ReShare

Abstract

The ReShare system constitutes a uniform approach to ensure accountable and trustworthy data sharing and collaboration in Open Data ecosystems based on Digital Transmission Contracts (DTCs). DTCs are bilaterally signed digital records immutably certifying the data and context of a data transmission without the typical overhead of distributed ledger technologies. By leveraging open Web technologies, a simple and common cryptography architecture, and a bilateral signature paradigm, the system promises superior performance and scalability to common approaches such as manual records management or blockchain-based solutions while providing immutability and fraud protection guarantees sufficient for a variety of use cases, such as data accountability and liability assurance in aircraft manufacturing. In this document, we specify (1) the structure and representations of DTCs, (2) the ReShare ontology used to embed DTCs into the Semantic Web, and (3) the protocol and necessary mechanisms to create and verify DTCs.

This section is non-normative.

DTCs leverage digital signatures to create strong data immutability within a defined scope, which we further describe below. DTCs deviate from the common paradigm of document signatures by enforcing the signatures to be created during data transmission, thus allowing to involve a second party, the receiver, in the signature process.

For a clear differentiation, we can classify common uses of signatures into one of the following two paradigms:

pre-created signatures: Also known as document signatures, are signatures that are created by the data source (or publisher) and are not bound to a specific transmission. Thus, such signatures can be efficiently created on publication and only need to be created once in the lifetime of the document. This type of signatures is usually used on data platforms, document stores, etc.
on-demand signatures: Also known as message signatures, are signatures that are specific to a single data transmission or communication process. Therefore, On-demand signatures cannot be pre-computed in most cases, as they are bound to that specific transmission or communication process. On-demand signatures are commonly used to establish authenticity and non-repudiation in messaging and communication protocols, e.g., OpenPGP [RFC4880].

Note

The terms of pre-created and on-demand signatures are not canonical, as a clear differentiation between these signature paradigms can rarely be found in literature.

DTCs are linked to a specific data transmission and comprise a signature by both the sender and the receiver. Therefore, the signatures cannot be pre-computed during publishing, i.e., they are on-demand signatures.

Because the receiver signs the state of the data, the sender alone cannot forge a valid DTC by itself. Therefore, as long as sender and receiver do not collude to forge rogue signature pairs, the valid DTC can unambiguously be determined by the pair of valid signatures by both parties. Thus, this approach provides strong data immutability under the assumption of no inter-party collusion.

While the assumption of no inter-party collusion may seem limiting at first, it still covers a substantial set of use cases, i.e., inter-party conflicts of sender and receiver. Thus, DTCs can be applied wherever sender and receiver do not trust each other and want to have mutual proof of the data sharing process. In our example from Section 3.3 Example Scenario, this assumption covers a variety of possible scenarios, including proving data authenticity in liability conflicts and creating secure and non-repudiable product conformance and quality certificates between C-Aviation and the two suppliers.

If the receiver would not sign the DTC, the sender could create signatures for arbitrary data. If a rogue sender would now sign different versions of the same fact, the correct version of the fact would become ambiguous, thus violating the data immutability.

In the example from Section 3.3 Example Scenario, the production data of a propeller supplied by B-Tech may hint at a production fault that leads to an incident with the respective airplane. During the incident inspection and liability process, B-Tech might now supply corrected data together with valid certificates and thereby claim that the supplied parts were not faulty to the best of their knowledge. The data immutability is violated in this case, as one cannot unambiguously determine the original version of B-Tech's production data.

This section is non-normative.

In Section 3.3 Example Scenario, we introduced an exemplary scenario from the aviation industry. The original process relied on costly and management-intensive paper-based contracting and archiving methods.

If the concept of DTCs is applied to the exemplary data sharing process, substantial parts of the system can be implemented digitally. These parts comprise of

the contracts, in which an agreement about the data transmission is made, including the signatures by both parties, and
the storage system for storing and archiving the transmission contracts.

The application of DTCs within the data sharing process is visualized below.

Application of DTCs to the example scenario in aviation.

Figure 2 The application of DTCs to the example scenario in the aviation industry. DTCs (1) are certified by sender and receiver, (2) secure the transmitted data, and (3) are stored (longtime) in digital secure storage systems.

In the example scenario, a DTC is linked to all three layers of the data sharing process:

Physical layer:
The parties A-Corp and C-Aviation both certify (1) the DTC by adding a digital signature. Both parties are linked to their physical identities by a public key certificate (see Section 4.3 DTC Data Structure for details). Further, the production data produced by factories is secured in the DTC (2).
Data Storage layer:
Both parties can store the DTC to profit from its benefits in later situations, including audits and liability conflicts. In the example of aircraft manufacturing, the parties are even required legally to securely store the contracts for several years.
Dataflow layer:
The DTC itself is constructed in parallel to the underlying production data transmission in a generation handshake (see Section 6.1 DTC Generation Handshake for details).

DTCs have a defined object structure. Its components are defined as contract fields.

In the following, we define the content and substructure of the contract fields. All fields not explicitly marked as optional MUST be present in any valid DTC. A valid DTC MUST NOT contain any fields which are not specified below.

Note

To disambiguate between the terms defined in Section 3.2 Terminology and the contract fields above, contract fields are always typeset as red-orange monospace font, e.g., sender vs sender).

baseIRI

The base IRI which can be used to uniquely identify the DTC.

The base IRI is selected by the sender or receiver during the DTC generation handshake (see Section 6.1 DTC Generation Handshake) and is used as both the IRI for the DTC itself, as well as an IRI prefix for its subcomponents in the JSON-LD representation (see Section 4.4.2 JSON-LD)

The base IRI SHOULD end with a # delimiter, i.e., the "#" ifragment part, where ifragment is empty, such that the sub-IRIs assigned in the JSON-LD representation (Section 4.4.2 JSON-LD) use the ifragment part to identify the subcomponent.

sender

Identity of the sender, i.e., the sender's IRI and a public key certificate. The IRI uniquely links the DTC to the sender, and the public key certificate contains the public key needed to verify the sender's signature contained in senderSig.

The sender field has the following subcomponents:

authID: The IRI of the sender. SHOULD be related to the public key certificate contained in the cert field. A discussion on linking the certificate to the authority IRI can be found in Section A.2 Identity Management.
cert: An X.509 public key certificate or certificate chain of the sender. The verification of the certificate (chain) requires a shared trust anchor (e.g., a commonly trusted root CA).
type: "X509"/"X509-single" for a single X.509 certificate, "PKCS7"/"X509-PKCS7-chain" for a certificate chain bundled into a PKCS #7 message [RFC2315]. These two types MUST be implemented. While we do not specify other types in this document, this field can be used to implement different certificate types in future extensions.
encoding: Encoding of the certificate. Always set to "base64", which refers to the certificate (chain) in DER notation encoded using Base64 [RFC4648]. The purpose of this field is both for the data structure to be self-describing and to allow for possible extensions of other encodings.

receiver

Identity of the receiver, i.e., an IRI and a public key certificate. The IRI uniquely links the DTC to the receiver, and the public key certificate contains the public key needed to verify the receiver's signature contained in receiverSig.

The substructure is equivalent to the sender field.

senderSig

The contract signature created by the sender according to Section 4.5.3 Signature Creation.

The senderSig field has the following subcomponents:

sig: The signature data, encoded as a string according to the encoding field (see below).
type: The signature type used. MUST always be set to "urn:oid:1.2.840.113549.1.1.10", which is the Object Identifier (OID) [RFC3061] of the RSASSA-PSS signature scheme as defined in PKCS #1 v2.2 [RFC8017]. We use the URN Namespace of Object Identifiers [RFC3001] to make the identifier interpretable as an IRI. The purpose of this field is both for the data structure to be self-describing and to allow for possible extensions of other signature schemes.
encoding: Encoding of the signature data. MUST always be set to "base64", specifying that the signature value is encoded using Base64 [RFC4648] according to Section 4.5.3 Signature Creation. The purpose of this field is both for the data structure to be self-describing and to allow for possible extensions of other encodings.

receiverSig

Contract signature created by the receiver. Analogous to senderSig.

facts

A set of one or more fact checksums.

This field binds the DTC to the state of the transmitted data by including fact checksums, which are implemented using cryptographic hash functions.

Any implementation SHOULD interpret this field as an unordered list. Whenever a canonical representation is needed, the set MUST be transformed into an ordered list by sorting the elements lexicographically by factID in the UTF-8 encoding [RFC3629] (e.g., see Section 4.5.2 Pre-Processing).

A single fact checksum has the following subcomponents:

factID

The IRI of the fact. MUST be unique in the set of facts.

requestedID

(Optional) During the DTC generation mechanism (cf. Section 6.1 DTC Generation Handshake), the sender MAY update the IRI in factID (e.g., in order to provide a persistent fact IRI for long-term referenceability). In this case, this field contains the IRI which was originally requested.

Note

The procedure of updating the factID is included to support factID negotiation. Example scenarios:

The receiver does not know the revision ID, which transforms a resource to a fact by means of an immutable revisioning scheme, and thus only requests the latest revision of a resource. The sender adds the latest revision ID to the factID to identify an immutable fact.
The receiver uses a deprecated fact identification scheme. The sender can transform the deprecated factID into a new one.

<alg>

The checksum, created by hashing a serialization of the fact.

The hash algorithm MUST be specified through the field name, i.e., <alg> MUST be replaced by one of the supported algorithms listed below.

The hash values MUST be encoded as a hexadecimal string, i.e., using digits and the letters a-f or A-F. The encoding SHOULD use lowercase letters.

The supported hash algorithms are cryptographic hash functions, so that an attacker cannot forge data that collides with the checksum. Such a vulnerability could lead to misuse of existing DTCs, or ambiguity w.r.t. the verifiability of the underlying data.

Currently supported algorithms:

sha256, sha384, sha512: Variants of SHA-2 FIPS PUB 180-4: Secure Hash Standard (SHS)

serialization

A serialization identifier. In this document, we specify a baseline set of serialization identifiers. Every implementation MUST be able to interpret these serialization identifiers. Extensions to these identifiers MAY be specified in the future.

"binary": A (trivial) binary representation of the fact
"string": A (trivial) string representation of the fact
"canonical_json": A representation of the fact as canonicalized JSON according to the JSON Canonicalization Scheme (JCS) [RFC8785].
"URDNA2015": The Linked Data associated with a fact, serialized as normalized N-Quads [N-Quads] according to the URDNA2015 algorithm.
Note
We recognize that Linked Data canonicalization is an open issue, and the specification of the specified algorithm is at a draft status. As the algorithm is not a direct component of ReShare, and we argue for an extensible serialization identifier scheme, we consider this remark to be tolerable.

A trivial serialization of a given resource MUST be interpretable without the need to perform any transformations. E.g., if the fact is a JPEG image, the binary serialization (identified by the "binary" identifier) can be considered trivial, as JPEG is a binary file format and does not need to be transformed. A JSON document, however, cannot be trivially serialized as a binary object without transformations, as the choice of the character set, the canonicalization scheme, etc. are ambiguous.

senderCustomContent/receiverCustomContent

(Optional) DTC fields that MAY be used to add custom content or metadata to a DTC as a JSON object.

If one of these fields is present, it MUST contain exactly one JSON object (i.e., enclosed by curly brackets).

timestamp

A timestamp that binds the DTC to the time of transmission. Specifically, it binds to the point in time during DTC generation, where one of the two involved parties adds the fact checksums to the DTC. The timestamp is encoded as a string in the Internet date/time format [RFC3339], which is a profile of ISO 8601 [ISO8601].

By default, DTCs are represented as JSON [RFC8259]. To make DTCs interpretable as Linked Data, we further define an associated JSON-LD [JSON-LD11] context. We deem JSON the default representation, as it can be transformed to the JSON-LD representation without context by the procedure defined below, and thus reduces the overhead in storage and transmission of (partial) DTCs.

Any implementation MUST support the creation, validation, and interpretation of the JSON DTC representation, which we describe in Section 4.4.1 JSON.

Implementations MAY support the transformations from and to JSON-LD. In this case, these transformations MUST be implemented according to Section 4.4.2 JSON-LD.

We define a default JSON representation for DTCs. Every contract field is represented by a root-level submember of a JSON object. The content of each field and sub-field is described above in Section 4.3 DTC Data Structure.

To specify the structure of the JSON representation of a DTC, we build upon the specification of JSON Schema [JSON-SCHEMA][JSON-SCHEMA-VALIDATION]. While we recognize that this specification is still in a draft state, we find this tolerable due to the nature of this document being a member submission. We further specifically use the 2020-12 version of the draft of JSON Schema to avoid ambiguities.

