RFC043: Introduce role of "Certification Body"
Background and rationale
The iSHARE Trust Framework is designed around roles. These roles include three certified roles: Identity Provider, Identity Broker and Authorisation Registry. Currently the Scheme Owner (iSHARE Foundation) is the only party that is allowed to certify participants for these roles.
As iSHARE continues to evolve as a framework for federated data exchange, the need to increase assurance and formalize onboarding processes has become critical—particularly for high-assurance sectors such as mobility, energy, and manufacturing. While iSHARE currently supports self-assessments and validations, the emergence of cross-sectoral and cross-border data spaces demands independent and auditable trust mechanisms. At the same time, in light of the increasing number of iSHARE participants, a more scalable certification process would support data spaces in expanding more rapidly.
iSHARE therefore proposes the introduction of a new role in the iSHARE Framework: the Certification Body. This role enables formal trust assessments during the onboarding process by third parties and supports scalable and secure growth of the ecosystem.
Proposed change
Purpose
The Certification Body (Certifying Authority) performs independent validation or certification of organizations applying for membership in a data space. This enhances trust, ensures legal and operational conformance, and supports federated onboarding. The introduction of a role "Certification Body" would allow for a more decentralized and scalable model.
Description and principles
Principles:
-
Role: Independent third-party authorized to perform trust assessments and validate the fulfillment of iSHARE and sector-specific criteria.
-
Accreditation: Must be certified by the Scheme Owner.
-
Schemes: Executes certification based on predefined schemes governed by the iSHARE Foundation and/or sector-specific Data Space Administrators.
-
Ecosystem Fit: Plays a core role in the onboarding process of members in Ecosystems. Works in tandem with the Data Space Administrator and Participant Registry.
-
Transparency: Must maintain clear documentation on certification scope, outcomes, and duration.
-
Output: Issues certificates, reports, or attestations stored in registries accessible to ecosystem participants.
Certification in the Glossary is currently defined as:
Certification (iSHARE): Roles for which certification is required facilitate certain functions for the iSHARE Scheme that every party within iSHARE must able to rely upon. An iSHARE Certified Party MUST apply to the Scheme Owner (role) for certification and, after providing sufficient proof, MUST sign a certification agreement with the Scheme Owner (role).
This description in the gloassary must be changed. Furthermore the role must be added tot he overview of the Framework and roles and the Admission process must be altered.
Furthermore the certification process and evidence must be described based on the principes above.
Current solution
The current solution is that Participant Registries can certify parties on behalf of the Scheme Owner. This is a semi-scalable solution and requires a lot of in depth knowledge from Participant Registries, so that in practice the Scheme Owner is currently involved in all certifications.
Impact on the ecosystem
The following table lists the impact of this RFC on the formal iSHARE roles (excluding the Scheme Owner role).
| Formal role | Technical impact | Business / legal / functional / operational impact |
|---|---|---|
| Service Consumer | No | |
| Service Provider | No | |
| Entitled party | No | |
| Authorization Registry | No | |
| Identity Provider | No | |
| Identity Broker | No | |
| Data Space Administrator | No | |
| Participant Registry | No | Yes, must be able to accept certification from a Certification Body |
| Data Space Governance Body | No | No |
Impact iSHARE Foundation (Scheme Owner)
- The iSHARE Trust Framework
- Yes, as descirbed under Description and principles.
- The developer documentation (as an extension of the iSHARE Trust Framework)
- No
- The OpenAPI definitions on Swaggerhub
- No
- Example implementation in Postman Collections
- No
- Code that is published on Github:
-
iSHARE Satellite reference implementation
- No
-
eSEAL certificate procurement guide
- No
-
iSHARE.NET service consumer core components
- No
-
Python iSHARE package
- No
-
iSHARE code snippets
- No
-
Reference implementation for Authorization Registry
- No
-
Reference implementation for Service Provider
- No
- Onboarding portal
- No
-
iSHARE Satellite reference implementation
- The implementation of the iSHARE satellite for iSHARE as the Scheme Owner on https://sat.ishare.eu and https://sat.uat.isharetest.net
- No
- The public website
- No
- Internal documentation
- No
-
Authorization Registry test implementation
- No
- The Conformance Test Tool, tests listed on https://ctt.isharetest.net/admin/test-cases
- No
- iSHARE test satellite (used for conformance testing): https://scheme.isharetest.net/
- No
- iSHARE test certificate authority: EJBCA Public Web
- No
-
iSHARE Change Management documentation
- No
Implementation
Release schedule
This RFC will either be released as part of iSHARE 3.0, or as part of iSHARE 2.2.
Communication
No specific requirements.