CX-0135 BP Company Certificate Management v2.1.0
ABSTRACT
In the world of business, company certificates are often mandatory for conducting transactions between two companies. However, the process of provisioning, maintaining, and validating these certificates can be a major challenge. For example, if a company has 100 customers, they may need to provide their company certificates in 100 different ways and maintain them at 100 different points.
To address this issue, a use case has been developed that provides a standardized but generic data model for company certificates. This allows companies to provide and exchange certificates on a defined standard within the scope of the Catena-X data space.
This standard is intended for participants in the data space who wish to provide their company certificates as a digital asset that can be exchanged via the Eclipse Data Space Connector. By adhering to this standard, companies can ensure the secure and efficient sharing of their certificates within the data space.
FOR WHOM IS THE STANDARD DESIGNED
COMPARISON WITH THE PREVIOUS VERSION OF THE STANDARD
The previous version of the standard was designed for an API. This standard has been updated to a semantic data model.
1 INTRODUCTION
This component is used to standardize the way in which a semantic model for certificate management should be designed. This ensures that services and products consuming data can function effectively and enabling interoperability.
This standard is crucial for data providers and consumers who want to exchange company certificates through the Catena-X data space. By complying with this standard, companies can ensure seamless certificate management, thereby streamlining their overall operations.
1.1 AUDIENCE & SCOPE
This section is non-normative
List for which roles the standard is relevant:
- Data Provider and Consumer
- Business Application Provider
- Enablement Service Provider
This standard applies to business application providers and enablement service providers who aim to offer a solution for managing and exchanging company certificates, and returning them to customers. It is also important for data providers and consumers who need to manage and exchange certificates through a solution provider.
1.2 CONTEXT AND ARCHITECTURE FIT
This section is non-normative
The establishment of various industry networks, such as Catena-X, has significantly increased the need for data standards across the entire automotive value chain. To promote industry-wide, international data exchange and facilitate networking between OEMs, suppliers, customers, and industrial partners, it is essential to define and introduce a cross-industry standard for the provisioning, exchanging and maintenance, of company certificates. This standard ensures interoperability and data sovereignty, while also increasing trust in certificates.
By implementing this standard, companies can streamline the process of managing and exchanging certificates, reducing the burden of maintaining multiple certificates for different customers. Additionally, the standard ensures that certificates are exchanged in a secure and reliable manner, enhancing trust and confidence in the data exchange process. Overall, the introduction of a cross-industry standard for company certificates is a crucial step towards achieving seamless and secure data exchange across the automotive industry.
This aspect model is written in SAMM 2.1.0 as a modeling language conformant to CX-0003:1.1 SAMM Semantic Aspect Meta Model.
SAMM is used to create data models, which are attached to e.g. digital twins in the form of an Asset Administration Shell (AAS) submodel or exchanged as JSON-File.
All submodels in Catena-X are managed in the Tractus-X GitHub repository. A data model is requested and exchanged via Catena-X using an Eclipse Dataspace Connector (CX-0001:1.0 EDC Discovery API), which is a separate Catena-X standard.
1.3 CONFORMANCE AND PROOF OF CONFORMITY
This section is non-normative
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, REQUIRED, SHOULD and SHOULD NOT in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
All participants and their solutions will need to proof, that they are conform with the Catena-X standards. To validate that the standards are applied correctly, Catena-X employs Conformity Assessment Bodies (CABs).
1.4 EXAMPLES
A company that has 100 customers, they may need to provide their company certificates in up to 100 different ways and maintain them manually at 100 different points (typically proprietary customer portals). A company has 100 customers, that provide different certificates, from different countries and they need to validate them.
1.5 TERMINOLOGY
This section is non-normative.
In this section the different parts of the data model are explained.
1.5.1 BPNL BUSINESS PARTNER NUMBER LEGAL ENTITY
A Business Partner Number Legal Entity (BPNL) represents and uniquely identifies a Legal Entity, which is defined by its legal name (including Legal Form, if registered), legal Address and Tax Number. For further details on BPNLs please see standard CX-0010:2.0 Business Partner Number.
For this standard and the data model the BPNL is the BPN id of the certified legal entity.
Attribute: businessPartnerNumber
1.5.2 CERTIFICATE TYPE
The attribute CertificationType refers to the type of the certificate the BPN is certified for. This data model is generic and currently supports, but is not limited to, the following list of certificate types. Additional certificate types will be validated in the future, and others may already be compatible with this generic model:
- IATF 16949 (International Automotive Task Force) is a standard that defines the requirements for a quality management system in the automotive industry.
- ISO 14001 is a standard that outlines the requirements for an environmental management system to help organizations minimize their impact on the environment.
- ISO 9001 is a standard that sets out the requirements for a quality management system to help organizations consistently provide products and services that meet customer and regulatory requirements.
- ISO 45001, OHSAS 18001 or national certification are occupational health and safety management system standards that help companies identify and manage workplace hazards to prevent accidents and injuries.
- ISO/IEC 27001 is an information security management system standard that provides a framework for companies to manage and protect their sensitive information.
- ISO 50001 or national certification is an energy management system standard that helps companies improve energy efficiency and reduce costs.
