chore: sanitize Credentials and export Postman Environments

README.md

@@ -14,12 +14,12 @@
         - [1. Build the runtime images](#1-build-the-runtime-images)
     - [Executing REST requests using Postman](#executing-rest-requests-using-postman)
     - [Other caveats, shortcuts and workarounds](#other-caveats-shortcuts-and-workarounds)
-      - [1. In-memory stores in local deployment](#1-in-memory-stores-in-local-deployment)
-      - [2. Policy Extractor](#2-policy-extractor)
-      - [3. Scope-to-criterion transformer](#3-scope-to-criterion-transformer)
-      - [4. DID resolution](#4-did-resolution)
-        - [4.1 `did:web` for participants](#41-didweb-for-participants)
-        - [4.2 `did:example` for the dataspace credential issuer](#42-didexample-for-the-dataspace-credential-issuer) \* [5. No issuance (yet)](#5-no-issuance-yet)
+        - [1. In-memory stores in local deployment](#1-in-memory-stores-in-local-deployment)
+        - [2. Policy Extractor](#2-policy-extractor)
+        - [3. Scope-to-criterion transformer](#3-scope-to-criterion-transformer)
+        - [4. DID resolution](#4-did-resolution)
+            - [4.1 `did:web` for participants](#41-didweb-for-participants)
+            - [4.2 `did:example` for the dataspace credential issuer](#42-didexample-for-the-dataspace-credential-issuer) \* [5. No issuance (yet)](#5-no-issuance-yet)
   <!-- TOC -->
 
 ## Introduction
@@ -70,35 +70,48 @@ Consumer Corp has a connector plus its own IdentityHub.
 ### Data setup
 
 "provider-qna" and "provider-manufacturing" both have two data assets each, named `"asset-1"` and `"asset-2"` but
-neither
-"provider-qna" nor "provider-manufacturing" expose their
-catalog endpoint directly to the internet. Instead, the catalog server (provider company) provides
-a catalog that contains special assets (think: pointers) to both "provider-qna"'s and "provider-manufacturing"'s
-connectors. We call this a "root catalog", and the pointers are called "catalog assets". This means, that by resolving
-the root catalog, and by following the links in it, "Consumer Corp" can resolve the actual asset from "provider-qna" and
-"provider-manufacturing".
+neither "provider-qna" nor "provider-manufacturing" expose their catalog endpoint directly to the internet. Instead, the
+catalog server (provider company) provides a catalog that contains special assets (think: pointers) to both "
+provider-qna"'s and "provider-manufacturing"'s connectors. We call this a "root catalog", and the pointers are called "
+catalog assets". This means, that by resolving the root catalog, and by following the links in it, "Consumer Corp" can
+resolve the actual asset from "provider-qna" and "provider-manufacturing".
 
 ### Access control
 
 Both assets of "provider-qna" and "provider-manufacturing" have some access restrictions on them:
 
-- `asset-1`: requires a membership credential to view and a PCF Use Case credential to negotiate a contract
-- `asset-2`: requires a membership credential to view and a Sustainability Use Case credential to negotiate a contract
+- `asset-1`: requires a membership credential to view and a Data Processor credential with `"level": "processing"` to
+  negotiate a contract and transfer data
+- `asset-2`: requires a membership credential to view and a Data Processor credential with a `"level": "sensitive"` to
+  negotiate a contract
 
 These requirements are formulated as EDC policies. In addition, it is a dataspace rule that
-the `MembershipCredential` must be presented in _every_ request.
+the `MembershipCredential` must be presented in _every_ request. This credential attests that the holder is a member of
+the dataspace.
 
-Furthermore, all connectors are in possession of the `MembershipCredential` as well as a `PcfCredential`. _Neither has
-the `SustainabilityCredential`_! That means that no contract for `asset-2` can be negotiated!
-For the purposes of this demo the VerifiableCredentials are pre-created and are seeded to the participants' credential
-storage (no issuance).
+In this fictitious dataspace, the DataProcessorCredential attests to the "ability of the holder to process data at a
+certain level". The following levels exist:
+
+- `"processing"`: means, the holder can process non-sensitive data
+- `"sensitive"`: means, the holder has undergone "some very highly secure vetting process" and can process sensitive
+  data
+
+The information about the level of data a holder can process is stored in the `credentialSubject` of the
+DataProcessorCredential.
+
+All participants of the dataspace are in possession of the `MembershipCredential` as well as
+a `DataProcessorCredential` with level `"processing"`.
+_None possess the `DataProcessorCredential` with level="sensitive"_. That means that no contract for `asset-2` can be
+negotiated. For the purposes of this demo the VerifiableCredentials are pre-created and are seeded to the participants'
+credential storage ([no issuance](#5-no-issuance-yet)).
 
