Overview¶
The system uses four independent components that together provide automated, policy-driven access control without requiring a central authority or blockchain.
Standards used¶
| Standard | Role | Specification |
|---|---|---|
| ODRL | Access policies (permissions, prohibitions, duties) | W3C Recommendation |
| Nanopublications | Immutable, signed policy and audit records | nanopub.net |
| DID | Decentralized identity (did:web) | W3C Recommendation |
| RO-Crate | Research object packaging and metadata | RO-Crate 1.1 |
| I-ADOPT | Variable semantics for automatic column mapping | I-ADOPT |
| AES-256-GCM | Authenticated encryption | NIST SP 800-38D |
| ECDH + HKDF | Key agreement for wrapping | RFC 6090 |
Encryption scheme¶
Data encryption¶
Each dataset is encrypted with a unique AES-256-GCM symmetric key:
Plaintext file Encrypted file
buildings.gpkg ──AES-256-GCM──► [12B nonce][ciphertext + 16B GCM tag]
│
key (32 bytes, stored as GitHub Secret)AES-256-GCM provides both confidentiality and integrity
The 12-byte nonce is randomly generated and prepended to the ciphertext
The 16-byte GCM authentication tag detects any tampering
Key wrapping¶
The dataset key is wrapped (encrypted) for each authorized recipient using an ECIES-like scheme:
1. Generate ephemeral EC P-256 keypair
2. ECDH shared secret = ephemeral_private × recipient_public
3. Wrapping key = HKDF-SHA256(shared_secret)
4. Wrapped key = AES-256-GCM(wrapping_key, dataset_key)
5. Output: { ephemeral_public_key, nonce, wrapped_key }Only the holder of the recipient’s private key can reverse step 2 to derive the wrapping key and unwrap the dataset key.
Access request flow¶
Why not blockchain?¶
The nanopublication network provides the same guarantees often attributed to blockchain:
| Property | Blockchain | Nanopublications |
|---|---|---|
| Immutability | Hash-chain consensus | Content-addressed URI + cryptographic signature |
| Decentralization | Distributed ledger | Peer-to-peer nanopub servers |
| Verifiability | Public ledger | Signed RDF, independently verifiable |
| Audit trail | Transaction log | Access grant nanopubs |
| Cost | Gas fees | Free |
| Science-ready | No | Yes (designed for scholarly communication) |
Migration paths¶
The architecture is modular — each component can be replaced independently:
| Component | Current | Alternative |
|---|---|---|
| Key server | GitHub Pages + Actions | FastAPI on LifeWatch / university server |
| Data storage | Zenodo + S3 | Any HTTP/S3-compatible storage |
| Identity | did:web | did:key, did:ethr, institutional SSO |
| Policy store | Nanopub network | Local JSON-LD files |
| Pipeline | urban_pfr | Any tool that reads GeoPackage/FlatGeobuf |