoping

The Product Owner selects the initial scope for the minor version, by selecting MCs from the backlog.

Implementation

The selected RfCs and MCs are implemented in the assets.

1.4.3.3 Release and version guidelines

The release schedule guidelines for releases of major versions is as follows:

Maximum release frequency: quarterly
A quarterly release may be skipped if there are no changes with potential impact on stakeholders are selected and implemented

In special circumstances the Product Owner can decide to create an extra major version release using a fast-track release process.

1.4.4 Roles and responsibilities

The following roles are recognized in the Change and Release Management processes:

Association Register

1. Summary

The building block Association Register has the basic function of registering:

identities of recognized legal entities
digital proof of the identity (credentials, for example certificates)
the roles these entities can have
the trust level of each entity

The Association Register is an operational building block that is called during the zero-trust authentication and authorization process.

The richness of the building block is governed by the subsidiarity principle: in its most simple and limited form an Association Register is maintained by and for a Data Service Provider, in its most rich form it is maintained by a BDI Association that federates with other BDI Associations.

Optional functions that are expected when a BDI Association administers their own Association Register are:

keeping a reputation score per entity
registering onboarding agreements
perform federated verification checks of unknown legal identities that are Member of another BDI Association

2. Purpose of the building block

The purpose of the Association Register is to automate and facilitate trust assessments of entities in the sequence of Authentication – Trust Assessment – Authorization as performed by a Zero Trust endpoint.

A shared Association Register reduces costs and combines experiences in shared dynamic reputation scores.

A shared Association Register in a legal entity (BDI Association) can be augmented by onboarding procedures, including the signing of legal documents, including terms and conditions.

A federated Association Register automates the basic trust checks of entities that claim to be a Member of another BDI Association, by verifying the other BDI Association and verifying the membership.

A federated Association Register automates the registering of preferred Business Partners: members of other BDI Associations that have a special status.

An Association Register is considered a technological solution to facilitate the role of the Association Administrator.

3. Concepts

The following concepts (from the BDI Glossary) are particularly relevant in this building block:

4. Risks

An Association Register is a core part of automated trust assessment. This requires both:

Rigorous design and testing for IT-security weaknesses (cryptographic libraries, protocols, penetration testing, supply chain attacks etc.)
An operational security process that minimizes the risk of humans as attack vector (social engineering, pressure) to compromise the integrity of the register

The human attack vector is considered to be the most risky: onboarding should therefore be a one-way automated process in three separate steps (see also onboarding T&Cs Association articles):

Collecting information (automated and/or manual)
Verifying information and test trust chain (automated)
Committing to the register (manual action by functionary)

Modification of information should only be possible by deleting or deprecating information, followed by a new onboarding process.

5. Interlinkages with other building blocks

This building block provides the technical implementation supporting the building block “Onboarding Terms and Conditions”, in which the operational processes and requirements regarding the onboarding of a BDI Association are described.

Furthermore, it particularly supports the building blocks “Authentication” and “Certified roles” (but not limited to) by providing trust about Members and their roles.

In fact most building blocks will have some form of link with this building block, since the Association Register is a core topic of the BDI.

Stages of implementation

In its most simple form a data service provider has its own private Association Register to recognize data consumers. The limitations of such an implementation are obvious, yet it may be a stage to reach the next level.

A shared Association Register adds the benefit of cost reduction, and trust/reputation sharing.

An Autorization Register may be shared as well.

A federated Association Register allows in principle an unlimited universe of parties that can check each other credentials as Member of their particular BDI Association, vice versa.

The principles of by discovery through a standard _bdi subdomain to facilitate federation are depicted below.

Extra function in existing trade body (Governance)

The benefits of shared services, shared standards, shared Terms and Conditions and increasing the negotiation power by coordinating as a group are known in the "analog" world. A large number of trade associations already exist, specific to a sector/region. These trade associations are natural hosts for Association Register functions. The assumption is that in most cases existing trade associations will upgrade their service offerings to include support for the BDI, instead of creating a new legal entity specifically for support of the BDI.

6. Elements and their key functions

An Association Register can have the following functions

An Association Administrator can register Members after executing the onboarding process as defined by the particular Association
An Association Administrator can deregister a Member, for instance when the Member requires it to do so, when a membership expires, or when a Member is to be excluded from membership due to a breach of terms and conditions.
An Association Administrator can delete or deprecate the registration of a Member, to be superseded by an improved registration. Deprecation is preferred as the historical information may be useful in autopsies of security incidents.

7. Core design decisions

The following design decisions form the basis for this building block:

An Association Register can operate standalone, without federation.
An Association Register can be shared between parties in a BDI Association, or shared by multiple BDI Associations (database or shared ledger).
An Association Register can be federated with other Association Registers, without being connected or known beforehand: there is no global register of Association Registers. The discovery mechanism is DNS based.

8. Future topics

To be discovered is how the Association Register can technically support the building block “Business Partner Reputation model”.

The federation of Association Registers might also be based on the proposals of Open-ID on federation.

The identification of Outsiders and its Root Association needs to be detailed.

Implications on trust when a member is a member of multiple associations.

9. Further reading

This building block has been derived but modified from the following sources, that provide opportunity for further reading:

Onboarding Terms and Conditions

1. Introduction

1.1 Purpose

This building block guides organizations to establish a form of governance for their data exchange activities in accordance with the BDI framework. This building block provides reasons and options to establish this governance.

2. Concepts

Some relevant concepts for the BDI onboarding are given below.

Perimeterless trust

The BDI framework emphasizes perimeterless trust, allowing each data owner to determine who they trust. Trust registers and identity mechanisms are both local and adaptable, offering flexibility in interoperability and endpoint discovery.

No overarching authority

There is no overarching authority to enforce the certification of interfaces, manage onboarding processes, or ensure adherence to data licenses. Compliance within the BDI framework is entirely voluntary, motivated by the practical benefits and business value it offers. The framework supports varying global and local adaptations in identity verification and trust levels.

Registers of trusted entities

Registers of trusted entities are typically local or individual. For example, a platform or company may maintain its own register of trusted partners. If the need for interoperability within a group grows, a common register can be established, often through a BDI Association. (Association Register).

Federated identity mechanism

The BDI framework provides a federated mechanism for previously unknown entities to identify themselves to a data-owning party. This allows the data owner to verify the entity’s claims and decide whether sufficient trust exists to proceed with the interaction.

Governance recommendations

Although it is possible to start without any governance structure, it is recommended but not required to develop a formal governance structure per group of entities that share common agreements, terms and conditions, policies, data licenses, semantics of events, trust scores and so on.

A “Group of groups” as an overarching governance structure may also be a beneficial option to consider.

2.1 BDI Association

A BDI Association is a local entity formed by a group of participants within the framework. The legal structure of an Association can vary, as it could for example be a foundation or cooperative. Irrespective of its legal structure, the Association serves as the operational anchor for both federated trust/authentication and local onboarding within the BDI Framework. Members of a BDI Association can engage in multiple sectors and data exchanges, participating in dynamic virtual networks composed of members from different Associations. These networks operate on zero-trust principles (see ...), treating members from other Associations as untrusted by default until trust is established.

2.1.1 Local nature

The local nature of BDI Associations is important, but associations are not by definition local. Some arguments for the importance of this local nature are the following:

Trust and reputation are often tied to proximity and frequency of interaction. The economic gravity-effect shows that geographical proximity has a causal relationship with the level of trade.
Legal systems tend to be national or trade-bloc dependent, making localized Associations more effective in managing trust and reputation within these frameworks.
The local BDI Association can be the foundation of effective and efficient trust management in a perimeterless, zero-trust environment.