We define three schemas: The schema for a partial DTC, the schema for a complete DTC, and the schema for a partial DTC, where only the two signatures may be missing. The two latter schemas extend the partial DTC schema by requiring the fields to be present.

For a JSON representation of a DTC to be syntactically valid, a JSON schema validator implemented according to the 2020-12 version of JSON schema MUST successfully test the JSON representation to the JSON schema of a complete DTC.

In the following, we give an example of a complete DTC as a JSON object, according to the descriptions above. The contract contains four fact checksums (in facts), where the fact itself could trivially be serialized as a string. The public key certificates (in sender and receiver) are single X.509 certificates directly signed by an imaginary root CA.

Example 1: Example DTC (JSON) (non-normative)

{
  "baseIRI": "https://example.com/contracts/2021-09-24/134",
  "sender": {
    "type": "X509",
    "encoding": "base64",
    "cert": "MIIEkTCCAnmgAwIBAgIUTpTAugWv4ZYQX9nk2zETfVcMi38wDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEzARBgNVBAoMCkV4YW1wbGUgQ0ExEzARBgNVBAMMCkV4YW1wbGUgQ0EwHhcNMjEwNDE1MjExMTExWhcNMjIwNDE1MjExMTExWjAzMR0wGwYDVQQKDBRFeGFtcGxlIGNoYWluIGNlcnQgMTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvw8C6sqLUVSOwFPbZsqS/1cL/+7aaaxVPwXs7TjPVombwNLyJW8yPyyQLbsTN5evVCpNdzciYc9Nhh77AYrqCiOsZBb7hu/PMqNqDvU2FAHeTH9KZ1PSpsOdgzG4i9widL6FBKGrxvlyj0G5ztQoGtymJFdmQ8K/ZN2W5Bi27H24UgITO+mX5MGmzFfyib7bDnvNqZUMJEgpSGt+jUf/7pMtuQqusrE1bfg5vvCbHIPHx2KXqzQEjNiioDafzKjIY2NSakis1AZe+J46o/Za0L8TUMXPvO1nSX4VMm9w5Qqf8auKdlUnT7fVqGKxQvPgX/JM/ksduZqZdTE1giWDgQIDAQABo4GDMIGAMB0GA1UdDgQWBBQtTnbTodwlQnP0QXA2VRv6DBWgzzAfBgNVHSMEGDAWgBR+/85DLJ8v0EP1y6kv/I9XPsHQ5TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAG47hxcjEY6kXojCadK15iW5t6P2p2NCfXpymeRuVaHiI7hhMwQEPymGqXZe0MKUKaRxb9BssG9UvndJw7PWdLx55Y498dgEVXWp7UWUg+VmLxE0wrS+7odJ6ZwsSTPhlgQVF3y9SOP18UX1Iy+ipkdPVbeiQB2QJOYLdxj3h26a/BevyWJU7jTbZO9fNX3FlopyQbB64QPJKJyQiYrT1td7lOcreyBJUS2e5p+hifW/ukxHQ9QtfN+mE/MlnUSHar6LgXPX3AoiVKc14L5E7jRHLDCvFWO1PfVCsS6RWIKdoWsEUytDnMYLHb2TmMJWQf8S69BLyqgEhKXNS9hZceGr32jM9O6TepYKZNH5A1QLjZcuHHKUAzXMjM9loNLra/VGcqrMTdZYautGl8EdEURqE063qDd+Hsp3Vqw0iALQHcbEb6R1b2o5dIrczo+PINTSvnFv+4GyqznXEYjcueLrR/R6kE9GNOiPUxpont+0s1JCAKPaaZk97Z09ldtD47rPQLQgWopDadVOm3Gu9+ef7uqqpJw9+q384mqgw4P1Yws6aVkXLdvh8MCXcMEYi2AeQVCCZv2CjAh8CZQC+0P2JtkhWlCxPoSDk4jbm6koCxcpL3CRcc5LtTTrev5+Mi0oDMiLzx09GNls3SQzdKdP9PM+Y7E7y4Xi2LW3FtoG",
    "authID": "http://example.com/sender"
  },
  "receiver": {
    "type": "X509",
    "encoding": "base64",
    "cert": "MIIEkTCCAnmgAwIBAgIUTpTAugWv4ZYQX9nk2zETfVcMi4AwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEzARBgNVBAoMCkV4YW1wbGUgQ0ExEzARBgNVBAMMCkV4YW1wbGUgQ0EwHhcNMjEwNDE1MjExNDM1WhcNMjIwNDE1MjExNDM1WjAzMR0wGwYDVQQKDBRFeGFtcGxlIGNoYWluIGNlcnQgMTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKe4H5GwuaKS02s6oAnQF0e30TLyB3joT5GNzwa94WXuLjU8SWKqOjLQyIN2ZBtZW1jNI3By6nsPoU3t181SBStFI25JZ8PUvJ9/Skf/adRmrtXHX8MYRBqN4d1JIRdOoLxwq+bI0UIyMmMNMTjvhnWwTx4FkXwup5fna9FFBbtOGP+7vMVl98L2/bDMJwwLdnzUs0CKLyqDRx0XWAnp6R6CN9YDeMgpdDviMkBfeY74AJ084v6pWnx+K0PlUuQAkiuPvcRsDxgjHRO18rq4wA6Dxh6My7Xh/uHFzb5cmLT7C7kfr+WN26va8IRGCF8NWdOYQ0HSo/vbY/eIOB/G0wIDAQABo4GDMIGAMB0GA1UdDgQWBBSmlyw0Ht9gF3rnI42Us1dK9+jZ/DAfBgNVHSMEGDAWgBR+/85DLJ8v0EP1y6kv/I9XPsHQ5TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBABMLMfSOAwk34LEK9L/A1qtHTJPQ2BF3XjnbswINNao0oOI3PSWKU0weWYlITH29hgyzrwO8A9ifaOFPtsRxe9/UNv6RNqwObLpxF+f2U3ulu2hTzd7l/ZXUGYaBUHLL3Cu1JlZWMRoTUBUHAvkwnQlUkQLJZ7A+N9y+FfV5apIMTwPA+C2lwiVtEd3Hje5Z9lUmjwiARRnsliRuCm2ZY0IHvneQN7NnOFCFFQQnu/7wMEywNWR3NMtj5AcMugs56OqcAglwq+HqYNCUkelt1/I7A/NwitaPEYu/1TDjQBckR6nbtJwHKFx2M9heB+E5iMI65r+ae01jBr+r7tes6UdEz7SCF3xHks3ubKfRQykZzTZ7ixeHYG5XjaUSSk8EDuBCdZOJ/AUAA+Rar/UPODUd1YQUZDUqs0MvB9zXQYBtEhwii75pCmkFBpZewo6xyktdP3964q7MZPZQZTZimh02CxcWdXZj6JkoL6ihuM36UciS9rXUgIGGdJcbhC5mP/PqRYsAzipOvQiRL7mGRB9L8H0Wt08yl3H0KFwGcgasML8tOOkf+4MsGIHJZaJ20cVfdWm1StOtLN1Bn+gAppq8nlvDgPiQ3NxSsvY+Qpb0WSVWknc1VyOPKexKaM20/alMv/fykVhVmmAcNVshIMAuKV5TnhqeZyg8L02pVAHL",
    "authID": "http://example.com/receiver"
  },
  "senderSig": {
    "type": "urn:oid:1.2.840.113549.1.1.10",
    "encoding": "base64",
    "sig": "S82Al/YgpfjywjagQ03tjr8WT2oiMSkuYGA5hoXL/LCZHJhR4UGuXyQe1lJ6+yDRiN8FbKcp6ZrClb645rKpIK9UP/Y50wOo/vXCdeUGRqWj4NduoJsBKAP9O4QfQQkT9POHwcbYDsbvEGm3M7fh7mrOn6PzQQgq8vNGayVP5VmFLofxhArc2cy7/TthDl5sBwngpIokHUGOIE+RXasifJ/KS+DALU2s51EZzP2NuTbOvC2328UD5yhvHTopwqn3OrMWbKjF8UUDFjQHYx383hrK3VPjqfrMMNT3OHiJB6t9pJwZ3lmD3PV0Axp6k1XV+oxckBaYN7dCNneQn+zkcw=="
  },
  "receiverSig": {
    "type": "urn:oid:1.2.840.113549.1.1.10",
    "encoding": "base64",
    "sig": "P70POEihM3V+pX+lPmvyoDzhERRuuat4P+jGIN/ME1n4hrl9vHb7l8yXy04iT2lNRXv2wkPfPC55nNCTCjWkPhF9Ca6KM6km0BHanPT9J7DZYuCes3RiPwEqO2UsVVZMxj/kMpwu0X23+SHjpAycGY7M/ZRG5iasQiu4N4f/O6pmNTOE6AqpgdhqACqUInbCN3afbdIUnFdbQSRn16VKmrmgUtus5XrVMsCEEZ3xlw8Pl+1toHgWllK4bnm3+DO4wdNb9wvM5TMrqCGHGZOkkxdlZ2pK3uSHuWtvifA49Ks113giNz6ZNjbWvmq9AJRY8/qVQUCBwZaBeSBqZRUMMw=="
  },
  "facts": [
    {
      "factID": "http://example.com/facts/fact1",
      "sha256": "5fc62b0e99a143ff2b99b56a6953f07e96f52023aa3739bba3fec1194292f48e",
      "serialization": "string"
    },
    {
      "factID": "http://example.com/facts/fact2",
      "sha256": "828bbc97b5b866992dc8bc532265e3094bc9e17cce05e16d90844d2160ad99cf",
      "serialization": "string"
    },
    {
      "factID": "http://example.com/facts/fact3",
      "sha256": "c646cfa0feda9af766e6eca97f8578f3eb2b126d2349ea7ce1fd2d3b3fe2d456",
      "serialization": "string"
    },
    {
      "factID": "http://example.com/facts/fact4",
      "sha256": "5845f61bccd9c5631dee29f9e87830b11eb5b531081a8888db42e80e2f153fc0",
      "serialization": "string"
    }
  ],
  "timestamp": "2021-04-15T21:50:29.940Z",
  "senderCustomContent": {
    "authMethod": "PublicKey",
    "authSuccessful": true,
    "authUserId": "user123456"
  },
  "receiverCustomContent": {
    "dbStorageId": "StorageCluster5"
  }
}

We use the ReShare ontology v0.3, which we describe in Section 5. The ReShare Ontology, for defining the semantics of the JSON structure in a JSON-LD [JSON-LD11] representation for DTCs.

Instead of defining a schema for the JSON-LD representation of DTCs, we specify a procedure to transform a JSON representation of a DTC into a JSON-LD representation, and a procedure to transform a JSON-LD representation to a JSON representation.

To raise a valid JSON DTC serialization to JSON-LD, the following transformation steps MUST be conducted:

Add the static @context object
Add @type keywords to the non-literal (sub-)objects
Add the contract base IRI to the @context object as an IRI prefix
Add @id keywords to the non-literal sub-objects

Details about the steps are presented in the following and MUST be followed when creating a JSON-LD representation of a DTC.

Note

In the following examples, the misuse of the triple-dot notation denotes that the rest of the JSON structure is not changed. As it is only used in informative examples, it does not violate the normative character of this section.

