Steering: Proposal Summary

Used to propose a change or addition to Steering.
This is for the Steering work START approval step. Discuss the proposed work or change.

The W3C publishes a W3C VC Directory of projects that are using or extending aspects of Verifiable Credentials.

Proposal: submit OCI's use of credentials under "Type-based Extensions" and consider whether to put an entry in "Evidence" to note that we are exploring this property.

Steering: Publication Summary

Used to present completed work to Steering for approval to publish.
Discuss the work that was completed in reference to the above proposal. Include any differences from the proposal and why.
use [GitHub Preview](https://htmlpreview.github.io/) to show final state of documents along with pull requests (if needed).

Detailed Description:

Triage:

• Is Issue appropriate for OCI Architecture
• Assign Size
• Assign Priority
• Assign Label (if needed)
• OCI affected Artifacts Identified
• Assign Triage - Artifact Version Target (v x.x.x Milestone)
• Assign Triage - Interop Profile Version Target (v x.x.x Milestone)
• Create sub-project (if needed)

Affected Parties (help determine Sunrise/Sunset):

• Trading Partners
• Issuers
• Wallet Solutions
• PI Verification Solutions
• None

Affected OCI Artifact

• Schema Document
• Identity Schema
• ATP Schema
• Issuer Conformance Criteria
• Wallet Conformance Criteria
• VRS Solution Conformance Criteria
• Wallet API Specification
• Governance Document
• Conformance Program
• OCI Website
• Internal Process
• N/A

Change Category (Guides Steering Review)

- Steering/Industry Review

• Business-Level (May affect business operations)
• OCI Governance, Policy or website feature

- Steering/Industry Notification

• Technical-Level (Does not affect business operations)
• OCI Internal Process or Infrastructure

Communication

• Website
• Newsletter
• email:
• Other:

PDG submitted this Change Request to modify the ATP Credential, create an ATP-Equivalent and DSCSA Authority Credential, and research the use of the "Evidence" Claim in credentials.

Change Request Ballot Oct 2022 (3) (2).pdf

This Change Request has been broken down into the following change requests:

[tasklist]

Tasks

• #3
• #4
• #5
• #6

Document an OCI Artifact change process that aligns with the OCI Change Management process and describes steps to make changes to OCI Artifacts and prep changes to be included in future versions of the OCI Interop Profile and Artifact version.

Interoperability Profile: v3.3.0

(previous v3.2.0)

Conformance Program: v1.1.0 (previous v1.0.2)

1. add reference to VRS Self-Attestation repo to Conformance Program#2
2. Open-Credentialing-Initiative/Digital-Wallet-Conformance-Criteria#79

Credential Issuer Conformance Criteria: v2.3.0 (previous v2.2.0)

1. Gap in Credential Issuer Conformance Criteria - (Virtual) Manufacturer Due Diligence#11
2. Credential Monitoring and Expiration#4
3. Open-Credentialing-Initiative/Credential-Issuer-Conformance-Criteria#20

Wallet Conformance Criteria: v3.4.0 (previous v3.3.0)

1. revocation caching time & language review#76
2. NFR004 - key mgt#30
3. review DIDComm requirements#79
4. update Trusted Issuer Registry links#77
5. IF001 - 2FA requirement#68
6. 4.1.6 Credential Structure - lost focus#38
7. VP Generate Request Parameters#57
8. 6.1 Documentation - IQ and comms with customer#55
9. security and scalability considerations of DID methods#78
10. 5.4 Protection against Credential Replay Attacks and VP Lifetime#47
11. clarify 4.1.1 Identifiers for Enterprise Identity#37
12. section 4 Wallet Conformance Criteria: description of DID methods#31
13. did:web for issuer?#32
14. NFR007 - Maximum system response time: 48h vs. 24h REQ elsewhere and PDG's 4 h#42
15. NFR009 - Audit Requirements: difference to NFR003 and NFR010?#43
16. NFR010 Archiving#13
17. NFR003 - Security - Non-repudiation: unclear wording#41

Conformance-Program v1.1.1. (released Jan 2024)

Digital-Wallet-Conformance-Criteria

Open-Credentialing-Initiative/Digital-Wallet-Conformance-Criteria#93

Sunrise Date(s) for implementation expectation.
Sunset Date(s) expectation.