2.1.2 BDI Framework

The BDI Framework assumes that many associations are formed and changed, split or merged in a natural manner, as their members see fit.
The BDI framework defines how federated trust, federated reputation and federated authentication are created spanning multiple associations.

2.2 Efficient trust management

Zero-trust principles mean that BDI Associations do not trust anyone outside their own members and use all four pillars of trust to assess interactions with others outside of their community.

The strong social control pillar is supported by a reputation scheme:

Members of the same association are considered trusted insiders.
Members of other associations are considered untrusted outsiders at the outset, but that position can change when:
- a shared reputation scheme builds experience with outsiders,

2.3 Onboarding

It is recommended that an onboarding mechanism is introduced for new members, if the Association desires to raise the standards for its members.

The following aspects can be taken into consideration:

vetting the member
checking roles the member wants to fulfil
verifying credentials and certificates (trust chain)

The result of onboarding is an entry in the local Association Register.

2.4 Coherent security

The registrations stored in the Association Register need to be secured against tampering. The process outlined in this section reduces the possibility of attack vectors directed to the staff of the Association Administration (social engineering, blackmail etc.), the most common attack vector in these cases.

The following steps apply to new registrations, updates to registrations and depreciation.

Prepare

A complete set of attributes is prepared; for updates, this includes all data in the registration (including any attributes that haven't changed).

During preparation attributes can be added, removed and modified freely. Ideally, there is a way to validate the dataset during preparation, but it must be possible to work with intermediate/incomplete data until submitting for verification

Verify

Shared terms and conditions, data access policies, and data licenses are essential for enhancing interoperability within the BDI Framework.

3. Core design decisions

The implementation of the BDI Framework should consider existing sector-specific terms, conditions, and practices. Many trade and standardization organizations are transitioning from paper-based practices to digital ones. It is recommended to build upon the existing body of knowledge and trade practices, per sector.

4. Interactions with other building blocks

Digital Identity

See Digital Identity M2M and Digital Identity H2M

Terminology in the field of digital identity can be confusing as different sources use terms in slightly different meaning. To deal with this confusion, we define some terms that are used in the description of the BDI Digital Identity.

The physical world is populated by persons and objects that can be recognized and distinguished from one another by their Physical Identity. Although the notion of physical identity is heavily debated in philosophy, we will not discuss this further beyond the observation that identities are unique and constant over time. In a sense, a physical identity determines the "sameness" of a person or object over time.

Although persons and objects are of course entirely different categories, much of what is written here about persons also holds for objects.

A person that is identified through its physical identity can have many attributes such as a name, date of birth, address, eye color and so on. Some of these attributes are unique for a given person and hence can be used for identification. It is however important to note that a physical identity is not the same as this unique set of attributes. A Digital Identity is a record in an information system, describing certain attributes of a person in the physical world. The digital identity can be used by information processing systems to determine e.g. access rights.There are several issues that must be dealt with when managing digital identities:

At creation time of the digital identity it must be certain that it indeed corresponds to the right person (the onboarding problem)
It must not be possible to use the digital identity for any purpose without the explicit consent of the holder of the physical identity.
The digital identity must contain sufficient information to uniquely identify the person.

Digital Identity H2M

1. Summary

This building block supports trust among participants by defining how digital identities play a role in BDI in human-to-machine (H2M) interactions.

Digital identifiers for IT-processes acting on behalf of an organization/legal entity are described in Digital Identity (M2M).

2. Purpose of the building block

The purpose of this building block is to support the framework for trust in Boundary Management, where humans are acting as a representative of a legal entity by means of (digital) devices and telecommunication.

3. Concepts

Boundary Management for humans relates to:

This building block ensures that the digital identity of the human involved in (digital) interactions can be authenticated. In addition, it ensures a relation between the digital identity and

the Representation evidence, i.e. in what role and capacity, on behalf of which legal entity, with a specific mandate
the Professional Qualification evidence, i.e. evidence of professional qualifications

The core concept is that identity is dynamically related to (potentially multiple concurrent) representations for (potentially multiple concurrent) legal entities. The legal entity assumes liability and accountability for actions of the human.

3.1 Identity

Identity is a legal concept defined by a nation state and assigned to a human by that nation state. Nation States issue Passports and ID-cards to humans which they can use to "prove" their identity. Driving licenses are also used in some states (e.g. the Netherlands) as a proof of identity.

Digital identities are related to that core identity by Identity Providers which are used in B2B processes.

Identity Providers can choose to increase the assurance level of an identity, for example by requesting live verification of an identity paper. This can be done face-to-face or remote. Typically, this is executed once at the initiation of a new identity.

3.2 Authentication

Identity Providers can also provide additional assurance at the (continuous) use of the identity, e.g. when a managed boundary must be crossed. The human user can be authenticated by a username, password and an additional 2FA / MFA. More advanced devices can also use biometric identification parameters. Biometric identification can also be used for accessing a physical location. One such example is using the Secure Logistics smart card to access a Terminal.

3.3 Identifiers

Identity Providers typically use an internal numbering scheme for identifying users which are enriched with more public identifiers like email addresses and telephone numbers. Some details regarding different identifiers are given below.

As mentioned, identity is a legal concept defined by a nation state and assigned to a human by that nation state. State issued identifiers (e.g. the Dutch BSN) are often not allowed to be used outside the Government.

In B2B processes, business email addresses are preferred. These should be using an organizational domain name (e.g. @myorganization.com) and a personal prefix (e.g. piet.jansen@ or s.jones@). The use of shared email accounts must be avoided. Also the use of general domains (e.g. @gmail.com) should be avoided. Typically, the user must demonstrate during the setup of the account that she has access to the business email address. This provides additional trust that the user has a business relation with the organization which owns the domain name.

(Mobile) telephone numbers can also be used to identify / verify the user. During the setup the user demonstrates that they have access to the number. At a later moment, the user can once again demonstrate the access to this number.

3.4 Representation

B2B Identity Providers identifies a human user in the context of an organization. Additionally, the role/mandate of the user can be defined at the Identity Provider so it can be used in all connected services. An alternative is that the service itself has local authorizations which must be managed by an administrator of the organization.

Users could represent more than one organization, and there are several approaches Identity Providers can take to manage this scenario. They could for example assign different identities for each of the represented organizations (e.g. applying different business email addresses or issuing separate secure cards per organization). An alternative is that the human user selects the represented organization in each specific use case.

3.5 Professional Qualifications

In many cases the human needs to have adequate professional qualifications for the task at hand, such as a professional drivers license, safety training or dangerous goods handling. The B2B Identity Provider could store and share these professional qualifications of the user, for example in an electronic wallet. The qualifications are typically represented as verifiable credentials.

4. Risks

Some possible risks that are important to consider for this building block, are the following:

An insufficient framework for digital identity might lead to a lower level of trust among parties and will harm the overall trust in BDI.
Non-compliance to applicable privacy laws (e.g. GDPR, AVG) can hamper the implementation or adoption of services and can cause reputation risks or fines.

5. Interlinkages with other building blocks

The related building blocks are:

The most important related Kits and concepts are:

6. Core design decisions

Please note the following design decisions:

Parties choose their Identity Providers fitting to the requirements.
The BDI adds the link to representation and professional qualifications.
In Europe the eIDAS regulation is a solid foundation for the identity ecosystem.

Authentication

See Authentication M2M and Authentication H2M

In the context of the BDI, the user is a representative of a legal entity (organization). Authentication is required in both H2M (Human to Machine) and M2M (Machine to Machine) use cases.