The following static @context object (corresponding to version 0.3 of the ReShare ontology) MUST be added to the root of the DTC object:

Example 2: DTC JSON-LD context

{
  "@context": {
    "fc": "https://w3id.org/reshare/ontology/0.3/#",
    "xsd": "http://www.w3.org/2001/XMLSchema#",
    "facts": {
      "@id": "fc:fact",
      "@context": {
        "factID": {
          "@id": "fc:factOrigin",
          "@type": "@id"
        },
        "sha256": {
          "@id": "fc:sha256Sum",
          "@type": "xsd:hexBinary"
        },
        "sha384": {
          "@id": "fc:sha384Sum",
          "@type": "xsd:hexBinary"
        },
        "sha512": {
          "@id": "fc:sha512Sum",
          "@type": "xsd:hexBinary"
        },
        "serialization": "fc:serialization"
      }
    },
    "sender": {
      "@id": "fc:sender",
      "@context": {
        "authID": {
          "@id": "fc:identifies",
          "@type": "@id"
        },
        "type": "fc:certType",
        "cert": {
          "@id": "fc:x509Cert",
          "@type": "xsd:base64Binary"
        },
        "encoding": "fc:certEncoding"
      }
    },
    "receiver": {
      "@id": "fc:receiver",
      "@context": {
        "authID": {
          "@id": "fc:identifies",
          "@type": "@id"
        },
        "type": "fc:certType",
        "cert": {
          "@id": "fc:x509Cert",
          "@type": "xsd:base64Binary"
        },
        "encoding": "fc:certEncoding"
      }
    },
    "senderSig": {
      "@id": "fc:senderSig",
      "@context": {
        "type": {
          "@id": "fc:sigType",
          "@type": "@id"
        },
        "sig": {
          "@id": "fc:sigData",
          "@type": "xsd:base64Binary"
        },
        "encoding": "fc:sigEncoding"
      }
    },
    "receiverSig": {
      "@id": "fc:receiverSig",
      "@context": {
        "type": {
          "@id": "fc:sigType",
          "@type": "@id"
        },
        "sig": {
          "@id": "fc:sigData",
          "@type": "xsd:base64Binary"
        },
        "encoding": "fc:sigEncoding"
      }
    },
    "senderCustomContent": {
      "@id": "fc:senderCustomContent",
      "@type": "@json"
    },
    "receiverCustomContent": {
      "@id": "fc:receiverCustomContent",
      "@type": "@json"
    },
    "timestamp": {
      "@id": "fc:timestamp",
      "@type": "xsd:dateTimeStamp"
    }
  }
}

The following (sub-)objects of the DTC object MUST be typed explicitly with the following types by adding a @type attribute to their root-level attributes:

JSON object Type IRI

Root DTC object fc:DTC

Each entry of facts fc:Fact

sender fc:Sender

receiver fc:Receiver

senderSig fc:Signature

receiverSig fc:Signature

Note
All other contract fields do not need to be typed, as they are represented as literals in JSON-LD, and are typed through the @context objects.

The assignment of @type attributes is illustrated with the following example.
Example 3: Explicitly typing a DTC using @type (non-normative)
```
{
  "@type": "fc:DTC",
  "facts": [
    {
      "@type": "fc:Fact",
      ...
    },
    ...
  ],
  "receiver": {
    "@type": "fc:Receiver",
    ...
  },
  "receiverSig": {
    "@type": "fc:Signature",
    ...
  },
  "sender": {
    "@type": "fc:Sender",
    ...
  },
  "senderSig": {
    "@type": "fc:Signature",
    ...
  },
  ...
}
```
An IRI prefix for the keyword contract MUST be added to the @context object. The prefix MUST be set to the baseIRI of the contract.

The step is illustrated with the following example. Note that the baseIRI attribute existed beforehand. Its value is simply copied to the IRI prefix definition.
Example 4: Adding the base IRI of the DTC to its context as an IRI prefix (non-normative)
```
{
  "@context": {
    "contract": "http://example.com/contracts/1#",
    ...
  },
  "baseIRI": "http://example.com/contracts/1#",
  ...
}
```

JSON object	Type IRI
Root DTC object	`fc:DTC`
Each entry of `facts`	`fc:Fact`
`sender`	`fc:Sender`
`receiver`	`fc:Receiver`
`senderSig`	`fc:Signature`
`receiverSig`	`fc:Signature`

The following (sub-)objects of the DTC object MUST be made identifiable with the following IRIs (relative to the root DTC IRI) by adding a @id attribute to their root-level attributes:

JSON object	Resource IRI
Each entry of `facts`	`contract:fact-<i>`, where `<i>` is the index of the entry within `facts` when sorted lexicographically by `factID` (starting with `contract:fact-0`)
`sender`	`contract:sender`
`receiver`	`contract:receiver`
`senderSig`	`contract:senderSig`
`receiverSig`	`contract:senderSig`

Note

All other contract fields are not assigned an IRI, as they are represented as literals in JSON-LD, and thus do not have their own IRIs. Instead, they can be queried through the data properties of the DTC resource.

The assignment of @id attributes is illustrated with the following example.

Example 5: Explicitly adding IRIs to the DTC subcomponents using @id (non-normative)

{
  "facts": [
    {
      "@id": "contract:fact-0",
      ...
    },
    {
      "@id": "contract:fact-1",
      ...
    },
    {
      "@id": "contract:fact-2",
      ...
    },
    {
      "@id": "contract:fact-3",
      ...
    }
  ],
  "receiver": {
    "@id": "contract:receiver",
    ...
  },
  "receiverSig": {
    "@id": "contract:receiverSig",
    ...
  },
  "sender": {
    "@id": "contract:sender",
    ...
  },
  "senderSig": {
    "@id": "contract:senderSig",
    ...
  },
  ...
}

In the following, we give the example of a DTC represented in JSON-LD, where the static part of the @context object is omitted for readability.

Example 6: Example DTC (JSON-LD) (non-normative)

{
  "@context": {
    ...
  },
  "@id": "http://example.com/contracts/1",
  "@type": "fc:DTC",
  "facts": [
    {
      "@id": "contract:fact-0",
      "@type": "fc:Fact",
      "factID": "http://example.com/facts/fact1",
      "serialization": "string",
      "sha256": "5fc62b0e99a143ff2b99b56a6953f07e96f52023aa3739bba3fec1194292f48e"
    },
    {
      "@id": "contract:fact-1",
      "@type": "fc:Fact",
      "factID": "http://example.com/facts/fact2",
      "serialization": "string",
      "sha256": "828bbc97b5b866992dc8bc532265e3094bc9e17cce05e16d90844d2160ad99cf"
    },
    {
      "@id": "contract:fact-2",
      "@type": "fc:Fact",
      "factID": "http://example.com/facts/fact3",
      "serialization": "string",
      "sha256": "c646cfa0feda9af766e6eca97f8578f3eb2b126d2349ea7ce1fd2d3b3fe2d456"
    },
    {
      "@id": "contract:fact-3",
      "@type": "fc:Fact",
      "factID": "http://example.com/facts/fact4",
      "serialization": "string",
      "sha256": "5845f61bccd9c5631dee29f9e87830b11eb5b531081a8888db42e80e2f153fc0"
    }
  ],
  "receiver": {
    "@id": "contract:receiver",
    "@type": "fc:Receiver",
    "type": "X509",
    "encoding": "base64",
    "authID": "http://example.com/receiver",
    "cert": "MIIEkTCCAnmgAwIBAgIUTpTAugWv4ZYQX9nk2zETfVcMi4AwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEzARBgNVBAoMCkV4YW1wbGUgQ0ExEzARBgNVBAMMCkV4YW1wbGUgQ0EwHhcNMjEwNDE1MjExNDM1WhcNMjIwNDE1MjExNDM1WjAzMR0wGwYDVQQKDBRFeGFtcGxlIGNoYWluIGNlcnQgMTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKe4H5GwuaKS02s6oAnQF0e30TLyB3joT5GNzwa94WXuLjU8SWKqOjLQyIN2ZBtZW1jNI3By6nsPoU3t181SBStFI25JZ8PUvJ9/Skf/adRmrtXHX8MYRBqN4d1JIRdOoLxwq+bI0UIyMmMNMTjvhnWwTx4FkXwup5fna9FFBbtOGP+7vMVl98L2/bDMJwwLdnzUs0CKLyqDRx0XWAnp6R6CN9YDeMgpdDviMkBfeY74AJ084v6pWnx+K0PlUuQAkiuPvcRsDxgjHRO18rq4wA6Dxh6My7Xh/uHFzb5cmLT7C7kfr+WN26va8IRGCF8NWdOYQ0HSo/vbY/eIOB/G0wIDAQABo4GDMIGAMB0GA1UdDgQWBBSmlyw0Ht9gF3rnI42Us1dK9+jZ/DAfBgNVHSMEGDAWgBR+/85DLJ8v0EP1y6kv/I9XPsHQ5TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBABMLMfSOAwk34LEK9L/A1qtHTJPQ2BF3XjnbswINNao0oOI3PSWKU0weWYlITH29hgyzrwO8A9ifaOFPtsRxe9/UNv6RNqwObLpxF+f2U3ulu2hTzd7l/ZXUGYaBUHLL3Cu1JlZWMRoTUBUHAvkwnQlUkQLJZ7A+N9y+FfV5apIMTwPA+C2lwiVtEd3Hje5Z9lUmjwiARRnsliRuCm2ZY0IHvneQN7NnOFCFFQQnu/7wMEywNWR3NMtj5AcMugs56OqcAglwq+HqYNCUkelt1/I7A/NwitaPEYu/1TDjQBckR6nbtJwHKFx2M9heB+E5iMI65r+ae01jBr+r7tes6UdEz7SCF3xHks3ubKfRQykZzTZ7ixeHYG5XjaUSSk8EDuBCdZOJ/AUAA+Rar/UPODUd1YQUZDUqs0MvB9zXQYBtEhwii75pCmkFBpZewo6xyktdP3964q7MZPZQZTZimh02CxcWdXZj6JkoL6ihuM36UciS9rXUgIGGdJcbhC5mP/PqRYsAzipOvQiRL7mGRB9L8H0Wt08yl3H0KFwGcgasML8tOOkf+4MsGIHJZaJ20cVfdWm1StOtLN1Bn+gAppq8nlvDgPiQ3NxSsvY+Qpb0WSVWknc1VyOPKexKaM20/alMv/fykVhVmmAcNVshIMAuKV5TnhqeZyg8L02pVAHL"
  },
  "receiverCustomContent": {
    "dbStorageId": "StorageCluster5"
  },
  "receiverSig": {
    "@id": "contract:receiverSig",
    "@type": "fc:Signature",
    "sig": "JepGwNLofxFFCvewKe+OBFm7G+YOvfqrAz3+z+jEAiPlpNtuXrQo3WM8g9SHyMpccu4BBPlKflSynI/OC6X7JL9kuJchg93gRBk/PjfTj8bUSaewCW3CVPe50zznJC7R9rcjUVtyLDIva558RJaJwVzgwO6YH+1/+hU4qKVHUyUuxBJSbWrBuOHBjavQQdq2utaja6h8dx1bLcBHAMjKxM4rIfUzXgjzkJk/D/DEZvSIRMnBafnqDQFvjB/eSZQa+oSSxKXS6dXskOKlxS9HvnRn2CsWEjhDrCIyphwEUj8qqhv1rsPWpiIXYVewWcsRxaYDfoe6+5hgquXR1i3nrg==",
    "type": "urn:oid:1.2.840.113549.1.1.10",
    "encoding": "base64"
  },
  "sender": {
    "@id": "contract:sender",
    "@type": "fc:Sender",
    "type": "X509",
    "encoding": "base64",
    "authID": "http://example.com/sender",
    "cert": "MIIEkTCCAnmgAwIBAgIUTpTAugWv4ZYQX9nk2zETfVcMi38wDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEzARBgNVBAoMCkV4YW1wbGUgQ0ExEzARBgNVBAMMCkV4YW1wbGUgQ0EwHhcNMjEwNDE1MjExMTExWhcNMjIwNDE1MjExMTExWjAzMR0wGwYDVQQKDBRFeGFtcGxlIGNoYWluIGNlcnQgMTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvw8C6sqLUVSOwFPbZsqS/1cL/+7aaaxVPwXs7TjPVombwNLyJW8yPyyQLbsTN5evVCpNdzciYc9Nhh77AYrqCiOsZBb7hu/PMqNqDvU2FAHeTH9KZ1PSpsOdgzG4i9widL6FBKGrxvlyj0G5ztQoGtymJFdmQ8K/ZN2W5Bi27H24UgITO+mX5MGmzFfyib7bDnvNqZUMJEgpSGt+jUf/7pMtuQqusrE1bfg5vvCbHIPHx2KXqzQEjNiioDafzKjIY2NSakis1AZe+J46o/Za0L8TUMXPvO1nSX4VMm9w5Qqf8auKdlUnT7fVqGKxQvPgX/JM/ksduZqZdTE1giWDgQIDAQABo4GDMIGAMB0GA1UdDgQWBBQtTnbTodwlQnP0QXA2VRv6DBWgzzAfBgNVHSMEGDAWgBR+/85DLJ8v0EP1y6kv/I9XPsHQ5TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAG47hxcjEY6kXojCadK15iW5t6P2p2NCfXpymeRuVaHiI7hhMwQEPymGqXZe0MKUKaRxb9BssG9UvndJw7PWdLx55Y498dgEVXWp7UWUg+VmLxE0wrS+7odJ6ZwsSTPhlgQVF3y9SOP18UX1Iy+ipkdPVbeiQB2QJOYLdxj3h26a/BevyWJU7jTbZO9fNX3FlopyQbB64QPJKJyQiYrT1td7lOcreyBJUS2e5p+hifW/ukxHQ9QtfN+mE/MlnUSHar6LgXPX3AoiVKc14L5E7jRHLDCvFWO1PfVCsS6RWIKdoWsEUytDnMYLHb2TmMJWQf8S69BLyqgEhKXNS9hZceGr32jM9O6TepYKZNH5A1QLjZcuHHKUAzXMjM9loNLra/VGcqrMTdZYautGl8EdEURqE063qDd+Hsp3Vqw0iALQHcbEb6R1b2o5dIrczo+PINTSvnFv+4GyqznXEYjcueLrR/R6kE9GNOiPUxpont+0s1JCAKPaaZk97Z09ldtD47rPQLQgWopDadVOm3Gu9+ef7uqqpJw9+q384mqgw4P1Yws6aVkXLdvh8MCXcMEYi2AeQVCCZv2CjAh8CZQC+0P2JtkhWlCxPoSDk4jbm6koCxcpL3CRcc5LtTTrev5+Mi0oDMiLzx09GNls3SQzdKdP9PM+Y7E7y4Xi2LW3FtoG"
  },
  "senderCustomContent": {
    "authMethod": "PublicKey",
    "authSuccessful": true,
    "authUserId": "user123456"
  },
  "senderSig": {
    "@id": "contract:senderSig",
    "@type": "fc:Signature",
    "sig": "XW5nUNXY+06Llu9i4vUABpm4CpTHTPBy7rAYjGV/FG8CIuYffr4xYZkm6VIDApWQ3F38CwLDzEgy4bAT/u+kQshCM4MzIyGnqTzatvV8ZM3gfBJ6307h+t8VdBW3siXYcqexpA5CWVtqNWhCIme/sXEXkJQDQl1q5NljIcWiaJMHNUwg0IvCP1LLL8fcMr0Yj0sVKN5l8WuBpr6lLIsxOJgN6iWt/wM43pBO2G62/BR7FCWY1jE72gedGy16BBpn/KNkCRIr0ACcZNArZPYlISsHXpjOk3QoiUMakxgvdbdlpKZNFchbXU6ZlZTu3xyc67uddy6QzNID3yJ35Kcp3w==",
    "type": "urn:oid:1.2.840.113549.1.1.10",
    "encoding": "base64"
  },
  "timestamp": "2021-04-15T21:53:24.446Z"
}

