W3C home > Mailing lists > Public > public-credentials@w3.org > May 2016

Re: Expiry time in Data Model

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Fri, 20 May 2016 21:35:47 +0100
To: "Stone, Matt" <matt.stone@pearson.com>
Cc: Jason Weaver <jweaver@parchment.com>, Eric Korb <eric.korb@accreditrust.com>, Credentials Community Group <public-credentials@w3.org>
Message-ID: <f0d71fbe-329c-9cd9-3f26-06c88de22f8d@kent.ac.uk>


On 20/05/2016 21:00, Stone, Matt wrote:
> 
> On Fri, May 20, 2016 at 1:42 PM, David Chadwick <d.w.chadwick@kent.ac.uk
> <mailto:d.w.chadwick@kent.ac.uk>> wrote:
> 
>     This is a separate issue. A claim may not have expired, but it may have
>     been revoked. Therefore going back to the issuer is a something the
>     recipient/relying party will have to decide to do based on its risk
>     threshold.
> 
>     A second parameter of a credential should be whether it is revocable
>     or not.
> 
>     regards
> 
>     David
> 
> 
> ​The issuer should have a voice in how frequently a claim should be
> reverified and how long it can be cached w/out validation - it's not the
> exclusive domain of the recipient.​

Agreed. However the recipient is still the one doing the trusting, and
it can decide to trust a credential without following the issuer's
policy. E.g. a user has a credential saying Over 18, but it has timed
out. A nightclub owner could still decide to let the user in.

> 
> what is an example of a credential that's irrevocable?

Any short lived one, where the time/overhead of revocation is comparable
with the lifetime

regards

David
> 
> -stone
> 
> 
> 
> =====
> Matt Stone
> 501-291-1599
> 
Received on Friday, 20 May 2016 20:36:19 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:29 UTC