Governance

Open-Credentialing-Initiative/OCI-Governance#13

Part of the original PDG Change request approved by Steering.
#1

PDG requested OCI to explore the uses of the "Evidence" claim to provide transparency to what the issuer checked. Need to consider confidentiality and how evidence might be used.

https://github.com/Open-Credentialing-Initiative/Tracing-Conformance-Criteria

The P&A team is looking to standardize the way all OCI Repos are configured and how items are processed.

relates to #10

Triage:

• Is Issue appropriate for OCI Architecture
• Create Steering-level Summary of request
• Assign Size
• Assign Priority
• Assign Label (if needed)
• OCI affected Artifacts Identified
• Assign Triage - Artifact Version Target (v x.x.x Milestone)
• Assign Triage - Interop Profile Version Target (v x.x.x Milestone)
• Create sub-project (if needed)

Affected Parties (help determine Sunrise/Sunset):

• Trading Partners
• Issuers
• Wallet Solutions
• PI Verification Solutions

Steering summary:
As part of OCI's continuous improvement, we suggest to introduce a new credential revocation method. This would affect wallet providers and credential issuers to modify their current set-ups. It should be considered whether the current method shall be replaced or whether OCI will support 2 revocation methods. Supporting more than 1 method will require wallets to implement 2 methods, which may be seen as a barrier to entry. In case of a complete switch to the new method, credentials connected to the current method would need to be reissued to be compatible with the new method. Thus, transition mgt would also need to be considered.

the P&A chairs would like to draw your attention to the proposal of switching from the current LDAP-based credential revocation method to an Ethereum-based one.

LDAP is mentioned in the following conformance criteria.
Main sections:
wallet: https://open-credentialing-initiative.github.io/Digital-Wallet-Conformance-Criteria/latest/#credential-revocation
issuer: https://open-credentialing-initiative.github.io/Credential-Issuer-Conformance-Criteria/#credential-revocation
Plus several smaller mentions in the wallet criteria.

Here is some background information in preparation of our discussion.
Spherity's LDAP assessment (see below)
Spherity's Medium article re Ethereum method: https://medium.com/spherity/how-issuers-can-manage-credential-revocation-19b2f573054f
Spherity's GitHub: https://github.com/spherity/ethr-revocation-registry

affected artifacts:

• wallet criteria
• issuer criteria

Part of the original PDG Change request approved by Steering.
#1

Open-Credentialing-Initiative/Digital-Wallet-Conformance-Criteria#64
Open-Credentialing-Initiative/Credential-Issuer-Conformance-Criteria#16
Open-Credentialing-Initiative/schemas#10

Steering: Proposal Summary

Used to propose a change or addition to Steering.
This is for the Steering work START approval step. Discuss the proposed work or change.

The PDG Blueprint Chapter 5 includes optional usage of OCI credentials in TI Request and TI Response messages used to trace product ownership. The current OCI artifacts were created with DSCSA PI Verification in mind. Adjustments may need to be made to accommodate usage of OCI credentials for Tracing.

This request is to:

1. Determine the impact to OCI artifacts (ex: is the wallet required to log what type of transaction the credential is used for?).
2. Adjust OCI artifacts (ex: Trace inclusive language, create Trace solution conformance criteria)
3. Adjust OCI website and other messaging

Steering: Publication Summary

Used to present completed work to Steering for approval to publish.
Discuss the work that was completed in reference to the above proposal. Include any differences from the proposal and why.
use [GitHub Preview](https://htmlpreview.github.io/) to show the final state of documents along with pull requests (if needed).

Detailed Description:

Consideration: If Trading Partners desire to differentiate whether a credential was used for Verification or Tracing.

Triage:

• Is Issue appropriate for OCI Architecture
• Assign Size
• Assign Priority
• Assign Label (if needed)
• OCI affected Artifacts Identified
• Assign Triage - Artifact Version Target (v x.x.x Milestone)
• Assign Triage - Interop Profile Version Target (v x.x.x Milestone)
• Create sub-project (if needed)

Affected Parties (help determine Sunrise/Sunset):

• Trading Partners
• Issuers
• Wallet Solutions
• PI Verification Solutions
• TI Trace Solutions

Affected OCI Artifact

• Schema Document
• Identity Schema
• ATP Schema
• ATP-Equivalent Schema
• DSCSA Authority Schema
• Issuer Conformance Criteria
• Wallet Conformance Criteria
• VRS Solution Conformance Criteria
• Trace Solution Conformance Criteria
• Wallet API Specification
• Governance Document
• Conformance Program
• OCI Website
• Internal Process

Change Category (Guides Steering Review)

- Steering/Industry Review

• Business-Level (May affect business operations)
• OCI Governance, Policy or website feature

- Steering/Industry Notification

• Technical-Level (Does not affect business operations)
• OCI Internal Process or Infrastructure

Communication

• Website
• Press Release
• Newsletter
• email:
• Other:

Tasks

• Add Repackager and 3PL to Organization type
• Fix syntax in Schema Document introduction.

affects 3 artifacts

• Wallet criteria
• issuer criteria
• VC schema documentation (scope to exclude schema validation idea)

Each Conformance Criteria Document contains information in its Introduction section. The proposal is to move this content to the Getting Started area and reference it in each Conformance Criteria Document.

[tasklist]

Tasks

• Credential Issuer Conformance Criteria Intro edits
• Wallet Conformance Criteria Intro edits
• Getting Started edits