To transfer a JSON-LD representation of a DTC to a JSON representation, one MUST execute the following steps:

Build the @context object by adding a contract IRI prefix to the static @context object from the JSON-to-JSON-LD transformation by copying the IRI of the DTC, similarly to step 3 of the JSON-to-JSON-LD transformation.
Use the JSON-LD compaction algorithm [JSON-LD11-API] to compact the JSON-LD document together with the context built in Step 1.
Remove all @type, @id, and @context attributes. Note: The baseIRI of the DTC is unaffected by this, as it is aliased as @id, and thus is not removed!

A valid DTC MUST always contain two signatures, one by the sender, and one by the receiver. These signatures constitute a central component of the trust chain of a DTC, connecting the information included in DTCs (e.g., the checksums in facts) to the public keys of sender and receiver. The signatures are included in the DTC itself in the senderSig and receiverSig fields (see 4.3 DTC Data Structure).

The processes of creating and verifying DTC signatures, which are specified in the following, are the same for any party (sender or receiver). Thus, we only consider the sender in the following. For receiver signatures, analogous steps apply.

Each party (sender and receiver) MUST have an RSA public/private key pair which they use for creating DTC signatures. The public key of the key pair used to create DTC signatures MUST be included in the cert property of the respective identity field of the DTC, i.e., sender or receiver (see 4.3 DTC Data Structure).

The processes of signature creation and verification can be divided into three low-level processes: A pre-processing pipeline for generating a normalized binary serialization of a DTC (further described in Section 4.5.2 Pre-Processing), and both a signature creation and verification process based on the pre-processed form of a DTC (further described in Sections 4.5.3 Signature Creation and 4.5.4 Signature Verification respectively).

The integration of said low-level processes into the high-level processes of signature creation and verification is visualized in the two figures below.

DTC signature creation process (high-level)

Figure 3 The high-level process of creating a DTC signature. The DTC is pre-processed first before creating the DTC signature using the signer's private key.

DTC signature verification process (high-level)

Figure 4 The high-level process of verifying a DTC signature. The DTC is pre-processed first before verifiying the given DTC signature using the signer's public key.

The DTC pre-processing pipeline, as visualized below, consists of four steps and starts with the implementation-dependent internal representation of the DTC.

The pre-processing steps for creating and verifying DTC signatures

Figure 5 The pre-processing steps for creating and verifying DTC signatures. The internal DTC is serialized as specified by the JSON DTC represenation, pruned by removing unsigned material, normalized, and encoded as a UTF-8 string [RFC3629].

The four pre-processing steps MUST be executed as follows in order to uniquely serialize and normalize the DTC.

Serialize: The (potentially incomplete) DTC MUST be serialized as JSON according to Section 4.4 DTC Representations. This representation MUST match the schema of a partial DTC, where only the two signatures may be missing, as defined in Section 4.4 DTC Representations.
Remove unsigned content: To not impose a dependency on the ordering of signatures by the parties, pre-existing signature material MUST NOT be included in the signature. Thus, both the senderSig and receiverSig fields (if existing) MUST be removed in this step.
Normalize: First, in order to achieve a unique order of the included facts, the facts array MUST be sorted by the ascending lexicographic order of the factID subproperty in UTF-8 encoding [RFC3629]. Afterward, the JSON document MUST be canonicalized according to the JSON Canonicalization Scheme (JCS) [RFC8785].
Encode: To discretize the string encoding of the normalized JSON contract, it MUST be encoded using UTF-8 [RFC3629].

The process of creating a DTC signature, based on its pre-processed form.

Figure 6 The process of creating a DTC signature, based on its pre-processed form. Using said pre-processed DTC and its own private key, the signing party creates an RSA signature, which is encoded as Base64 [RFC4648].

The signature MUST be created using the pre-processed form of the DTC as described in Section 4.5.2 Pre-Processing as the input to the RSASSA-PSS-SIGN operation specified in PKCS #1 [RFC8017].

For the EMSA-PSS-ENCODE encoding operation used in the RSASSA-PSS-SIGN operation, the following parameters MUST be selected:

Hash function (Hash): SHA-256 [FIPS-180-4]
Mask generation function (MGF): MGF1 [RFC8017]
Salt length (sLen): 32 (=hLen, i.e., the length of a SHA-256 hash in octets)

The binary output of the RSASSA-PSS signature creation primitive MUST be encoded as Base64 [RFC4648].

The encoded signature can be used as the sig subfield of the senderSig or receiverSig DTC fields (the field associated with the signer), as specified in Section 4.3 DTC Data Structure.

The process of verifying a DTC signature, based on its pre-processed form.

Figure 7 The process of verifying a DTC signature, based on its pre-processed form. Requires said pre-processed DTC, the DTC signature encoded as Base64 [RFC4648], and the signing party's public key. The signature is first decoded into a binary form, and then verified using the pre-processed DTC and the public key.

To verify a given signature, as included in the senderSig or receiverSig DTC fields (see 4.3 DTC Data Structure), the encoded signature (here: senderSig) MUST be decoded as Base64 [RFC4648].

The DTC MUST be pre-processed according to 4.5.2 Pre-Processing.

Together with the pre-processed DTC, and the public key associated with the signature, the signature MUST then be verified according to the RSASSA-PSS-VERIFY operation as specified in PKCS #1 [RFC8017].

For the EMSA-PSS-VERIFY operation, which is used in the RSASSA-PSS-VERIFY operation, the same parameters as for EMSA-PSS-ENCODE (see 4.5.3 Signature Creation) MUST be used.

Two core mechanisms are defined as part of ReShare:

A generation mechanism to generate valid DTCs between parties.
A verification mechanism to reliably verify both the validity of the dtc and the contained resource checksums.

Any implementation MUST implement the verification mechanism mechanism according to Section 6.2 DTC Verification.

The generation mechanism, which is specified in Section 6.1 DTC Generation Handshake, follows a client-server-paradigm. To allow for application-dependent lightweight implementations, the client and server parts of the generation mechanism MAY not be implemented. The following combinations are possible:

Server implemented	Client implemented	Description
Yes	Yes	Full implementation
Yes	No	Only supports sender role & DTC verification
No	Yes	Only supports receiver role & DTC verification
No	No	Only supports DTC verification

The DTC generation mechanism constitutes a handshake, in which sender and receiver jointly create and sign a DTC in a client-server paradigm.

We specify two versions of this generation handshake: A complete 3-way version, which can be carried out completely in parallel to the underlying data transmission, and an abbreviated 2-way handshake, which can be used if the receiver has access to the complete underlying data of the DTC (i.e., the data transmission has to be completed already).

The benefits of the independence of DTC generation to the data transmission are expected to outweigh the effects of the increased overhead in most use cases. Thus, we consider the complete 3-way handshake the default handshake version. A brief elaboration on this discussion can be found in Section A.3 DTC Generation: Two Handshake Versions.

We do not specify any mechanism to separate handshake versions or negotiate the handshake version. Instead, such a mechanism MAY be implemented on a lower layer (e.g., by using HTTP content negotiation or using two ports for separating the two handshake versions).

This section is non-normative.

The specification of the DTC generation mechanism is divided into the following components:

Client and server implementations: Define the behavior which implements the handshake itself, depending on the handshake version (i.e., complete or abbreviated). The client and server implementations receive messages from the abstraction components for the lower-layer communication stack, build new messages, and send these messages to the abstraction components of the communication stack.
Helper components: We define a message builder, a message validator, and an error message builder, which are used by the client and server implementations to validate and build message objects.
Communication abstraction components: Directly communicate with the deployment-specific communication stack, such that the client and server implementations can be transparent w.r.t. the underlying communication stack.

The DTC generation components are visualized in the following figure.

Overview of the components of the DTC generation mechanism.

Figure 8 A schematic overview of the components of the DTC generation mechanism.

The complete DTC generation handshake consists of the following three steps, which are described in detail in the following:

The receiver initiates the DTC generation by stating its identity and the set of facts to be included in the DTC. The current version of the DTC only contains the receiver, facts (only IRIs, no checksums), and receiverCustomContent fields.
Upon receipt of the initiation message, the sender compiles and signs the contract. The current version of the DTC is only missing the receiverSig field.
Upon receipt of the sender-signed (partial) DTC, the receiver verifies the current state of the DTC and signs it afterward. The DTC is now complete and valid, and is sent back to the sender for mutual storage.

The following figure gives an overview of the handshake messages and computations. Note that only the differential message contents are listed, as the previously existing DTC content is carried over to the next messages. The caption includes a mapping from the message abbreviations used in the figure to the message identifiers defined in Section 6.1.4 Message Identifiers.

The 3-way contract generation handshake

Figure 9 A message diagram of the 3-way contract generation handshake, initiated by the receiver (R). Upon a request (R1=ContractRequest), the sender (S) assembles the DTC, signs it, and sends it to the receiver (S1=SenderContract). Finally, the receiver verifies and signs the DTC, and sends its own signature to the sender (R2=ReceiverContract).

In the following, we define the behavior of client and server implementations in detail.

The client is responsible for initiating the DTC generation handshake. For this, an appropriate user interface (manual trigger) or interface to the data-sharing system (automatic trigger) SHOULD be implemented.

To initiate the DTC generation, the client MUST first compile a partial DTC only consisting of the receiver, the facts, and the (optional) receiverCustomContent fields. The content of the receiver and receiverCustomContent fields MUST comply with the contents specified in Section 4.3 DTC Data Structure. The content of facts MUST comply with its definition in Section 4.3 DTC Data Structure, except that the requestedID, <alg>, and serialization sub-fields MUST NOT be present for any entry.

The client then MUST use the partial DTC to build the ContractRequest message by passing the partial DTC to the message builder defined in Section 6.1.5 Message Builder, and use the outgoing message interface (see Section 6.1.9 Protocol Stack) to send it to the server.

Once the client implementation is called by the incoming message handler (see Section 6.1.9 Protocol Stack), the following procedure MUST be carried out.

