W3C home > Mailing lists > Public > public-credentials@w3.org > May 2016

Re: Expiry time in Data Model

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Fri, 20 May 2016 21:35:47 +0100
To: "Stone, Matt" <matt.stone@pearson.com>
Cc: Jason Weaver <jweaver@parchment.com>, Eric Korb <eric.korb@accreditrust.com>, Credentials Community Group <public-credentials@w3.org>
Message-ID: <f0d71fbe-329c-9cd9-3f26-06c88de22f8d@kent.ac.uk>

On 20/05/2016 21:00, Stone, Matt wrote:
> On Fri, May 20, 2016 at 1:42 PM, David Chadwick <d.w.chadwick@kent.ac.uk
> <mailto:d.w.chadwick@kent.ac.uk>> wrote:
>     This is a separate issue. A claim may not have expired, but it may have
>     been revoked. Therefore going back to the issuer is a something the
>     recipient/relying party will have to decide to do based on its risk
>     threshold.
>     A second parameter of a credential should be whether it is revocable
>     or not.
>     regards
>     David
> ​The issuer should have a voice in how frequently a claim should be
> reverified and how long it can be cached w/out validation - it's not the
> exclusive domain of the recipient.​

Agreed. However the recipient is still the one doing the trusting, and
it can decide to trust a credential without following the issuer's
policy. E.g. a user has a credential saying Over 18, but it has timed
out. A nightclub owner could still decide to let the user in.

> what is an example of a credential that's irrevocable?

Any short lived one, where the time/overhead of revocation is comparable
with the lifetime


> -stone
> =====
> Matt Stone
> 501-291-1599
Received on Friday, 20 May 2016 20:36:19 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:17:52 UTC