Discovery

1. Summary

This building block defines how BDI supports organizations (Data Providers and Data Consumers) in discovering other organizations, services and endpoints by either

utilizing discovery-aspects of the iSHARE Trust Framework, or
defining a standard for discovery using the DNS Protocol.

2. Purpose of this building block

In the BDI, the discovery process is recommended for enabling connections between data providers and consumers. Unlike traditional data marketplaces, where the primary focus is on matching providers with potential consumers to establish new data-sharing relationships, BDI focuses on optimizing existing data exchanges. These exchanges often support operational logistics in the supply chain, where different parties are already connected but more efficient methods for data exchange are required.

Option 1: Discovery using DNS

The Domain Name System (DNS) is a foundational protocol in internet infrastructure, serving as a directory that translates human-readable domain names into IP addresses. In the context of federative data sharing networks like the BDI, DNS plays a crucial role in enabling data consumers and providers to discover each other's service endpoints. By utilizing DNS for service endpoint discovery, organizations can publish and find endpoints, thereby facilitating data exchange within the network. This building block outlines the purpose, concepts, implementation considerations, key elements, and recommended standards for using DNS in the BDI discovery building block.

The purpose of using DNS in the BDI discovery building block is to provide a standardized method for publishing and discovering service endpoints. This allows data consumers to easily find the endpoints of data providers without the need of a common shared register, assess their trust level, and establish connections for data exchange. The use of DNS ensures that the discovery process is both scalable and compatible with existing internet infrastructure. Discovery based upon DNS allows for a perimeter-less federation of BDI users and Associations.

Option 2: Discovery using the iShare specifications

3. Concepts

4. Implementation Considerations

When implementing DNS for service discovery in BDI, several factors need to be considered:

Zone management

Organizations must manage their DNS zones effectively to ensure accurate and up-to-date information is available for discovery. This involves maintaining the appropriate DNS records and ensuring that the DNS infrastructure is reliable and secure.

Security

To secure the discovery process, DNSSEC (DNS Security Extensions) should be implemented. DNSSEC adds a layer of security to DNS by enabling the authentication of DNS data, preventing tampering, and ensuring the integrity of the information provided in DNS records.

5. Elements and Their Key Functions

A predictable subdomain, such as _bdi.acme-corp.com, serves as a central point for service discovery. This subdomain is used to organize DNS records related to BDI services, making it easy for data consumers to find relevant endpoints.

SRV records are used to locate the actual endpoints where services are hosted. These records specify the hostname or IP address, port number, protocol, and other parameters necessary to connect to the service.

Key Fields:

target (hostname/IP)

Boundary Management

1. Introduction

Usually, many parties are involved in a logistic process. Each of these parties maintains a set of valuable assets that they needs to protect. In abstract terms, this protection is realized by creating an perimeter, a boundary around the assets that is controlled by the party. Other parties can not cross the boundary without permission of the owner, hence the value is protected. However it is often required that parties do cross the boundary to facilitate cooperation.

Three different kinds of assets and their associated boundaries are distinguished:

Digital assets, such as IT systems (applications, processes) and data
Physical assets, such as distribution centers and production facilities
Legal (ownership, liability and accountability) assets, such as responsibilities for and ownership of cargo

The nature and implementation of the protecting boundaries is different for each kind of assets and each one requires specific measures to allow third parties to cross them in order to cooperate in a logistic process.

There are two reasons to allow others (representatives as in human and IT-processes) to cross a boundary:

To allow them to use an asset
To transfer an asset between parties

Boundary Management is about managing boundaries in practice.

2. Interlinkages with other building blocks

Digital Asset Boundaries

1. Introduction

The following can be considered as Digital Assets:

Applications and processes
Data

Allowing humans to login to your IT systems (applications, processes), or allowing a process owned by another party to access (read and maybe modify) your data is the subject of Digital Asset Boundary Management.

2. Interlinkages with other building blocks

Physical Asset Boundaries

1. Introduction

The BDI framework includes support for the authentication of a representative (human or machine) and verification of their mandate, safeguarding the non-repudiation of the liability their principal (the entity who is represented) takes for their actions.

In the physical operation of our economy many activities are outsourced. Supplying services on-premise requires access to a guarded location. For example: a maintenance sub-contractor for a vendor of video security systems is commissioned to perform maintenance at a customer's site. The subcontractor is contracted to perform regular maintenance . At regular intervals a maintenance engineer shows up at the gate of the premises and claims access to the premises, to perform preventive maintenance on a security video system on behalf of the vendor that delivered the security system.

The security guard of the company where the security system is installed needs to verify the following:

Has this person indeed been sent by the OEM (original equipment manufacturer)?
Can this person be authenticated and verified as being mandated by the sub-contractor>
Does this person have the required professional qualifications?

2. User Journey

In the example of the engineer of the maintenance sub-contractor, the user journey starts when the engineer shows up to the gate. The security guard needs to be able to authenticate the person and verify the representation claim. The approach for this check is as follows:

Authentication

The engineer presents a form of ID (proof for authentication). The ID can be standard, fitted with additional safeguards such as biometrics, or digital (Wallet).

For real-life applications it is necessary to be able to operate (temporarily) offline. It should be possible to verify the Representation Evidence, even when validation by the issuer is delayed. Whether a delayed verification is acceptable, depends on the involved parties. This could for example be acceptable when the party checking the Representation Evidence has already received a prior notification. The data in this pre-notification can then be matched with the data in the actual evidence.

3. Nested JWT as carrier of claims

The use of JSON Web Tokens (JWT, RFC 7519) is ubiquitous: the support in tools and knowhow is well developed. Expand the following elements to learn more about the different uses of JWTs.

JWTs for claim sets

A JWT is a compact, URL-safe way to represent claim sets which are to be transferred between two parties. A claim set is a set of claims, where each claim is a piece of information asserted about a subject. A claim is represented as a name/value pair consisting of a claim name (always a string) and a claim value (can be any JSON value).

Unsecured JWTs

Unsecured JWTs are standardized claim sets. However, many if not most JWTs need to be signed and encrypted. The claim set in a JWT can be used as the payload of a JSON Web Signature (JWS, RFC 7515) structure or as the plaintext of a JSON Web Encryption (JWE, RFC 7516) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

Nested JWTs

The result nesting of a JWT in a JWS or in a JWE (or both!) is called a Nested JWT. (Note that this is a different kind of nesting than the nesting/embedding of representation evidences that are the topic of this note). The resulting JSON object is encoded using a Base64URL encoding, which produces a URL-safe plain ASCII string.

Embedded JWTs

Because JWTs are in the end just ASCII strings, they can be used as the value of a claim in another JWT. This kind of nesting can be referred to as embedded JWTs. This feature is the basis for representation hierarchies, where a representation is based on another representation.

A defines how to implement selective disclosure of information. Selective disclosure would be a excellent feature in business environments.

3.1 JWT types of claims

There are two types of JWT claims:

Registered: standard claims registered with the and defined by the to ensure interoperability with third-party, or external, applications.
Custom: non-registered public or private claims. Public claims are collision-resistant while private claims are subject to possible collisions.

The lists the registered claims. (Claim Name “vc”) and Verifiable Presentations (Claim Name “vp”) are registered claims. The use of nested JWTs supports the future use of VC’s and VP’s. The JWT structure makes it therefore possible to include claims of Professional Qualifications.