 If the consumer wants to view the consolidated catalog (containing assets from the provider's Q&A and manufacturing
 departments), then negotiate a contract for an asset, and then transfer the asset, she needs to present several
 credentials:
 
 - catalog request: present `MembershipCredential`
-- contract negotiation: `MembershipCredential` and `PcfCredential` or `SustainabilityCredential`, respectively
+- contract negotiation: `MembershipCredential` and `DataProcessorCredential(level=processing)`
+  or `DataProcessorCredential(level=sensitive)`, respectively
 - transfer process: `MembershipCredential`
 
 ## Running the demo (inside IntelliJ)
@@ -439,8 +452,7 @@ schema of the credentials' subjects is not yet implemented.
 
 This is similar to the [policy extractor](#5-policy-extractor), as it deals with the reverse mapping from a scope string
 onto a `Criterion`. On the IdentityHub, when the VP request is received, we need to be able to query the database based
-on the scope string that was received. This is currently a very Catena-X-specific solution, as it needs to distinguish
-between "normal" credentials, and "use case" credentials.
+on the scope string that was received. 
 
 ### 4. DID resolution
 

deployment/assets/credentials/k8s/consumer/dataprocessor-credential.json

@@ -0,0 +1,39 @@
+{
+  "id": "40e24588-b510-41ca-966c-c1e0f57d1b15",
+  "participantId": "did:web:consumer-identityhub%3A7083:consumer",
+  "timestamp": 1700659822500,
+  "issuerId": "did:example:dataspace-issuer",
+  "holderId": "did:web:consumer-identityhub%3A7083:consumer",
+  "state": 500,
+  "issuancePolicy": null,
+  "reissuancePolicy": null,
+  "verifiableCredential": {
+    "format": "JWT",
+    "rawVc": "eyJraWQiOiJkaWQ6ZXhhbXBsZTpkYXRhc3BhY2UtaXNzdWVyI2tleS0xIiwidHlwIjoiSldUIiwiYWxnIjoiRWREU0EifQ.eyJpc3MiOiJkaWQ6ZXhhbXBsZTpkYXRhc3BhY2UtaXNzdWVyIiwiYXVkIjoiZGlkOndlYjphbGljZS1pZGVudGl0eWh1YiUzQTcwODM6YWxpY2UiLCJzdWIiOiJkaWQ6d2ViOmFsaWNlLWlkZW50aXR5aHViJTNBNzA4MzphbGljZSIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIiwiaHR0cHM6Ly93M2lkLm9yZy9zZWN1cml0eS9zdWl0ZXMvandzLTIwMjAvdjEiLCJodHRwczovL3d3dy53My5vcmcvbnMvZGlkL3YxIix7Im12ZC1jcmVkZW50aWFscyI6Imh0dHBzOi8vdzNpZC5vcmcvbXZkL2NyZWRlbnRpYWxzLyIsImNvbnRyYWN0VmVyc2lvbiI6Im12ZC1jcmVkZW50aWFsczpjb250cmFjdFZlcnNpb24iLCJsZXZlbCI6Im12ZC1jcmVkZW50aWFsczpsZXZlbCJ9XSwiaWQiOiJodHRwOi8vb3JnLnlvdXJkYXRhc3BhY2UuY29tL2NyZWRlbnRpYWxzLzIzNDciLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiaHR0cDovL29yZy55b3VyZGF0YXNwYWNlLmNvbSNEYXRhUHJvY2Vzc29yQ3JlZGVudGlhbCJdLCJpc3N1ZXIiOiJkaWQ6ZXhhbXBsZTpkYXRhc3BhY2UtaXNzdWVyIiwiaXNzdWFuY2VEYXRlIjoiMjAyMy0wOC0xOFQwMDowMDowMFoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDp3ZWI6Y29uc3VtZXItaWRlbnRpdHlodWIlM0E3MDgzOmNvbnN1bWVyIiwiY29udHJhY3RWZXJzaW9uIjoiMS4wLjAiLCJsZXZlbCI6InByb2Nlc3NpbmcifX0sImlhdCI6MTcyMTM4NTQ3N30.4GxNoNT9to7tlKfddUk5_fjAyetNH7FBkKNJui3Q_672IorxR43ztuRTOqgyoF_hNzN-fMkTYrwrLZaLhRYSDg",
+    "credential": {
+      "credentialSubject": [
+        {
+          "claims": {
+            "id": "did:web:consumer-identityhub%3A7083:consumer",
+            "contractVersion": "1.0.0",
+            "level": "processing"
+          }
+        }
+      ],
+      "id": "http://org.yourdataspace.com/credentials/1235",
+      "type": [
+        "VerifiableCredential",
+        "DataProcessorCredential"
+      ],
+      "issuer": {
+        "id": "did:example:dataspace-issuer",
+        "additionalProperties": {}
+      },
+      "issuanceDate": 1702339200.000000000,
+      "expirationDate": null,
+      "credentialStatus": null,
+      "description": null,
+      "name": null
+    }
+  }
+}

