- changed component to Registration
Software Statement Revocation
How does the OP determine a software statement's state? Is there a kind of CRL or OCSP responder to actually obtain the status?
Comments (5)
-
reporter -
reporter John proposed at the Technical Workshop in DA that revocation of software statements could be handled by a central service provided by OIX (based on block chaining?)
Advantage: the issuer of a software statement does not need to provide a 24/7 service for statement revocation checks.
-
-
assigned issue to
-
assigned issue to
-
- changed milestone to Implementer's Draft
How does the OP determine a software statement's state? Is there a kind of CRL or OCSP responder to actually obtain the status?
-
I think this depends on who issues the software statement. If it is issued by the OP then it should be pretty easy for the OP to know a software statement it issued is no longer valid. However, if the deployment model allows a different entity to issue a software statement then I don’t think that is specified anywhere.
I can think of solutions using a JWS with a jti claim and using the issuer claim to query the issuer to determine status. This may need to be specified if needed.
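The last comment's idea of keying status on the statement's `iss` and `jti` claims can be sketched from the OP's side as follows. This is an added example, not code from the thread or from any specification. It assumes an HS256-signed statement and a per-issuer list of revoked `jti` values that the OP has cached; the issuer URL, key, `jti` values and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

# Constructed demo data: issuer URL, key and jti values are invented for this example.
NOW = 1_700_000_000.0
ISSUERS = {"https://issuer.example": {
    "key": b"constructed-demo-key",
    "revoked_jtis": {"stmt-002"},   # hypothetical status list obtained from the issuer
    "status_fetched_at": NOW - 600, "status_max_age": 3600}}

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_statement(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 software statement for the demo."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode())
                             for p in ({"alg": "HS256"}, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def check_statement(jws: str, issuers: dict, now: float) -> str:
    """Return 'active' or a rejection reason; every doubt is a rejection."""
    try:
        header_b64, payload_b64, sig_b64 = jws.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    if header.get("alg") != "HS256":      # pin the algorithm the OP expects
        return "unsupported_alg"
    iss, jti = claims.get("iss"), claims.get("jti")
    if not isinstance(iss, str) or not isinstance(jti, str):
        return "missing_iss_or_jti"       # without both, no per-statement status exists
    issuer = issuers.get(iss)
    if issuer is None:
        return "unknown_issuer"           # no trusted status source for this issuer
    expected = hmac.new(issuer["key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad_signature"
    if now - issuer["status_fetched_at"] > issuer["status_max_age"]:
        return "status_stale"             # fail closed when the cached list is too old
    if jti in issuer["revoked_jtis"]:
        return "revoked"
    return "active"
```

The stale-list branch is where the availability concern raised earlier in the thread shows up: the shorter `status_max_age` is, the more the OP depends on the issuer's status source being reachable.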