Slide 1

Slide 1 text

10/31/24

Slide 2

Slide 2 text

Consulting, Workshops and Reviews
What we do?
Software Modernization
We develop cloud software solutions:
We increase the efficiency of your IT-department:
Cloud-native Software Development
Data insights
Platform Engineering
Cloud Infrastructure

Slide 3

Slide 3 text

POSEDIO’S TOOLSTACK

Slide 4

Slide 4 text

Product Carbon Footprint Estimation for Plastic Injection Molding

Project with four use cases from the production domain
• Component matching
• Validation platform
• Mobile processing machines
• Carbon footprint in production engineering and manufacturing

Slide 5

Slide 5 text

MAIN CHALLENGES

• Give participants control over and understanding of what can happen to their data.
• Maturity and specialization of tools.
• Main Requirements
  • Protect data and the know-how/value it includes.
  • Maintainable system that can be adapted to the changing needs of participants.
  • Understandable and maintainable by non-programmers!
  • Reusable across multiple data ecosystems.
• Non-Functional:
  • Authorization checks need to be fast.

Slide 6

Slide 6 text

POTENTIAL SOLUTIONS

We looked at
• Own know-how (Rego/OPA)
• Gaia-X (participation, blog, academy)
• GXFS-DE (XFSC) implementation
• EDC Connector implementation
• FIWARE implementation (XACML)

• Rego and Open Policy Agent
  • Mature but no Gaia-X (or JsonLD, VC/VP) support
  • Trust Server API (GXFS-DE) is based on OPA
• ODRL: Open Digital Rights Language (later chosen by Gaia-X as standard)
  • Specification without a reference implementation
  • Supports customization through profiles like Gaia-X’s OVC
  • Multiple implementations
    • Gaia-X “Policy Reasoning Engine”
      • Uses Graph Database – not fast enough for our needs
    • EDC Connector implementation
      • Complex to use: See Access Policies Tutorial – therefore hard to get right.
• FIWARE: Keyrock, Wilma PEP Proxy, and Authzforce
  • XACML (eXtensible Access Control Markup Language)
  • IMHO: Unpleasant to create and maintain as text. See Example from Docs. It makes it hard to get policies right.

Slide 7

Slide 7 text

OUR APPROACH: REGO BASED SOLUTION

• It started before Gaia-X settled on ODRL
• Added extensions to OPA: vc.verify()
• Provide building blocks to work with Gaia-X and Data Spaces
• Presented at Gaia-X Tech-X 2024

Slide 8

Slide 8 text

OUR APPROACH: REGO BASED SOLUTION

• Integrate ODRL as OPA Extension: gxi.odrl_evaluate() function
• Work in progress

Slide 9

Slide 9 text

EMBEDDABLE ODRL ENGINE

1. Look at existing ODRL engines
  • EDC-Connector: Java – needs a runtime.
  • Gaia-X Policy Reasoning engine – needs a database for reasoning.
  • Announced Gaia-X ODRL Library: Risk it comes too late for our project
  • Other ODRL implementations we found are either outdated or private
2. Started our own embeddable ODRL engine with support for Gaia-X OVC profile
  • https://gitlab.euprogigant.kube.a1.digital/paul.weissenbach/ohdrl/-/tree/main
  • To use ODRL within our framework, we need it to be embeddable.

Slide 10

Slide 10 text

OUR ODRL ENGINE / LIBRARY

• More info about our solution and why it’s good
• Developed in Rust
• Early days
• Doesn’t implement the full ODRL spec
• Follows ODRL’s formal semantics draft relatively closely
• Support for Gaia-X OVC Profile
• Code architecture and the ability to extend it is similar to the EDC’s implementation

Slide 11

Slide 11 text

NEXT STEPS

People with domain and contractual knowledge are rarely also software developers.

• Improvements
  • Templates and building blocks for policy development
  • Tooling (for ODRL):
    • linter,
    • debugger,
    • audit trail (replay),
    • UIs,
    • etc.
  • Work on simplifying policy languages.
• We are looking for cooperation opportunities!
• Continue developing our ODRL engine/library.
• Research how policies, their creation, and maintenance can be made simpler.

Slide 12

Slide 12 text

THANK YOU!

Paul Weißenbach
[email protected]

POSEDIO GMBH
Weyringergasse 1-3, 1040 Wien, Austria
Millenium Park 4, 6980 Lustenau, Austria
www.posedio.com