Representation versus Delegation
- Representation: Involves verifying that an individual or entity has the authority to act on behalf of a legal entity. This verification ensures that the legal entity, not the individual, is held accountable and liable for actions taken by their representatives.
- Delegation: Involves granting subcontractors access to the Data Owner’s data, typically recorded in the Authorization Register. This is focused on data access rather than verifying authority to act on behalf of an entity.
Subcontractors
In the physical operation of our economy, the question of authenticating a representative and verifying their mandate is far more widespread than the case of employees or contractors. The same question arises for subcontractors that perform business functions on someone else's premises.
For example: a maintenance subcontractor of a vendor of video security systems is commissioned to perform maintenance at a customer's site, under a contract for regular maintenance. At regular intervals a maintenance engineer shows up at the gate of the premises and requests access in order to perform preventive maintenance on the security video system, on behalf of the vendor that delivered the system.
The security guards of the company where the security system is installed need to verify: has this person indeed been sent by the OEM? Can the person be authenticated, and verified as being mandated by the subcontractor? Does the person hold the required professional qualifications? And can that mandate be verified in a non-repudiable manner?
Nested Representation
In the case of humans, the assumption is that a human presents an ID and Representation Evidence. The ID can be a standard one, or fitted with additional safeguards such as biometrics. The Representation Evidence should be able to show:
- The chain of subcontracting, with enough detail for security purposes.
- Confirmation of the identity of the individual as a representative.
- Verification of the individual’s professional qualifications.
- Time limits on the representation’s validity.
- Links to the subcontracting orders, allowing real-time validation of the representation’s status.
- Non-repudiable evidence to ensure that the representation cannot be denied later.
For real-life applications it is necessary to be able to operate (temporarily) offline: it must be possible to check the Representation Evidence without real-time validation at the issuers.
Representation Evidence
JSON Web Token (JWT) is a compact, URL-safe means of representing claim sets between two parties and is a strong candidate for Representation Evidence. JWTs can be nested to reflect the subcontracting chain, ensuring that the entire chain of authority is captured in a secure, verifiable manner.
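As an added illustration (not code from the BDI framework or its specification), the following Python builds the nested Representation Evidence for the maintenance scenario above and verifies the whole chain offline, as the previous section requires. The claim names `parent`, `order`, `scope` and `qualifications`, the party identifiers, the order reference and the HS256 shared secrets are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secrets standing in for the issuers' signing keys. HS256 keeps the
# example dependency-free; a real deployment would use asymmetric signatures (e.g. ES256)
# so that a verifier holding only public keys cannot forge Representation Evidence.
KEYS = {
    "oem-vendor": b"constructed-oem-vendor-secret",
    "maint-subcontractor": b"constructed-subcontractor-secret",
}
NOW = 1_700_000_000  # fixed clock so the example is reproducible offline


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS carrying the claim set."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_one(token: str, keys: dict, now: int) -> dict:
    """Check one token's algorithm, signature and validity window; return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    claims = json.loads(_b64url_decode(payload_b64))
    key = keys.get(claims.get("iss"))
    if key is None:
        raise ValueError(f"unknown issuer {claims.get('iss')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("outside validity window")
    return claims


def verify_chain(token: str, keys: dict, trust_anchor: str, now: int) -> list:
    """Walk nested tokens from the presented (leaf) token up to the root.

    Each token must be validly signed by its issuer, currently valid, and issued by the
    subject of the token nested inside it ("parent"); the root must come from the trust
    anchor. Everything needed is inside the token, so the check runs offline.
    """
    chain, current = [], token
    while current is not None:
        claims = _verify_one(current, keys, now)
        if chain and chain[-1]["iss"] != claims["sub"]:
            raise ValueError("broken chain: issuer was not itself mandated by the inner token")
        chain.append(claims)
        current = claims.get("parent")  # hypothetical claim name for the nested token
    if chain[-1]["iss"] != trust_anchor:
        raise ValueError("chain does not end at the trust anchor")
    return chain


def build_example_chain(now: int = NOW) -> str:
    """Constructed sample: the OEM mandates a maintenance subcontractor, which mandates an engineer."""
    vendor_token = sign_jwt({
        "iss": "oem-vendor", "sub": "maint-subcontractor", "aud": "customer-site-gate",
        "iat": now - 3600, "exp": now + 30 * 86400,
        "order": "ORDER-ID-PLACEHOLDER",  # hypothetical link to the subcontracting order
        "scope": "preventive-maintenance:video-security",
    }, KEYS["oem-vendor"])
    return sign_jwt({
        "iss": "maint-subcontractor", "sub": "engineer-42", "aud": "customer-site-gate",
        "iat": now - 600, "exp": now + 8 * 3600,  # one shift
        "qualifications": ["video-security-maintenance"],  # constructed qualification claim
        "parent": vendor_token,  # the subcontractor's own Representation Evidence, nested
    }, KEYS["maint-subcontractor"])


if __name__ == "__main__":
    for link in verify_chain(build_example_chain(), KEYS, "oem-vendor", NOW):
        print(f"{link['iss']} mandates {link['sub']} until {link['exp']}")
```

The guard at the gate needs only the issuers' keys and a clock: the engineer's token carries the subcontractor's own mandate from the OEM, so the chain, the time limits and the qualification claim can all be checked without contacting the issuers. When a connection is available, the `order` reference is the hook for real-time validation against the registers described below.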
Registers
The BDI framework defines a Representation Register and a Professional Qualification Register for this type of use case. The Registers are under the control of a Data Owner/Data Service Provider and are accessible via a published endpoint. Authenticated third parties can verify:
- Representation Register: Maintained by the Data Owner or Data Service Provider, this register allows authenticated third parties to verify the representation mandate of individuals and organizations acting on behalf of the Data Owner.
- Professional Qualification Register: This register stores and verifies the professional qualifications of individuals.