Outside of data space

The reality in the business arena is that in most cases business relationships are created outside a data space. A new vendor or client is vetted (credit rating, for example) and onboarded in sales/finance/purchasing systems (basis reference data entry, reference numbering, roles, type of service/product offered or purchasable, prices, etc.). Only after this step are business transactions and interactions initiated within the limits set during the onboarding process. Business to government relationships are also set up beforehand, outside of the data space.

Entity endpoints

The question of discovery in this case is reduced to discovery of endpoints particular to an entity, such as:

• API or connector endpoints (data);
  • Optional data license endpoint
• authorization Register endpoint;
• representation Register endpoint;
• professional Qualification Register endpoint;
• pub/sub Event endpoints;
• association
  • Association Register endpoint

DNS as scalable discovery mechanism

The Internet Domain Name System is an existing discovery mechanism suitable for this demand. A standard sub-domain (for example, “_bdi.acme.com” ), secured by DNSSEC can be used to discover endpoints of an organization owning an URL. The URL is ‘discovered’ (manually) during the initial onboarding of a new client or vendor and added to the initial registration in corporate purchasing systems.

This method using a subdomain and TXT-SRV records for discovering a series of different types of endpoints has been successfully tested. A SRV record such as “ _pubsub._bdi.acme.com”  points to a specific URI to be used for pubsub subscriptions, for example.

Limiting access with BDI authentication

For organizations that do not want to expose their endpoints for all the world to see, it is possible to limit access using the BDI authentication mechanism, limiting access to parties on an allow list maintained locally, and/or in an Association, and/or in a data space.