NFR007 - Maximum system response time: 48h vs. 24h REQ elsewhere and PDG's 4 h #42

Closed
8 of 31 tasks
bluesteens opened this issue May 1, 2023 · 1 comment · Fixed by #65
Labels
documentation Improvements or additions to documentation Steering - Review Proposal and Completed work must be reviewed by Steering.

Comments

@bluesteens
Member

bluesteens commented May 1, 2023

for Steering

Most importantly, there seems to be a conflict between NFR007 and para 4.1.10 regarding caching duration (24 vs 48 h), plus a few wording issues. We should also assess whether OCI and PDG are fully aligned regarding credential revocation update periods.


points for improvement

  1. the NFR wording contains normative words in sections that should not contain requirements but mere descriptions.
  2. there's also a mix of SHALL, SHOULD, MAY that could be straightened out for clarity
  3. it states:

Cached data SHALL be valid no longer than 48 hours.

#3 appears to be in direct conflict with REQ in 4.1.10 on revocation

Credential revocation data SHALL not be older than 24 hours during normal operations of the OCI Directory Service.
[...] why revocation data older than 24 hours were potentially used

Thus, it is permissible to use revocation data older than 24 h during downtime. However, NFR007 reads as if it referred to normal operations and caching was only used to reduce response times. In that context, 007 should require 24 h, not 48 h. If there are other data sets that may be cached for longer as part of d2d ops, then OCI should consider making a distinction between those and revocation status in NFR007.

It may also be of note that the PDG Blueprint, Chapter 1 says:

Requirement-Cred-011:
If an Accredited Credential Issuer learns that the conditions of the credential are no longer met (e.g., a license has been lost), either due to a pushed notification or confirmation by the Accredited Credential Issuer, the credential shall reflect this change within 4 hours.

How is this reconciled with OCI's 24 h/48 h caching provision?


Triage:

  • Is Issue appropriate for OCI Architecture
  • Assign Size
  • Assign Priority
  • Assign Label (if needed)
  • OCI affected Artifacts Identified
  • Assign Triage - Artifact Version Target (v x.x.x Milestone)
  • Assign Triage - Interop Profile Version Target (v x.x.x Milestone)
  • Create sub-project (if needed)

Affected Parties (help determine Sunrise/Sunset):

  • Trading Partners
  • Issuers
  • Wallet Solutions
  • PI Verification Solutions

Affected OCI Artifact

  • Schema Document
  • Identity Schema
  • ATP Schema
  • Issuer Conformance Criteria
  • Wallet Conformance Criteria
  • VRS Solution Conformance Criteria
  • Wallet API Specification
  • Governance Document
  • Conformance Program
  • OCI Website
  • Internal Process

Change Category (Guides Steering Review)

- Steering/Industry Review

  • Business-Level (May affect business operations)
  • OCI Governance, Policy or website feature

- Steering/Industry Notification

  • Technical-Level (Does not affect business operations)
  • OCI Internal Process or Infrastructure

Communication

  • Website
  • Newsletter
  • email:
  • Other:
@bluesteens bluesteens added the documentation Improvements or additions to documentation label May 1, 2023
@bluesteens bluesteens changed the title from "NFR007 - Maximum system response time: 48h conflicts with 24h REQ elsewhere" to "NFR007 - Maximum system response time: 48h vs. 24h REQ elsewhere and PDG's 4 h" May 2, 2023
@bluesteens bluesteens linked a pull request Jun 14, 2023 that will close this issue
@bluesteens bluesteens self-assigned this Jun 14, 2023
@bluesteens
Member Author

review 06/22/23:

  • re-instate 48 h
  • add to confo row: "Note that other parts of the Conformance Criteria may set shorter validity times for particular types of cached data."

@rceleste125 rceleste125 added the Steering - Review Proposal and Completed work must be reviewed by Steering. label Jul 17, 2023
Projects
Status: Done - Published
2 participants