Blockchain
Contents
DG CNECT
DG FISMA - OTC trading
Demonstrator (2017-2018)
Demonstrator (2018)
Google Cloud Deployment (PwC)
OAM DLT nodes
EFTG portal
OAM client application (Java simulator)
Sourcecode
Public portal for the January 26, 2018 demonstration (AWS, managed by EC)
Other info
Other
PwC
- FIDES - blockchain notary by PwC
Energy and utilities
Customs
- DG TAXUD - customs on Hyperledger Fabric - Excise Movement Control System
- DG TAXUD - Excise Movement Control System (accijns)
European Blockchain Partnership (EBP)
- CEF Digital EBP homepage
- Policy Group, Technical Group (including TechGov/Security)
- Legal Social Economic Group
- Use Case Groups
- Node overview
- And more: common documents, terminology, early adopters, ...
Conferences
EBSI public domain info
EBSI homepage
EBSI Early Adopters
Social media
CEF (legacy, migrated to Digital Building Blocks)
EBSI API
Other EBSI public info
EBSI v2 Early Adopter Program
Program
DIGIT
DIGIT admin
EBSI project management
Organisation
Implementation/Sprints
Progress tracking
OMB and EBP
CEF BBs and EBSI governance
CEF BBs governance
Blockchain governance
EBSI service desk
CEF EBSI support and status info
DIGIT EBSI software assets
EBSI cloud (AWS, Azure)
EBSI DevOps
EBSI console, Grafana, ...
EBSI trust
EBSI knowledge management
EBSI legal
Trusted Issuer Registry legal analysis and agreement
Verifiable Attestation Diploma Service Agreement
GDPR: SSI user's information notice
EBSI legal WIP (sieux)
EBSI legal landing pages
Basics
Terms and Conditions, SLA
Legal 'Get started with EBSI' - legal assessment reports
- Legal assessment reports
- ESSIF Onboarding Service (EOS) legal analysis
- For the scope of EBSI 2.0 the service of onboarding users to self-create their DIDs will be referred to as "ESSIF onboarding service", not as "Trusted Registration Authority", which insinuates the involvement of a public authority.
- For the scope of EBSI 2.0 the onboarding service will not be required to involve real-name identification of the users who create DIDs. It is a service, not a certification.
- SSI eIDAS report - drill down
- Part 1 Introduction to SSI
- Part 2 eIDAS
- Part 3 Legal scenarios related to SSI and eIDAS
- General considerations:
- extend ESSIF to legal persons
- assert VC as equal to electronic documents
- a NP's DID is a pseudonym
- a LP's DID is most likely an asset property of the legal person
- it can be imagined DID are used for authentication or signing
- Very short term: use of notified eID means/QCs to issue VCs, role of eIDAS bridge and eIDAS nodes
- Short term: use of Verifiable IDs as eIDAS means, issuance of QCs based on DIDs
- Mid-to-Long term:
- Extension of eIDAS notification to Verifiable Attestations
- Issuance of Verifiable Attestations as a trust service
- Regulation of Identity Hubs as a trust service
- Regulation of delegated key management as a trust service
- Regulation of specific types of DLT nodes as a trust service
- GDPR report - drill down
Overview of actors - 'Use case governance/trust model'
Agreements
Legal/technical
EBSI versions, environments and architecture
EBSI versions
- EBSI V1
EBSI V1 node consists of 3 VMs (application, besu, fabric)
- EBSI V2 initial set-up
EBSI V2 node consists of 3 hosts (V1 Test, V2 Pilot, V2 Production). Each such host is called 'All In One (AIO)'.
Ten validating nodes is the minimum number according to the Decentralized Governance Model.
- EBSI V2 set-up 2021-05
- EBSI v1 -> we don't care, we will not use it anymore -> it is named Testnet (api.ebsi.xyz)
- EBSI v2 (today 2 env deployed plus 1 planned)
- Dev Environment (api.test.intebsi.xyz) -> deployed, only on DIGIT Machines
- Pre-Prod Env (api.preprod.ebsi.eu) -> deployed, for MS
- Prod Env (api.prod.ebsi.eu) -> Planned - for MS but not yet there
- EBSI 'phase 3' - as per JF
EBSI scope
EBSI architecture
EBSI operational management board
EBSI V1 on CEF Digital wiki (eu login)
EBSI V2 on CEF Digital wiki (eu login)
EBSI V2 Functional aspects
High Level Scope/subscopes
CEFdigital wiki
EBSIdoc
Data model
CEFdigital wiki
EBSI V2 RFCs
EBSI V2 Architecture
EBSI V2 RFCs/transition
Functional documentation for all UCs (table of content provides a detailed breakdown)
Functional documentation ESSIF
Some materials related to the topic of correlation/traceability-related:
- Business-level -- On DID-correlation:
- https://www.w3.org/TR/did-core/#did-document-correlation-risks
- https://www.w3.org/TR/did-core/#herd-privacy
- https://www.w3.org/TR/did-core/#service-privacy
- Blockchain-/Transaction-level – On anonymity of blockchain transactions:
- https://arxiv.org/ftp/arxiv/papers/1510/1510.07782.pdf
- https://ieeexplore.ieee.org/document/9012681
- https://ledgerops.com/blog/blockchains-arent-anonymous-but-they-can-be-05-01-2019/
- https://www.sciencemag.org/news/2016/03/why-criminals-cant-hide-behind-bitcoin
Functional documentation Diploma
Functional documentation Notarisation
See webex slides.
Functional documentation TDS
This use case was originally proposed by the European Court of Auditors (ECA) with the aim of developing a blockchain-based registry that could provide beneficiaries of EU funds with a tool to systematically notarise audit-relevant documents (e.g. invoices, proofs of payment, supporting documents, bids, etc.), thus creating a trusted, fully digital audit trail linked to EU budget spending. Such a registry, which acts as a TDS service, can be generalised and its use extended beyond the audit of EU funds.
TDS: for the purposes of this use case, the TDS of a certain input (a document and its metadata) shall be understood as the recording on one or more blockchains of a hash generated from that input. The imprint can be used at a later stage as immutable proof of the authenticity/integrity of the given file.
(source: https://ec.europa.eu/cefdigital/wiki/display/EBP/7.+TDS_Use+Cases+Requirements+Submission+Template+Document)
Originally started by the ECA, later extended to TAXUD's IOSS-DR (Import One-Stop Shop).
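The hash-based notarisation sketched above, as an added example (not EBSI or TDS project code): the document bytes and a canonical serialisation of their metadata are bound into one SHA-256 imprint, the imprint is recorded with a timestamp, and a later verifier recomputes it from the material in hand. The in-memory `Ledger` class stands in for the chain, and the invoice and metadata are constructed sample input; the functions and field names are this example's own. The checks at the end show the two properties a practitioner cares about: metadata key order must not change the imprint, and a single altered byte or a changed metadata field must fail verification. Note that a matching imprint proves that exactly these bytes and metadata existed when the record was made; it does not by itself prove who submitted them or that the content is true.

```python
"""Added example: hash-based notarisation of a document plus its metadata.
The Ledger is an in-memory stand-in for the blockchain; the sample invoice
and metadata below are constructed for the example."""

import hashlib
import json
from datetime import datetime, timezone


def imprint(document: bytes, metadata: dict) -> str:
    """Bind document bytes and metadata into a single SHA-256 imprint.

    Metadata is serialised canonically (sorted keys, fixed separators) so
    the same logical metadata always hashes identically. Each field is
    length-prefixed so document and metadata bytes cannot be confused."""
    doc_hash = hashlib.sha256(document).digest()
    meta_bytes = json.dumps(
        metadata, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")
    h = hashlib.sha256()
    h.update(len(doc_hash).to_bytes(4, "big") + doc_hash)
    h.update(len(meta_bytes).to_bytes(4, "big") + meta_bytes)
    return h.hexdigest()


class Ledger:
    """Append-only list of imprint records (stand-in for the chain)."""

    def __init__(self):
        self._records = []

    def notarise(self, document: bytes, metadata: dict, when=None) -> dict:
        rec = {
            "imprint": imprint(document, metadata),
            "recorded_at": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self._records.append(rec)
        return rec

    def verify(self, document: bytes, metadata: dict):
        """Return the matching record, or None when nothing matches.
        A match proves these exact bytes and metadata existed at
        recorded_at; it says nothing about who submitted them."""
        target = imprint(document, metadata)
        for rec in self._records:
            if rec["imprint"] == target:
                return rec
        return None


# Constructed sample input: an invoice and its audit-relevant metadata.
INVOICE = b"Invoice 2021-0042: consultancy services, EUR 12,000.00\n"
METADATA = {
    "beneficiary": "Example Org",
    "grant": "GA-000000",  # hypothetical grant reference
    "doc_type": "invoice",
    "filename": "invoice-0042.pdf",
}


def demo() -> dict:
    """Notarise the sample invoice and run the four verification checks."""
    ledger = Ledger()
    rec = ledger.notarise(INVOICE, METADATA)
    # Same metadata with keys in another order must still verify.
    reordered = dict(reversed(list(METADATA.items())))
    # A single changed byte (amount altered) must fail.
    tampered = INVOICE.replace(b"12,000.00", b"21,000.00")
    # Same file attributed to a different grant must fail.
    other_meta = dict(METADATA, grant="GA-999999")
    return {
        "imprint": rec["imprint"],
        "original_ok": ledger.verify(INVOICE, METADATA) is not None,
        "reordered_ok": ledger.verify(INVOICE, reordered) is not None,
        "tampered_rejected": ledger.verify(tampered, METADATA) is None,
        "other_meta_rejected": ledger.verify(INVOICE, other_meta) is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The length prefixes and canonical JSON are the part people get wrong in practice: without them two different (document, metadata) pairs can collide by construction, and a verifier that serialises metadata with a different key order will fail to match a perfectly valid record.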
Wallet
eIDAS bridge/sealing
EBSI V2 semantics
EBSI V2 Ledger
Besu
Fabric
EBSI Risk management
DIGIT ITSRM2 material
EBSI RM
EBSI V2 Testing
Jara Quintana
EBSI V2 Production
EBSI V2 DG TAXUD IOSS
EBSI V2 Technical governance and security
EBSI Open-SCAP
- EBSI Open-SCAP - local/desktop(Guacamole)
- Apache Guacamole is a clientless remote desktop gateway, supporting VNC, RDP, and SSH. Clientless because no plugins or client software are required. Thanks to HTML5, once Guacamole is installed on a server, all the desktop needs is a browser.
EBSI V2 Technical governance
- EBSI Technical Governance WG
- EBSI TechGov drafts at EBP
- EBSI TechGov - RFCs and discussions
- EBSI TechGov - meeting minutes
- EBSI security governance - follow-up minutes 18/11/2021
- EBSI TechGov - RFC TechGov Responsibilities & Lifecycle Processes
- Proposal for 'Detailed Procedures' by Technical Office
- Decentralised Governance Model
- Node Operator Guidelines
- EBSI TechGov protocol evaluations - 2020-06
- 1 ARK Ecosystem - UniLille
- ark.io
- ARK Core is written in TypeScript, uses Lerna to manage the development and publication of its packages, and uses Node.js as its execution environment
- Includes a cryptocurrency
- On the mainnet, consensus is Delegated Proof of Stake: holders of ARK vote through their wallets for delegates who secure the network. By fixing the number of forging nodes at 51, the ARK mainnet strikes a balance between decentralization and performance. Consensus by 26/51.
- 2A Dune Networks - UniLille
- Tezos fork, node code is written in OCaml
- OCaml (Wikipedia): extends the Caml dialect of ML (Meta Language, 'Lisp with types') with object-oriented features; created in 1996
- a free and open-source software project INRIA
- in the early 2000s, elements from OCaml were adopted by many languages, notably F# and Scala
- OCaml wikibook
- Consensus: reuse of existing Tezos Emmy+ consensus protocol
- Called 'LDPOS' consensus for Liquid Delegated Proof of Stake
- Token owners are responsible for creating ('baking') new blocks, and for endorsing blocks from other bakers
- Baking and endorsing are jointly referred to as 'validating'
- Bakers of new blocks are selected at random; each block is endorsed by a set of endorsers, e.g. 32
- A deposit of 10,000 tokens is required per baker/endorser
- Proof of Authority can be used for private chains
- DunScan.io - Dune network
- Liquidity: a high-level typed smart-contract language that compiles to Michelson (for Dune Network and Tezos) and to Love (for Dune Network).
- 2B Tolar HashNET - Slovenian Government
- Meeting 1 of 3 - 2020-10-12
- Meeting 2 of 3 - 2020-10-15
- Meeting 3 of 3
EBSI V2 internal processes and procedures
EBSI V2 Security
EBSI V2 Security - overall - top level
EBSI V2 security - preparation
EBSI V2 wallet
EBSI V2 vulnerability management (VMP)
EBSI V2 DRP/BCM/BCP
DIGIT BCM
EBSI V2 DRP/BCM general
EBSI V2 DRP/BCM for DG TAXUD
EBSI V2 Nebula
Nebula is an overlay networking tool designed to be fast, secure, and scalable. Connect any number of hosts with on-demand, encrypted tunnels that work across any IP networks and without opening firewall ports.
EBSI V3
Jira
Overviews
- JIRA - Tracker - System Dashboard, beyond EBSI
- Select 'Boards' then 'EBSIINT-scrum'
- On the left then select 'backlog', 'active sprints' or 'reports'
- JIRA - EBSIINT tracker includes Kanban board, issues, tests, reports, ...
- Two views: Activity and Statistics (from where you can drill down)
- JIRA - EBSIINT tracker RapidBoard, Product Backlog
Issues - EBSI V1
- Components i.e. EBSI network, Diplomas, ESSIF, Notarisation, TDS
- EBSIINT-1 Big Picture (closed)
- EBSIINT-2 All core component development tasks
- EBSIINT-3 Scope EBSI 1
- EBSIINT-4 DLT comparison matrix
- EBSIINT-17 Blockchain protocol configurations
- EBSIINT-25 Decide on technology stack
- EBSIINT-81 Application security requirements
- EBSIINT-82 Core security requirements
- EBSIINT-87 Verifiable Credentials (VC) Types / Formats for DIPLOMA use case
- EBSIINT-97 Decentralized storage options for EBSI
- EBSIINT-122 ESSIF: eIDAS bridge for VC-eSealing
- EBSIINT-123 ESSIF: eIDAS-IDP integration
- EBSIINT-128 Issuance of Verifiable IDs and Attestations based on eIDAS-authentication (incl listing needed services)
- EBSIINT-129 Issuance of Verifiable Attestations based on Verifiable ID (incl listing needed services)
- EBSIINT-244 Test plan
- EBSIINT-253 Security testing plan
- EBSIINT-291 Security Infrastructure testing from outside
- EBSIINT-292 Security Infrastructure testing from inside
- EBSIINT-295 Security Capabilities testing from outside
- EBSIINT-293 EBSI Microservice for EIDAS Bridge
- EBSIINT-332 Infrastructure stabilisation (including security)
- EBSIINT-362 Code review V1 Master Ticket
- EBSIINT-372 Revision of components' security and compliance for production
- EBSIINT-374 Security review
- Document decisions we took during Drosbach workshop: off-chain storage protection, smart contract life cycle/capabilities
- Create RFC EBSI V1 Security Guidelines: requirements and safeguards, gaps and improvements
- Take into consideration
Issues - EBSI ITSRM2
- EBSIINT-635 creation of the EBSI ITSRM2 documentation processes for P1 (System Security Characterisation) and P2 (Primary Assets), and the creation of an initial Security Plan. Consists of subtasks (which are issues themselves):
- -833 P1 System description, -834 P1 Roles and organisation, -835 P1 Constraints and measures
- -836 P2 Primary assets, inventory, -837 Impact scenarios
- -838 Security plan, risk acceptance criteria, -839 Security plan
Issues - EBSI V2
- EBSIINT-1309- brief developers on security
- EBSIINT-827- Tech Governance definition, with EBP Tech Reps and EBSI Architecture, should produce:
- EBSI Technical Governance Guiding Principles
- EBSI TechGov Decision-making bodies
- EBSI V2 Technical Governance Rules
- EBSI V2 Technical Governance Operational Guidelines
- EBSI V2 Technical Governance Node Operator Terms & Conditions Guidance
- EBSIINT-1323 - approach 'from business to technology'
- EBSIINT-592 - EBSI V2 mapping component to capabilities (+gap analysis).
- Creates Functional and technical capability map
- Creates Requirements and Capability maps - terminology:
- Requirements are specified from Use Cases down to User Stories, made up of Steps (this is unsettled)
- EBSI V1 has 4 Use Cases: ESSIF, Diploma, Notarisation and TDS
- Use Cases are described in Journeys, providing an end-to-end description of the Use Case
- Journeys are made up of User Stories (e.g. request diploma, issue diploma, receive diploma) - e.g. In order to start using EBSI services, as a Legal Entity, I can Setup My EBSI Enterprise Wallet
- User Stories are made up of Steps, described in Gherkin:
- Feature: Setup My EBSI Enterprise Wallet
- Given I'm IT Administrator of the IT Infrastructure of the Legal Entity
- And I have the required administrative right on the servers
- And I have connection to Internet
- When I start the setup of my Enterprise Wallet
- And I download the EBSI Enterprise Wallet installation code on a specific URL
- And I launch the installation of the Wallet on my server
- And I define a new password to protect the access to the wallet
- And I write a recovery passphrase in case I lose my password
- And I receive setup successful message
- Then my EBSI Enterprise Wallet is installed
- Capabilities implement what is required. For this purpose, User Stories are mapped onto Capabilities of the EBSI platform
- EBSIINT-1030- ticket for Sprint 4 security work as per KA
- Oddly enough it's called 'DID-method / VC-Registries on Distributes Databases or Ledgers - security assessment', while it should be related to a user journey such as ESSIF onboarding of a natural/legal person
- EBSIINT-1048- ticket for Sprint 4 security work as per KA
- Oddly enough it's called 'As a user I can access the EBSI wallet (citizen) (configure ESSIF agent) - security assessment', while it should be related to a user journey ...
- EBSIINT-1381 - assessment of eIDAS impact on EBSI architecture
- EBSIINT-2639 - EBSI V2 Security Management Guidelines
- EBSIINT-2998- ticket for RFC on production 'dry-run' scoping as per KA
- EBSIINT-3017- ticket for RFC on production 'dry-run' scoping as per Guillem - disk-encryption
- EBSIINT-3049 cefdigital- Create EBSI v2 production ready image based on Security assessment - including disk-encryption
- EBSIINT-3049 digital-building-blocks- Create EBSI v2 production ready image based on Security assessment - including disk-encryption
- EBSIINT-3150- Hardening of node (Guillem)
- EBSIINT-3256- IOSS-DR IR002 RFC encrypted partition - MLS
- EBSIINT-3257- IOSS-DR IR003 RFC secure coding guidelines - MLS
- EBSIINT-3258- IOSS-DR IR004 RFC OS authentication improvement
- EBSIINT-3259- IOSS-DR IR010 RFC contingency plan with guidelines to setup backup node - MLS
- EBSIINT-3260- IOSS-DR IR013 resume HSM tests on AWS before ruling it out completely if it still doesn't work
- EBSIINT-3277- IOSS-DR IR010 MLS request to review processes for chain and storage
- EBSIINT-3276- Operational tooling
- EBSIINT-3191- Further security benchmarks Docker, VM, AWS, ...
- EBSIINT-4317 - analysis of automated security testing in CI - MLS/JaraQ
- RFC corresponding to EBSIINT-4317
OpenSCAP hardening
Other
- EBSIINT-3319 - architecture and security - CDN, Nebula, ...
- EBSIINT-3483- Wallet conformity assessment/security questions
- EBSIINT-3524- Security review DNS
- EBSIINT-3525- Security review of all open source components EBSI relies on (whitesource-style)
- EBSIINT-3526- create BCP (DRP)
- EBSIINT-4108- node logging (eIDAS inspiration)
- EBSIINT-4256- Information required for Web Application Penetration Test (Israel Pardo)
- EBSIINT-4257- Roles and constraints information required for IT Risk Security Plan (Israel Pardo)