In ARF Annex II, VCR_04 states that: "A PID Provider or Attestation Provider SHALL revoke a PID or attestation at least when its security has been compromised", while in the Section Credential Lifecycle the requirement is only recommended: "The Credential Issuers, for technical security reasons (e.g. in the case of compromised cryptographic keys), SHOULD decide to revoke the Credentials." Could we make it mandatory as indicated in Annex II?