Open-Credentialing-Initiative / Credential-Issuer-Conformance-Criteria

Conformance criteria for service providers who wish to be recognized by OCI as Credential Issuers
https://open-credentialing-initiative.github.io/Credential-Issuer-Conformance-Criteria/
Apache License 2.0

Credential Monitoring and Expiration #4

Closed bluesteens closed 1 year ago

bluesteens commented 2 years ago

para 6.3 Identity Credential Monitoring and Expiration para 6.6 ATP Credential Monitoring and Expiration

... require the VC to be valid and monitored for 1 year. I feel this requirement is arbitrary and goes beyond the scope of OCI because:

In my opinion, OCI should not define expiration dates or minimum periods, as these depend on legal and commercial factors outside OCI's and the CI's influence. Any arbitrary period seems meaningless. The job of the CI is to keep monitoring for as long as needed (i.e. customer pays) or until VC revocation on any of the grounds specified in the conformance criteria.

britpayson commented 2 years ago

During early discussions within OCI, the collective group agreed that Credentials should have an expiration date; however, it would not be determined by the expiry date of the underlying evidence as it could be as short as one day (ie – State BOP license expiration) or have no set expiration (ie – corporate documentation). At that point it was recommended that 1-year be established as the default knowing this might change later down the road.

With that being said, I would agree that having OCI specify a specific validity time period would simply be an arbitrary number. I believe the intent is to make it clear that during the given validity period, an Issuer must perform ongoing monitoring (according to the Conformance Criteria) which an Issuer could associate to a service contract / agreement for credentialing services.

Should the issue be raised further in the future, I would recommend that the wording be updated to reflect this intent – for example:

Identity:

Current Wording - 6.3 Identity Credential Monitoring and Expiration An Identity Credential SHALL expire one year from the date it is issued. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this one-year term, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.

Suggested Wording: An Identity Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.

ATP:

Current Wording - 6.6 ATP Credential Monitoring and Expiration An ATP Credential SHALL expire one year from the date it is issued. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this one-year term, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.

Suggested Wording: An ATP Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.

bluesteens commented 2 years ago

I agree with this re-wording and suggest it to be considered a change request for OCI's consideration.

britpayson commented 1 year ago

Triage:

Affected Parties (help determine Sunrise/Sunset):

Affected OCI Artifact

- Steering/Industry Notification

bluesteens commented 1 year ago

- consider adding recommendation for length of VC, possibly based on real-world license validity time
- consider adding different reasons for revocation (license failure, commercial contract ends)

rceleste125 commented 1 year ago

Recommendation / Best practice: shorter expirations help with new schema versions of credentials.

May want another "Issue" to address revocation "reason" (in revocation list or described in documentation).

ewaldorf commented 1 year ago

Recommend to include that Credential Issuer is setting expiration date based on services agreement between Credential Issuer and trading partner.

lleifermann commented 1 year ago

I don't think we should mix credential expiration with the business value we might impose on the field.

An example is the usage in SSL certificates. They also have an expiration date which just presents the lifetime of the certificate, not bound to agreements of Root CAs or other things.

IMHO the expiration should always be some hardcoded equal value for all credentials in the OCI. For expressing the relationship of license revocation and credential revocation we should rather rely on the revocation mechanism of W3C credentials.

(The proposed Ethereum revocation mechanism may be extended to also include a reason. See https://en.m.wikipedia.org/wiki/Certificate_revocation_list "Reasons for Revocation" as a reference)
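The split proposed in the two comments above, a fixed issuer-set lifetime on the credential and a separate revocation signal that carries a reason, is what a relying party would actually check. The following is an added example written for this thread, not code from the OCI conformance criteria or any OCI project. It assumes a simplified status list (a mapping from credential id to reason string) as a stand-in for the W3C/Ethereum revocation mechanism, borrows the reason names from the X.509 CRL "reasons for revocation" list referenced above, and uses constructed placeholder identifiers. It also includes an issuer-side helper for the "at least weekly" monitoring obligation in 6.3.

```python
"""Lifetime vs. revocation checks for an OCI-style credential (added example).

Assumptions (not from the conformance criteria):
  * revocation status is a dict: credential id -> reason string
  * reason names follow the X.509 CRL reason list (RFC 5280)
  * all identifiers and dates below are constructed sample data
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class RevocationReason(Enum):
    UNSPECIFIED = "unspecified"
    KEY_COMPROMISE = "keyCompromise"
    AFFILIATION_CHANGED = "affiliationChanged"
    SUPERSEDED = "superseded"
    CESSATION_OF_OPERATION = "cessationOfOperation"


# Housekeeping reasons (replacement, detail change): the credential is unusable,
# but the revocation says nothing negative about the Subject.
INNOCUOUS_REASONS = {RevocationReason.SUPERSEDED, RevocationReason.AFFILIATION_CHANGED}


@dataclass(frozen=True)
class CheckResult:
    valid: bool                    # may the relying party accept the credential?
    status: str                    # valid | missing_expiration | not_yet_valid | expired | revoked
    reason: Optional[RevocationReason] = None
    subject_concern: bool = False  # True only for revocations that reflect on the Subject


def at(year: int, month: int, day: int) -> datetime:
    """Convenience constructor for a UTC instant."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_ts(value: str) -> datetime:
    """Parse a VC timestamp such as 2024-07-27T00:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def verify_credential(vc: dict, revocation_list: dict, now: datetime) -> CheckResult:
    """Check lifetime first, then revocation; the two signals stay independent."""
    # The criteria require an issuer-set expiration date, so an open-ended
    # credential is rejected rather than treated as perpetually valid.
    if "expirationDate" not in vc:
        return CheckResult(False, "missing_expiration")
    if now < _parse_ts(vc["issuanceDate"]):
        return CheckResult(False, "not_yet_valid")
    if now >= _parse_ts(vc["expirationDate"]):
        return CheckResult(False, "expired")

    raw_reason = revocation_list.get(vc["id"])
    if raw_reason is not None:
        try:
            reason = RevocationReason(raw_reason)
        except ValueError:  # unknown code: still revoked, reason unspecified
            reason = RevocationReason.UNSPECIFIED
        return CheckResult(False, "revoked", reason, reason not in INNOCUOUS_REASONS)

    return CheckResult(True, "valid")


def monitoring_overdue(last_monitored: datetime, now: datetime,
                       max_interval: timedelta = timedelta(days=7)) -> bool:
    """Issuer-side check for the weekly monitoring obligation during the validity period."""
    return now - last_monitored > max_interval


# Constructed sample credential; ids are placeholders, not real OCI data.
SAMPLE_VC = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "id": "urn:uuid:example-identity-credential-0001",
    "type": ["VerifiableCredential", "IdentityCredential"],
    "issuer": "did:example:credential-issuer",
    "issuanceDate": "2023-07-27T00:00:00Z",
    "expirationDate": "2024-07-27T00:00:00Z",
    "credentialSubject": {"id": "did:example:trading-partner"},
}
SAMPLE_REVOCATIONS = {"urn:uuid:example-identity-credential-0001": "superseded"}

if __name__ == "__main__":
    now = at(2024, 1, 15)
    print(verify_credential(SAMPLE_VC, {}, now))
    print(verify_credential(SAMPLE_VC, SAMPLE_REVOCATIONS, now))
    print(verify_credential(SAMPLE_VC, {}, at(2024, 8, 1)))
    print(monitoring_overdue(at(2024, 1, 7), now))
```

The design point is that `valid` is False for both an expired and a revoked credential, while `subject_concern` only becomes True for reasons like key compromise; a relying party that logs or alerts on revocations can therefore avoid treating a routine replacement as an incident, which is the concern raised in the steering summary.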

rceleste125 commented 1 year ago

Steering Summary:

  1. The current Credential Issuer Conformance Criteria document specifies that credentials are to expire 1 year from the time of issue. This is arbitrary on behalf of OCI. The recommendation is to change the wording to allow flexibility.
  2. Consider whether to add a revocation reason to the credential revocation list. There are innocuous reasons (replacement, detail change, etc.) and revocation should not be interpreted as a problem with the Subject.

britpayson commented 1 year ago

What about the below wording:

Identity:

Current Wording - 6.3 Identity Credential Monitoring and Expiration An Identity Credential SHALL expire one year from the date it is issued. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this one-year term, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.

Suggested Wording: An Identity Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.

ATP:

Current Wording - 6.6 ATP Credential Monitoring and Expiration An ATP Credential SHALL expire one year from the date it is issued. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this one-year term, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.

Suggested Wording: An ATP Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.

ewaldorf commented 1 year ago

Hi Brittany,

I’m good with the suggested wording changes.

Best Regards,

Elizabeth Waldorf

Director, Global Traceability and Standards, TraceLink m: +1-818-203-9080

www.tracelink.com


From: Brittany Payson Sent: Thursday, July 27, 2023 8:17 AM To: Open-Credentialing-Initiative/Credential-Issuer-Conformance-Criteria Cc: ewaldorf; Comment

Subject: Re: [Open-Credentialing-Initiative/Credential-Issuer-Conformance-Criteria] Credential Monitoring and Expiration (Issue #4)

britpayson commented 1 year ago

@bluesteens or @lleifermann, do you have time to walk with me on how to make the below edits?

For 6.3 Identity Credential Monitoring and Expiration.

Updated Wording: An Identity Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.

For 6.6 ATP Credential Monitoring and Expiration

Updated Wording: An ATP Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.