Start with step 1. If no "continue with step x" phrase is hit, the procedure is finished.

The client MUST pass the received message, together with an arbitrarily ordered list of the tuples (id,schema) of all error message identifiers (defined in Section 6.1.4 Message Identifiers) and their respective schemas (defined in Section 6.1.6 Message Schemas), to the message validator (see Section 6.1.7 Message Validator). If the validation returns None, continue with step 2. If the validation returns one of the error message identifiers, the implementation MAY behave arbitrarily (see the discussion and behavior recommendation in Section 6.1.8 Error Message Builder & Error Handling).
The client MUST pass the message, along with the schema for an S1 message (defined in Section 6.1.6 Message Schemas), to the message validator (see Section 6.1.7 Message Validator). If None is returned by the message validator, the client SHOULD send an UnknownMessage error to the server according to Section 6.1.8 Error Message Builder & Error Handling. If the validator returns S1, continue with step 3.
The client SHOULD check whether the received S1 message belongs to an unanswered previous ContractRequest message. The implementation of this check is not further specified, but MAY be implemented by matching HTTP requests and responses (see Section 6.1.9 Protocol Stack for a specification of the protocol stack) or by implementing a custom caching mechanism. If the check fails, the client SHOULD send an UnexpectedSenderContract error to the server according to Section 6.1.8 Error Message Builder & Error Handling. If the check succeeds, or if no check was executed, continue with step 4.
The client MUST extract and parse the partial DTC contained in the content attribute of the JSON message, and verify
- that the sender's identity (in sender) is as expected
- that the sender's public key certificate (in sender) is valid and trusted
  Note
  This step SHOULD include checking whether the public key certificate has been issued for the authority identified by the IRI contained in the sender field. We further discuss this verification step in Section A.2 Identity Management.
- that the sender's signature (in senderSig) is valid by verifying the signature according to Section 4.5.4 Signature Verification. The sender's public key contained in the public key certificate in sender MUST be used for the verification procedure.
- (optional) that the fact checksums contained in facts are valid. This is dependent on a completed data transaction and an interface to the data within the client-side handshake implementation, and thus, is not mandatory to implement.
If any of these verifications fail, the client MUST send an InvalidSenderContract error message to the server according to Section 6.1.8 Error Message Builder & Error Handling, and SHOULD consider the ContractRequest message, to which the S1 message was matched, as unanswered, such that the server can retry sending a valid matching S1 message. If all of the verifications succeeded, continue with step 5.
The client MUST create a signature according to Section 4.5.3 Signature Creation using the partial DTC from the S1 message and the private key associated with the public key included in the public key certificate in the receiver field, and add it as the receiverSig field according to Section 4.3 DTC Data Structure. The client SHOULD accept the complete DTC and SHOULD forward it so a DTC storage system. Finally, the client MUST build the R2 message by passing the now-complete DTC to the message builder (see Section 6.1.5 Message Builder), and use the outgoing message interface (see Section 6.1.9 Protocol Stack) to send it to the server.

Once the server implementation is called by the incoming message handler (see Section 6.1.9 Protocol Stack), the following procedure MUST be carried out.

Start with step 1. If no "continue with step x" phrase is hit, the procedure is finished.

The server MUST pass the received message, together with an arbitrarily ordered list of the tuples (id,schema) of all error message identifiers (defined in Section 6.1.4 Message Identifiers) and their respective schemas (defined in Section 6.1.6 Message Schemas), to the message validator (see Section 6.1.7 Message Validator). If the validation returns None, continue with step 2. If the validation returns one of the error message identifiers, the implementation MAY behave arbitrarily (see the discussion and behavior recommendation in Section 6.1.8 Error Message Builder & Error Handling).
The server MUST pass the message, together with the list containing the ContractRequest and R2 message schemas (in this order, defined in Section 6.1.6 Message Schemas) to the message validator (see 6.1.7 Message Validator). If the validator returns None, the server MUST send an UnknownMessage error to the client according to Section 6.1.8 Error Message Builder & Error Handling. If the validator returns ContractRequest, continue with step 3. If the validator returns R2, continue with step 6.
The server MUST parse the partial DTC in the contract attribute of the JSON message. Then, the server MAY verify that the client is authorized to request the DTC for the facts contained in the facts field.
Note
Such an access-control mechanism is not specified, but could be implemented on a lower layer (e.g., using the HTTP Authorization header). Therefore, error handling for access control should also be implemented on a lower layer.
Subsequently, the server compiles the DTC. Therefore, it MUST carry out the following steps on the received partial DTC in any order:
- The server adds the sender field with its own information, such that the content complies with Section 4.3 DTC Data Structure.
- The server looks up or computes the checksums for the facts identified by the IRIs contained in the factID sub-fields of the entries of facts. During this process, the server MAY resolve some of the IRIs to concretized IRIs (see the documentation requestedID for details). In this case, the server MUST copy the content of factID to requestedID, and subsequently overwrite the content of factID with the new IRI in accordance with Section 4.3 DTC Data Structure. It then adds each checksum to the <alg> sub-field of the respective facts entry in accordance with Section 4.3 DTC Data Structure. As specified in Section 4.3 DTC Data Structure, the checksum is associated with a specific serialization of the fact. The server MUST add the serialization identifier to the serialization sub-field of each entry of facts according to Section 4.3 DTC Data Structure.
- The server creates a timestamp of its current time and adds it to the timestamp field according to Section 4.3 DTC Data Structure.
- The server creates a base IRI, which can be used to uniquely identify the created DTC. For this, the server MAY use the previously created timestamp, or any other custom identification scheme. The server then adds the IRI to the baseIRI field according to Section 4.3 DTC Data Structure.
- (Optional) The server adds content to the senderCustomContent field according to 4.3 DTC Data Structure.
Continue with step 4.
The server creates a signature according to Section 4.5.3 Signature Creation for the compiled DTC and the private key associated with the public key included in the public key certificate in the sender field. The server then adds it as the senderSig field according to Section 4.3 DTC Data Structure. Continue with step 5.
The server MUST build the S2 message by passing the compiled (partial) DTC to the message builder (see Section 6.1.5 Message Builder), and MUST then use the outgoing message interface (see Section 6.1.9 Protocol Stack) to send the resulting message to the client.
The server MUST parse the DTC contained in the contract field of the JSON message. Then, the server MUST verify that its own public key certificate is contained in the sender field. If not, the server MUST send a BogusSenderCert error to the client according to Section 6.1.8 Error Message Builder & Error Handling.
Note
This step prevents the client from simply replacing the sender's public key certificate with a bogus certificate, for which it controls the private key, and can thus create a signature (and thus a valid DTC) independent of the sender. While such an attack would not lead to a valid DTC issued by the sender, it would lead to an invaluable DTC, which is not recognized by the sender by simply verifying the DTC using the procedure specified in Section 6.2 DTC Verification.
If the public key certificate is correct, continue with step 7.
The server MUST verify
- that the receiver's identity (in receiver) is as expected
- that the receiver's public key certificate (in receiver) is valid and trusted
  Note
  This step SHOULD include checking whether the public key certificate has been issued for the authority identified by the IRI contained in the receiver field. We further discuss this verification step in Section A.2 Identity Management.
- that the receiver's signature (in receiverSig is valid by verifying the signature according to Section 4.5.4 Signature Verification. The receiver's public key contained in the public key certificate in receiver MUST be used for the verification procedure.
If any of these verifications fail, the server MUST send an InvalidReceiverContract error message to the client according to 6.1.8 Error Message Builder & Error Handling. Otherwise, the server SHOULD accept the DTC and SHOULD forward it to a DTC storage system.

The abbreviated handshake assumes that the receiver has full access to the underlying data of the DTC, i.e., that the data transmission is completed. Further, it assumes that the receiver has access to the sender's identity and public certificate, i.e., the contents of the sender field according to Section 4.3 DTC Data Structure.

If these two assumptions hold, the receiver is able to compile the DTC except for the sender's signature. In this case, only two messages are necessary to establish a valid DTC.

Note that if the senderCustomContent is to be used, its content MUST be pre-shared before the receiver initiates the handshake, such that the client has access to it when initially compiling the DTC.

A shortened 2-way handshake dependent on a completed data transmission is shown below:

The transmission-dependent 2-way contract generation handshake

Figure 10 A message diagram of the 2-way contract generation handshake, initiated by the receiver (R). The receiver compiles the complete DTC, and the sender (S) verifies and signs it afterward. Message abbreviations: R1'=AbbrevContractRequest, S1'=AbbrevContract.

In the following, we define the behavior of client and server implementations in detail.

To initiate the DTC generation, the client MUST first compile a partial DTC. For this, the following steps MUST be carried out in any order:
- The client adds the receiver field with its own information, such that the content complies with Section 4.3 DTC Data Structure.
- The client adds the sender field with the sender's information, such that the content complies with Section 4.3 DTC Data Structure.
  Note
  As mentioned above, the content of the sender field needs to be pre-shared between sender and receiver for the abbreviated handshake.
- Based on the set of IRIs of the underlying data transmission, the client compiles the facts field in compliance with Section 4.3 DTC Data Structure. For this, the client looks up or computes the checksums for the facts identified by the IRIs of the data transmission. It then adds each checksum to the <alg> sub-field of the respective facts entry in accordance with Section 4.3 DTC Data Structure. As specified in Section 4.3 DTC Data Structure, the checksum is associated with a specific serialization of the fact. The client MUST add the serialization identifier to the serialization sub-field of each entry of facts according to Section 4.3 DTC Data Structure. The requestedID subfield SHOULD NOT be present for any entry of facts.
  Note
  Note that in the abbreviated handshake, the sender cannot update the entries of factID, as the receiver's signature already exists in the first message addressed to the sender. Instead, an IRI negotiation, as discussed in Section 4.3 DTC Data Structure SHOULD be implemented together with the data transmission, as this has to be completed before the handshake if using the abbreviated handshake version.
- The client creates a timestamp of its current time and adds it to the timestamp field according to Section 4.3 DTC Data Structure.
- The client assigns a base IRI to the baseIRI field according to Section 4.3 DTC Data Structure, which can be used to uniquely identify the created DTC. This IRI MAY be created by the receiver itself, or negotiated or created by the sender during the transmission of the data subject to the DTC.
- (Optional) The client adds content to the receiverCustomContent and senderCustomContent fields according to 4.3 DTC Data Structure.
  Note
  As mentioned above, the content of the senderCustomContent field has to be pre-shared before the abbreviated handshake.
Continue with step 2.
The client MUST create a signature according to Section 4.5.3 Signature Creation for the compiled DTC and the private key associated with the public key included in the public key certificate in the receiver field. The client then MUST add it as the receiverSig field according to Section 4.3 DTC Data Structure. Continue with step 3.
The client then MUST use the partial DTC to build the AbbrevContractRequest message by passing the partial DTC to the message builder defined in Section 6.1.5 Message Builder, and pass it to the outgoing message interface (see Section 6.1.9 Protocol Stack).

Once the client implementation is called by the incoming message handler (see Section 6.1.9 Protocol Stack), the following procedure MUST be carried out.

Start with step 1. If no "continue with step x" phrase is hit, the procedure is finished.

The client MUST pass the received message, together with an arbitrarily ordered list of the tuples (id,schema) of all error message identifiers (defined in Section 6.1.4 Message Identifiers) and their respective schemas (defined in Section 6.1.6 Message Schemas), to the message validator (see Section 6.1.7 Message Validator). If the validation returns None, continue with step 2. If the validation returns one of the error message identifiers, the implementation MAY behave arbitrarily (see the discussion and behavior recommendation in Section 6.1.8 Error Message Builder & Error Handling).
The client MUST pass the message, along with the schema for an AbbrevContract message (defined in Section 6.1.6 Message Schemas), to the message validator (see Section 6.1.7 Message Validator). If None is returned by the message validator, the client SHOULD send an UnknownMessage error to the server according to Section 6.1.8 Error Message Builder & Error Handling. If the validator returns S1, continue with step 3.
The client MUST parse the DTC contained in the contract field of the JSON message. Then, the client MUST verify that its own public key certificate is contained in the receiver field. If not, the client MUST send a BogusReceiverCert error to the server according to Section 6.1.8 Error Message Builder & Error Handling.
Note
This step prevents the server from simply replacing the receiver's public key certificate with a bogus certificate, for which it controls the private key, and can thus create a signature (and thus a valid DTC) independent of the receiver. While such an attack would not lead to a valid DTC issued by the receiver, it would lead to an invaluable DTC, which is not recognized by the receiver by simply verifying the DTC using the procedure specified in Section 6.2 DTC Verification.
If the public key certificate is correct, continue with step 4.
The client MUST verify
- that the sender's identity (in sender) is as expected
- that the sender's public key certificate (in sender) is valid and trusted
  Note
  This step SHOULD include checking whether the public key certificate has been issued for the authority identified by the IRI contained in the sender field. We further discuss this verification step in Section A.2 Identity Management.
- that the sender's signature (in senderSig is valid by verifying the signature according to Section 4.5.4 Signature Verification. The sender's public key contained in the public key certificate in sender MUST be used for the verification procedure.
If any of these verifications fail, the client MUST send a InvalidAbbrevContract error message to the server according to 6.1.8 Error Message Builder & Error Handling. Otherwise, the client SHOULD accept the DTC and SHOULD forward it to a DTC storage system.