3.2 Using JWT's as carrier of Representation claims

The most simple approach is that the Principal issues the JWT. The payload of the JWT is:

identity information of the human (ID #, name, digital identity etc.)
identity information of the Principal
order information (order reference, type of activity, location, data)

The issuer of the JWT (Principal) can add a link to the payload. The link allows for a real-time confirmation that the claims in the JWT are still valid.

When the Principal commissions a subcontractor, the identity of the human is replaced by the identity of the subcontractor. The subcontractor creates a new JWT, with the payload:

the JWT as sent by the Principal
identity information of the human (ID #, name, digital identity etc.)
identity information of the Subcontractor)

4. Application in practice

An embedded JWT claim can be created recursively by each layer of the (subcontracting) chain, starting with a Principal. This show the Representation chain.

The human requesting access can carry the JWT (for instance in a Wallet), or carry a link to an online API that can transfer the JWT to an evaluation service/application. The security guards use the service or application to evaluate the JWT, verify the signing of its claims and show the content to the guard. The guard can authenticate the human and verify the representation chain.

5. Further reading

Event Choreography

Choreography of Principals and subcontractors: balancing effectivity with security.

1. Choreography of event distribution

In supply chains the chain of business activities starts when a Seller and Buyer agree upon the transaction. This agreement typically includes terms related to transport, insurance, customs, the handover of responsibilities, and payments. The successful execution of this agreement often requires coordination among a large set of actors, including authorities and their subcontractors. This coordination is managed through a "choreography" of actions, where each action is triggered by planned or executed events.

2. Subcontractors and principals

In this context, the Seller and Buyer serve as the Principals, each responsible for their part of the agreement. Typically, each Principal selects preferred contractors to fulfil their portion of the agreement. These main contractors, in turn, become Principals to their own subcontractors, and this chain continues down the line.

The key challenge here is distributing notifications within this dynamic and temporary data exchange network, to ensure effective and efficient coordination of activities, without overburdening the network with traffic.

3. Provisioning an instance

The BDI framework assumes that commercial relationships between Principals and Subcontractors are established before any actual orders are placed. In this setup, URLs are known, and through the DNS discovery mechanism, the URIs of endpoints for each party are also known. Digital identity and trust are established within the respective associations of each party.

Each Principal is responsible for provisioning a temporary network of subcontractors associated with a specific order.

4. Channels

Principals and their subcontractors communicate through channels (a.k.a. topics in a pub/sub setting). There are three kinds of channels:

Subcontractor specific - often a principal works for different orders with a limited set of partners (preferred suppliers). There is a private channel between the principal and each partner. These channels are bidirectional (both the principal and the subcontractor can post notifications). A subcontractor specific channel exists as long as the relation between principal and subcontractor exists and hence may exceed the lifetime of a specific order.
Order specific - a principal creates a channel specific to the execution of a particular order. Such a channel is unidirectional: the principal is the only party who is allowed to post notifications, all involved subcontractors subscribe to this channel and are therefore notified of each message sent by the principal. Order specific channels exist for the duration of the order only.
Subject specific - often orders get bundled and unbundled during transport, for instance, being added to a container or ship. In these cases, the subject of the events shift from order to container to ship and, eventually, back to container and order. These are unidirectional channels: the origin (transporter, terminal etc.) of the events is the only producer on these channels. It's up to the consumer of the events to switch channels when the subject shifts, for instance, when a container is loaded on a ship. The duration of the channel depends on the lifetime of the subject.

The latter subject specific channel may be considered a low-level channel. The events on these channels need more advanced tracking, due to the shifting subject, and may end up repackaged on the subcontractor / order specific channels.

5. Semantics and Lifecycle

In order to allow a consuming party to correctly interpret events, the publishing party must clearly document:

Which events are published;
When events are published;
What it means when they are published;
What sequences of events can be expected;

Translating, repackaging, and/or combining events for consumption by other systems will rely heavily on the above documentation and need documentation of their own. In addition these processes also need to document:

What information is lost and what is the consequence of that loss;
What information is added, for example, to fulfil a constraint to the target system.

6. Bootstrapping

The Principal publishes a specific notification to a subcontractor, with metadata on “Request order”. The data accessed by the subcontractor includes the details of the order request. The subcontractor responds with a notification containing metadata on order acceptance. The Principal then accesses the data to confirm the subcontractor's acceptance and any additional details provided.

7. Common Order Log

Upon confirmation, the Principal adds the subcontractor as a subscriber to the common Order Log and posts this event in the Common Order Log. The Common Order Log creates notifications to all relevant parties when an event is posted by (or on behalf of) the Principal.

8. Provisioning of Closed Network

To secure and streamline interactions within the temporary network, the Principal sends a JWT (JSON Web Token) to the subcontractor. This "Subco" JWT contains:

Order Information: Specific details about the order.
Role of the Subcontractor: Defining the subcontractor's role within the order.
Data Access Rights: Permissions tied to the subcontractor’s role, aligned with an agreed-upon or standardized semantic model.

The subcontractor uses this JWT token when interacting with other subcontractors within the context of the order. This token allows other subcontractors to:

Validate the Subcontractor’s Role: Confirming that the subcontractor is part of the temporary network set up by the Principal.
Verify Access Rights: Ensuring that the subcontractor has the appropriate rights to access data associated with the order.

The Principal repeats this process with all subcontractors until the provisioning of the network is complete.

9. Dynamic modification

In real-world operations, it may become necessary to change subcontractors dynamically; removing one subcontractor from the network and replacing them with another.

To facilitate this, the Principal posts a notification of the change to the Order Log. This notification is then distributed to all parties involved in the network. The following steps are taken:

Remove the old subcontractor: The old subcontractor is removed from the subscription lists, cutting off their access to further notifications and data.
Revoke the old JWT Token: The JWT token that was issued to the old subcontractor is revoked, ensuring that they no longer have access to the network's resources.
Add the new subcontractor: The new subcontractor is added to the network, receiving the necessary notifications and access rights.

10. Managing the number of interactions

One potential pitfall of distributing notifications of events is the exponential increase in the number of interactions (API-calls, identity checks, authorization checks) with the number of participants/subcontractors in the temporary network.

There are three strategies to manage the number and costs of interactions.

10.1. Star-like interactions with Principal

A subcontractor communicates most of the notifications to the Principal, one-on-one. The Principal filters notifications and posts only relevant events or notifications from all parties to the Common Order Log.

This limits the information overload while ensuring that all relevant parties are informed of relevant events.

10.2. Low-risk data in notification

Notifications are sent to a closed network of parties. Some data of an event may be low-risk and can be embedded in the notification within the closed network: for example "ETA delayed by 12 hrs". The straightforward embedding reduces the need to collect the information at the source.

In this strategy, the value of the data is used to simplify the process, increasing efficiency and reducing costs. It is a business decision to balance the loss of value of the data and the gains of increased efficiency.

10.3. Caching authorization results for common roles

Common roles have known authorization rules. The results of data selection for these roles may be cached near the BDI-API, reducing the need to evaluate policies in the Authorization Register.

10.4. Subject versus Order / Subcontractor specific channels

The use of subject specific channels (see also ) can drastically reduce the amount of events triggered because, for instance, an event about transport equipment relates to multiple orders and (in some cases) subcontractors.

11. Creating an auditable log

Once all tasks related to the order have been completed, the Principal generates a signed log. This log serves as an official record of all events and actions that took place during the order's execution.

Notification of Log Availability: A notification is sent to all parties involved, informing them that the signed log is available.
Access and Retention: Subcontractors can access this signed log and retain a copy for future reference, whether for compliance purposes or in the event of a dispute.

This structured audit trail ensures transparency, accountability, and the ability to review and verify all actions taken during the course of the order, providing a solid foundation for trust and compliance in the BDI framework.

