FHIR Chat · SHC Expiration Claim · smart/health-cards

Stream: smart/health-cards

Topic: SHC Expiration Claim


Igor Sirkovich (Nov 17 2021 at 18:33):

Ontario has a business requirement to have an expiration date on the vaccine certificates. The rationale is to have an ability to identify a vaccine certificate that was issued a while ago (e.g. 6 months) so that the client can be directed to get a new certificate with the latest data and format. It doesn’t imply the client’s vaccinations have expired. It’s that their certificate is dated and given the contents are constantly changing, we want them to be using the latest and greatest.

I'm wondering if any other jurisdiction or organization has similar requirements. Was this discussed before? Are there any reasons to not include this in the standard?

Isaac Vetter (Nov 17 2021 at 19:08):

Hey Igor, the nbf field in the JWT does effectively contain a timestamp documenting when the SHC was generated. It could be used to determine that a card was 6+ months old. I'd wager that agreeing on the amount of time an SHC should be valid before expiration would be difficult to reach consensus on.

Grahame Grieve (Nov 17 2021 at 19:08):

And your logic is all about the issue date

Josh Mandel (Nov 17 2021 at 19:10):

I agree -- the logic here doesn't require explicit, pre-specified expiration. Clients implementing jurisdictional logic can recommend "get a new card" based on issuance time, or availability of new data, etc.

Josh Mandel (Nov 17 2021 at 19:11):

The problem with expiration times is that they take away the ability for a consumer to use/share records even though the records are still accurate. There may be cases where this makes sense, like for a VC representing a driver's license that expires at a certain time (or as we've discussed elsewhere, a time-limited exemption or pass). But for verifiable clinical information, these concerns don't apply.

Igor Sirkovich (Nov 17 2021 at 21:56):

Thank you @Isaac Vetter, @Grahame Grieve and @Josh Mandel

It seems to be a question on how we look at the SHC: as a Verifiable Credential or as a Clinical Record. In our view, the SHC is being used as a Verifiable Credential (rather than a clinical record) and a VC should support an expiration date that is not based on its content.

Having an expiration date doesn't mean that any record (e.g. Immunization) in the certificate has expired. It rather means that the certificate itself has expired and that a new certificate needs to be issued to its holder.

For example, the W3C VC work (https://www.w3.org/TR/vc-data-model/#expiration) has a requirement for an expiry date on the credential. However, the term "expiration" seems to be confusing, so they are going to rename the "expirationDate" to "validUntil".

Having the "Valid Until" for the Verifiable Credential is actually the requirement for our jurisdiction and it would be great if SHC can define this in the standard. This might be an optional element, but having this in the standard would ensure consistent use and interpretation by systems that want to support this.

Josh Mandel (Nov 17 2021 at 22:02):

We can document this as an optional field in the core spec, but populating this field in your COVID-19 vaccination record SMART Health Cards would still be out of alignment with the specification, for the reasons described above.

Josh Mandel (Nov 17 2021 at 22:02):

Given discussion here, I'm concerned about confusion on this point.

Pascal Pfiffner (Nov 18 2021 at 18:03):

Yeah, that's a good point and we should probably better document what exp means on an SHC, especially for verifiers. FWIW we will surface this date but not use it to mark a card as invalid.


Last updated: Apr 12 2022 at 19:14 UTC