- From: Stone, Matt <matt.stone@pearson.com>
- Date: Mon, 23 May 2016 08:55:00 -0600
- To: David Chadwick <d.w.chadwick@kent.ac.uk>
- Cc: Timothy Holborn <timothy.holborn@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CA+w1=RSVih9cd8fVT44TCpuezNU8OU=Gf+=fUxO6-9U9umRWQA@mail.gmail.com>

I didn't completely follow the details of the thread since my last contribution on Friday, but... I think an evolution occurred. The thread seemed to evolve to a discussion about claims expiring due to crypto weakness. I wasn't considering crypto weakness as a driver for this requirement.

When I brought up the question, I was channeling several of our customers who have policies mandating the frequency for "re-"validating a credential. In fact they've resisted electronic verification because there's no current way to force this practice. Their thinking is "don't assume a credential that was confirmed last month, with a scheduled expiration date of next year is still valid" - it's not very different than a credit card--I have one in my wallet w/ a 10/2020 expiration, but I'm confident it will be replaced before then.

In the professional space where licenses = higher pay, people cheat and commit fraud. Issuers demand that claims are verified frequently. Issuers are the only organizations with the data and insight (and perhaps motivation) to manage this time to live concept as a way to protect the veracity of the credential in the marketplace and our protocol for verification must support compliance with this concept.

Oh yeah - +1 to Nate for the comment about historians :) - totally agree.

-stone

=====
Matt Stone
501-291-1599

On Sun, May 22, 2016 at 8:08 AM, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:

> On 22/05/2016 14:56, Timothy Holborn wrote:
> >
> > On Sun, 22 May 2016 at 23:30 David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
> >
> >     On 22/05/2016 13:26, Timothy Holborn wrote:
> >     > What about version control and therein; 'get latest'...
> >
> >     I don't think this is needed when you have an issuing time and expiry time.
> >     You can tell from the former which is the latest credential
> >
> > If a new version is released, then the older version has expired?
>
> Not necessarily. It depends upon the expiry time. It is frequently the
> case that I have had two credit cards from the same bank that are both
> valid simultaneously, and I am asked to cut up the older one. But I can
> continue to use it for a week or two if I wish.
>
> regards
>
> David
>
> > Tim.H.
> >
> >     regards
> >
> >     David
> >
> >     > On Sun, 22 May 2016 at 22:01 Victoriano Giralt <victoriano@uma.es> wrote:
> >     >
> >     >     On 21/05/16 20:44, David Chadwick wrote:
> >     >     > You are mixing up the attribute/claim, date of birth (or similar) which
> >     >     > lasts forever, and the credential, which is a cryptographic digital
> >     >     > representation of it. This has to have an expiry time due to the
> >     >     > inherent weakness of the crypto.
> >     >
> >     >     You are very right, David, it is possibly me being thick because of the
> >     >     cabin pressure. I should read threads twice before responding from a
> >     >     plane :-) You already noted that in the thread, and you are right,
> >     >     signatures should be refreshed because of crypto.
> >     >
> >     >     > regards
> >     >
> >     >     double those ;-)
> >     >
> >     >     --
> >     >     Victoriano Giralt                 CIO
> >     >     University of Malaga
> >     >     +34952131415                      SPAIN
> >     >     ==================================================================
> >     >     Note: signature.asc is the electronic signature of present message
> >     >     A: Yes.
> >     >     > Q: Are you sure ?
> >     >     >> A: Because it reverses the logical flow of conversation.
> >     >     >>> Q: Why is top posting annoying in email ?

Received on Monday, 23 May 2016 14:55:28 UTC