
Re: Expiry time in Data Model

From: Stone, Matt <matt.stone@pearson.com>
Date: Mon, 23 May 2016 08:55:00 -0600
Message-ID: <CA+w1=RSVih9cd8fVT44TCpuezNU8OU=Gf+=fUxO6-9U9umRWQA@mail.gmail.com>
To: David Chadwick <d.w.chadwick@kent.ac.uk>
Cc: Timothy Holborn <timothy.holborn@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>

I didn't completely follow the details of the thread since my last
contribution on Friday, but... I think an evolution occurred.  The thread
seemed to evolve to a discussion about claims expiring due to crypto
weakness.

I wasn't considering crypto weakness as a driver for this requirement.

When I brought up the question, I was channeling several of our customers
who have policies mandating the frequency for "re-"validating a credential.
In fact they've resisted electronic verification because there's no current
way to force this practice.  Their thinking is "don't assume a credential
that was confirmed last month, with a scheduled expiration date of next
year is still valid" - it's not very different than a credit card--I have
one in my wallet w/ a 10/2020 expiration, but I'm confident it will be
replaced before then.

In the professional space where licenses = higher pay, people cheat and
commit fraud.  Issuers demand that claims are verified frequently. Issuers
are the only organizations with the data and insight (and perhaps
motivation) to manage this time to live concept as a way to protect the
veracity of the credential in the marketplace and our protocol for
verification must support compliance with this concept.

Oh yeah - +1 to Nate for the comment about historians :) - totally agree.

-stone


=====
Matt Stone
501-291-1599


On Sun, May 22, 2016 at 8:08 AM, David Chadwick <d.w.chadwick@kent.ac.uk>
wrote:

>
>
> On 22/05/2016 14:56, Timothy Holborn wrote:
> >
> >
> > On Sun, 22 May 2016 at 23:30 David Chadwick <d.w.chadwick@kent.ac.uk> wrote:
> >
> >
> >
> >     On 22/05/2016 13:26, Timothy Holborn wrote:
> >     > What about version control and therein; 'get latest'...
> >
> >     I don't think this is needed when you have an issuing time and expiry time.
> >     You can tell from the former which is the latest credential
> >
> >
> > If a new version is released, then the older version has expired?
>
> Not necessarily. It depends upon the expiry time. It is frequently the
> case that I have had two credit cards from the same bank that are both
> valid simultaneously, and I am asked to cut up the older one. But I can
> continue to use it for a week or two if I wish.
>
> regards
>
> David
>
>
>
> >
> > Tim.H.
> >
> >
> >     regards
> >
> >     David
> >     >
> >     > On Sun, 22 May 2016 at 22:01 Victoriano Giralt <victoriano@uma.es> wrote:
> >     >
> >     >     On 21/05/16 20:44, David Chadwick wrote:
> >     >     > You are mixing up the attribute/claim, date of birth (or similar)
> >     >     > which lasts forever, and the credential, which is a cryptographic
> >     >     > digital representation of it. This has to have an expiry time due
> >     >     > to the inherent weakness of the crypto.
> >     >
> >     >     You are very right, David, it is possibly me being thick because of the
> >     >     cabin pressure. I should read threads twice before responding from a
> >     >     plane :-) You already noted that in the thread, and you are right,
> >     >     signatures should be refreshed because of crypto.
> >     >
> >     >     > regards
> >     >
> >     >     double those ;-)
> >     >
> >     >     --
> >     >     Victoriano Giralt                             CIO
> >     >                                                   University of Malaga
> >     >     +34952131415                                  SPAIN
> >     >     ==================================================================
> >     >     Note: signature.asc is the electronic signature of present message
> >     >     A: Yes.
> >     >     > Q: Are you sure ?
> >     >     >> A: Because it reverses the logical flow of conversation.
> >     >     >>> Q: Why is top posting annoying in email ?
> >     >
> >
>
>
Received on Monday, 23 May 2016 14:55:28 UTC