deployment/assets/credentials/k8s/consumer/pcf_vc.json → deployment/assets/credentials/k8s/consumer/dataprocessor_vc.json

@@ -4,23 +4,21 @@
     "https://w3id.org/security/suites/jws-2020/v1",
     "https://www.w3.org/ns/did/v1",
     {
-      "cx-credentials": "https://w3id.org/catenax/credentials/",
-      "contractTemplate": "cx-credentials:contractTemplate",
-      "contractVersion": "cx-credentials:contractVersion",
-      "holderIdentifier": "cx-credentials:holderIdentifier"
+      "mvd-credentials": "https://w3id.org/mvd/credentials/",
+      "contractVersion": "mvd-credentials:contractVersion",
+      "level": "mvd-credentials:level"
     }
   ],
   "id": "http://org.yourdataspace.com/credentials/2347",
   "type": [
     "VerifiableCredential",
-    "http://org.yourdataspace.com#PcfCredential"
+    "http://org.yourdataspace.com#DataProcessorCredential"
   ],
   "issuer": "did:example:dataspace-issuer",
   "issuanceDate": "2023-08-18T00:00:00Z",
   "credentialSubject": {
     "id": "did:web:consumer-identityhub%3A7083:consumer",
-    "contractTemplate": "https://public.catena-x.org/contracts/pcf.v1.pdf",
     "contractVersion": "1.0.0",
-    "holderIdentifier": "BPN000000XYZ"
+    "level": "processing"
   }
 }