12. Closing the Order and Dissolving the Network

Once all tasks related to the order have been executed, the Principal initiates the closure of the order by:

Distributing a Closure Notification: Informing all parties that the order is complete.
Removing Subscriptions: Subscriptions to the Order Log are removed after a specified period.
Revoking JWT Tokens: Invalidating the JWT tokens to dissolve the temporary network.

This process ensures the temporary network is securely dismantled, preserving the integrity and confidentiality of the data exchanged during the order's execution.

13. Querying for missed events

Parties may be late subscribing to channels for different reasons or need to recover from system failures, in those cases these systems need to have access to earlier events they have missed to (re)build their state.

14. Audit trail

Event driven coordination requires a means to “go back in time”, inspect earlier events and have an audit trail. One obvious reason is when a subcontractor is changed: the new subcontractor has to be able to quickly come up to speed on the history of events. The second is to have a common reference for either compliance or settling of disputes.

Notification pub/sub service

1. Summary

Notifications of events are the digital representation of the result of events in the physical world: for example, ‘expected arrival time issued’, ‘container has been unloaded’. So, a notification of an event is the result of an event, not the event itself, events occur in the physical world, notifications of events occur in the digital world.

Notifications are published on channels (a.k.a. topics), to which all involved parties can subscribe. Following a publication of a notification, all subscribers will receive it.

Take the event that a full container has been loaded onto a container ship in China. All parties involved in the Netherlands, from the port authority, the container terminal, forwarders/processors, Customs, hinterland transporters to the shipper that ordered the goods, want to track the status of the ship and this container from that moment onward. And they create events because of this knowledge: a declaration, reservation of capacity, etc.

An important concept of the BDI is that involved parties can subscribe to channels and their ‘daughters’: they receive all notifications of events that are published to that channel. If required (and permitted) a party can request more data from the source. The concept of notifications of events and subscribing to them is broadly applicable: take the schedule for a building site for example. It is highly effective for all the suppliers and subcontractors if new things or changes to the schedule are automatically identified.

2. Purpose of the building block

‘Event-driven’ communication is a way of restructuring the logistics of the information exchange between the IT systems of companies. Instead of a data owner sending messages when something of importance needs to be communicated (‘fire and forget’, ‘messaging’), all parties involved receive a signal (‘notification’) from the data owner that something relevant has happened (‘publish event to subscribers’).

That event contains metadata and a link to the source of the data. The receiving party evaluates the metadata and decides whether to follow the link to the source and access the data.

The Event Pub-Sub Service handles the centralized parts of this event-based communication. The actual data exchange happens directly between the parties in a federated manner.

3. Concepts

Consider the following concepts that play a role in the notification pub/sub service:

Notifications and channels

Notifications trigger communication between decoupled services and are common in modern applications built with microservices. In the BDI, a notification corresponds to an event in the physical world.

Notifications are published to channels of the pub/sub service and are delivered to all subscribers on the channel.

Events

Events occur in the physical world and are changes of state like a container being unloaded from a ship or a parcel delivered to its destination. Events can also be of a more administrative nature, such as the signing of a contract or the publication of a new expected arrival time.

Notifications may or may not carry data about the event (the item purchased, its price, or a delivery address).

Producers and consumers

A party that publishes a notification is called the producer, parties that receive the notification are called consumers.

Router

The part of the infrastructure that is responsible for managing channels and notifications is called the router.

A producer publishes an event to the router, which filters and pushes the events to consumers. Producer services and consumer services are decoupled, which allows them to be scaled, updated, and deployed independently. This approach has many advantages, such as:

Efficiency

No polling needed.
Low load on resources.

4. Choreography

The choreography describes which channels there are and which parties can subscribe to them. As the design of an appropriate choreography can be challenging and has major impact on the efficiency of the pub/sub service, this subject is discussed in detail in a separate .

5. Implementation Considerations

According to EPCIS (ISO/IEC 19987), a notification contains at least the following four aspects: what, where, when, and why and an optionally fifth: how.

What — to which object or entity does this event primarily relate (e.g. pallet, order, truck, wagon, etc.)?
Where — at which location did the event take place (warehouse receipt door, terminal access)?
When — on what date and time did the event take place?

However, in line with BDI federation rules, data on these aspects is not always added directly to the notification. In instead, only a link to the source may be included, and interested parties can get the necessary data at the source.

6. Interlinkages with other building blocks

There are links with the following building blocks:

7. Elements and their key functions

The following pattern describes the typical interaction with the Pub-Sub service. First, we enter a configuration phase:

The data owner creates a new notification channel at the service. The channel name is the EventType, in this example, of the data the owner wants to share.
A data consumer asks permission to subscribe to the channel “EventType from Data Owner” using the service. The data consumer will then be notified if the data owner triggers a signal on the event channel he is interested in.
The request for subscription is communicated back to the data owner. The data owner decides if the request should be granted. Fi. based on several queries to the different registers part of the BDI like the Reputation and Qualification registers. Data and trust sovereignty means, in this case, that the owner always has control over who has access to his data.

In this case the data owner grants permission to the data consumer to subscribe to his EventType channel.

All is now setup for the actual event-based communication:

An event occurs at the data owner, and he sends a trigger through the channel “EventType from Data Owner” to all his subscribers.
The trigger is also sent to the data consumer who can use the embedded meta-data in the event trigger to decide if he wants to request the associated data of the event at the data owner.
The data consumer decides to request the data at the owner’s location using the link sent along as part of the trigger.

8. Core design decisions

Granularity of event channels: The granularity of the event channel is an important issue. Depending on the chosen strategy one would either create the need for extra filtering logic at the consumer or at the owner. The specific use case should be leading on how fine-grained the channels should be setup.
Multiple event brokers in a network: It is yet unclear how multiple event brokers, from different suppliers, would work together in a decentralized network. Most available open and commercial solutions do support multiple brokers but typically only the ones from the same supplier.

9. Further reading

EPCIS (ISO/IEC 19987:2024)
DCSA:

Representation Chain

1. Summary

The Representation Chain is a building block in the BDI framework. It enables third parties to verify representation mandates — confirming whether a person, legal entity, or automated process is genuinely acting on behalf of another.

A mandate is a formal, authoritative assignment of responsibility from a mandator (the assigning party) to a mandatee (the acting party). It transfers accountability and liability for actions from the mandatee back to the mandator.

To function securely and flexibly across different contexts, the Representation Chain uses Representation Evidence — typically implemented using nested JSON Web Tokens (JWTs). These can be verified both online (e.g., via issuer services) and offline (e.g., on a warehouse floor via a QR scan).

2. Introduction

In today’s increasingly interconnected and regulated economy, businesses and authorities are facing a growing need for robust digital proof in everyday interactions. Whether it’s verifying that a subcontractor is authorized to collect a shipment, confirming a driver’s professional qualification, or demonstrating compliance with regulations during an inspection, organizations must often rely on people or systems that act on their behalf. In most cases, liability for these actions lies with the organization, not the individual. This creates a pressing demand for a mechanism that can reliably prove — both legally and practically — that the person or machine performing a task has been officially mandated to do so.

Traditional methods such as paper documents or verbal confirmations are no longer sufficient. A modern solution must be secure, flexible, scalable, and usable in low-tech environments by people with little IT training. It must also support dynamic staffing models and allow independent IT providers to build competitive solutions without vendor lock-in. The JSON Web Token (JWT) standard, originally designed for secure information exchange between systems, offers a strong foundation for such a solution. Its format allows for verifiable digital claims, time-bound validity, cryptographic integrity, and issuer authentication — all critical features for establishing trust in operational contexts.

