Revocation of a software statement

Issue #180 new
Charles Marais created an issue

Hello,

In the Modrna Registration current draft, there is the following sentence: “Verify life cycle of the Software Statement with OAuth spec.” but I didn’t find in OAuth 2.0 registration spec something relevant on this aspect.

Especially, the “Registry” may have signed a contract with Service Providers on behalf of the MNOs (the software statement, technically speaking, materializes this contract) and if the contract stops it may be relevant for the registry to revoke a previously delivered software statement and / or inform the concerned MNOs that this SP is not allowed any more to consume MNO Apis (or part of them).

Do you have ideas on how we may achieve that kind of processes?

Thanks,

Charles.

Comments (2)

  1. Joseph Heenan

    We were contrasting this with the openbanking UK directory, which issues software statements in some cases, but also uses TLS client certificates for authenticating at the AS/RS, and the directory provides a CRL that can be checked. Here’s the main documentation:

    https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1150124033/Directory+2.0+Technical+Overview+v1.3

    Ralph has a few slides here (starting at 19):

    https://www.slideshare.net/fintechlabs-io/open-banking-lessons-from-the-uk

    And from slide 8 here:

    https://www.slideshare.net/fintechlabs-io/the-open-banking-identity-product

  2. gffletch

    Assuming software statements are JWS objects, could not the MNO track the SPs by issuer values? And if a contract with the SP is terminated, the MNO invalidates all clients issued from software statements with an issuer that matches the SP. This of course requires the MNO to track that information.
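The tracking scheme gffletch describes, as an added example that is not part of this issue thread or of any MODRNA or OpenID code: the registry signs software statements as JWS objects, the MNO verifies the signature before reading any claim, records which issuer each registered client came from, and, when a contract ends, revokes every client under that issuer and refuses new registrations from it. Assumptions: an HS256 shared key stands in for the registry's real signing key (a production registry would sign with an asymmetric key and the MNO would hold only the public key); the `iss` claim identifies the SP exactly as the comment proposes; `MnoClientStore`, `demo` and the `sp-a.example` / `sp-b.example` values are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example key. Assumption for the illustration only: a real registry
# would use an asymmetric key and the MNO would verify with the public half.
REGISTRY_KEY = b"constructed-example-registry-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_software_statement(claims: dict, key: bytes) -> str:
    """Registry side: produce an HS256 JWS in compact serialization."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_software_statement(jws: str, key: bytes) -> dict:
    """MNO side: check the signature before trusting any claim, then return the claims."""
    try:
        h, p, s = jws.split(".")
    except ValueError:
        raise ValueError("not a compact JWS") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # the token must not get to choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if "iss" not in claims:
        raise ValueError("software statement has no iss claim")
    return claims


class MnoClientStore:
    """Records the issuer behind every registered client so a whole issuer can be revoked."""

    def __init__(self, registry_key: bytes):
        self._key = registry_key
        self._clients = {}  # client_id -> {"iss", "software_id", "active"}
        self._revoked_issuers = set()

    def register(self, software_statement: str) -> str:
        claims = verify_software_statement(software_statement, self._key)
        if claims["iss"] in self._revoked_issuers:
            raise PermissionError(f"issuer {claims['iss']} is revoked")
        client_id = secrets.token_urlsafe(12)
        self._clients[client_id] = {
            "iss": claims["iss"],
            "software_id": claims.get("software_id"),
            "active": True,
        }
        return client_id

    def revoke_issuer(self, iss: str) -> list:
        """Contract ended: disable every client under this issuer and block new registrations."""
        self._revoked_issuers.add(iss)
        revoked = []
        for client_id, rec in self._clients.items():
            if rec["iss"] == iss and rec["active"]:
                rec["active"] = False
                revoked.append(client_id)
        return revoked

    def is_active(self, client_id: str) -> bool:
        rec = self._clients.get(client_id)
        return bool(rec and rec["active"])


def demo():
    """Two clients from SP A and one from SP B; then SP A's contract is terminated."""
    store = MnoClientStore(REGISTRY_KEY)
    ss_a1 = sign_software_statement({"iss": "sp-a.example", "software_id": "app-1"}, REGISTRY_KEY)
    ss_a2 = sign_software_statement({"iss": "sp-a.example", "software_id": "app-2"}, REGISTRY_KEY)
    ss_b = sign_software_statement({"iss": "sp-b.example", "software_id": "app-3"}, REGISTRY_KEY)
    a1, a2, b = (store.register(ss) for ss in (ss_a1, ss_a2, ss_b))
    revoked = store.revoke_issuer("sp-a.example")
    return store, revoked, (a1, a2, b), ss_a1


if __name__ == "__main__":
    store, revoked, ids, _ = demo()
    print("revoked:", revoked, "B still active:", store.is_active(ids[2]))
```

The revocation list is kept alongside the client records rather than only filtering at registration time, because the comment's point is that already-issued clients must be invalidated too; verification happens before the `iss` claim is read so that an unsigned or tampered statement cannot steer a client into the wrong issuer bucket.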
