iSHARE in practice
How does iSHARE work?
iSHARE is not a platform, system or software. Instead, iSHARE is a scheme for identification, authentication and authorization which describes how organizations can share logistics data in a uniform, simple and controlled way, including with new and previously unknown partners. They do so by upholding mutual agreements. Because all the participants work based on the same approach, iSHARE is a trustworthy and reliable way of sharing data with one another.
What is meant by identification, authentication and authorization?
Identification means presenting a particular identity, such as a user name or device name.
Authentication means validating whether the identity of the user or of the device does indeed match the identity presented. Think of a passport, for instance: ‘identification’ is when you show your passport (because you ‘present’ an identity), and ‘authentication’ is when you are compared against the photo in your passport (validating whether you match the identity presented in the passport).
Authorization is the process of giving someone or something certain access rights. To come back to the passport example again: if it is authenticated that a person is over 18 years of age, that person is authorised to purchase products with a minimum legal age of 18.
What is meant by delegation of rights?
iSHARE makes it possible to ‘delegate’ authorizations. This enables an organization that outsources certain activities to another organization to also give that organization the necessary rights in order to view data. For an everyday example, think of a political election. As a voter (someone who is authorised to vote), you can empower someone else to cast your vote on your behalf. In this case, you delegate your right to vote to someone else who is allowed to cast your vote for you.
If you share data using iSHARE, you can delegate your rights too. Needless to say, this can only be done with the approval of the data owner, who – when managing the access rights to their data – also determines whether those rights may be delegated.
How can I be sure I can trust other iSHARE participants?
All organizations that join the iSHARE Scheme know they can trust one another because they have all signed the Accession Agreement, which legally binds them all to comply with the same terms and conditions.
In order to be accepted for the iSHARE Scheme, all organizations first have to complete a number of technical tests and then – even more importantly – sign the iSHARE Accession Agreement. This is how organizations demonstrate that they comply with the security requirements for providing access to data and that they will uphold the agreements related to data-sharing. In order to be allowed to join the scheme, an organization must sign a contract with the Scheme Owner and that contract legally commits the organization to the iSHARE agreements.
How can I control who has access to my data?
As the data owner, you always remain in full control of your data within the iSHARE Scheme. You are the one who decides which other organizations have a right to your data, and you arrange this either in your own software solution or in an iSHARE-certified Authorization Registry. These so-called authorizations are always authenticated first before data can be shared.
Who manages iSHARE?
The iSHARE Scheme Owner manages the Scheme and the network of participating organizations. Thanks to the governance structure of the Scheme Owner, participating organizations have a say in things like the future development of the Scheme. The organization is independent and transparent, and is not aimed at maximizing profit.
The decision-making process relating to the Scheme Owner must be carefully considered and transparent, and the first preparations for this got under way in early 2018.
For now, INNOPAY is temporarily taking care of the management aspects within the framework of the iSHARE project so that logistics organizations can already start making use of iSHARE. Both the interim and the permanent Scheme Owner will comply fully with the Scheme’s operational agreements.
What is meant by authorization registries and identity providers?
The iSHARE Scheme includes so-called Authorization Registries and Identity Providers. They play an important role, since they are independent parties that provide key information for the purpose of performing identification, authentication and authorization activities.
The identities of devices/systems are checked fully digitally based on digital certificates. Checking a person’s identity is more complex. However, rather than having to present their passport or comparable ID document every time, there are other ways that people can identify themselves, such as a combination of user name and password or an ID card plus PIN.
Within iSHARE it is also possible to work with certified partners that issue such tools to users. These partners are called Identity Providers. Using an Identity Provider relieves you of the burden associated with setting up and updating your own identification and authentication software. Additionally, for your partners’ employees, it means that they can use the same identity to log in with multiple organizations.
After log-in, the organization in charge of the requested data checks whether the other organization is authorised to receive it. It does this either in an iSHARE Authorization Registry or directly with the data owner, if the data owner has made that technically possible in line with the iSHARE specifications.
Organizations that wish to fulfil the role of Identity Provider or Authorization Registry themselves are subject to strict certification, including tight checks on the quality and security of their services. After all, they provide a service within the iSHARE network that all participating organizations must be able to trust.
Who can see my messages and data using iSHARE?
In iSHARE, messaging data is not handled by an intermediary. Instead, communication traffic and data pass directly from one partner to the other, which means that the messages and data can only be seen by the organizations themselves. However, it can be necessary to involve additional third-party information for the purpose of identification, authentication and authorization. These so-called Identity Providers and Authorization Registries cannot view the data itself; they are merely involved in validating identities and authorised rights.
How can I tell whether organizations already use iSHARE?
You can recognize users of iSHARE by the iSHARE logo. Even more importantly, however, you can verify an organization’s status by checking with the iSHARE Scheme Owner. That way, you are always fully aware of the organization’s most recent status and whether they comply with all the iSHARE agreements.
How do I know that partners are using my data as agreed?
iSHARE gives you, the data owner, full control over not only who has access to your data, but also what that partner is allowed to do with your data and for how long. You formalize this in iSHARE licences that relate to a dataset.
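As an added illustration (not part of the iSHARE specifications or of the original page), the sketch below shows the check described above for delegated rights and data-owner control: a request is allowed only if a chain of unexpired grants leads back to the data owner and every upstream grant was marked as delegable. The `Grant` model, party names, dataset name and dates are constructed for this example and are not iSHARE's own data format.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:  # hypothetical model, not the iSHARE delegation format
    issuer: str          # party giving the right
    holder: str          # party receiving the right
    dataset: str
    action: str          # what the holder may do with the data
    not_before: datetime
    not_after: datetime  # the right expires at this moment
    may_delegate: bool   # may the holder pass the right on?

def is_authorized(grants, owner, requester, dataset, action, now, max_depth=5):
    """True if an unbroken chain of valid grants links requester to owner."""
    def valid(g):
        return (g.dataset == dataset and g.action == action
                and g.not_before <= now < g.not_after)

    def reaches_owner(holder, must_delegate, depth, seen):
        if depth > max_depth or holder in seen:  # bound chains, stop cycles
            return False
        for g in grants:
            if g.holder != holder or not valid(g):
                continue
            # A grant that was passed on must itself have been delegable.
            if must_delegate and not g.may_delegate:
                continue
            if g.issuer == owner:
                return True
            if reaches_owner(g.issuer, True, depth + 1, seen | {holder}):
                return True
        return False

    return reaches_owner(requester, False, 0, frozenset())

# Constructed sample data: the shipper owns the "eta" dataset.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2024, 7, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
GRANTS = [
    Grant("shipper", "forwarder", "eta", "read", T0, T1, may_delegate=True),
    Grant("forwarder", "carrier", "eta", "read", T0, T1, may_delegate=False),
    Grant("carrier", "subcontractor", "eta", "read", T0, T1, may_delegate=False),
]

if __name__ == "__main__":
    for party in ("forwarder", "carrier", "subcontractor"):
        print(party, is_authorized(GRANTS, "shipper", party, "eta", "read", NOW))
```

The subcontractor is refused because the carrier's grant was not delegable, even though the carrier issued a grant of its own; an expired grant or an action outside the grant is refused in the same way.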
Can iSHARE be used worldwide?
Yes. Although iSHARE is a Dutch initiative, it is not restricted to the Netherlands. During the co-creation process of the Scheme, the co-creation partners took account of the fact that international organizations should also be able to implement and utilize the agreements. As a result, the iSHARE Scheme includes standardized and widely used techniques such as OAuth and OpenID Connect as well as international identifiers such as the EORI number.
What is the relationship between iSHARE and new technologies?
iSHARE has been developed based on consideration of all existing technologies as well as technologies that could play a role in the near future.
What is the relationship with blockchain?
All kinds of agreements are necessary in order for blockchain technology to work in practice, such as who is allowed to do what, which software is used, who makes that software, which computers it runs on and who can access them.
Furthermore, the answers to a number of key questions, such as ‘Who can access which blockchain data?’ and ‘Where does the data in the blockchain come from?’ have a link to data control. The iSHARE agreements on data-sharing and control are therefore relevant in blockchain projects and can also be utilized in them.
How can I start using iSHARE?
The first participants have already started using the iSHARE set of uniform agreements. Some organizations implement iSHARE themselves, while others ask their software supplier to include the iSHARE API in their solutions.
If you want to join the iSHARE Scheme, you will have to comply not only with iSHARE’s technical specifications but also with the operational and legal agreements.
Once the iSHARE Scheme Owner has verified that you do indeed comply with all the necessary agreements, you will be admitted into the iSHARE network.
What must I do from a technical perspective in order to use iSHARE?
If you want to join the iSHARE Scheme and start using iSHARE, you must comply with the Scheme’s technical API specifications. An API is an easy-to-implement and accessible communication solution that only provides access to the data that you are willing to share (and not to the underlying systems).
Once you have implemented the iSHARE API, other iSHARE participants can utilize this to request your data. After all, these partners have also implemented the iSHARE specifications as agreed. Whether these partners will actually be allowed access to your data is another matter, however.
For more detailed information and API specifications per role, please refer to the ‘Technical’ chapter of the iSHARE Scheme v1.5.
Can I continue to use my current systems once I join iSHARE?
iSHARE is not a replacement for your existing software, but rather an addition to your existing software – which means you can enhance your current systems and continue to use them.
Do you want to start using iSHARE? Go to ‘Getting started’.