What makes JWT particularly valuable in this setting is its ability to be embedded within other tokens. This “nesting” allows multiple layers of representation to be encapsulated in a single digital envelope — from a principal organization, through subcontractors, down to the individual or system actually performing the task. Combined with high-trust digital certificates like eIDAS, JWT-based evidence can meet the highest legal standards for electronic signatures while still being compact enough for mobile use.

The approach supports both high-security and user-friendly versions. For example, a delivery driver might receive a QR code and PIN via text, which they present at a loading dock. The system verifies their credentials — offline if necessary — with minimal friction. This combination of simplicity and cryptographic strength makes JWT-based representation not only viable but ideal for logistics, compliance, and other sectors where verifiable delegation and operational practicality must coexist.

3. Purpose of the building block

The Representation Chain supports both:

Human-to-Machine (H2M) and Machine-to-Machine (M2M) delegation, and
Real-time human access or authority validation, such as in logistics, compliance inspections, or cargo handovers.

It is crucial in:

It provides a verifiable, decentralised mechanism for confirming:

Who gave the mandate
To whom
For what role or task
For what duration

4. Interactions with other building blocks

The Representation Chain is conceptually and operationally connected to:

5. Elements & Core Functions

A Representation Chain maintains:

The digital identity of the mandator
The digital identity of the mandatee
The scope of the mandate (role-based, order-based, or otherwise contextual)

The Representation Evidence is typically a nested JWT structure, passed to the mandatee. This token is then presented to a verifying party — such as a loading dock, customs authority, or inspection officer.

The verifier checks the signature chain, timestamps, and optionally contacts the issuer(s) to confirm current validity.

The third party verifier does not need to be a member of a BDI Association, which lowers the barrier for wide-scale adoption and integration.

6. Business Need for Digital Representation

Supporting business interactions digitally, requires digital proof of authority, particularly in interactions between:

Individual companies
Companies and supervisory/government bodies

The most common scenarios include:

Proof of representation (someone acts on behalf of an organisation)
Transfer of cargo (pickup or delivery confirmation)
Proof of qualifications (such as handling dangerous goods)

People or systems acting on behalf of others must carry digital proof of their mandate. Traditional methods — paper slips, phone calls, or emails — are not scalable, secure, or auditable.

To meet modern requirements, we need a solution that is:

Legally and practically robust
Easy to use in varied operational environments
Broadly applicable across sectors

7. JWT as a Representation Mechanism

After 2010, JSON Web Tokens () became a widely adopted standard for representing verifiable claims digitally.

Each JWT contains:

A payload with the actual claims (who, what, when, for whom)
A hash to confirm that the payload hasn’t been tampered with
A digital signature by the issuing party (e.g., via eIDAS or trusted cert)

Nested JWTs: The Representation Chain in Action

JWTs support wrapping (embedding), meaning one JWT can include another inside its payload. This enables building multi-level chains of delegation — for example:

There’s no formal limit to the number of layers. For legal-grade use (e.g., cross-border logistics or compliance), JWTs can be signed with high-quality certificates such as eIDAS seals.

Example: Machine-to-Machine Access to Sensitive Operational Data

This example demonstrates how a chain of representation and delegation is managed digitally when data, is the asset being accessed — and when systems, not people, are the ones performing the action.

Scenario: Delegated Data Access via a Subcontractor System

A company called SmartWater Solutions manages water quality sensors across industrial facilities. A major client, ChemCo Industries, contracts SmartWater to monitor chemical runoff levels at their facilities. However, SmartWater does not have a data analysis platform robust enough for ChemCo's specific requirements. To meet the SLA, SmartWater subcontracts DeepSignal Analytics, a specialized AI firm, to process and analyze the raw data streams.

Now, DeepSignal’s automated system (an API client) must retrieve sensitive sensor data from ChemCo’s secure telemetry endpoint. However, ChemCo’s API is configured to only accept requests from authorized systems — specifically those acting on behalf of contractual parties.

To make this delegation verifiable and non-repudiable, SmartWater issues a Representation JWT to DeepSignal. This token proves that DeepSignal has been delegated the right to act on SmartWater’s behalf. It includes an embedded JWT from ChemCo to SmartWater, establishing the upstream mandate.

JWT Chain Construction (M2M)

ChemCo Industries issues a JWT authorizing SmartWater Solutions to retrieve and process sensor data on its behalf. The token includes:
- Scope (sensor IDs, data types)
- Validity window (nbf, exp

The JWT is cryptographically signed by SmartWater and includes ChemCo’s original JWT inside its payload.

Machine Request and Verification

When DeepSignal’s system sends a request to ChemCo’s API, it attaches the nested JWT as its digital proof of mandate. ChemCo’s API performs the following checks:

Validates both signatures (SmartWater and ChemCo)
Verifies token expiry and start time
Confirms that DeepSignal's system is the intended subject

If all checks succeed, the API grants access and returns the requested sensor data.

This JWT-based method ensures that:

SmartWater retains liability for DeepSignal’s actions
DeepSignal cannot misuse or forward the token, as the claims are specific and signed
ChemCo has an audit trail of who requested what data and on whose authority

Example: Transporting Hazardous Materials Using JWT Representation Evidence

This example illustrates how a chain of representation is securely and digitally established using embedded JWTs in a real-world logistics setting.

Scenario: Chemical Pickup by a Subcontracted Driver

A large industrial buyer has purchased hydrofluoric acid and the supplier — Acne Inc. — arranges for the pickup to occur at Lets-B-Chemical. However, Acne does not have its own transport capacity and therefore contracts the trusted logistics firm Van Gend & Loos to execute the pickup and delivery.

Van Gend & Loos does not have a truck available on the required date. Instead, it chooses to subcontract the pickup task to De Snelle Visser, a regional carrier already scheduled to pass by Lets-B-Chemical. Dolly Driver, an employee of De Snelle Visser, is tasked with executing the collection.

Now Dolly must be able to prove the following:

That she has a valid, authorized assignment from her employer De Snelle Visser.
That De Snelle Visser was subcontracted by Van Gend & Loos.
That Van Gend & Loos was originally contracted by Acne Inc.

At the pickup location, Lets-B-Chemical needs to verify her mandate and qualifications before releasing the acid. This must be done quickly, securely, and ideally without needing complex systems or manual calls. To enable this, a chain of JWTs is created and passed down from Acne Inc. to Dolly Driver.

JWT Chain Construction

Acne Inc. issues a signed JWT that authorizes Van Gend & Loos to collect the hydrofluoric acid.
Van Gend & Loos issues a JWT to De Snelle Visser, embedding Acne's original JWT inside. This proves that Van Gend had authority to subcontract and passes the responsibility trace.
De Snelle Visser creates a JWT embedding both upstream tokens and includes Dolly's:

Field Presentation and Validation

Dolly arrives at Lets-B-Chemical and presents a QR code on her mobile phone. This QR code contains the fully nested JWT. The security officer scans it using a standard or BDI-enabled app.

The system:

Verifies the cryptographic signature chain
Checks timestamps (validity, expiry, issuance)
Confirms Dolly’s identity and employer

If all criteria are met, the acid is released.

This chain-of-proof allows the liability and mandate to be fully tracked and provable, including post-facto audits. The information can be viewed via a link (e.g., "bdidrop.link/124V") or through integration with back-office systems.

The structure is robust enough for secure transport of sensitive cargo and simple enough to be used by temporary staff with minimal digital training.

