Trust Framework Documentation

The technical specifications for the IB1 Trust Framework are published at specification.trust.ib1.org. They are designed as a modular set of small, focused specifications. Trust Frameworks and Schemes select the specifications that define their architecture, and may also introduce their own where appropriate. This site provides an overview of the available specifications and describes how they fit together.

Note: These documents use US English. To align with W3C and other prevalent standards, IB1 uses US English in its technical specifications and technical documentation.

Trust Framework Architecture

IB1 Trust Framework Architecture Diagram

Registry

Registry
Defines a machine-readable RDF Registry for describing Trust Frameworks, Schemes, standards, roles, agreements, policies, and other entities.
Registry Versioning
Provides a method for versioning RDF resources within the Registry, maintaining immutability while allowing changes via linked versions and Registry Change records.
Registry Process Resources
Specifies how formally defined data processing activities are described using Registry resources with stable URLs.

Identity, Certificates & Security

Baseline TLS Configuration
Establishes mandatory TLS settings and cryptographic profiles for secure communication within the Trust Framework.
Member Identity Digital Certificates
Describes digital certificates issued to Members for authentication, enabling secure decentralized identification within the Trust Framework.
Directory Issued Server TLS Certificates
Defines short-lived TLS server certificates issued by the Directory.
Public CA Issued Server TLS Certificates with Directory Allowlist
Specifies requirements for public CA-issued TLS certificates and how the Directory maintains an allowlist of permitted DNS names for Member servers.

Access Control & Permission

Role-based Access Control
Access to data sources is governed by assigned roles and licenses, managed through Data Catalog Entries specifying who can access or publish data.
Message Delivery to Applications
Specifies how Applications exchange JSON messages outside of data transfers, with MTLS authentication and delivery endpoints defined in the Directory.
OAuth with Member Identity Certificates
An OAuth Profile which requires mutual TLS (MTLS) using Member identity from Directory issued certificates.
Permission Records
Defines how OAuth Issuers provide records containing details of permissions granted by end users, including evidence of consent.
Withdrawal of Permission
Specifies processes for users to withdraw permission, how Members revoke permissions, and cascading revocation of linked permissions.

Data Catalog & Licenses

Data Catalog Records
Specifies how metadata describing datasets and APIs is structured using DCAT, enabling discovery, access, and licensing information.
Data Catalog Publishing
Methods for publishing dataset and API metadata to the Directory, and how records are validated.
Machine-Readable Data Licenses
Defines how data licenses are published in the Registry as machine-readable RDF resources.

Open Data

Open Data Publication
Defines how datasets are published as Open Data within a Trust Framework.
Assured Open Data Publication
Builds on Open Data Publication by introducing dataset assurance levels and strict choice of licenses.

Provenance & Assurance

Provenance Records
Captures the origin, processing, transfers, licenses, and permissions associated with data within the Trust Framework.
Generic Dataset Assurance Levels
Establishes standardized levels of dataset assurance, indicating the quality, completeness, and governance applied to published datasets.
Generic Organizational Assurance Levels
Specifies levels of organizational assurance, reflecting the verified trustworthiness and compliance posture of Trust Framework participants.
Generic Sensitivity Classes
Defines standard sensitivity classes (e.g., Open Data, Shared, Personal) with corresponding access, security, and consent requirements.