NFR009 - Audit Requirements: difference to NFR003 and NFR010?

[bluesteens]

for Steering

Both NFR talk about user actions as well as transaction logs. I believe the intention of NFR003 was to deal with user action logs and NFR009 to address tx logs.

I suggest we make that distinction clear by removing any cross-over language.

In addition, NFR010 also talks about data logs and storage. Can we combine 10 and 09?

related issue: https://github.com/Open-Credentialing-Initiative/Digital-Wallet-Conformance-Criteria/issues/13

---

• [x] Is Issue appropriate for OCI Architecture
• [x] Create Steering-level Summary of request
• [x] Assign Size
• [x] Assign Priority
• [x] Assign Label (if needed)
• [x] OCI affected Artifacts Identified
• [ ] Assign Triage - Artifact Version Target (v x.x.x Milestone)
• [ ] Assign Triage - Interop Profile Version Target (v x.x.x Milestone)
• [ ] Create sub-project (if needed)

Affected Parties (help determine Sunrise/Sunset):

• [ ] Trading Partners
• [ ] Issuers
• [x] Wallet Solutions
• [ ] PI Verification Solutions

Affected OCI Artifact

• [ ] Schema Document
• [ ] Identity Schema
• [ ] ATP Schema
• [ ] Issuer Conformance Criteria
• [x] Wallet Conformance Criteria
• [ ] VRS Solution Conformance Criteria
• [ ] Wallet API Specification
• [ ] Governance Document
• [ ] Conformance Program
• [ ] OCI Website
• [ ] Internal Process

Change Category (Guides Steering Review)

- Steering/Industry Review

• [x] Business-Level (May affect business operations)
• [ ] OCI Governance, Policy or website feature

- Steering/Industry Notification

• [ ] Technical-Level (Does not affect business operations)
• [ ] OCI Internal Process or Infrastructure

[bluesteens]

003: "The solution SHOULD also record important actions performed by registered users." >> SHALL 009: purpose is granularity of records. records available for inspection (not just transfer), word as "SHALL have capability" "keep detailed records" 010: purpose is storage of records. re-establish, word as "SHALL have capability". The Wallet Provider SHALL be capable of transferring or making available such records to the user. "... to enable user to comply with regulatory data storage requirements"

[bluesteens]

review 06/22/23: 003 The system collects evidence of user actions to prove the origin and authenticity of data in the event of a future dispute.

remove "important", activities = actions

remove "initiating"

are = made

009 accept all EW sugg except Measurement

010 accept EW