Merge pull request #151 from w3c/4_gs1_identification
GS1 identification use case
Ok. The source looks good. You did resolve my comments. They just weren't showing up in the preview.
jandrieu authored Feb 2, 2024
2 parents 0f7b6f4 + 9e0951e commit f3c4952
Showing 3 changed files with 449 additions and 1 deletion.
350 changes: 350 additions & 0 deletions focal/4_gs1_identification.html
@@ -0,0 +1,350 @@
<section>
<h3>Chain of GS1 Credentials to Identify a Trade Item</h3>
<h4>Background</h4>
<p>
This use case has been provided by <a href="https://www.gs1.org/" rel="nofollow">GS1</a>.
</p>
<p>
GS1 is the global supply chain standards development organization behind the retail barcode. The content of
the barcode, the Global Trade Item Number (GTIN), is a 13-digit string composed of a GS1 Company Prefix (a
unique string of 4-12 digits), a trade item reference (a numeric string unique within the GS1 Company Prefix to bring
the length up to 12 digits), and a check digit (a mathematical calculation to detect keying errors).
</p>
<p>
The GS1 Company Prefix is licensed to a user company by a local GS1 Member Organization. The license gives
the user company the right to issue GS1 identification keys within the range of the GS1 Company Prefix and
to issue Verifiable Credentials referring to the license Verifiable Credential.
</p>
<p>
The license Verifiable Credential may be revoked if the user company fails to abide by the terms and
conditions or may be transferred to another user company as part of a merger and acquisition.
</p>
<p>
If the license is revoked, no new Verifiable Credentials derived from it may be issued. If the license is
transferred, existing derived Verifiable Credentials remain valid, and the new user company may issue new
Verifiable Credentials, including some that refer to Verifiable Credentials issued by the previous user
company.
</p>
<div class="note">
<p>
The core GS1 standard is the identification of objects in the supply chain, typically trade items, but also
locations, shipping containers, and much more. Every object is identified using a GS1 identification key,
sometimes alongside a secondary key for higher granularity (e.g., a serial number alongside a GTIN to
identify a specific instance of a trade item). Much of the text in this use case refers to keys and key
credentials. These are the GS1 identification keys, <strong>not</strong> cryptographic keys.
</p>
</div>
<h4>Distinction</h4>
<p>
This differs from other focal use cases in that the rights granted by a Verifiable Credential can be
transferred
to another subject, without invalidating other Verifiable Credentials created by the original subject.
</p>
<h4>Scenario</h4>
<p>
Healthy Tots, a baby food manufacturer, wishes to list its products on the Sell Anything &amp; Everything
(SA&amp;E) marketplace. As a global marketplace, SA&amp;E requires unique identification for products listed
on its site, and has chosen the GTIN as the preferred identification key. To ensure uniqueness, SA&amp;E
requires that companies listing products prove that they have the right to issue the GTINs they are using.
</p>
<h4>Verifiable Credentials</h4>
<dl class="dl-horizontal">
<dt>
GS1 Prefix license
</dt>
<dd>
Issued by GS1 Global Office to GS1 Utopia (a GS1 Member Organization operating in the region of Utopia). Grants GS1 Utopia the right to
issue GS1 Company Prefix licenses within the range of the GS1 Prefix in the license.
</dd>
<dt>
GS1 Company Prefix license
</dt>
<dd>
Issued by GS1 Utopia to Healthy Tots. Grants Healthy Tots the right to issue GS1 identification keys
within the range of the GS1 Company Prefix in the license.
</dd>
<dt>
Key (GTIN)
</dt>
<dd>
Issued by Healthy Tots to declare the existence of a GS1 identification key, typically a GTIN, within
the range of the GS1 Company Prefix.
</dd>
</dl>
<p>
For details, refer to
<a href="#example-verifiable-credentials">Example Verifiable Credentials</a>
in <a href="#focal-use-case-chain-of-gs1-credentials-to-identify-a-trade-item">Appendix B2.</a>
</p>
<h4>Actors</h4>
<ul>
<li>
GS1 Global Office, the trusted root of the GS1 identification system
</li>
<li>
GS1 Utopia, a GS1 Member Organization, a country-based member of the GS1 federation, also a GS1 Prefix
licensee
</li>
<li>
Healthy Tots, a baby food manufacturer, also a GS1 Company Prefix licensee
</li>
<li>
Sell Anything &amp; Everything (SA&amp;E), a global marketplace
</li>
<li>
A trade item manufactured and sold by Healthy Tots, represented as a <a
href="https://www.gs1.org/standards/gs1-digital-link" rel="nofollow">GS1 Digital Link</a> URI
</li>
<li>
Benevolent Conglomerate, a company that acquires Healthy Tots and, optionally, its GS1 licenses
</li>
</ul>
<h5>Issuer</h5>
<ul>
<li>
For the GS1 Prefix license Verifiable Credential, the issuer is GS1 Global Office.
</li>
<li>
For the GS1 Company Prefix license Verifiable Credential, the issuer is GS1 Utopia, which is the subject of
the corresponding GS1 Prefix license Verifiable Credential.
</li>
<li>
For the trade item Verifiable Credential, the issuer is Healthy Tots, which is the subject of the
corresponding GS1 Company Prefix license Verifiable Credential.
</li>
</ul>
<h5>Subject</h5>
<ul>
<li>
For the GS1 Prefix license Verifiable Credential, the subject is GS1 Utopia.
</li>
<li>
For the GS1 Company Prefix license Verifiable Credential, the subject is Healthy Tots.
</li>
<li>
For the trade item Verifiable Credential, the subject is the GTIN represented as a <a
href="https://www.gs1.org/standards/gs1-digital-link" rel="nofollow">GS1 Digital Link</a> URI.
</li>
</ul>
<h5>Holder</h5>
<ul>
<li>
For the GS1 Prefix license Verifiable Credential, the holder is GS1 Utopia.
</li>
<li>
For the GS1 Company Prefix license Verifiable Credential, the holder is Healthy Tots.
</li>
<li>
For the trade item Verifiable Credential, the holder is Healthy Tots.
</li>
</ul>
<h5>Verifier</h5>
<ul>
<li>
Sell Anything &amp; Everything, a trading partner of Healthy Tots that needs to validate the identification
of an object (typically a trade item) and the data associated with it.
</li>
</ul>
<h4>Validation Requirements</h4>
<p>
The validity of a credential often depends on the validity of a prior credential and on comparison of data between
the credential of interest and its prior credential. The validation process is recursive, ending only when there is
no further prior credential and the first credential (the one with no prior credential) is issued by GS1 Global
Office.
</p>
<p>
Within the GS1 vocabularly, a credential that depends on a prior credential is said to extend the prior credential.
Accordingly, every such credential has an "extendsCredential" property that references the ID of the prior
credential; the absence of this property indicates the first credential.
</p>
<p>
A GS1 Prefix license Verifiable Credential is valid if it is issued by GS1 Global Office.
</p>
<p>
A GS1 Company Prefix license Verifiable Credential is valid if:
</p>
<ul>
<li>
the issuer is the same as the subject of the "extendsCredential";
</li>
<li>
the GS1 Company Prefix in "licenseValue" ("9521234" in the examples) starts with the same digits as
the GS1
Prefix in "licenseValue" of the "extendsCredential" ("952" in the examples); and
</li>
<li>
the credential was issued after the "extendsCredential" was issued and, if applicable, before the
"extendsCredential" was revoked or transferred.
</li>
</ul>
<p>
A key (GTIN) Verifiable Credential is valid if:
</p>
<ul>
<li>
the issuer is the same as the subject of the "extendsCredential";
</li>
<li>
the key (GTIN) in "credentialSubject.id" ("09521234555551" in the examples) is properly based on the
GS1 Company Prefix in "licenseValue" of the "extendsCredential";
</li>
<li>
the credential was issued after the "extendsCredential" was issued and, if applicable, before the
"extendsCredential" was revoked or transferred; and
</li>
<li>
the GS1 Company Prefix license Verifiable Credential is valid.
</li>
</ul>
<h4>Verifiable Presentation</h4>
<p>
Healthy Tots presents the credential for the key (GTIN) that it has issued to identify its product as well as the GS1 Company
Prefix license credential to prove that it has the right to issue the key to SA&amp;E. To complete the
validation, SA&amp;E requires the GS1 Prefix license credential issued to GS1 Utopia, which is publicly
accessible and discoverable via the GS1 Company Prefix license credential.
</p>
<h4>Trust Hierarchy</h4>
<ul>
<li>
GS1 Global Office is responsible for management of the GS1 identification system as a whole. It is
liable for ensuring that the GS1 Prefix licenses that it issues are unique.
</li>
<li>
GS1 Utopia is responsible for management of the GS1 identification system within the range(s) of the
GS1 Prefix(es) issued to it. It is liable for ensuring that the GS1 Company Prefix licenses that it
issues are unique.
</li>
<li>
Healthy Tots is responsible for management of the GS1 identification system within the range(s) of the
GS1 Company Prefix(es) issued to it. It is liable for ensuring that the GS1 identification keys that
it issues are unique.
</li>
<li>
SA&amp;E is responsible for ensuring that no two products listed on its website carry the same GTIN.
</li>
</ul>
<h4>Variation - License Transfer</h4>
<p>
GS1 license Verifiable Credentials are issued with a <code>validFrom</code> property but not a
<code>validUntil</code>
property. Licenses are renewable as long as the licensee abides by the terms and conditions of the GS1 Member
Organization that issued the license, including regular license payment if required. Accordingly, the only way for
a
trading partner to know that a license is no longer valid is to check its status for revocation.
</p>
<h5>Revocation</h5>
<p>
Once a license credential is revoked, any extension credentials (those that extend the revoked credential or that
extend other extension credentials) created after the revocation are invalid. For example, a GTIN key credential
created after the revocation of the underlying GS1 Company Prefix license credential is invalid because the
company no longer has the right to issue GTINs, or any other key, within the scope of the GS1 Company Prefix.
Other dependent credentials that are created after revocation may be valid, such as a product recall notice linked
to a GTIN key credential created before the revocation.
</p>
<p>
Extension credentials created prior to the revocation of an extended credential may be considered valid for
certain use cases. The key credential used to identify a trade item with a GTIN, for example, will remain valid in
perpetuity, long after trade items identified by the GTIN are no longer in the supply chain. Some of the data
credentials associated with the GTIN, such as those that describe the product or that provide information such as
recycling instructions, may also be valid well beyond the revocation of the GS1 Company Prefix license credential.
</p>
<h5>Suspension</h5>
<p>
Suspension of a license is an intermediate step for some GS1 Member Organizations, to give the licensee the
opportunity to come back into compliance with the terms and conditions of their agreement. In general, a suspended
credential should be treated as revoked, with the caveat that the suspension status could be removed entirely or
replaced with the revocation status. Verifiers should therefore check the credential status periodically until one
or the other occurs.
</p>
<h5>Replacement</h5>
<p>
Replacement is similar to revocation in that it invalidates the credential, but it indicates that there is
another, equivalent credential available. The most common use case for this is in acquisitions and mergers, as
defined in the GS1 General Specifications:
</p>
<p>
<em>
During an acquisition or merger, a company may assume responsibility for the acquired company's GS1 Company
Prefix and/or individual GS1 identification key licences. In the situations where the licences transfer, the
acquiring company can:
</em>
</p>
<ul>
<li>
<em>
Use the acquired company's GS1 Company Prefix(es) and GS1 identification key(s
</em>
</li>
<li>
<em>
Issue GS1 identification keys using the newly acquired GS1 Company Prefix(es)
</em>
</li>
</ul>
<p>
<em>
For example, products that the acquired company identified using its GS1 Company Prefix or individual GS1
identification key licences can still be produced using the same GTINs after the merger. Additionally,
parties, locations, assets, and other objects identified with GS1 identification keys can continue to use
those keys after the merger.
</em>
</p>
<p>
<em>
If a partial purchase occurs, where only a segment of a larger entity is acquired, the involved companies must
determine whether GS1 identification licences are transferred based on their specific business
requirements.
</em>
</p>
<p>
In such a situation, the acquiring company takes over the licenses of the acquired company and should be issued
the appropriate credentials. Those originally issued to the acquired company are no longer valid, but simple
revocation could be highly disruptive as there may be thousands of extension credentials that could be invalidated
by the business rules that apply to revocation. Instead, the replacement status indicates that the licence
credential has been replaced. As with revocation, any new extension credentials that directly reference the
replaced credential are invalid, but pre-existing extension credentials should be validated against the
replacement credential using the normal business rules.
</p>
<p>
Suppose that Healthy Tots is acquired by Benevolent Conglomerate. Benevolent Conglomerate may decide on a
hands-off approach and leave Healthy Tots to continue its operations much as before, with no impact on the way
that the GS1 identification keys are managed. It's possible, though, that Benevolent Conglomerate will decide to
discontinue Healthy Tots as a separate entity and instead absorb its products into a central catalogue. The GS1
Company Prefix license, originally issued to Healthy Tots, will be transferred by GS1 Utopia to Benevolent
Conglomerate.
</p>
<p>
In this case, a status check of the original GS1 Company Prefix license Verifiable Credential must indicate a
status of "replaced" and, potentially, include the ID of the replacement. Regardless of whether the status
indicates the ID of the replacement credential, the replacement must reference the credential it replaced. The
maintain continuity of supply chain management, the following must be supported:
</p>
<ul>
<li>
The original key credentials issued by Healthy Tots remain valid, as:
<ul>
<li>
they were issued prior to the replacement;
</li>
<li>
the replacement references the original license credential;
</li>
<li>
using a combination of the original and replacement credentials, the key credentials can be validated according to
the business rules; and
</li>
<li>
the replacement GS1 Company Prefix license Verifiable Credential has not been revoked.
</li>
</ul>
<li>
Benevolent Conglomerate can issue new key Verifiable Credentials based on the GS1 Company Prefix license Verifiable
Credential.
</li>
<li>
Benevolent Conglomerate can issue additional Verifiable Credentials based on the key Verifiable Credentials issued
by Healthy Tots, as the transfer (replacement) of the GS1 Company Prefix license Verifiable Credential provides an
authenticated chain of responsibility.
</li>
</ul>
</section>
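Review bot: The validity list for the GS1 Company Prefix license under "Validation Requirements" has no item requiring the extended GS1 Prefix license credential to be valid itself, while the key (GTIN) list ends with "the GS1 Company Prefix license Verifiable Credential is valid"; add the matching item ("the GS1 Prefix license Verifiable Credential is valid") so the recursion described in the first paragraph of that section is explicit at every level. Both lists also compare the time a credential was issued against the time its "extendsCredential" was revoked or transferred, but the issuer of that credential is the licensee itself and the text does not say where the verifier obtains either time; name the property that carries each time and say whether the licensee's own issuance date is accepted as stated, since the Revocation and Replacement sections make validity depend on that ordering. Minor: "vocabularly" should be "vocabulary", "The maintain continuity" should read "To maintain continuity", the quoted list item "GS1 identification key(s" is missing its closing parenthesis, the first outer list item in the final list is not closed before the next one opens, and the Replacement text uses "licence" outside the quoted passage ("the licence credential has been replaced") where the rest of the section uses "license".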