- ISO/IEC 17025 is a laboratory accreditation standard that ensures the accuracy and reliability of testing and calibration results.
- ISO 15504 (SPICE) is a process assessment model that helps companies improve the quality and efficiency of their software development processes.
- ISO 20000 is an IT service management system standard that helps companies deliver high-quality IT services to their customers.
- ISO 22301 is a business continuity management system standard that helps companies prepare for and respond to unexpected disruptions to their operations.
- AEO (Authorized Economic Operator), CTPAT (Customs-Trade Partnership Against Terrorism), Security Declaration is an internationally recognized certificate that confirms a company's compliance with customs regulations and supply chain security standards. CTPAT (Customs-Trade Partnership Against Terrorism) is a voluntary program that promotes supply chain security and trade compliance with U.S. Customs and Border Protection. Security Declaration is a document that outlines a company's security measures and procedures for the transportation of goods.
- VDA6.4 is a standard that defines the requirements for a quality management system in the automotive industry, with a focus on process auditing.
Note: The spelling of the certificate type may vary slightly on the user interface or within the data model.
1.5.3 REGISTRATION AND ISSUING
The issuing authority is the authority that issues a certificate - e.g. TUEV Sued. The registration number is the unique identifier of the certificate at the certification authority / issuing body.
Example: ISO 9001 certificate is issued by TUEV Süd, which is the certification authority.
1.5.4 AREA OF APPLICATION
The attribute areaOfApplication refers the area of applications for the given certification i.e. additional details.
1.5.5 ENCLOSED SITES / ADDRESSES
This attribute enclosedSites is closely linked to the Business Partner Number (BPN) and indicates additional sites, such as production or engineering sites, that are covered by the certificate. In other words, the certificate is valid not only for the primary BPN, but also for any associated sites (BPNS). This attribute is particularly useful for companies with multiple locations or business units, as it allows them to manage certificates more efficiently and ensures that all relevant sites are covered by the certificate.
Note: If no BPNS is available, the use of the Business Partner Number Address (BPNA) is also allowed within this attribute.
1.5.6 VALIDITY
The attribute validity refers to the date from which the certificate is valid. If it is not defined, it is recommended to use the date of issue/signature of the document. In connection with the valid-from date, there is the valid-to date for a certificate - 31.12.9999 for no expiration date.
1.5.7 TRUST LEVEL
This data object defines the trust level of the certificate.
The certificates are provided in the business context by the company itself - they are showing their certificates to other companies. Not every certificate can be directly validated by the issuing authority. That is why there are different trust levels defined: none / low / high / trusted.
None: no validation check at all, just uploaded / provided by the company Low: manual validation check done by human after upload Medium: certificate provided by trusted issuer and manually checked (as low) High: automated cross check via some database (e.g. TÜV, IATF) Trusted: directly provided by issuer (e.g. TÜV)
1.5.8 VALIDATOR
The validator is the one who can validate certificate information. In the best way it is the authority that is issuing the certificates but there can be other validators. This attribute has a relation to the trust level.
E.g. Business service providers that offer a validation service for company certificates.
Note: The property validatorBpn expects the BPNL as the default. However, if deemed necessary, this property can be used as a free text field (string).
1.5.9 CERTIFICATE UPLOADER
The attribute uploader defines the company (uploader) who originally provided the given certificate (e.g. company A provided it to business application provider B, business application provider B is a trusted validator). This company is also identified by a BPN.
1.5.10 ID
The internal reference id to request a certificate document.
2 ASPECT MODELS
2.1 ASPECT MODEL "BusinessPartnerCertificate"
This section is normative
This aspect model is written in SAMM 2.1.0 as a modeling language conformant to [CX-0003:1.1] as input for the semantic driven workflow.
Like all Catena-X data models, this model is available in a machine-readable format on GitHub conformant to [CX-0003:1.1].
2.1.1 LICENSE
This Catena-X data model is made available under the terms of the Creative Commons Attribution 4.0 International (CC-BY-4.0) license, which is available at Creative Commons.
2.1.2 IDENTIFIER OF SEMANTIC MODEL
The semantic model has the unique identifier
urn:samm:io.catenax.business_partner_certificate:1.0.0
This identifier MUST be used by the data provider to define the semantics of the data being transferred.
2.1.3 FORMATS OF SEMANTIC MODEL
The RDF turtle file, an instance of the Semantic Aspect Meta Model, is the master for generating additional file formats and serializations.
The open source command line tool of the Eclipse Semantic Modeling Framework is used for generation of other file formats like for example a JSON Schema, AASX for Asset Administration Shell Submodel Template or a HTML documentation.
3 REFERENCES
3.1 NORMATIVE REFERENCES
- CX-0003:1.1 SAMM Aspect Meta Model
- CX-0010:2.0 Business Partner Number
3.2 NON-NORMATIVE REFERENCES
This section is non-normative
- CX-0001:1.0 EDC Discovery API
3.3 REFERENCE IMPLEMENTATIONS
This section is non-normative
not applicable
ANNEXES
FIGURES
This section is non-normative
not applicable
TABLES
This section is non-normative
not applicable
Legal
Copyright © 2024 Catena-X Automotive Network e.V. All rights reserved. For more information, please visit here.