gs1 / VC-Data-Model


Can you comment on how often is appropriate to fetch credential status for Prefix Credentials #6

Closed paulfdietrich closed 1 year ago

paulfdietrich commented 1 year ago

Do I need to fetch this every time I verify, or can I cache the Status lists on a daily/weekly/monthly basis?

This came up in a discussion on the GS1 prefix credentials. It's likely large trade organizations would cache these as there is a limited set. The credentials themselves don't have any expiration, so there is no guidance within them how often to look for new ones. GS1 intended this as nearly all prefix licenses are renewed, and expirations would disrupt the supply chain. So these large orgs would likely need to check the expiration of these credentials periodically, as it might be prohibitive to check with every verification.

From the perspective of how quickly these things change, I think daily would be much more than sufficient, with something like 72 hours being conservative.

KDean-GS1 commented 1 year ago

A GS1 Prefix, once assigned to a GS1 Member Organization (MO), is never revoked. Under extreme circumstances (e.g., the MO goes out of business), GS1 Global Office will transfer the GS1 Prefix to itself pending reassignment to another corporate entity to act as the MO in that territory. How this will be represented in Verifiable Credentials has yet to be determined, but the short answer is that GS1 Prefix license credentials are expected to live for a very long time and so don't need to be checked against a status list very often.

Licenses granted to user companies have to be renewed regularly, typically every year. However, from the perspective of a trading partner, a user company's GS1 Company Prefix is long-lived and the credential representing it won't change. Because of the chain of dependencies (GS1 Prefix -> GS1 Company Prefix -> GS1 identification key -> Object data), we shouldn't put expirationDate into such licenses; the status list check will be the only way to know. From a business perspective, checking for revocation is something that can be done once a week or so, or even less frequently than that.
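
The caching approach discussed in this thread, as an added example that is not part of the issue or the GS1 repository: a verifier-side cache that refetches a status list only after a maximum age and reports when it is answering from a copy older than that. It assumes the list is a gzip-compressed, base64url-encoded bitstring with index 0 at the left-most bit (the W3C status list encoding); `fetch`, the class and function names, the URL, and the serve-stale-on-failure policy are hypothetical choices.

```python
import base64
import gzip
import time

MAX_AGE = 72 * 3600  # refresh interval in seconds; 72 hours is the figure from the thread


def encode_list(revoked, size_bits=1024):
    """Build a constructed sample list (assumed gzip + base64url bitstring)."""
    buf = bytearray(size_bits // 8)
    for i in revoked:
        buf[i // 8] |= 0x80 >> (i % 8)
    return base64.urlsafe_b64encode(gzip.compress(bytes(buf))).decode().rstrip("=")


def decode_list(encoded):
    padded = encoded + "=" * (-len(encoded) % 4)
    return gzip.decompress(base64.urlsafe_b64decode(padded))


def bit_is_set(bits, index):
    """Index 0 is the left-most bit of the first byte."""
    if not 0 <= index < len(bits) * 8:
        raise IndexError("status index outside the list")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


class StatusListCache:
    def __init__(self, fetch, max_age=MAX_AGE, clock=time.time):
        self._fetch, self._max_age, self._clock = fetch, max_age, clock
        self._entries = {}  # url -> (fetched_at, decoded bits)

    def check(self, url, index):
        """Return (revoked, stale); stale means the copy is past max_age."""
        now = self._clock()
        entry = self._entries.get(url)
        if entry is None or now - entry[0] >= self._max_age:
            try:
                entry = self._entries[url] = (now, decode_list(self._fetch(url)))
            except Exception:
                if entry is None:
                    raise  # nothing cached, so no answer can be given
                # refresh failed: fall through with the old copy, flagged stale
        fetched_at, bits = entry
        return bit_is_set(bits, index), now - fetched_at >= self._max_age


if __name__ == "__main__":
    cache = StatusListCache(lambda url: encode_list({5}))  # constructed list
    print(cache.check("https://example.test/status/1", 5))
```

The `stale` flag lets the caller decide whether a result from an expired copy is acceptable for the transaction at hand or whether verification should be deferred until the list can be refetched.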