Closed bluesteens closed 1 year ago
During early discussions within OCI, the collective group agreed that Credentials should have an expiration date; however, it would not be determined by the expiry date of the underlying evidence as it could be as short as one day (i.e., State BOP license expiration) or have no set expiration (i.e., corporate documentation). At that point it was recommended that 1-year be established as the default knowing this might change later down the road.
With that being said, I would agree that having OCI specify a specific validity time period would simply be an arbitrary number. I believe the intent is to make it clear that during the given validity period, an Issuer must perform ongoing monitoring (according to the Conformance Criteria), which an Issuer could associate to a service contract / agreement for credentialing services.
Should the issue be raised further in the future, I would recommend that the wording be updated to reflect this intent – for example:
Current Wording - 6.3 Identity Credential Monitoring and Expiration An Identity Credential SHALL expire one year from the date it is issued. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this one-year term, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.
Suggested Wording: An Identity Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.
Current Wording - 6.6 ATP Credential Monitoring and Expiration An ATP Credential SHALL expire one year from the date it is issued. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this one-year term, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.
Suggested Wording: An ATP Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.
I agree with this re-wording and suggest it be considered a change request for OCI's consideration.
Triage:
Affected Parties (help determine Sunrise/Sunset):
Affected OCI Artifact
[ ] Internal Process
Change Category (Guides Steering Review)
- Steering/Industry Review
- Steering/Industry Notification
Consider adding a recommendation for the length of VC validity, possibly based on real-world license validity time.
Consider adding different reasons for revocation (license failure, commercial contract ends).
Recommendation / Best practice: shorter expirations help with new schema versions of credentials.
May want another "Issue" to address revocation "reason" (in revocation list or described in documentation).
Recommend to include that Credential Issuer is setting expiration date based on services agreement between Credential Issuer and trading partner.
I don't think we should mix credential expiration with the business value we might impose on the field.
An example is the usage in SSL certificates. They also have an expiration date, which just represents the lifetime of the certificate, not bound to agreements of Root CAs or other things.
IMHO the expiration should always be some hardcoded equal value for all credentials in the OCI. For expressing the relationship of license revocation and credential revocation we should rather rely on the revocation mechanism of W3C credentials.
(The proposed Ethereum revocation mechanism may be extended to also include a reason. See https://en.m.wikipedia.org/wiki/Certificate_revocation_list "Reasons for Revocation" as a reference)
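The separation argued for above (a fixed credential lifetime expressed by expirationDate, and license-related events expressed through the W3C credentialStatus revocation mechanism carrying a reason) as an added example; this is not code from the OCI project, and the credential, the status-list layout, the reason vocabulary and the weekly-monitoring helper are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a W3C VC-style credential with an expirationDate (hard
# lifetime set by the issuer) and a credentialStatus pointer. Field layout is
# illustrative only, not the OCI schema.
SAMPLE_VC = json.loads("""{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "ExampleATPCredential"],
  "issuer": "did:example:issuer-1",
  "issuanceDate": "2023-07-01T00:00:00Z",
  "expirationDate": "2024-07-01T00:00:00Z",
  "credentialStatus": {"id": "urn:example:status/42", "type": "ExampleStatusList"}
}""")

# Constructed revocation list, CRL-style: status id -> (revoked_at, reason).
# The reason vocabulary is an assumption modelled on CRL "Reasons for Revocation".
SAMPLE_REVOCATIONS = {
    "urn:example:status/42": ("2023-10-15T09:00:00Z", "licenseExpired"),
}

def _parse(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sample data as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_credential(vc, revocations, now_iso):
    """Return (status, reason) at time now_iso.

    Expiry and revocation are independent checks: an unexpired credential can
    be revoked for a business/legal reason, and revocation never depends on
    how far away expirationDate is. Expiry is checked first because an expired
    credential is, by the criteria text, no longer monitored at all."""
    now = _parse(now_iso)
    if now >= _parse(vc["expirationDate"]):
        return "expired", "expirationDate reached; credential no longer monitored"
    status_id = vc.get("credentialStatus", {}).get("id")
    entry = revocations.get(status_id)
    if entry is not None and _parse(entry[0]) <= now:
        return "revoked", entry[1]
    return "valid", None

def monitoring_overdue(last_monitored_iso, now_iso, max_gap=timedelta(days=7)):
    """True if the issuer's last monitoring run is older than the weekly cadence
    the criteria require during the validity period."""
    return _parse(now_iso) - _parse(last_monitored_iso) > max_gap
```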
Steering Summary:
What about the below wording:
Current Wording - 6.3 Identity Credential Monitoring and Expiration An Identity Credential SHALL expire one year from the date it is issued. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this one-year term, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.
Suggested Wording: An Identity Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.
Current Wording - 6.6 ATP Credential Monitoring and Expiration An ATP Credential SHALL expire one year from the date it is issued. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this one-year term, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.
Suggested Wording: An ATP Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.
Hi Brittany,
I’m good with the suggested wording changes.
Best Regards,
Elizabeth Waldorf
Director, Global Traceability and Standards, TraceLink, m: +1-818-203-9080
www.tracelink.com
From: Brittany Payson, Sent: Thursday, July 27, 2023 8:17 AM, To: Open-Credentialing-Initiative/Credential-Issuer-Conformance-Criteria
Subject: Re: [Open-Credentialing-Initiative/Credential-Issuer-Conformance-Criteria] Credential Monitoring and Expiration (Issue #4)
@bluesteens or @lleifermann, do you have time to walk with me on how to make the below edits?
For 6.3 Identity Credential Monitoring and Expiration.
Updated Wording: An Identity Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring (on at least a weekly basis) to identify possible triggers for revocation / recertification.
For 6.6 ATP Credential Monitoring and Expiration
Updated Wording: An ATP Credential SHALL expire upon the expiration date set by the Credential Issuer. The expiration date indicates when the credential is no longer monitored, after which it SHALL be considered invalid. During this validity period, the Credential Issuer SHALL perform continuous monitoring to identify possible triggers for revocation / recertification.
para 6.3 Identity Credential Monitoring and Expiration
para 6.6 ATP Credential Monitoring and Expiration
... require the VC to be valid and monitored for 1 year. I feel this requirement is arbitrary and goes beyond the scope of OCI because:
In my opinion, OCI should not define expiration dates or minimum periods, as these depend on legal and commercial factors outside OCI's and the CI's influence. Any arbitrary period seems meaningless. The job of the CI is to keep monitoring for as long as needed (i.e. customer pays) or until VC revocation on any of the grounds specified in the conformance criteria.