From MgmtWiki

Full Title or Meme

Certificates and Credentials typically include an Expiry date-time or event, such as "on first use".


  • Many digital documents include a start date and an Expiry date.
  • Many digital documents include a nonce or serial number, which is typically used to ensure that the document is processed only once and on time, after which it expires.
  • License is a grant of a right.
  • Identification is the use of a document to infer some set of attributes or behaviors of a subject.

There are two concepts that are NOT addressed in the document in the holder's possession.

  • Purpose is the reason why the relying party requests access to a document.
  • Policy is used to determine whether a relying party will accept the document presented. Policy may be determined by regulation or by business rules.


Expiry of a document can be devilishly difficult to determine.

  • Typically, a Certificate will expire on a given date and time, which seems very clear.
  • When a key with a certificate is used to sign a document, should the date of validation or the date of signing be operative?
  • License plates for vehicles expire every year, primarily to ensure that access taxes are collectable. This date is typically on a sticker applied to the license plate. The sticker is the license for the vehicle to be on a public road.

State Issued IDs for Natural Persons

Four kinds of Identity documents are considered here among the many issued by states all over the world.

  1. Passports seem to be the simplest in that they have an Expiry date, but they cannot be used for travel starting up to 6 months before that date and are eligible for renewal up to 12 months after the expiry date. A digital version has been proposed by some states. So the expiry state of the passport requires policy to determine whether it is good for any particular purpose.
  2. Social Insurance cards typically have no expiry date other than the date of death, which has a legal definition that overrides reality.
  3. EID or electronic smart cards issued to state residents.
  4. Driver's Licenses have two meanings: (1) the grant of a right to use a car on public roads, and (2) a plastic card that is provided to the user with its own identity number.

The following Expiry dates and events can apply to a driver's license. Complications arise because the license card is also used as an ID card.

  1. Driving with an expired license is a crime, but any judge can revoke a license at any time. That order can likewise be removed. So only an online check can be used to determine the state of the license to drive.
  2. When a new license is issued, the old one typically has a hole punched in the card, a receipt for the new card is printed and the new card is mailed to the licensee. Now the card is revoked for driving, but is explicitly still valid for ID, although that may, or may not, be honored by a verifier.

For a Digital Driver's License things get even more complex. Note in particular that the license is a grant of a right to use the public roads. Calling the card a license conflates the idea of a license to drive with a card expressing that license.

  1. The Issuer of the license comes with an identifier and one or more certifications: ISO 18013-1 cards, and/or ISO 18013-5 mobile driver's licenses, which some states already call mobile IDs.
  2. The mobile Driver's License (ISO 18013-5 or mDL) is expected to use the same license number as the card (ISO 18013-1). It is expected that both will have the same Expiry date for the license to drive.
  3. The "mDL" is represented as a bag of bits, typically called an mdoc, which has an Expiry date that may be significantly shorter than that of the license to drive.
  4. When the mdoc Expiry date triggers, it is not the mDL that expires, but the mdoc.
  5. The value of an expired mdoc for identification is not clear at this point, precisely because the document also serves as identification. While the state can issue regulations, the Relying Party can make its own policy.
  6. A refreshed mdoc (current mDL data) may be sent to the mDL in the user's phone by some method not yet clear.
  7. Recall that the license ID number is based on the mDL, not on the mdoc. So the mdoc is what is evaluated, but the mDL is the legal right to drive, and most states continue to require a physical card to be present when driving.
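The separation described in items 3 to 7 (the mdoc's own validity window versus the Expiry of the license to drive), together with the earlier point that Purpose and Policy live with the relying party rather than in the document, can be made concrete in a verifier-side check. The following is an added example written for this page, not code from any mDL project or from ISO 18013-5; the field names and the grace-period policy are constructed assumptions, and the sample dates are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Purpose(Enum):
    """Purpose is supplied by the relying party, not carried in the mdoc."""
    DRIVING = "driving"
    IDENTIFICATION = "identification"

@dataclass(frozen=True)
class Mdoc:
    """Simplified mdoc: a signed container with its own validity window
    (mdoc_valid_from/mdoc_valid_until) wrapping the license data, whose
    own expiry (license_expiry) may be much later. Field names are
    assumptions for this example, not ISO 18013-5 element names."""
    license_number: str
    license_expiry: datetime
    mdoc_valid_from: datetime
    mdoc_valid_until: datetime

@dataclass(frozen=True)
class Policy:
    """Relying-party policy (assumed): how long after the mdoc expires
    its data is still accepted for identification. Driving gets none."""
    id_grace_after_mdoc_expiry: timedelta = timedelta(0)

def evaluate(doc: Mdoc, purpose: Purpose, policy: Policy, now: datetime) -> str:
    """Decide acceptance from the three distinct clocks the page separates."""
    if now < doc.mdoc_valid_from:
        return "reject: mdoc not yet valid"
    mdoc_fresh = now <= doc.mdoc_valid_until
    if purpose is Purpose.DRIVING:
        # The container and the underlying right must both be current, and
        # judicial revocation can only be learned by asking the issuer.
        if not mdoc_fresh:
            return "reject: mdoc expired, refresh from issuer"
        if now > doc.license_expiry:
            return "reject: license to drive expired"
        return "accept pending online revocation check"
    # Identification: only the mdoc expired, not the mDL; the RP decides.
    if mdoc_fresh:
        return "accept"
    if now <= doc.mdoc_valid_until + policy.id_grace_after_mdoc_expiry:
        return "accept under RP grace policy"
    return "reject: mdoc expired beyond RP policy"

# Constructed sample: the right to drive runs to 2030, the mdoc only to mid-2026.
SAMPLE = Mdoc("D-0000-CONSTRUCTED",
              datetime(2030, 1, 1, tzinfo=timezone.utc),
              datetime(2025, 1, 1, tzinfo=timezone.utc),
              datetime(2026, 7, 1, tzinfo=timezone.utc))
```

Calling evaluate(SAMPLE, Purpose.IDENTIFICATION, Policy(timedelta(days=90)), now) one month after the mdoc window closes is accepted under the grace rule, while the same presentation for Purpose.DRIVING is rejected until a refreshed mdoc arrives.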