This building block supports trust among participants by defining how digital identities play a role in BDI in machine-to-machine (M2M) interactions. The digital identifiers for natural persons are described in Digital Identity (H2M).
In its implementation, BDI aligns with iSHARE's implementation of digital identities, preferring PKI (public key infrastructure) certificates issued by a reputable identity provider as digital identity of parties like Service Providers. In Europe the eIDAS regulation is a solid foundation for the identity ecosystem.
The purpose of this building block is to support the framework for trust among parties, by ensuring that parties can provide and receive a verified digital identity. An authenticated digital identity is the prerequisite for determining trust and subsequent authorization.
The building block ensures that interactions within BDI (onboarding, offboarding, data exchange, service consumption, etc.) will take place between identified and authenticated parties.
The following concepts (from the BDI Glossary), all regarding legal entities, are particularly relevant in this building block:
The figure below shows how a business partner from another BDI association can become a preferred Business partner of a BDI association.
An insufficient framework for digital identity might lead to a lower level of trust among parties and will harm the overall trust in BDI.
This building block describes the BDI principles for digital identity for M2M interactions.
The related building blocks are:
The most important related Kits and concepts are:
A digital identity has to be linked with the legal identifier of the legal entity that controls and takes responsibility and accountability for the IT-process that uses the digital identity in interactions with other IT processes.
A digital identity has to be linked with the legal identifier of the legal entity that controls and takes responsibility and accountability for the IT-process that uses the digital identity in interactions with other IT processes. For more details about possible identifiers, view the information below.
The EORI-identifier is the standard defined by the EC Customs for European entities. EORI stands for “Economic Operators Registration and Identification”. Not all European entities are required to register an EORI. Therefore, only a subset have registered an EORI.
Europe has also introduced an "EUID". This identifier is based on the local European Business Registries and will be used for the eIDAS 2 European Wallet.
VAT-numbers can also be used to identify organizations. European VAT-numbers can validated on a central site.
Other identifier standards that are in use worldwide are:
LEI
DUNS (Dunn and Bradstreet Unique Number System)
In practice it may be necessary for a party or an association to create a cross-reference register that relates an internal (unique) identifier with multiple external identifiers of a legal entity. One legal entity may have an EORI, LEI and DUNS identifier, or more.
The following should be noted regarding identifiers in the BDI:
The BDI prefers PKI certificates issued by a reputable identity provider as digital identity of parties like Service Providers.
In Europe the eIDAS regulation is a solid foundation for the identity ecosystem.
Self-signed certificates for digital identities are a low-barrier entry level solution, with serious limitations on trust, federation and scaling
, specifically on the topic of identities
Business Partners
Members of other BDI Associations than the “home” BDI Association
Preferred Business Partners
Outsiders who have agreed to the specific terms and conditions of the local BDI Association, which maintains its own Business Partner Reputation Model
Outsider
Anyone who is not a member of a BDI Association
Visitor
Outsider with a better reputation score than a set minimum
See Digital Identity M2M and Digital Identity H2M
Terminology in the field of digital identity can be confusing as different sources use terms in slightly different meaning. To deal with this confusion, we define some terms that are used in the description of the BDI Digital Identity.
The physical world is populated by persons and objects that can be recognized and distinguished from one another by their Physical Identity. Although the notion of physical identity is heavily debated in philosophy, we will not discuss this further beyond the observation that identities are unique and constant over time. In a sense, a physical identity determines the "sameness" of a person or object over time.
Although persons and objects are of course entirely different categories, much of what is written here about persons also holds for objects.
A person that is identified through its physical identity can have many attributes such as a name, date of birth, address, eye color and so on. Some of these attributes are unique for a given person and hence can be used for identification. It is however important to note that a physical identity is not the same as this unique set of attributes. A Digital Identity is a record in an information system, describing certain attributes of a person in the physical world. The digital identity can be used by information processing systems to determine e.g. access rights.There are several issues that must be dealt with when managing digital identities:
At creation time of the digital identity it must be certain that it indeed corresponds to the right person (the onboarding problem)
It must not be possible to use the digital identity for any purpose without the explicit consent of the holder of the physical identity.
The digital identity must contain sufficient information to uniquely identify the person.
This building block supports trust among participants by defining how digital identities play a role in BDI in human-to-machine (H2M) interactions.