Once the server implementation is called by the incoming message handler (see Section 6.1.9 Protocol Stack), the following procedure MUST be carried out.

Start with step 1. If no "continue with step x" phrase is hit, the procedure is finished.

The server MUST pass the received message, together with an arbitrarily ordered list of the tuples (id,schema) of all error message identifiers (defined in Section 6.1.4 Message Identifiers) and their respective schemas (defined in Section 6.1.6 Message Schemas), to the message validator (see Section 6.1.7 Message Validator). If the validation returns None, continue with step 2. If the validation returns one of the error message identifiers, the implementation MAY behave arbitrarily (see the discussion and behavior recommendation in Section 6.1.8 Error Message Builder & Error Handling).
The server MUST pass the message, together with the AbbrevContractRequest schema (see Section 6.1.6 Message Schemas) to the message validator (see 6.1.7 Message Validator). If the validator returns None, the server MUST send an UnknownMessage error to the client according to Section 6.1.8 Error Message Builder & Error Handling. If the validator returns AbbrevContractRequest, continue with step 3.
The server MUST extract and parse the partial DTC contained in the content attribute of the JSON message, and verify
- that the receiver's identity (in receiver) is as expected
- that the receiver's public key certificate (in receiver) is valid and trusted
  Note
  This step SHOULD include checking whether the public key certificate is issues for the authority identified by the IRI contained in the receiver field. We further discuss this verification step in Section A.2 Identity Management.
- that the receiver's signature (in receiverSig) is valid by verifying the signature according to Section 4.5.4 Signature Verification. The receiver's public key contained in the public key certificate in receiver MUST be used for the verification procedure.
- that the fact checksums contained in facts are valid. This verification step can be done by re-computing or looking up the fact checksums given the serialization identified by the serialization field.
  Note
  In contrast to the 3-way handshake (see Section 6.1.2 Complete (3-way) Handshake), this step is not optional, as the 2-way handshake requires a previously completed data transmission. Thus, making this step mandatory does not constrain the application of the procedure.
If any of these verifications fail, the server MUST send an InvalidAbbrevContractRequest error message to the client according to Section 6.1.8 Error Message Builder & Error Handling. If all of the verifications succeeded, continue with step 5.
The server MUST verify that its own identity and public key certificate are correctly included in the sender field.
Note
This information has to be pre-shared between sender and receiver for the abbreviated handshake. If this information is not correct, the signature in step 6 cannot be created with the matching private key.
If not, the server MUST send a BogusSenderCert error message to the client according to Section 6.1.8 Error Message Builder & Error Handling. If the information is correct, continue with step 6.
The server MUST create a signature according to Section 4.5.3 Signature Creation using the partial DTC from the AbbrevContractRequest message and the private key associated with the public key included in the public key certificate in the sender field, and add it as the senderSig field according to Section 4.3 DTC Data Structure. The server SHOULD accept the complete DTC and SHOULD forward it so a DTC storage system. Finally, the server MUST build the AbbrevContract message by passing the now-complete DTC to the message builder (see Section 6.1.5 Message Builder), and use the outgoing message interface (see Section 6.1.9 Protocol Stack) to send it to the client.

The defined message identifiers are partitioned into non-error message identifiers and error message identifiers.

We do not further specify the implementation of the message identifiers. They could, for example, be implemented using constant string values, or with an enum-like structure.

We define the following non-error message identifiers:

ContractRequest: Identifies the first message in the complete handshake defined in Section 6.1.2 Complete (3-way) Handshake.
SenderContract: Identifies the second message in the complete handshake defined in Section 6.1.2 Complete (3-way) Handshake.
ReceiverContract: Identifies the third message in the complete handshake defined in Section 6.1.2 Complete (3-way) Handshake.
AbbrevContractRequest: Identifies the first message of the abbreviated handshake defined in Section 6.1.3 Abbreviated (2-way) Handshake.
AbbrevContract: Identifies the second message of the abbreviated handshake defined in Section 6.1.3 Abbreviated (2-way) Handshake.

We define the following error message identifiers:

UnknownMessage: Indicates that the message could not be validated against any message schema.
UnexpectedSenderContract: Indicates that an S1 message was received by the client without expecting it (see Section 6.1.2 Complete (3-way) Handshake).
InvalidSenderContract: Indicates that the verification of an S1 message failed (see Section 6.1.2 Complete (3-way) Handshake).
BogusSenderCert: Indicates that the public key certificate contained in the sender field of an R2 message did not equal the sender's actual certificate (see Section 6.1.2 Complete (3-way) Handshake).
InvalidReceiverContract: Indicates that the verification of the previously transmitted ReceiverContract message on the server side failed.
BogusReceiverCert: Indicates that the receiver's certificate, as included in the receiver field of the partial DTC within the previously transmitted SenderContract message, was not the correct certificate of the handshake client.
InvalidAbbrevContract: Indicates that the client-side verification of the previously transmitted AbbrevContract message failed.
InvalidAbbrevContractRequest: Indicates that the server-side verification of the previously transmitted AbbrevContractRequest message failed.

The message builder is used to build JSON messages to be transmitted according to Section 6.1.9 Protocol Stack. Its behavior is the same for client and server implementations, and it provides an interface for the implementation of both server and client behavior, as specified in Sections 6.1.2 Complete (3-way) Handshake and 6.1.3 Abbreviated (2-way) Handshake.

If an implementation implements the client or server part of the generation handshake, it MUST also implement the message builder.

The message builder MUST implement the following functionality.

Input: A non-error message identifier (see Section 6.1.4 Message Identifiers) and a (partial) DTC
Note
Details about building error messages can be found in Section 6.1.8 Error Message Builder & Error Handling.
Behavior: The message builder MUST carry out the following steps:
1. Create an empty JSON object ({}), referred to as res.
2. Assign the message identifier to res as the string content of the messageType attribute.
3. Serialize the (partial) DTC as a JSON object according to Section 4.4.1 JSON, and assign it to res as the contract attribute.
4. Return res to the caller.

The following is an informative example of an S1 message (see Section 6.1.2 Complete (3-way) Handshake) as generated by the message builder.

Example 7: Example handshake message (SenderContract)

{
  "messageType": "SenderContract",
  "contract": {
    "baseIRI": "https://example.com/contracts/2021-09-24/134",
    "sender": {
      "type": "X509",
      "encoding": "base64",
      "cert": "MIIEkTCCAnmgAwIBAgIUTpTAugWv4ZYQX9nk2zETfVcMi38wDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEzARBgNVBAoMCkV4YW1wbGUgQ0ExEzARBgNVBAMMCkV4YW1wbGUgQ0EwHhcNMjEwNDE1MjExMTExWhcNMjIwNDE1MjExMTExWjAzMR0wGwYDVQQKDBRFeGFtcGxlIGNoYWluIGNlcnQgMTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvw8C6sqLUVSOwFPbZsqS/1cL/+7aaaxVPwXs7TjPVombwNLyJW8yPyyQLbsTN5evVCpNdzciYc9Nhh77AYrqCiOsZBb7hu/PMqNqDvU2FAHeTH9KZ1PSpsOdgzG4i9widL6FBKGrxvlyj0G5ztQoGtymJFdmQ8K/ZN2W5Bi27H24UgITO+mX5MGmzFfyib7bDnvNqZUMJEgpSGt+jUf/7pMtuQqusrE1bfg5vvCbHIPHx2KXqzQEjNiioDafzKjIY2NSakis1AZe+J46o/Za0L8TUMXPvO1nSX4VMm9w5Qqf8auKdlUnT7fVqGKxQvPgX/JM/ksduZqZdTE1giWDgQIDAQABo4GDMIGAMB0GA1UdDgQWBBQtTnbTodwlQnP0QXA2VRv6DBWgzzAfBgNVHSMEGDAWgBR+/85DLJ8v0EP1y6kv/I9XPsHQ5TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAG47hxcjEY6kXojCadK15iW5t6P2p2NCfXpymeRuVaHiI7hhMwQEPymGqXZe0MKUKaRxb9BssG9UvndJw7PWdLx55Y498dgEVXWp7UWUg+VmLxE0wrS+7odJ6ZwsSTPhlgQVF3y9SOP18UX1Iy+ipkdPVbeiQB2QJOYLdxj3h26a/BevyWJU7jTbZO9fNX3FlopyQbB64QPJKJyQiYrT1td7lOcreyBJUS2e5p+hifW/ukxHQ9QtfN+mE/MlnUSHar6LgXPX3AoiVKc14L5E7jRHLDCvFWO1PfVCsS6RWIKdoWsEUytDnMYLHb2TmMJWQf8S69BLyqgEhKXNS9hZceGr32jM9O6TepYKZNH5A1QLjZcuHHKUAzXMjM9loNLra/VGcqrMTdZYautGl8EdEURqE063qDd+Hsp3Vqw0iALQHcbEb6R1b2o5dIrczo+PINTSvnFv+4GyqznXEYjcueLrR/R6kE9GNOiPUxpont+0s1JCAKPaaZk97Z09ldtD47rPQLQgWopDadVOm3Gu9+ef7uqqpJw9+q384mqgw4P1Yws6aVkXLdvh8MCXcMEYi2AeQVCCZv2CjAh8CZQC+0P2JtkhWlCxPoSDk4jbm6koCxcpL3CRcc5LtTTrev5+Mi0oDMiLzx09GNls3SQzdKdP9PM+Y7E7y4Xi2LW3FtoG",
      "authID": "http://example.com/sender"
    },
    "receiver": {
      "type": "X509",
      "encoding": "base64",
      "cert": "MIIEkTCCAnmgAwIBAgIUTpTAugWv4ZYQX9nk2zETfVcMi4AwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEzARBgNVBAoMCkV4YW1wbGUgQ0ExEzARBgNVBAMMCkV4YW1wbGUgQ0EwHhcNMjEwNDE1MjExNDM1WhcNMjIwNDE1MjExNDM1WjAzMR0wGwYDVQQKDBRFeGFtcGxlIGNoYWluIGNlcnQgMTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKe4H5GwuaKS02s6oAnQF0e30TLyB3joT5GNzwa94WXuLjU8SWKqOjLQyIN2ZBtZW1jNI3By6nsPoU3t181SBStFI25JZ8PUvJ9/Skf/adRmrtXHX8MYRBqN4d1JIRdOoLxwq+bI0UIyMmMNMTjvhnWwTx4FkXwup5fna9FFBbtOGP+7vMVl98L2/bDMJwwLdnzUs0CKLyqDRx0XWAnp6R6CN9YDeMgpdDviMkBfeY74AJ084v6pWnx+K0PlUuQAkiuPvcRsDxgjHRO18rq4wA6Dxh6My7Xh/uHFzb5cmLT7C7kfr+WN26va8IRGCF8NWdOYQ0HSo/vbY/eIOB/G0wIDAQABo4GDMIGAMB0GA1UdDgQWBBSmlyw0Ht9gF3rnI42Us1dK9+jZ/DAfBgNVHSMEGDAWgBR+/85DLJ8v0EP1y6kv/I9XPsHQ5TAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBABMLMfSOAwk34LEK9L/A1qtHTJPQ2BF3XjnbswINNao0oOI3PSWKU0weWYlITH29hgyzrwO8A9ifaOFPtsRxe9/UNv6RNqwObLpxF+f2U3ulu2hTzd7l/ZXUGYaBUHLL3Cu1JlZWMRoTUBUHAvkwnQlUkQLJZ7A+N9y+FfV5apIMTwPA+C2lwiVtEd3Hje5Z9lUmjwiARRnsliRuCm2ZY0IHvneQN7NnOFCFFQQnu/7wMEywNWR3NMtj5AcMugs56OqcAglwq+HqYNCUkelt1/I7A/NwitaPEYu/1TDjQBckR6nbtJwHKFx2M9heB+E5iMI65r+ae01jBr+r7tes6UdEz7SCF3xHks3ubKfRQykZzTZ7ixeHYG5XjaUSSk8EDuBCdZOJ/AUAA+Rar/UPODUd1YQUZDUqs0MvB9zXQYBtEhwii75pCmkFBpZewo6xyktdP3964q7MZPZQZTZimh02CxcWdXZj6JkoL6ihuM36UciS9rXUgIGGdJcbhC5mP/PqRYsAzipOvQiRL7mGRB9L8H0Wt08yl3H0KFwGcgasML8tOOkf+4MsGIHJZaJ20cVfdWm1StOtLN1Bn+gAppq8nlvDgPiQ3NxSsvY+Qpb0WSVWknc1VyOPKexKaM20/alMv/fykVhVmmAcNVshIMAuKV5TnhqeZyg8L02pVAHL",
      "authID": "http://example.com/receiver"
    },
    "senderSig": {
      "type": "urn:oid:1.2.840.113549.1.1.10",
      "encoding": "base64",
      "sig": "S82Al/YgpfjywjagQ03tjr8WT2oiMSkuYGA5hoXL/LCZHJhR4UGuXyQe1lJ6+yDRiN8FbKcp6ZrClb645rKpIK9UP/Y50wOo/vXCdeUGRqWj4NduoJsBKAP9O4QfQQkT9POHwcbYDsbvEGm3M7fh7mrOn6PzQQgq8vNGayVP5VmFLofxhArc2cy7/TthDl5sBwngpIokHUGOIE+RXasifJ/KS+DALU2s51EZzP2NuTbOvC2328UD5yhvHTopwqn3OrMWbKjF8UUDFjQHYx383hrK3VPjqfrMMNT3OHiJB6t9pJwZ3lmD3PV0Axp6k1XV+oxckBaYN7dCNneQn+zkcw=="
    },
    "facts": [
      {
        "factID": "http://example.com/facts/fact1",
        "sha256": "5fc62b0e99a143ff2b99b56a6953f07e96f52023aa3739bba3fec1194292f48e",
        "serialization": "string"
      },
      {
        "factID": "http://example.com/facts/fact2",
        "sha256": "828bbc97b5b866992dc8bc532265e3094bc9e17cce05e16d90844d2160ad99cf",
        "serialization": "string"
      },
      {
        "factID": "http://example.com/facts/fact3",
        "sha256": "c646cfa0feda9af766e6eca97f8578f3eb2b126d2349ea7ce1fd2d3b3fe2d456",
        "serialization": "string"
      },
      {
        "factID": "http://example.com/facts/fact4",
        "sha256": "5845f61bccd9c5631dee29f9e87830b11eb5b531081a8888db42e80e2f153fc0",
        "serialization": "string"
      }
    ],
    "timestamp": "2021-04-15T21:50:29.940Z",
    "senderCustomContent": {
      "authMethod": "PublicKey",
      "authSuccessful": true,
      "authUserId": "user123456"
    },
    "receiverCustomContent": {
      "dbStorageId": "StorageCluster5"
    }
  }
}