Representation for transactions by IT-applications : DigiDrop

The most common transaction in logistics is the handover of goods (cargo on its way through the supply chain) between entities. Part of the handover is associated with trade (buyer-seller), part of the handover is about liability (transporter taking cargo on board of a vessel, plane, railcarriage or truck).

The "Digidrop" approach to executing transactions (such as transfer of goods) shifts the legal "signing" of a transaction to IT-systems on behalf of the companies involved. The human involvement is supportive and indirect, instead of acting as a representative of the entity. The IT-systems involved act as the representatives of the legal entities involved.

This approach circumvents the issues and obstacles that rise if humans need digitally "sign" a transaction. The Digidrop document outlines the approach.

Fallback

BDI’s method accounts for non-ideal environments — e.g., no internet, broken devices, or limited IT skills. Many (SME) actors in logistics are not yet able to integrate themselves in a more advanced IT-interaction framework such as the BDI.

In such a case the most valuable piece of information that needs to be digitally available is the visbility of a handover event. A fallback methode has been designed for such use cases, minimizing the requirements. Such a method is not a replacement of the traditional "paper-based" processes: it only creates more visbility in the supply chain.

High leven overview of DigiDrop fallback:

QR Code + PIN Workflow

The driver receives a QR code and PIN via WhatsApp or SMS
The warehouse scans the QR code using the DigiDrop app
The driver verbally gives the PIN to authorize data viewing

This process:

Works offline
Prevents showing data without consent (PIN as consent barrier)
Adds traceability

Short URL Fallback

If QR scanning fails:

A short link is provided to the warehouse via text
They can type this into a browser
The PIN unlocks the relevant information

No DigiDrop Provider Scenario

If a warehouse does not use DigiDrop:

The driver presents the URL and PIN
A trusted backend (e.g., TMSX) provides a basic web interface
Security is reduced, but functionality is preserved

8. Summary

The Representation Chain provides a flexible, secure, and verifiable method for proving authority in business interactions — whether digital or physical. Its implementation via JWTs is:

Scalable
Legally robust
Compatible with low-tech environments
Designed for both machines and people

Combined with fallback workflows and hybrid adoption pathways, this method is ready for real-world logistics, compliance, and digital service chains.

9. Further Reading

BDI Edge Agreements

Documents

BDI Terms

Adherence

A BDI Adhering Party adheres to the principles of the BDI.

Association

Legal entity that serves as trust anchor for both federated trust/authentication and local onboarding.

BDI Association

A BDI Association is the “root Association” for its Members

Association Administrator, Association Authority

Functionary responsible for operating the services of a BDI Association reporting to its Members.

Association Articles (BDI agreement system, Association T&C’s)

Legal terms and conditions a Member has to agree on when joining a specific Association.

Association Register (Branch Register)

Authentication

Authentication involves validating the Digital Identity of an entity, person or Process

Authorization

Authorization ensures that the authenticated entity, person or Process has been granted permission to gain access to the specific (data) resource requested.

Authorization Register Data Management (AR-DM)

Holds authorization policies for one or more Data Owners on access to data

Basic Data Infrastructure

The Basic Data Infrastructure (BDI) is a framework for controlled data sharing, supporting automated advanced information logistics within next-generation OSCM networks. Departing from traditional messaging paradigms, the BDI shifts towards event-driven information collection at the source, fostering efficient and secure communication through proven publish-and-subscribe architectures.

BDI Framework

The Basic Data Infrastructure (BDI) framework defines the creation of a perimeterless data grid supporting multiple concurrent ODS, enabling controlled system-to-system automation of processes initiated by event-based notifications.

BDI Authentication Processor

Standard software to make APIs BDI compliant

Processing of part of protocol: client assertion to token.

BDI Network

The BDI network is the collection of participants and associations that are established, maintained and governed accordingly with the principles of the BDI Framework.

Business Partner Reputation Model

Business Partners

Member of a different BDI Association than the root. Note: this a relative perspective, from the position of a Member of a given instance (BDI Association).

Certified Roles

Roles for which certification is required. Facilitate certain functions for BDI that every member within the Association must be able to rely upon.

Credentials

In the context of information security, credentials are used to control access of someone or something to something, for example to services, data or other functionalities. The right credentials validate (i.e. Authentication) the identity claimed during Identification.

The best-known example of credentials is a password, but other forms include electronic keycards, biometrics and, for machines, public key certificates.

Data Consumer, Data User

Requests access to data and/or Representation Register and/or Professional Qualification Register of the Data Owner
Controls discovery and endpoints

Data Custodian

Similar to . A data custodian...

Regulates the data access
Provides the data to recipients that should have access

Data Licenses

Descriptions of terms and conditions of using data

Either in free form text, of in ODRL

Data Model

The semantic model used to describe the data to be exchanged

Data Owner

The data Owner is a legal entity who:

Has control over data and access to data
Controls decisions on Data Sovereignty and Trust Sovereignty

Data Protocol

The protocol used to exchange the data

Data Service Provider

A Data Service Provider that acts under supervision and on behalf of the Data Owner

Data Sovereignty

Delegation

Delegation is the act of empowering someone or something to act for another or to represent others.

Discovery

Means to identify specific endpoints of a given party.

Edge Agreements

Standards on interacting with entities and/or persons that have IT-systems that are less mature or not BDI-compliant.

· Processes, technology, terms and conditions, liabilities

Event

· Structured data set, describing an action in physical world, or an administrative milestone

· Multiple statuses are possible: e.g. planned, in transit, historic

Event Pub/Sub Service

· Accepts subscription to Event Pub/Sub Service managed by or on behalf of the Data Owner

· Sends pulses that the Data Owner sends to topics to subscribers of topics

· Manages a list of topics as identified by the Data Owner as channels for pulses.

Federation of Associations

A series of collaborating BDI associations

Governance

The BDI Framework recognizes three interacting voluntary governance structures: Data exchange space governance, BDI Association (local trust and onboarding anchor) governance and BDI Framework governance.

Identification

Identification is the process of someone or something claiming an identity by presenting characteristics called identity attributes. Such attributes include a name, user name, e-mail address, etc. The claimed identity can be validated (i.e. Authentication) with the right credentials.

Identity Broker

In order to support multiple Identity Providers (with possible multiple rules) and Data Service Providers, an Identity Broker is required. An Identity Broker allows Data Consumer to select the Identity Provider they prefer to authenticate themselves at. It prevents the need for a direct relationship between all Data Service Providers and all Identity Providers.

Identity Provider

The Identity Provider:

Provides identifiers for Data Consumer;
Issues credentials to Data Consumers;

Member

Legal entity as member of a root BDI Association

Onboarding

Becoming part of a BDI association and accepting the relevant terms and conditions

Ontology

A semantic description of a standard with focus on making the meaning of the used concepts broadly accessible and understandable

Operational Data Store

An Operational Data Store (ODS) is designed to integrate data integrate from multiple sources for additional operations on the data, for reporting, controls and operational decision support.

In the BDI the ODS is intended to hold Logistics Event information, representing state, access (delegations) to source data for reliant parties etc. during the live transaction and distribute the relevant parts of this truth to the operationally involved or further eligible parties.

It enables controlled system-to-system automation of processes triggered by event-based notifications.

Operations and Supply Chain Data Spaces

Operations and Supply Chain Data Spaces (ODS) are logical constructs — networks of parties, both businesses and authorities, created to generate value from the production and distribution of goods and services. Parties may participate in multiple ODS concurrently, with participation frequency and duration varying based on business characteristics.

Operations and Supply Chain Management

Operations and Supply Chain Management (OSCM) represents the science and expertise of value creation in the production and distribution networks of goods and services.

