search

Open-Credentialing-Initiative / Digital-Wallet-Conformance-Criteria

Conformance Criteria for Digital Wallets | https://open-credentialing-initiative.github.io/Digital-Wallet-Conformance-Criteria/latest
https://open-credentialing-initiative.github.io/Digital-Wallet-Conformance-Criteria/latest
Apache License 2.0
1 stars 2 forks source link

NFR004 - key mgt #30

Closed bluesteens closed 10 months ago

bluesteens commented 1 year ago

Steering summary: Unclear wording around wallet security aspects. Suggest to reword to avoid ambiguity.

It is not entirely clear whether this NFR is to deals only with keys in relation to the DID document or also provider app-specific security.

It says under Conformance Criteria

  • Solution SHALL provide secure key management for encryption and signing keys -Solution SHALL provide features to update DID documents and to rotate keys in accordance with the W3C DID standards and best practices/implementation guidelines on a regular basis, keys SHALL be rotated no less often than once every 12 months.
  • Solution SHALL provide rotation features for encryption keys (e.g. database encryption, certificate renewal)

The last bullet reads as if it was meant to address sth like API keys for a provider app. The rest seems to apply to DID docs.

OCI should consider splitting both scopes into 2 NFR or making it clearer within this 004 what is meant.

bluesteens commented 1 year ago

Affected Parties (help determine Sunrise/Sunset):

bluesteens commented 1 year ago

Mtg July 27: also consider specifying what happens to rotated keys (deleted, retired)

bluesteens commented 1 year ago

consider adding that key rotation is only required for PROD accounts/usage

bluesteens commented 11 months ago

14.9. P&A: edits to make text work for both DID methods persisted in the DID document = discoverable via the DID document