deployment/assets/credentials/k8s/consumer/membership-credential.json

@@ -0,0 +1,41 @@
+{
+  "id": "40e24588-b510-41ca-966c-c1e0f57d1b14",
+  "participantId": "did:web:consumer-identityhub%3A7083:consumer",
+  "timestamp": 1700659822500,
+  "issuerId": "did:example:dataspace-issuer",
+  "holderId": "did:web:consumer-identityhub%3A7083:consumer",
+  "state": 500,
+  "issuancePolicy": null,
+  "reissuancePolicy": null,
+  "verifiableCredential": {
+    "rawVc": "eyJraWQiOiJkaWQ6ZXhhbXBsZTpkYXRhc3BhY2UtaXNzdWVyI2tleS0xIiwidHlwIjoiSldUIiwiYWxnIjoiRWREU0EifQ.eyJpc3MiOiJkaWQ6ZXhhbXBsZTpkYXRhc3BhY2UtaXNzdWVyIiwiYXVkIjoiZGlkOndlYjphbGljZS1pZGVudGl0eWh1YiUzQTcwODM6YWxpY2UiLCJzdWIiOiJkaWQ6d2ViOmFsaWNlLWlkZW50aXR5aHViJTNBNzA4MzphbGljZSIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIiwiaHR0cHM6Ly93M2lkLm9yZy9zZWN1cml0eS9zdWl0ZXMvandzLTIwMjAvdjEiLCJodHRwczovL3d3dy53My5vcmcvbnMvZGlkL3YxIix7Im12ZC1jcmVkZW50aWFscyI6Imh0dHBzOi8vdzNpZC5vcmcvbXZkL2NyZWRlbnRpYWxzLyIsIm1lbWJlcnNoaXAiOiJtdmQtY3JlZGVudGlhbHM6bWVtYmVyc2hpcCIsIm1lbWJlcnNoaXBUeXBlIjoibXZkLWNyZWRlbnRpYWxzOm1lbWJlcnNoaXBUeXBlIiwid2Vic2l0ZSI6Im12ZC1jcmVkZW50aWFsczp3ZWJzaXRlIiwiY29udGFjdCI6Im12ZC1jcmVkZW50aWFsczpjb250YWN0Iiwic2luY2UiOiJtdmQtY3JlZGVudGlhbHM6c2luY2UifV0sImlkIjoiaHR0cDovL29yZy55b3VyZGF0YXNwYWNlLmNvbS9jcmVkZW50aWFscy8yMzQ3IiwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsImh0dHA6Ly9vcmcueW91cmRhdGFzcGFjZS5jb20jTWVtYmVyc2hpcENyZWRlbnRpYWwiXSwiaXNzdWVyIjoiZGlkOmV4YW1wbGU6ZGF0YXNwYWNlLWlzc3VlciIsImlzc3VhbmNlRGF0ZSI6IjIwMjMtMDgtMThUMDA6MDA6MDBaIiwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6d2ViOmNvbnN1bWVyLWlkZW50aXR5aHViJTNBNzA4Mzpjb25zdW1lciIsIm1lbWJlcnNoaXAiOnsibWVtYmVyc2hpcFR5cGUiOiJGdWxsTWVtYmVyIiwid2Vic2l0ZSI6Ind3dy53aGF0ZXZlci5jb20iLCJjb250YWN0IjoiZml6ei5idXp6QHdoYXRldmVyLmNvbSIsInNpbmNlIjoiMjAyMy0wMS0wMVQwMDowMDowMFoifX19LCJpYXQiOjE3MjEzODU0Nzd9.xJMVUqBGBu8idgFLWeRkPsCLRxihPC6ZEQT35lDB2U8O0NeU5VG2Ivd1fLlrsfZYC8kyE6IY1KnmCqvxQ-3ZDw",
+    "format": "JWT",
+    "credential": {
+      "credentialSubject": [
+        {
+          "claims": {
+            "membershipType": "FullMember",
+            "website": "www.some-other-website.com",
+            "contact": "[email protected]",
+            "since": "2023-01-01T00:00:00Z"
+          },
+          "id": "did:web:consumer-identityhub%3A7083:consumer"
+        }
+      ],
+      "id": "http://org.yourdataspace.com/credentials/2347",
+      "type": [
+        "VerifiableCredential",
+        "MembershipCredential"
+      ],
+      "issuer": {
+        "id": "did:example:dataspace-issuer",
+        "additionalProperties": {}
+      },
+      "issuanceDate": 1702339200.000000000,
+      "expirationDate": null,
+      "credentialStatus": null,
+      "description": null,
+      "name": null
+    }
+  }
+}

deployment/assets/credentials/k8s/consumer/membership_vc.json

@@ -4,12 +4,12 @@
     "https://w3id.org/security/suites/jws-2020/v1",
     "https://www.w3.org/ns/did/v1",
     {
-      "cx-credentials": "https://w3id.org/catenax/credentials/",
-      "membership": "cx-credentials:membership",
-      "membershipType": "cx-credentials:membershipType",
-      "website": "cx-credentials:website",
-      "contact": "cx-credentials:contact",
-      "since": "cx-credentials:since"
+      "mvd-credentials": "https://w3id.org/mvd/credentials/",
+      "membership": "mvd-credentials:membership",
+      "membershipType": "mvd-credentials:membershipType",
+      "website": "mvd-credentials:website",
+      "contact": "mvd-credentials:contact",
+      "since": "mvd-credentials:since"
     }
   ],
   "id": "http://org.yourdataspace.com/credentials/2347",
@@ -24,7 +24,7 @@
     "membership": {
       "membershipType": "FullMember",
       "website": "www.whatever.com",
-      "contact": "mix.max@whatever.com",
+      "contact": "fizz.buzz@whatever.com",
       "since": "2023-01-01T00:00:00Z"
     }
   }