Outsider

Anyone who is not a Member of a BDI Association.

Payload

The content of a message, could be Events, Data sets, streaming sensor data or any other type of data

Policies

· Definitions of access policies to data elements

· In operational data spaces, policies relate to role, (authenticated) organisation, and order-dependent authorization of access to data elements.

Policy Agreements

A basis set of policies which are agreed to when onboarding into an association

Preferred Business Partners

Business Partners who have agreed to specific terms and conditions of the local BDI Association that maintains its own Business Partner Reputation Model

Professional Qualifications Register

Holds proof of the professional qualifications (verifiable credentials of for instance licenses) of natural persons related to them acting as a representative of a legal entity

Provenance Traceability

Provenance is the chronology of the ownership of a data element allowing to trace back data to its original owner or creator

Publisher

· Publishes Pulses with Payload within a Topic

· Distributes Pulses To Subscribers to a Topic

· Any party can be a Publisher (unlimited number of publishers)

Pulse (Trigger)

· Datagram, distributed to Subscriber to a Topic

· A signal from the data Owner that there is data ready for the consumer to come and access

Representation

· When employees or contractors act on behalf of an organisation, the organisation mandates them up to a set limit. The organisation is accountable for their actions and is liable if they act outside the set limits.

Representation Register (Mandate register)

· Holds proof of the mandate of natural persons acting as a representative of a specific legal entity

· Holds proof of the mandate of organisations acting as a representative of a specific legal entity

Role-based Authorization

Access granted to data and services based on the Logistic Role a member or its representation has.

Root Association

The association to which a BDI participant belongs.

Stack

An architecture reference model. The stack builds up on both the management and technical level, offering a versatile architecture adaptable to the unique network requirements it serves.

Subscriber

· Subscribes to one of more Topics of a Publisher

· Has no knowledge of other Subscribers to a Topic (isolated)

· Receives Pulses distributed by a Publisher

· Any party can be a Publisher (unlimited number of Publishers)

Topic

· Subject or channel a Subscriber subscribes to, to receive Topis related events

· Defined by Publisher

· Used to limit amount of Pulses with non-information for Subscriber

Trust

Trust is the design and implementation of measures that evaluate the chain of trust per presented credential by any party; the decision to accept a certain level of trust is dependent on the risk of making a mistake.

Verifiable Credentials (Digital Identity)

Verifiable Credentials are digital credentials. They can represent information found in physical credentials, such as a passport or licence, as well as new things that have no physical equivalent, such as ownership of a bank account.

Visitor

Outsider with a better reputation score than a set minimum

Zero-trust check

When identity, authentication, trust and authorization is checked with every data exchange.

BDI Reference Architecture

Reference Architecture

hashtagBDI: An Infrastructure Framework for Operations and Supply Chain Data Spaces

Core Principles

hashtag1. Introduction

hashtagPrinciple 1: Connect Physical to Digital

hashtagPrinciple 2: Event-driven Coordination

hashtagPrinciple 3: Dynamic Data

hashtagPrinciple 4: Zero Trust

hashtagPrinciple 5: Data at the Source

hashtagPrinciple 6: Local Decision-making

hashtagPrinciple 7: Coherent Security

Stack and KITs

hashtag1. BDI Stack and KITs

BDI Technical Roles

hashtag1. Introduction

hashtag2. Purpose of this building block

hashtag3. Concepts

hashtag4. Implementation Considerations

hashtag5. Interactions with other building blocks

hashtag6. Further reading

BDI Maintenance and Community Contributions

hashtag1. Introduction

hashtag1.2 Scope

hashtag1.3 Core principles

hashtagTransparency

hashtagPredictability

hashtagFairness

hashtag1.4 Change management process

hashtag1.4.1 RfCs

hashtag1.4.1.1 Process for RfCs

hashtag1.4.1.2 Templates

hashtag1.4.2 Minor Changes

hashtag1.4.2.1 Process for Minor Changes

hashtag1.4.1.2 Templates

hashtag1.4.3 Release management

hashtag1.4.3.1 Release process for major versions

hashtag1.4.3.2 Release process for minor releases

hashtag1.4.3.3 Release and version guidelines

hashtag1.4.4 Roles and responsibilities

Association Register

hashtag1. Summary

hashtag2. Purpose of the building block

hashtag3. Concepts

hashtag4. Risks

hashtag5. Interlinkages with other building blocks

hashtagStages of implementation

hashtag6. Elements and their key functions

hashtag7. Core design decisions

hashtag8. Future topics

hashtag9. Further reading

Onboarding Terms and Conditions

hashtag1. Introduction

hashtag1.1 Purpose

hashtag2. Concepts

hashtag2.1 BDI Association

hashtag2.1.1 Local nature

hashtag2.1.2 BDI Framework

hashtag2.2 Efficient trust management

hashtag2.3 Onboarding

hashtag2.4 Coherent security

hashtag3. Core design decisions

hashtag4. Interactions with other building blocks

Digital Identity

Digital Identity H2M

hashtag1. Summary

hashtag2. Purpose of the building block

hashtag3. Concepts

hashtag3.1 Identity

hashtag3.2 Authentication

hashtag3.3 Identifiers

hashtag3.4 Representation

hashtag3.5 Professional Qualifications

hashtag4. Risks

hashtag5. Interlinkages with other building blocks

hashtag6. Core design decisions

Authentication

Discovery

hashtag1. Summary

hashtag2. Purpose of this building block

BDI: An Infrastructure Framework for Operations and Supply Chain Data Spaces

1. Introduction

Principle 1: Connect Physical to Digital

Principle 2: Event-driven Coordination

Principle 3: Dynamic Data

Principle 4: Zero Trust

Principle 5: Data at the Source

Principle 6: Local Decision-making

Principle 7: Coherent Security

1. BDI Stack and KITs

1. Introduction

2. Purpose of this building block

3. Concepts

4. Implementation Considerations

5. Interactions with other building blocks

6. Further reading

1. Introduction

1.2 Scope

1.3 Core principles

Transparency

Predictability

Fairness

1.4 Change management process

1.4.1 RfCs

1.4.1.1 Process for RfCs

1.4.1.2 Templates

1.4.2 Minor Changes

1.4.2.1 Process for Minor Changes

1.4.1.2 Templates

1.4.3 Release management

1.4.3.1 Release process for major versions

1.4.3.2 Release process for minor releases

1.4.3.3 Release and version guidelines

1.4.4 Roles and responsibilities

1. Summary

2. Purpose of the building block

3. Concepts

4. Risks

5. Interlinkages with other building blocks

Stages of implementation

6. Elements and their key functions

7. Core design decisions

8. Future topics

9. Further reading

1. Introduction

1.1 Purpose

2. Concepts

2.1 BDI Association

2.1.1 Local nature

2.1.2 BDI Framework

2.2 Efficient trust management

2.3 Onboarding

2.4 Coherent security

3. Core design decisions

4. Interactions with other building blocks

1. Summary

2. Purpose of the building block

3. Concepts

3.1 Identity

3.2 Authentication

3.3 Identifiers

3.4 Representation

3.5 Professional Qualifications

4. Risks

5. Interlinkages with other building blocks

6. Core design decisions

1. Summary

2. Purpose of this building block

3. Concepts

4. Implementation Considerations

5. Elements and Their Key Functions

1. Introduction

2. Interlinkages with other building blocks

1. Introduction

2. Interlinkages with other building blocks

1. Introduction

2. User Journey

Authentication

3. Nested JWT as carrier of claims

3.1 JWT types of claims