A CINECA deliverable describes the ELIXIR Passport Broker
In the “Passport is the glue between the researcher, data and computing” blog post, I introduced GA4GH Passports as an enabler of the “bring compute to data” paradigm. CINECA WP2 also contributed to the “GA4GH Passport standard for Digital identity and access permissions” publication in Cell Genomics in autumn 2021.
In December 2021, WP2 published deliverable D2.2, which describes the GA4GH Passports version 1.0 specification in more detail. The deliverable can be read as an accessible introduction to GA4GH Passports: it introduces the Passport and the Visas in a hands-on way, with examples of real protocol flows and setups.
The deliverable focuses on describing how ELIXIR AAI implements the Passports as a Passport broker, including how it is able to pull and deliver data access rights for controlled access datasets from various sources and deliver them to the computing environment for enforcing access to the datasets. The deliverable also describes the three alternative approaches ELIXIR AAI has for registered access. The description of ELIXIR AAI’s Passport implementation may be a useful reference for anyone who wants to better understand how Passports work with ELIXIR AAI or who wants to have their own Passport broker implementation.
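The enforcement step at the computing environment, sketched as an added example (not code from the deliverable or from ELIXIR AAI). It assumes a Passport arrives as a list of Visa JWTs carrying the `ga4gh_visa_v1` claim; the issuer URL, key, user and dataset IDs are constructed, and HMAC (HS256) stands in for the issuer's asymmetric signature so the sketch runs with the standard library only.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder: trusted Visa issuer -> verification key (assumption).
TRUSTED_ISSUERS = {"https://dac.example.org": b"demo-shared-secret"}

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_visa(iss, key, sub, visa, exp):
    """Build a constructed sample Visa JWT (HS256 stand-in signature)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"iss": iss, "sub": sub, "exp": exp,
                             "ga4gh_visa_v1": visa}).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_visa(token, now):
    """Return the claims if issuer, algorithm, signature and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        key = TRUSTED_ISSUERS.get(claims.get("iss"))
        if key is None or header.get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):  # malformed token: reject
        return None

def has_access(passport, sub, dataset, now=None):
    """True if a valid Visa grants `sub` controlled access to `dataset`.

    Assumes the Visa `sub` equals the logged-in user's identifier
    (no LinkedIdentities handling in this sketch).
    """
    now = time.time() if now is None else now
    for token in passport:
        claims = verify_visa(token, now)
        if not claims or claims.get("sub") != sub:
            continue
        visa = claims.get("ga4gh_visa_v1")
        if (isinstance(visa, dict) and visa.get("type") == "ControlledAccessGrants"
                and visa.get("value") == dataset):
            return True
    return False
```

The same check applies whether the Visa reaches the computing environment through a broker or is released from a wallet: access depends on a verifiable signature from a trusted issuer, not on who delivered the token.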
At the end of the deliverable, an experiment done by WP2 on a new identity management paradigm called Self-Sovereign Identity (SSI) is described. Self-sovereign identity contrasts with the current broker-based Passport and AAI implementation: in SSI, no brokers draw the visas from different data access committees and other authorities to deliver them to the computing environment. Instead, the researcher has a digital wallet, an application potentially running on their smartphone, where the data access permissions are stored as signed assertions called Verifiable Credentials (VC). When the researcher logs in to the computing environment, they release the VCs from their wallet directly to the computing environment.
For the deliverable, WP2 prepared a Proof of Concept where the researcher used the REMS tool of ELIXIR-Finland to apply for access to CINECA Synthetic cohort EUROPE UK1 and received the data access right as a VC in their wallet. The researcher then released the VC after logging in to ELIXIR-Finland’s computing environment for sensitive data. You can watch a screencast video below or follow these instructions to install a wallet on your smartphone and download a visa to your wallet yourself.
Self-sovereign identity has recently received attention in the European Union, where the European Commission has proposed an eIDAS regulation update that can be implemented using SSI. The EU Member States would have an obligation to deliver to their citizens a digital identity wallet where public and private organisations can write attributes describing the user. See this CSC blog post for more information on the eIDAS update.
Acronyms used:
AAI. Authentication and Authorisation Infrastructure
eIDAS. Electronic identification and trust services
GA4GH. Global Alliance for Genomics and Health
REMS. Resource Entitlement Management System
SSI. Self-Sovereign Identity
VC. Verifiable Credentials
WP2. Work Package 2 of the CINECA project