RFC068: Non-repudiation improvements
Background and rationale
Currently, the iSHARE framework includes iSHARE JWT tokens for all framework services including parties, capabilities, delegation_evidence, and trusted list. All responses of these framework services are signed.
In other applications we see non-repudiation not as the standard but more as an option. For example, requesting data from the trade registry is possible without an official signature (an "inkijkexemplaar", an inspection copy) or with an official signature (a "gewaarmerkte kopie", a certified copy). The trade registry even charges a fee for the signed version. This could also apply to the participant registry: you are allowed to see whether a party is registered, but if you need a signed answer with non-repudiation, you have to request it explicitly. And maybe pay for it.
Proposed change: purpose
This RFC therefore suggests offering service consumers an option to request a signed response. We propose to introduce a new request header, signed, whose value is True or False. This allows a service consumer to request either a signed response or a plain response.
Moreover, we would like to add an optional attribute to the /capabilities endpoint in which a service provider can communicate whether a data service offers signed responses.
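As an added illustration, not part of this RFC or of the iSHARE reference implementation, the Python below sketches the negotiation the proposal implies: the service reads the proposed signed header and falls back to today's behaviour (signed) for anything other than a literal False, and the consumer refuses a plain body when it asked for a signed one. The HS256 demo secret, the parties_token wrapper key and the sample party record are assumptions constructed for the example; iSHARE itself signs with RS256 and an X.509 certificate chain.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. iSHARE signs its JWTs with RS256 and an X.509 chain;
# the HMAC stand-in only exists so this example runs offline.
DEMO_KEY = b"constructed-demo-key"
TOKEN_KEY = "parties_token"  # wrapper key, assumed after the iSHARE /parties style


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_signed_header(value):
    """Strict reading of the proposed 'signed' request header.
    Only the literal 'False' opts out of signing; a missing, empty or
    unexpected value keeps today's behaviour (signed), so the service
    fails closed rather than silently dropping non-repudiation."""
    return value is None or value.strip() != "False"


def sign_payload(payload: dict) -> str:
    """Compact JWS over the payload (HS256 stand-in, see DEMO_KEY)."""
    segments = [_b64url(json.dumps(p, separators=(",", ":")).encode())
                for p in ({"alg": "HS256", "typ": "JWT"}, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_response(request_headers: dict, payload: dict) -> dict:
    """Service side: signed JWT wrapper or plain JSON, driven by the header."""
    if parse_signed_header(request_headers.get("signed")):
        return {TOKEN_KEY: sign_payload(payload)}
    return dict(payload)  # plain answer: no non-repudiation


def verify_signed_response(body: dict) -> dict:
    """Consumer side: a consumer that sent signed=True must not accept a plain
    body. Returns the verified claims or raises ValueError."""
    token = body.get(TOKEN_KEY)
    if not isinstance(token, str) or token.count(".") != 2:
        raise ValueError("signed response requested but no JWT present")
    signing_input, _, sig = token.rpartition(".")
    expected = _b64url(hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("signature does not verify")
    claims = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
```

The consumer-side check is the part worth keeping in mind: if the consumer does not verify that a signed answer actually arrived, a misconfigured or downgraded service can hand back a plain body and the non-repudiation it paid for is lost without notice.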
Proposed change: considerations and requirements
As DSGO we have also worked out this RFC in Dutch, in RFC022: Attached onweerlegbaarheid JWT (non-repudiation JWT).