How does the OP determine a software statement's state? Is there a kind of CRL or OCSP responder to actually obtain the status?
I think this depends on who issues the software statement. If it is issued by the OP then it should be pretty easy for the OP to know a software statement it issued is no longer valid. However, if the deployment model allows a different entity to issue a software statement then I don’t think that is specified anywhere.
I can think of solutions using a JWS with a jti claim and using the issuer claim to query the issuer to determine status. This may need to be specified if needed.