iSHARE Community Forum

Frequently Asked Questions: iSHARE in practice

How does iSHARE work?

iSHARE is not a platform, system or software. Instead, iSHARE is a scheme for identification, authentication and authorization which describes how organizations can share logistics data in a uniform, simple and controlled way, including with new and previously unknown partners. They do so by upholding mutual agreements. Because all the participants work based on the same approach, iSHARE is a trustworthy and reliable way of sharing data with one another.

What is meant by identification, authentication and authorization?

Identification means presenting a particular identity, such as a user name or device name.

Authentication means validating whether the identity of the user or of the device does indeed match the identity presented. Think of a passport, for instance: ‘identification’ is when you show your passport (because you ‘present’ an identity), and ‘authentication’ is when you are compared against the photo in your passport (validating whether you match the identity presented in the passport).

Authorization is the process of giving someone or something certain access rights. To come back to the passport example again: if it is authenticated that a person is over 18 years of age, that person is authorised to purchase products with a minimum legal age of 18.

What is meant by delegation of rights?

iSHARE makes it possible to ‘delegate’ authorizations. This enables an organization that outsources certain activities to another organization to also give that organization the necessary rights in order to view data. For an everyday example, think of a political election. As a voter (someone who is authorised to vote), you can empower someone else to cast your vote on your behalf. In this case, you delegate your right to vote to someone else who is allowed to cast your vote for you.

If you share data using iSHARE, you can delegate your rights too. Needless to say, this can only be done with the approval of the data owner, who – when managing the access rights to their data – also determines whether those rights may be delegated.

How can I be sure I can trust other iSHARE participants?

All organizations that join the iSHARE Scheme know they can trust one another because they have all signed the Accession Agreement, which legally binds them all to comply with the same terms and conditions.

In order to be accepted for the iSHARE Scheme, all organizations first have to complete a number of technical tests and then – even more importantly – sign the iSHARE Accession Agreement. This is how organizations demonstrate that they comply with the security requirements for providing access to data and that they will uphold the agreements related to data-sharing. In order to be allowed to join the scheme, an organization must sign a contract with the Scheme Owner and that contract legally commits the organization to the iSHARE agreements.

All organizations that participate in the iSHARE Scheme are bound by the iSHARE Terms of Use. They can legally hold one another to the rules based on so-called ‘perfection’, which means that people or organizations have obligations towards one another when they are bound by shared laws or contracts. As a result, every organization within iSHARE can take action if a participant fails to adhere to the rules.

How can I control who has access to my data?

As the data owner, you always remain in full control of your data within the iSHARE Scheme. You are the one who decides which other organizations have a right to your data, and you arrange this either in your own software solution or in an iSHARE-certified Authorization Registry. These so-called authorizations are always authenticated first before data can be shared.

Who manages iSHARE?

The iSHARE Scheme Owner manages the Scheme and the network of participating organizations. Thanks to the governance structure of the Scheme Owner, participating organizations have a say in things like the future development of the Scheme. The organization is independent and transparent.

Both the interim and the permanent Scheme Owner will comply fully with the Scheme’s operational agreements.

What is meant by authorization registries and identity providers?

The iSHARE Scheme includes so-called Authorization Registries and Identity Providers. They play an important role, since they are independent parties that provide key information for the purpose of performing identification, authentication and authorization activities.

The identities of devices/systems are checked fully digitally based on digital certificates. Checking a person’s identity is more complex. However, rather than having to present their passport or comparable ID document every time, there are other ways that people can identify themselves, such as a combination of user name and password or an ID card plus PIN number.

Within iSHARE it is also possible to work with certified partners that issue such tools to users. These partners are called Identity Providers. Using an Identity Provider relieves you of the burden associated with setting up and updating your own identification and authentication software. Additionally, for your partners’ employees, it means that they can use the same identity to log in with multiple organizations.

After log-in, the organization in charge of the requested data checks whether the other organization is authorised to receive it. It does this either in an iSHARE Authorization Registry or directly with the data owner, if the data owner has made that technically possible in line with the iSHARE specifications.

Organizations that wish to fulfil the role of Identity Provider or Authorization Registry themselves are subject to strict certification, including tight checks on the quality and security of their services. After all, they provide a service within the iSHARE network that all participating organizations must be able to trust.

Who can see my messages and data using iSHARE?

In iSHARE, messaging data is not handled by an intermediary. Instead, communication traffic and data pass directly from one partner to the other, which means that the messages and data can only be seen by the organizations themselves. However, it can be necessary to involve additional third-party information for the purpose of identification, authentication and authorization. These so-called Identity Providers and Authorization Registries cannot view the data itself; they are merely involved in validating identities and authorised rights.

How can I tell whether organizations already use iSHARE?

You can recognize users of iSHARE by the iSHARE logo. Even more importantly, however, you can verify an organization’s status by checking with the iSHARE Scheme Owner. That way, you are always fully aware of the organization’s most recent status and whether they comply with all the iSHARE agreements.

How do I know that partners are using my data as agreed?

iSHARE gives you, the data owner, full control over not only who has access to your data, but also what that partner is allowed to do with your data and for how long. You formalize this in iSHARE licences that relate to a dataset.
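The checks described in this FAQ (the data owner decides who gets access, what they may do, for how long, and whether the right may be delegated) can be modelled as a chain of grants that must lead back to the owner. This is an added example, not code or a data format from the iSHARE specifications; the `Grant` fields, the `is_authorized` function, the EORI-style identifiers and the dataset name are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    issuer: str          # party handing out the right
    subject: str         # party receiving it
    dataset: str
    actions: frozenset   # what the licence allows
    not_after: datetime  # how long the licence lasts
    may_delegate: bool   # may the subject pass the right on?

def is_authorized(grants, owner, party, dataset, action, now,
                  need_delegable=False, seen=frozenset()):
    """True if `party` holds `action` on `dataset` through a chain of
    valid grants that starts at the data owner."""
    if party == owner:
        return True
    if party in seen:                      # guard against circular delegation
        return False
    for g in grants:
        if (g.subject != party or g.dataset != dataset
                or action not in g.actions or now >= g.not_after):
            continue
        if need_delegable and not g.may_delegate:
            continue                       # this link may not be passed on
        # The issuer must itself hold a delegable right back to the owner.
        if is_authorized(grants, owner, g.issuer, dataset, action, now,
                         True, seen | {party}):
            return True
    return False

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data; identifiers are EORI-style placeholders.
OWNER, FORWARDER, CARRIER = "NL000000001", "NL000000002", "NL000000003"
TERMINAL, SUBCONTRACTOR = "NL000000004", "NL000000005"
DS, READ = "container-eta", frozenset({"read"})
GRANTS = [
    Grant(OWNER, FORWARDER, DS, READ, utc(2026, 1, 1), may_delegate=True),
    Grant(FORWARDER, CARRIER, DS, READ, utc(2027, 1, 1), may_delegate=False),
    Grant(OWNER, TERMINAL, DS, READ, utc(2026, 1, 1), may_delegate=False),
    Grant(TERMINAL, SUBCONTRACTOR, DS, READ, utc(2026, 1, 1), may_delegate=False),
]
```

In this model a delegated right is only as valid as every link behind it: once the forwarder's licence expires, the carrier's access ends too, even though the carrier's own grant runs longer.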

Can iSHARE be used worldwide?

Yes. Although iSHARE is a Dutch initiative, it is not restricted to the Netherlands. During the co-creation process of the Scheme, the co-creation partners took account of the fact that international organizations should also be able to implement and utilize the agreements. As a result, the iSHARE Scheme includes standardized and widely used techniques such as OAuth and OpenID Connect as well as international identifiers such as the EORI number.