The Afsprakenstelsel Elektronische Toegangsdiensten uses Assertions provided by multiple issuers, from various roles applicable for the particular use case (e.g. with Respresentation). This page explains how these Assertion (declarations) are linked together.
Throughout a Herkenning, various roles may provide some of the information required for the complete result presented to the Dienstverlener (DV). These Assertions are linked based on the relationship between the User and the Dienstafnemer.
The Herkenningsmakelaar will return an Assertion with the combined result of a Herkenning. This Assertion will hold all underlying Assertions under an element <Advice>.
The initial Assertion of a chain is the Assertion by the AD authenticating the User. Subsequent related Assertions are linked to this Assertion.
Each linked Assertions is linked to another using the AssertionIDRef under Advice and bound through inclusion of the SignatureValue of the linked Assertions, using a LinkedDeclarationSignatureValue attribute. By including the SignatureValue in this way, the Assertion is linked cryptographically and secured against modifications.
Each underlying Assertion will hold information about the Subject of that Assertion. Assertions part of a single Herkenning stating information about the exact same Subject, will all have a NameID with the same 'transient' ID created by the Authenticatiedienst upon authentication of the User. Assertions part of a single Herkenning stating information about distinct other Subjects – i.e. those about the User and about the entity represented – will have a different transient NameID. Each new Herkenning will result in new transient identifiers for each Subject.
Representation
In case of representation, the various Assertions will by definition not describe the same Subject. Each new authorization in an authorization chain will therefore introduce a different transient Subject to describe the new entity in the authorization chain.
The Assertions are themselves are linked in the same way as described above, using the AssertionIDRef to link them and an attribute LinkedDeclarationSignatureValue to cryptographically bind them.
