Update Readme

jason-fox · jason-fox · commit 066398283595 · 2025-08-01T15:54:40.000+02:00
diff --git a/README.md b/README.md
@@ -45,16 +45,146 @@ commands used to generate credentials using a REST API
 > ― Remarks on Signing the Intermediate-Range Nuclear Forces Treaty
 
 
-## What are Verifiable Credentials
+## What are Verifiable Credentials?
+
+Verifiable credentials are the digital equivalent of something like a membership card or a drivers
+license. They are a representation of some sort of ownership or rights that a user claims to hold.
+Verifiable credentials follow an international W3C standard and are cryptographically secure, so they
+can be checked much like in the real world.
+
+The idea behind verifiable credentials is that they can be issued and verfied by anyone - that is that there is no centralised owner of all of the information. This contrasts with the standard OAuth2
+Authorization Code Grant flow which relies on a user logging in somewhere to prove who they are.
+
+For example in the physical world, when a tourist enters new a country, they typcially need to pass through border control, where they are asked to provide a valid identity document or passport. The border guard needs to check both that the passport is real, and that the passport actually belongs to the tourist himself. Other requirements may also need to be met, maybe a specific visa or vaccination certificate is required.
+
+Now, the tourist's passport has been provided by their own national government, so the border guard,
+as well as checking that the photo matches the recipient,  is implicitly checking that a document provided by a third party is real, without necessarily directly contacting the country concerned.
+
+With Verifiable credentials, a check for the validity of the document can be made based on the some sort of agreed cryptographic proof, the decoded document holds the claimed rights and also connects directly to both the subject of the credential (similar to the passport photograph) and the identity of the issuer  (similar to the origin country of origin the passport itself). In both cases this identity needs to resolve to a unique id, where the id has been pre-generated by the owner.
+
+
+## What are Decentralised Identifiers?
+
+[Decentralised Identifiers](https://www.w3.org/TR/did-1.0/) are a mechanism to create verifiable, persistent identifiers without the need to defer to a central authority. A digital identifier consists of a URN made up of several sections,
+each separated by a colon. They start with the namespace `did` , followed by a decentralised identifier method (such as `web` or `ethr`,  `key`). The method defines how the rest of the identifier can be decoded and resolved.  For example the term [`did:web`](https://w3c-ccg.github.io/did-method-web/)  refers to a method for creating decentralized identifiers that are hosted on a publicly accessible web domain, `did:ethr` is used by [Etherium-based identities](https://github.com/uport-project/ethr-did-registry) and a [`did:key`](https://w3c-ccg.github.io/did-key-spec/) holds an encoded public key. the remaining sections of the URN will resolve to allow a verifier to check if the identity has been used correctly.
+
+For example `did:web:fiware.github.io:tutorials.Step-by-Step:alice` is referring to a document found at
+[`https://fiware.github.io/tutorials.Step-by-Step/alice/did.json`]
+
+```json
+{
+  "@context": [
+    "https://www.w3.org/ns/did/v1",
+    "https://w3id.org/security/suites/jws-2020/v1"
+  ],
+  "id": "did:web:fiware.github.io:tutorials.Step-by-Step:alice",
+  "verificationMethod": [
+    {
+      "id": "did:fiware.github.io:tutorials.Step-by-Step:alice#owner",
+      "type": "JsonWebKey2020",
+      "controller": "did:web:fiware.github.io:tutorials.Step-by-Step:alice",
+      "publicKeyJwk": {
+        "kty": "EC",
+        "crv": "secp256k1",
+        "x": "Nd3DeQ7G/1pTeYM6viWK6plbSD9E7cA9C2ONG9qG3CQ=",
+        "y": "LuMt0dFWni1/fs/VqfjNOHAZT3PWGxKU8kUlLffGtjM="
+      }
+    }
+  ],
+  "authentication": [
+    "did:web:fiware.github.io:tutorials.Step-by-Step:alice#owner"
+  ],
+  "assertionMethod": [
+    "did:web:fiware.github.io:tutorials.Step-by-Step:alice#owner"
+  ]
+}
+```
 
