DID key rotation (NFR004)

[bluesteens]

Steering: Proposal Summary

This is for the Steering work START approval step. Discuss the proposed work or change. # Should DID key rotation be based on usage frequency or a fixed time period? A key that's used more frequently can cause more harm in the wrong hands. Thus, usage-based rotation might add more security to the overall system.

---

see NFR004

current requirement:

keys SHALL be rotated no less often than once every 12 months

should we consider a usage-based key rotation in addition or instead of time-based rotation?

---

Steering: Publication Summary

Discuss the work that was completed in reference to the above proposal. Include any differences from the proposal and why. #

• [x] Is Issue appropriate for OCI Architecture
• [x] Create Steering-level Summary of request
• [x] Assign Size
• [x] Assign Priority
• [x] Assign Label (if needed)
• [ ] OCI affected Artifacts Identified
• [ ] Assign Triage - Artifact Version Target (v x.x.x Milestone)
• [ ] Assign Triage - Interop Profile Version Target (v x.x.x Milestone)
• [ ] Create sub-project (if needed)

Affected Parties (help determine Sunrise/Sunset):

• [ ] Trading Partners
• [ ] Issuers
• [ ] Wallet Solutions
• [ ] PI Verification Solutions

Affected OCI Artifact

• [ ] Schema Document
• [ ] Identity Schema
• [ ] ATP Schema
• [ ] Issuer Conformance Criteria
• [ ] Wallet Conformance Criteria
• [ ] VRS Solution Conformance Criteria
• [ ] Wallet API Specification
• [ ] Governance Document
• [ ] Conformance Program
• [ ] OCI Website
• [ ] Internal Process

Change Category (Guides Steering Review)

- Steering/Industry Review

• [ ] Business-Level (May affect business operations)
• [ ] OCI Governance, Policy or website feature

- Steering/Industry Notification

• [ ] Technical-Level (Does not affect business operations)
• [ ] OCI Internal Process or Infrastructure

Communication

• [ ] Website
• [ ] Newsletter
• [ ] email:
• [ ] Other:

[bluesteens]

should this be a DID holder decision? but OCI recommends to offer both rotation methods

[bluesteens]

Mtg July 27: rejected, as it seems overengineered. key management systems could cater sufficiently for the recommended level of security; refer to comments in https://github.com/Open-Credentialing-Initiative/Digital-Wallet-Conformance-Criteria/issues/30