Software Statement Revocation

Issue #35 new
Torsten Lodderstedt created an issue

How does the OP determine a software statement's state? Is there a kind of CRL or OCSP responder to actually obtain the status?

Comments (5)

  1. Torsten Lodderstedt reporter

    John proposed at the Technical Workshop in DA that revocation of a software statement could be handled by a central service provided by OIX (based on block chaining?)

    Advantage: issuer of a software statement does not need to provide 24/7 service for statement revocation checks.

  2. gffletch

    I think this depends on who issues the software statement. If it is issued by the OP then it should be pretty easy for the OP to know a software statement it issued is no longer valid. However, if the deployment model allows a different entity to issue a software statement then I don’t think that is specified anywhere.

    I can think of solutions using a JWS with a jti claim and using the issuer claim to query the issuer to determine status. This may need to be specified if needed.
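A sketch of the jti-plus-issuer status check suggested in the comment above, as an added example that is not part of the original thread or any specification. The issuer URL, key, jti values, status strings and the `query_issuer_status` lookup are hypothetical and constructed; HS256 stands in for the asymmetric signature a real software statement would carry.

```python
import base64, hashlib, hmac, json

# Constructed data: issuers this OP trusts (with keys) and each issuer's revoked jti values.
TRUSTED_ISSUERS = {"https://issuer.example": b"constructed-demo-key"}
REVOKED = {"https://issuer.example": {"stmt-002"}}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_statement(claims: dict, key: bytes) -> str:
    """Build a compact JWS (HS256 stand-in) to use as constructed input."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(mac)}"

def query_issuer_status(iss: str, jti: str) -> str:
    """Hypothetical stand-in for a status query sent to the issuer."""
    return "revoked" if jti in REVOKED.get(iss, set()) else "good"

def check_software_statement(jws: str) -> str:
    try:
        head_b64, body_b64, sig_b64 = jws.split(".")
        header = json.loads(b64u_dec(head_b64))
        claims = json.loads(b64u_dec(body_b64))
        sig = b64u_dec(sig_b64)
    except ValueError:
        return "malformed"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return "malformed"
    iss, jti = claims.get("iss"), claims.get("jti")
    # The unverified iss only selects a key from a local allow-list; it is
    # never used to reach out to an arbitrary URL before the signature checks out.
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        return "untrusted_issuer"
    if header.get("alg") != "HS256":
        return "unsupported_alg"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad_signature"
    if not isinstance(jti, str) or not jti:
        return "no_jti"  # without a jti there is nothing to ask the issuer about
    return query_issuer_status(iss, jti)
```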