-## What are Distributed Identifiers
 
+Which in turn is a JSON-LD document which holds a list of verification methods which can be used to valid the `id`. In this case `JsonWebKey2020` refers to a [JSON Web Signature](https://w3c-ccg.github.io/lds-jws2020/)
 
 # Architecture
 
+For the purpose of this tutorial, we will take the demo Farm Management Information System (FMIS)
+from the previous tutorial, and alter access to the vet's context broker. Remember that within our
+data space we effectively have three context brokers owned by the Farmer, a Vet and a Contract labourer
+respectively.
+
+- The default tenant which holds **Building** data and is used for collating data from all systems
+- The `farmer` tenant which holds **Animal**, **Device** and **AgriParcel** information
+- The `contractor` tenant holds **Animal** data about animals needing additional care.
+- The `vet` tenant which holds **Animal** data about new-born animals
+
+
+Within the data space, the **Vet** wishes to restrict access to her data to legitmate users only:
+
+-  Those who have bought access to her data, who are accredited users of **Vets Mart*
+-  Animal welfare officers who are legally alloweed access who are accredited by the national **Government**
+
+This tutorial will not complete the enforcement of access rules, but will show how accredited users would be
+able to demonstrate that they are legitimately from those organisations.
+
+
+
+Therefore the overall architecture will consist of the following elements:
+
+- The [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/) which will send and receive requests
+  using
+  [NGSI-LD](https://forge.etsi.org/swagger/ui/?url=https://forge.etsi.org/rep/NGSI-LD/NGSI-LD/raw/master/spec/updated/generated/full_api.json).
+  This is split into the following systems, each running on their own tenant:
+  - The default tenant
+  - The `farmer` tenant
+  - The `contractor` tenant
+  - The `vet` tenant
+- The FIWARE [IoT Agent for UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/) which will receive
+  southbound requests using
+  [NGSI-LD](https://forge.etsi.org/swagger/ui/?url=https://forge.etsi.org/rep/NGSI-LD/NGSI-LD/raw/master/spec/updated/generated/full_api.json)
+  and convert them to
+  [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual)
+  commands for the devices
+- The underlying [MongoDB](https://www.mongodb.com/) database :
+  - Used by the **Orion Context Broker** to hold context data information such as data entities, subscriptions and
+    registrations
+  - Used by the **IoT Agent** to hold device information such as device URLs and Keys
+- An HTTP **Web-Server** which offers static `@context` files defining the context entities within the system.
+- The **Tutorial Application** does the following:
+  - Acts as set of dummy [agricultural IoT devices](https://github.com/FIWARE/tutorials.IoT-Sensors/tree/NGSI-LD)
+    using the
+    [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual)
+    protocol running over HTTP.
+  - Displays a running Farm Management Information System (FMIS)
+
+In additionl, our **Vet** will be using a dummy data space connector, it includes:
+
+- A FIWARE [Credentials Configuration Service](https://github.com/FIWARE/credentials-config-service) to hold the location of services it should trust
+- A FIWARE [trusted-issuers-list]https://github.com/FIWARE/trusted-issuers-list/) which returns the list of trusted roles for each issuer's credentials
+
+Since all interactions between the elements are initiated by HTTP requests, the entities can be containerized and run
+from exposed ports.
 
 # Start Up
 
+All services can be initialised from the command-line by running the
+[services](https://github.com/FIWARE/tutorials.Verifiable-Credentials/blob/NGSI-LD/services) Bash script provided within the
+repository. Please clone the repository and create the necessary images by running the commands as shown:
+
+```console
+git clone https://github.com/FIWARE/tutorials.Verifiable-Credentials.git
+cd tutorials.Linked-Data
+git checkout NGSI-LD
+
+./services orion|scorpio|stellio
+```
+
+> [!NOTE]
+>
+> If you want to clean up and start over again you can do so with the following command:
+>
+> ```
+> ./services stop
+> ```
+
+
 
 # Verifiable Credentials
 