We define one message schema per message identifier.

For this, we build upon the same specification of JSON Schema [JSON-SCHEMA][JSON-SCHEMA-VALIDATION] as in Section 4.4.1 JSON.

The message schemas can be obtained through the following links:

Abstract (generic) schemas:
- Generic message: Schema
- Generic error message: Schema
- Partial DTC: Schema
Non-error message schemas:
- ContractRequest: Schema
- SenderContract: Schema
- ReceiverContract: Schema
- AbbrevContractRequest: Schema
- AbbrevContract: Schema
Error message schemas:
- UnknownMessage: Schema
- UnexpectedSenderContract: Schema
- InvalidSenderContract: Schema
- BogusSenderCert: Schema
- InvalidReceiverContract: Schema
- BogusReceiverCert: Schema
- InvalidAbbrevContract: Schema
- InvalidAbbrevContractRequest: Schema

The message validator is used to validate a JSON message against an ordered list of schemas. It provides an interface to the client and server implementations specified in Sections 6.1.2 Complete (3-way) Handshake and 6.1.3 Abbreviated (2-way) Handshake.

Any implementation implementing the client or server part of the generation handshake MUST also implement the message validator.

The behavior of the message validator MUST be implemented as follows:

Input: A JSON object (referred to as msg) and a list of tuples (id_0,schema_0),...,(id_n-1,schema_n-1), where for i=0,...,n-1, id_i is a message identifier, and schema_i is the according JSON schema according to Section 6.1.6 Message Schemas.
Behavior: The validator tries to validate msg against the JSON Schemas, starting with schema_0, applying a first-match policy. That is, for the first tuple (id_i,schema_i), such that msg matches schema_i, the message validator terminates and returns id_i to the caller. If none of the schemas match msg, the validator returns None (which MAY be represented as a string or as a language-internal representation of a null value).

We define a special message builder for error message identifiers, which provides an interface to the client and server implementations in Sections 6.1.2 Complete (3-way) Handshake and 6.1.3 Abbreviated (2-way) Handshake.

Any implementation implementing the client or server part of the generation handshake MUST also implement the error message builder.

The error message builder MUST be implemented with the following functionality:

Input: An error message identifier
Behavior: The error message builder MUST carry out the following steps:
1. Create an empty JSON object ({}) referred to as res.
2. Assign the error message identifier as a string to the messageType attribute of res.
3. Assign an implementation-dependent error message as a string to the errorMessage attribute of res.
  Note
  This field can be used to carry further meta-information about the error occurrence, but is not further specified.
4. Return res to the caller.

The following is an informative example of an error message with the UnknownMessage message identifier as generated by the error message builder.

Example 8: Example error message (UnknownMessage)

{
  "messageType": "UnknownMessage",
  "errorMessage": "Unrecognized message format!"
}

Note that we do not specify how error messages are handled. However, we recommend that error messages SHOULD NOT simply be ignored, as this behavior MAY lead to invalid (and thus invaluable) DTCs. An implementation SHOULD instead decide to either repeat the handshake step which caused the error, or abort the generation handshake, such that a new handshake can be initiated.

The JSON messages are either transmitted directly on top of TCP [RFC793], via TLS directly on top of TCP, or wrapped into HTTP [HTTP11] requests, optionally over TLS (HTTPS) [HTTP-TLS].

In order for the lower protocol stack to be transparent for the client and server implementation, we define an additional abstraction layer. This abstraction layer MUST implement two components:

An outgoing message interface, which can be called using JSON objects to send messages.
An incoming message handler, which forwards valid JSON messages to the client or server implementation.

Depending on the protocol stack, these components are implemented differently, as we specify in the following.

If only TCP is used (no TLS or HTTP on top), the server MUST provide an open port that can be contacted by the client. Upon contract handshake initiation, the client MUST open a connection to the server, such that both the client and the server have an open bi-directional TCP socket. The two abstraction components MUST be implemented as follows for client and server:

Outgoing message interface: Whenever called with a valid JSON object, the implementation MUST serialize the JSON as a string in UTF-8 encoding [RFC3629] and send it through the TCP socket with a trailing newline character.
Incoming message handler: Whenever the incoming data can be aggregated to a valid JSON object, it MUST be parsed as a JSON object, and the associated client or server implementation MUST be called with said JSON object.

If TLS is used on top of TCP without HTTP, the server MUST provide an open TCP port that can be contacted by the client, but only accepts TLS traffic. Upon contract handshake initiation, the client MUST open a connection to the server and carry out a TLS handshake, such that a TLS-protected tunnel is established. Then, the abstraction components (i.e., the outgoing message interface and the incoming message handler) MUST be implemented as in the no-TLS case, but using the TLS tunnel instead.

If HTTP or HTTPS is used, the server MUST provide an HTTP(S) server to which the client can connect. Upon contract handshake initiation, the client MUST open a TCP connection (without TLS) or create a TLS tunnel through a TLS handshake (with TLS), through which HTTP traffic can be sent. For the abstraction components, we differentiate between client and sender.

The client-side abstraction components for HTTP(S) MUST be implemented as follows:

Outgoing message interface: Whenever called with a valid JSON object, the implementation MUST create and send an HTTP POST request through the established tunnel, containing the serialized JSON object as its body, and MUST set the Content-Type header to application/json. It MUST then install the incoming message handler, such that it gets called with the response to the request.
Incoming message handler: Is called with the response of a previously executed POST request. If the response Content-Type header does not indicate the application/json type, the implementation SHOULD initiate a retransmission of the previous message by either sending an UnknownMessage error message (see Sections 6.1.4 Message Identifiers and 6.1.8 Error Message Builder & Error Handling), or by retransmitting the previous message, using the outgoing message interface.
Note
Because the client is not simply able to provide feedback in the form of an HTTP status code, as it only performs requests, we leave error handling to the implementation. We refer to the general discussion of ReShare's approach on error handling in Section 6.1.8 Error Message Builder & Error Handling.

The server-side abstraction components for HTTP(S) MUST be implemented as follows:

Outgoing message interface: MUST be called with the context of a previously received incoming HTTP POST request. The implementation MUST create and send a response to the request in the context with which the outgoing message interface was called. The body of the response MUST be set to the JSON object, with which the outgoing message interface was called. The status code of a message with a non-error message identifier (see Section 6.1.4 Message Identifiers) MUST be set to 200. The status code of a message with an error message identifier (see Section 6.1.4 Message Identifiers) SHOULD be set to one of the acceptable status codes from the table below, depending on the message identifier. The Content-Type header MUST be set to application/json.
Note
A 200 status code is considered acceptable for every defined error message, as these higher-layer errors are already uniquely identified through their respective message schemas. Thus, using a 200 status code does not hinder an implementation's functionality, but we consider the usage of proper error status codes good practice.
Incoming message handler: MUST be called whenever an HTTP request is received from the client. If the Content-Type header of the request does not indicate the application/json type, the incoming message handler MUST respond with an empty response with a 406 status code, without calling the server-side implementation of the handshake. Else, the body of the request is parsed as a JSON object, and the server-side implementation of the handshake (defined in Sections 6.1.2 Complete (3-way) Handshake and 6.1.3 Abbreviated (2-way) Handshake) is called with the parsed JSON object. Additionally, the incoming message handler SHOULD store the context of the request, such that it can be passed to the outgoing message interface once it is called by the server implementation.

We define the following acceptable status codes for error messages based on the error message identifiers (see Section 6.1.4 Message Identifiers):

Note

We only define status codes for error messages which can be sent by the server during the handshake, as a client only sends HTTP requests, which do not carry a status code.

Message identifier	Recommended HTTP Status Codes
`UnknownMessage`	`200`, `400`
`BogusSenderCert`	`200`, `422`
`InvalidReceiverContract`	`200`, `422`
`InvalidAbbrevContractRequest`	`200`, `422`

DTC verification can be executed fully locally, as the DTC itself contains all information necessary for its verification. This self-containing property of DTCs allows for efficient and unambiguous verification without the need to directly communicate with the involved parties.

To verify a DTC and the resources for which it contains checksums, access to the following information is required:

The DTC itself
The resource(s) to be verified
A list of trusted root CAs (and their public keys)

The verification steps immediately emerge from the design of the trust chain of DTCs. In order to verify a syntactically valid DTC, one MUST execute the following verification steps in any order:

Verify the public key certificates by verifying the certificate chains in sender and receiver using a pre-installed trusted root CA's public key as the trust anchor.
Note
This step SHOULD include checking whether the public key certificates are issued for the respective authorities identified by the IRIs contained in the sender and receiver fields. We further discuss this verification step in Section A.2 Identity Management.
Verify the DTC signatures in senderSig and receiverSig using the public keys contained in the certificates in the sender and receiver fields and the signature verification process specified in Section 4.5.4 Signature Verification.
Verify the fact checksums using the original data. For this, the facts need to be serialized according to the serialization format identified in the serialization field. Subsequently, the checksums need to be re-computed given the serialized facts, and compared to the checksum included in the DTC.
Note
We do not further specify this verification step, as the process of serializing facts of different types is deemed out-of-scope for this document.

If any of the verification steps fail, the verification mechanism MUST terminate with a negative result.