Digital identifiers for IT-processes acting on behalf of an organization/legal entity are described in Digital Identity (M2M).
The purpose of this building block is to support the framework for trust in Boundary Management, where humans are acting as a representative of a legal entity by means of (digital) devices and telecommunication.
Boundary Management for humans relates to:
This building block ensures that the digital identity of the human involved in (digital) interactions can be authenticated. In addition, it ensures a relation between the digital identity and
the Representation evidence, i.e. in what role and capacity, on behalf of which legal entity, with a specific mandate
the Professional Qualification evidence, i.e. evidence of professional qualifications
The core concept is that identity is dynamically related to (potentially multiple concurrent) representations for (potentially multiple concurrent) legal entities. The legal entity assumes liability and accountability for actions of the human.
Identity is a legal concept defined by a nation state and assigned to a human by that nation state. Nation States issue Passports and ID-cards to humans which they can use to "prove" their identity. Driving licenses are also used in some states (e.g. the Netherlands) as a proof of identity.
Digital identities are related to that core identity by Identity Providers which are used in B2B processes.
Identity Providers can choose to increase the assurance level of an identity, for example by requesting live verification of an identity paper. This can be done face-to-face or remote. Typically, this is executed once at the initiation of a new identity.
Identity Providers can also provide additional assurance at the (continuous) use of the identity, e.g. when a managed boundary must be crossed. The human user can be authenticated by a username, password and an additional 2FA / MFA. More advanced devices can also use biometric identification parameters. Biometric identification can also be used for accessing a physical location. One such example is using the Secure Logistics smart card to access a Terminal.
Identity Providers typically use an internal numbering scheme for identifying users which are enriched with more public identifiers like email addresses and telephone numbers. Some details regarding different identifiers are given below.
As mentioned, identity is a legal concept defined by a nation state and assigned to a human by that nation state. State issued identifiers (e.g. the Dutch BSN) are often not allowed to be used outside the Government.
In B2B processes, business email addresses are preferred. These should be using an organizational domain name (e.g. @myorganization.com) and a personal prefix (e.g. piet.jansen@ or s.jones@). The use of shared email accounts must be avoided. Also the use of general domains (e.g. @gmail.com) should be avoided. Typically, the user must demonstrate during the setup of the account that she has access to the business email address. This provides additional trust that the user has a business relation with the organization which owns the domain name.
(Mobile) telephone numbers can also be used to identify / verify the user. During the setup the user demonstrates that they have access to the number. At a later moment, the user can once again demonstrate the access to this number.
B2B Identity Providers identifies a human user in the context of an organization. Additionally, the role/mandate of the user can be defined at the Identity Provider so it can be used in all connected services. An alternative is that the service itself has local authorizations which must be managed by an administrator of the organization.
Users could represent more than one organization, and there are several approaches Identity Providers can take to manage this scenario. They could for example assign different identities for each of the represented organizations (e.g. applying different business email addresses or issuing separate secure cards per organization). An alternative is that the human user selects the represented organization in each specific use case.
In many cases the human needs to have adequate professional qualifications for the task at hand, such as a professional drivers license, safety training or dangerous goods handling. The B2B Identity Provider could store and share these professional qualifications of the user, for example in an electronic wallet. The qualifications are typically represented as verifiable credentials.
Some possible risks that are important to consider for this building block, are the following:
An insufficient framework for digital identity might lead to a lower level of trust among parties and will harm the overall trust in BDI.
Non-compliance to applicable privacy laws (e.g. GDPR, AVG) can hamper the implementation or adoption of services and can cause reputation risks or fines.
The related building blocks are:
The most important related Kits and concepts are:
Please note the following design decisions:
Parties choose their Identity Providers fitting to the requirements.
The BDI adds the link to representation and professional qualifications.
In Europe the eIDAS regulation is a solid foundation for the identity ecosystem.
A human, acting as representative for a legal entity desiring access to data or an application owned/controlled by another legal entity
For example: login to an application
A human, acting as representative for a legal entity desiring access to a location owned/controlled by another legal entity
For example: entering a protected zone
A human, acting as representative for a legal entity involved in transferring an asset (cargo) and/or liabilities for the asset between the two legal entities
For example: picking up cargo by a transporter
