- From: David Chadwick <d.w.chadwick@kent.ac.uk>
- Date: Fri, 20 May 2016 21:35:47 +0100
- To: "Stone, Matt" <matt.stone@pearson.com>
- Cc: Jason Weaver <jweaver@parchment.com>, Eric Korb <eric.korb@accreditrust.com>, Credentials Community Group <public-credentials@w3.org>
On 20/05/2016 21:00, Stone, Matt wrote:
>
> On Fri, May 20, 2016 at 1:42 PM, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
>
> > This is a separate issue. A claim may not have expired, but it may have
> > been revoked. Therefore going back to the issuer is something the
> > recipient/relying party will have to decide to do based on its risk
> > threshold.
> >
> > A second parameter of a credential should be whether it is revocable
> > or not.
> >
> > regards
> >
> > David
>
> The issuer should have a voice in how frequently a claim should be
> reverified and how long it can be cached w/out validation - it's not the
> exclusive domain of the recipient.

Agreed. However the recipient is still the one doing the trusting, and
it can decide to trust a credential without following the issuer's
policy. E.g. a user has a credential saying Over 18, but it has timed
out. A nightclub owner could still decide to let the user in.

>
> what is an example of a credential that's irrevocable?

Any short-lived one, where the time/overhead of revocation is comparable
with the lifetime

regards

David

>
> -stone
>
> =====
> Matt Stone
> 501-291-1599
>

Received on Friday, 20 May 2016 20:36:19 UTC