Depending on the use case, it MAY be desirable to extend these verification steps, e.g., by verifying that the owner of the certificates in the receiver and sender fields are as expected. While such extensions are not part of this verification mechanism, we advise implementors to carefully review that no unverified assumptions are made about the contents of a DTC.

ReShare with its specification of DTCs, the ontology, and the DTC creation and verification process, enables users to achieve data trustworthiness and reliability in a scalable manner. In this context, the central aspect not covered before by Web technology, but essential in the context of data-driven or industrial data sharing settings is the accountable involvement of both parties in the data transmission process, which is implemented using bilateral signatures in ReShare.

This section is non-normative.

In the following section, we briefly elaborate on some of the design decisions and considerations w.r.t. ReShare.

This section is non-normative.

In recent years, both W3C itself and W3C Community Groups have been quite active in the field of expressing cryptographically-backed claims or statements about data. To the best of our knowledge, the following three documents are especially noteworthy:

Verifiable Credentials [VC-DATA-MODEL],
Data Integrity [DATA-INTEGRITY], and
Decentralized Identifiers [DID-CORE].

ReShare was developed largely in parallel to these developments throughout years 2020 until early 2021, and the major parts of this document were created mostly from April to the end of 2021. ReShare was designed with backward-compatability with the existing Web infrastructure in mind and as such makes use of established standards at the time of design as a largely self-contained solution. That being said, future work, e.g., towards standardization, may potentially also make use of these related efforts. A potential role of Decentralized Identifiers in ReShare is discussed in Section A.2 Identity Management. In the following, we focus on Verifiable Credentials and the Data Integrity specification.

Verifiable Credentials (VC) [VC-DATA-MODEL] provide a cryptographically-secure and machine-readable approach to expressing credentials. An overview of conceivable use cases can be found in [VC-USE-CASES], and include a variety of claims in the areas of education, finance, healthcare and more.

The data model of a VC is defined independently from its representation. However, the specification defines both a JSON, and a JSON-LD representation, thus taking a very similar approach to ReShare.

As VCs represent very general means of expressing, presenting, and proving a set of claims in the form of credentials, it is conceivable that VCs could be used as a framework for an implementation of DTCs, together with a DTC generation mechanism similar to the one we currently specify.

However, the following two considerations have lead us to the decision of refraining from the use of VCs in ReShare as of now:

While a credential is defined as essentially consisting of metadata, one ore more claims, and one or more proofs, which is applicable to the model of a DTC, the use cases in [VC-USE-CASES] are very much centered around use cases of a single individual in everyday life.

This makes us wonder whether applicability in typical use-cases of inter-organizational data sharing of ReShare is given, as such scenarios might not have been considered in the design of the VC specification.
Probably the most essential design choice defining the paradigm of DTCs lies in the idea of bilateral on-demand signatures, as we describe in-detail in Section 4.1 Mutual Commitment through Bilateral Signatures.

In the VC specification, while multiple proofs within a single VC are supported, a VC always has one issuer by design (see 4.5 Issuer), which is incompatible with the paradigm of a DTC having two equally-involved parties, the sender and the receiver, whose signatures are both required for a DTC to be considered valid.

Of course, depending on future developments, the suitability of VC as a framework for DTCs should be re-assessed if a new version of ReShare is to be designed in future.

For example, as we discuss below, signature sets, as used in contracts, are included in the Data Integrity [DATA-INTEGRITY] specification, and could find their way into a future version of the VC specification, possibly expanding the set of use cases to those of DTCs.

The Data Integrity specification [DATA-INTEGRITY] strives to provide data models and representations of cryptographic proofs, such as signatures and integrity checksums, within the context of Linked Data.

Such mechanisms clearly find a promising use case in DTCs, as DTCs include integrity checksums of the data subject to the underlying data transmission (see facts), as well as digital signatures of both DTC parties (see sender and receiver). Even proof sets are already included in the Data Integrity specification (see 3.1 Proof Sets), for which we deem DTCs a very interesting use case.

Naturally, ReShare would greatly profit from employing a standardized mechanism of including and structuring these cryptographic proofs in DTCs. Therefore, we consider the Data Integrity specification as a promising mechanism to be used in a future version of ReShare.

As of now, ReShare uses a custom implementation of embedding signatures and checksums in DTCs, which has to be attributed to the temporal overlap of ReShare and the Data Integrity specification, as the Data Integrity specification is in a relatively early stage of standardization.

This section is non-normative.

Tackling the challenge of integrating a consistent and well-designed identity management approach, which also seamlessly interoperates within the ecosystem of common application contexts, clearly is a non-trivial task. We elaborate on our considerations w.r.t. an identity management system within ReShare in the following.

ReShare employs X.509 certificates for identity management. Parties of a contract are reliably linked to their signatures through their public key, which is contained in the DTC itself. Through this approach, we achieve a robust link between the party identified through an X.509 certificate to the signature that party creates.

However, the linking of an X.509 certificate to the party itself (e.g., a physical person or company) is also a major task in defining an identity management system. Here, we give recommendations on what such an approach should fulfill, but in general consider this task out of scope for ReShare.

The information about the two signing parties of a DTC include a public key certificate and an IRI - separated from the certificate - per party. These IRI and public key certificate of a party are included in the sender and receiver fields of a DTC, as described in Section 4.3 DTC Data Structure.

However, the IRI of a party should additionally be included in the subject part of a party's public key certificate. Thereby, the party identified through the IRI can be held accountable for the uses of the private key matching the public key provided in the X.509 certificate, as long as the certificate validity is trusted.

For this link of IRI to X.509 certificate to be trustworthy, self-signed X.509 certificates are only conceivable for testing purposes. In productive use, for the DTC to be valuable, certificates should always be valid within a certificate chain starting at a root certificate, which is commonly trusted by all conceivable verifiers of the DTC to be created.

As specified in Section 4.3 DTC Data Structure, we leave our system open to extensions w.r.t. other certificate technologies than X.509. Therefore, we also decided not to further specify a mechanism of mapping IRIs to parties such as phyisical persons or organizations, but consider it out of scope.

However, in the following, we discuss how new technologies and standardization approaches of W3C could be used in future to extend or improve identity management in ReShare.

We opted to use X.509 as our Public Key Infrastructure (PKI), as it is a commonly trusted system, and therefore does not hinder acceptability of ReShare.

However, X.509 is quite inflexible with the employed trust infrastructure, as it enforces a hierarchical trust structure by design. Furthermore, while it is a common use case of X.509 to verifiably link certificates to domain names, to the best of our knowledge, a mechanism to verifiably link certificates to parties such as persons or organizations can hardly be found.

For these reasons, deviating from pure use of X.509 certificates in ReShare may prove to be best in future. One technology is especially noteworthy with these regards, which is the Decentralized Identifiers specification [DID-CORE].

A Decentralized Identifier (DID) allows to identify an arbitrary entity, such as an individual or organization. Because DIDs themselves are URIs (Uniform Resource Identifiers), which in turn is a subset of IRIs, DIDs could be used within ReShare with ease.

However, the DIDs themselves only define a mechanism to access the DID document related to the DID, which contains the statements the DID makes, including the link to a physical identity, or the public key material. For the accountability and verifiability guarantees we deem crucial in ReShare, such information should be self-contained within a DTC itself. Now, while it is conceivable to directly include DID documents in a DTC, this conflicts with an essential design choice of [DID-CORE], that is, that the DID controller is in charge of altering, or more generally, controlling the DID document. When this DID document is included within the DTC, this makes the DID document immutable without the DTC losing its validity, and thus takes away the control from the DID controller. It is hard to say whether this deviation from the design of [DID-CORE] would be reasonable.

If one decides to employ DIDs in DTCs, and directly includes the attached DID documents in some representations, the DID document could completely replace the public key certificate of a party within ReShare. A public key can optionally be directly included within the DID document (see 5.2.1 Verification Material), making an external public key certificate unnecessary, as long as the trustworthiness of this public key can be guaranteed.

In our current approach, we have established verifiability independent of certificate availability by including the public key certificates directly within a DTC. For the use of DIDs to provide the same verifiability guarantees, the following points would have to be fulfilled:

The DID document has to be included in the DTC itself (see above),
the DID document has to contain a public key (as a JSON Web Key, JWK [RFC7517]), and
the JWK has to contain the X.509 certificate chain (see the x5c property).

Note that both the use of publicKeyJwk in [DID-CORE] and the use of x5c in [RFC7517] are optional, and thus would have to be enforced in a future version of ReShare.

Furthermore, as the use of JWKs is currently the only specified stable mechanism for including public keys in DID documents (see 5.2.1 Verification Material), and JWKs rely on X.509 certificates, we still find ourselves with the disadvantages of using an X.509 PKI when using DIDs as of now.

Because of the stated disadvantages of X.509 certificates, we see the need for a novel mechanism to prove possession of a public key, which clearly relates said key to an entity. Such a mechanism should integrate well within the modern ecosystem of Linked Data, while building upon a secure and trusted PKI with well-defined methods to register or create your own certificate, which is linked to you as a person, organization, or different entity.

This section is non-normative.

We have introduced the shortened 2-way handshake as a way to reduce the communication overhead in an application scenario with high communication latencies. However, this shortened version requires that the transmission of the data which is signed in a given DTC is completed before DTC generation. With the complete 3-way handshake, the DTC generation is completely independent of the underlying data transmission, except that the receiver has to know which resources are transmitted.

The sequentiality arising from a dependency on the data transmission has practical disadvantages in many cases, such as an increased management and implementation overhead by more closely integrating the data transmission process into the DTC generation mechanism. Given the context system, configuration or implementation changes in the data transmission backend might be necessary to implement the necessary pre-sharing to allow for a short handshake.

Therefore, we consider the complete 3-way handshake the default handshake, but still specify the shortened 2-way handshake for special high-latency environments. Without a strong argument against it, we advise to use the 3-way handshake.

ReShare

Scalable Reliability for Data Sharing on the Web

Abstract

Status of This Document

1. Introduction

2. Conformance

3. A Primer to Data Sharing

3.1 Background

The Challenge of Data Trustworthiness

The Challenge of Data Reliability

Relevance of the Web

3.2 Terminology

3.2.1 Concepts

3.2.2 Process and Agents of Data Sharing

3.3 Example Scenario

Setup

Trustworthiness & Reliability through Common Methods

4. Digital Transmission Contracts (DTCs)

4.1 Mutual Commitment through Bilateral Signatures

4.2 Application to the Example Scenario

4.3 DTC Data Structure

4.4 DTC Representations

4.4.1 JSON

4.4.2 JSON-LD

JSON to JSON-LD

JSON-LD to JSON

4.5 Signature Creation & Verification

4.5.1 Overview

4.5.2 Pre-Processing

4.5.3 Signature Creation

4.5.4 Signature Verification

5. The ReShare Ontology

5.1 Overview

Classes

Object Properties

Data Properties

5.2 Classes

Digital Transmission Contractc

Factc

Identityc

Receiverc

Senderc

Signaturec

5.3 Object Properties

fact originop

has factop

identifiesop

receiverop

receiver signatureop

requested fact originop

senderop

sender signatureop

signature typeop

5.4 Data Properties

certificate encodingdp

certificate typedp

custom contentdp

fact checksum (sha256)dp

fact checksum (sha384)dp

fact checksum (sha512)dp

fact serializationdp

receiver custom contentdp

sender custom contentdp

signature datadp

signature encodingdp

timestampdp

X.509 certificatedp

Legend

6. DTC Generation & Verification

6.1 DTC Generation Handshake

6.1.1 Overview

6.1.2 Complete (3-way) Handshake

Handshake Initiation (Client-side)

Client-side Incoming Message Handling

Server-side Incoming Message Handling

6.1.3 Abbreviated (2-way) Handshake

Handshake initiation (Client-side)

Client-side Incoming Message Handling

Server-side Incoming Message Handling

6.1.4 Message Identifiers

Digital Transmission Contract^c

Fact^c

Identity^c

Receiver^c

Sender^c

Signature^c

fact origin^op

has fact^op

identifies^op

receiver^op

receiver signature^op

requested fact origin^op

sender^op

sender signature^op

signature type^op

certificate encoding^dp

certificate type^dp

custom content^dp

fact checksum (sha256)^dp

fact checksum (sha384)^dp

fact checksum (sha512)^dp

fact serialization^dp

receiver custom content^dp

sender custom content^dp

signature data^dp

signature encoding^dp

timestamp^dp

X.509 certificate^dp