Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API for Collections of Statements #9

Open
SteveLasker opened this issue May 21, 2024 · 5 comments
Open

API for Collections of Statements #9

SteveLasker opened this issue May 21, 2024 · 5 comments
Assignees
@SteveLasker @JAG-UK
Labels
ready-for-pr
Milestone
Draft 03

Comments

@SteveLasker
Copy link
Collaborator

APIs which enables users to find a collection of signed statements based on protected, or unprotected header properties

A client may send any known or custom header property, or combination

TODO:

  • Better formated example
  • Add paging

Collection of Signed Statement Header Properties
REQUEST:

GET /findstatements?issuer=my-identity.me&subject=my-product-id HTTP/1.1
Host: transparency.example
Accept: application/json

RESPONSE:
a paged collection of references to Signed Statements, and the possible payload locations

{
   "signed-statements": [
      {
         "protected-headers": {
            "cwt_claims": {
               "iss": "my-identity.me",
               "sub": "my-product-id"
            },
            "content_type": "application/json",
            "alg": "1",
            "kid": "abc123",
            "location-hint": "service.storage/abc123",
            "detached-hash": "abc123...321cba"
         },
         "unprotected-headers": {
            "registered": "sometime"
         }
      },
      {
         "protected-headers": {
            "cwt_claims": {
               "iss": "my-identity.me",
               "sub": "my-product-id"
            },
            "content_type": "application/spdx+json",
            "alg": "1",
            "kid": "abc123",
            "location-hint": "service.storage/def456",
            "detached-hash": "def246...642fed"
         },
         "unprotected-headers": {
            "registered": "sometime+1"
         }
      }
   ]
}
@howethomas
Copy link

So, for the integration with vCon example, subject="my-product-id" could simply be the vcon uuid? So, an audit trail of a particular vCon could be supplied by this API endpoint?

@SteveLasker
Copy link
Collaborator Author

Yup, exactly. Any issuer that wants to make a statement about the vCon would use the identifie, enabling filtering on statements for the vCon, from different issuers, and even different content-types

@OR13
Copy link
Collaborator

OR13 commented Jul 2, 2024

Lets look at COAP / CORE / OSCORE / ACE for examples of good CBOR APIs, and copy them.

@OR13
Copy link
Collaborator

OR13 commented Jul 2, 2024

For some inspiration: https://datatracker.ietf.org/doc/html/draft-ietf-ace-revoked-token-notification-08#section-3.2.1

@JAG-UK JAG-UK self-assigned this Aug 6, 2024
@SteveLasker
Copy link
Collaborator Author

Resolve signed statement has the baseline.
However, it doesn't specify what parameters could be used, such as subject, cwt_claims.issuer or other parameters such as cose-meta-map

Marking ready-for-pr to incorporate into a PR.

@SteveLasker SteveLasker self-assigned this Dec 31, 2024
@SteveLasker SteveLasker added this to the Draft 03 milestone Dec 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@SteveLasker SteveLasker

@JAG-UK JAG-UK

Labels
ready-for-pr
Projects
None yet
Milestone
Draft 03
Development

No branches or pull requests
4 participants
@howethomas @SteveLasker @OR13 @JAG-UK