From 8b256f5b5353311d83dbf43730633d3ea3ac1513 Mon Sep 17 00:00:00 2001 From: Chris <34170038+bluesteens@users.noreply.github.com> Date: Wed, 18 Oct 2023 16:10:02 +0200 Subject: [PATCH 1/9] minor text edits --- content/DRAFT/index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/DRAFT/index.html b/content/DRAFT/index.html index fa2c612..f56f598 100644 --- a/content/DRAFT/index.html +++ b/content/DRAFT/index.html @@ -161,7 +161,7 @@

Compliance monitoring

The OCI Steering Committee SHALL agree on a suitable specification release process with the OCI Service Providers to allow for realistic deadlines to compliance. This process SHOULD include considerations regarding audit requirements, time to audit, and any other necessary arrangements. Where these considerations allow for a grace period between the trigger of a new audit or self-attestation and the execution of those, the affected OCI Service Providers SHALL continue to be considered as valid OCI Service Providers for that period.

@@ -173,7 +173,7 @@

Scope of formal audit

Digital Wallet Providers

The formal audit of a Digital Wallet provider SHALL address all compliance criteria as set out in the published OCI Digital Wallet Conformance Criteria document found at the following public location: OCI GitHub - Digital Wallet Conformance Criteria.

Since the nature of the various conformance criteria differs, auditors SHOULD distinguish between Test of Details and Test of Controls as applicable to individual criteria or groups of criteria.

- To the extent that OCI conformance criteria are covered by another audit, auditors MAY rely on audit work performed by other trustworthy entities to avoid duplication of work, for example in the context of a SOC2 or ISO audit. + To the extent that OCI conformance criteria are covered by another audit, auditors MAY rely on audit work performed by other trustworthy entities to avoid duplication of work, for example in the context of a SOC 2 or ISO audit.

Temporary limitation of audit scope

OCI has not yet standardized the DIDComm-based wallet-to-wallet communication that is to be implemented by Digital Wallet Providers. Since the initial overview of technologies proposed in the Digital Wallet Conformance Criteria only permits the implementation of custom DIDComm flows that might be outside of OCI's future recommendations, From a10583a40f89e57c9670c8ad8b4e6c12e17b594a Mon Sep 17 00:00:00 2001 From: Chris <34170038+bluesteens@users.noreply.github.com> Date: Wed, 18 Oct 2023 18:23:58 +0200 Subject: [PATCH 2/9] flowchart link added --- content/DRAFT/index.html | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/DRAFT/index.html b/content/DRAFT/index.html index f56f598..85a50e4 100644 --- a/content/DRAFT/index.html +++ b/content/DRAFT/index.html @@ -165,6 +165,10 @@

Compliance monitoring

The OCI Steering Committee SHALL agree on a suitable specification release process with the OCI Service Providers to allow for realistic deadlines to compliance. This process SHOULD include considerations regarding audit requirements, time to audit, and any other necessary arrangements. Where these considerations allow for a grace period between the trigger of a new audit or self-attestation and the execution of those, the affected OCI Service Providers SHALL continue to be considered as valid OCI Service Providers for that period.

+
+ High-level OCI Roadmap Process.svg +
High-level OCI Roadmap Process
+

Scope of formal audit

Credential Issuers
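Review bot: the added figure block ('High-level OCI Roadmap Process.svg' with the caption 'High-level OCI Roadmap Process') is not referenced from the paragraph it follows and carries no figure number, so a reader cannot tell which part of the release process it illustrates. Suggest numbering the caption and citing it from the preceding paragraph, for example '... realistic deadlines to compliance (Figure 1).'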

The formal audit SHALL address all compliance criteria in the OCI Credential Issuer Conformance Criteria as it relates to the specific Credential Type(s) the Credential Issuer offers. From 8aa31e2ebc3a3ca6764b88ec599213fee2031686 Mon Sep 17 00:00:00 2001 From: Chris <34170038+bluesteens@users.noreply.github.com> Date: Thu, 19 Oct 2023 10:29:25 +0200 Subject: [PATCH 3/9] Self-Attestation types & need for signature --- content/DRAFT/index.html | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/content/DRAFT/index.html b/content/DRAFT/index.html index 85a50e4..94c6e6f 100644 --- a/content/DRAFT/index.html +++ b/content/DRAFT/index.html @@ -258,7 +258,7 @@

Auditor acceptance criteria

The audit firm SHALL: The audit firm SHOULD: @@ -276,17 +276,21 @@

Auditor inspection

Self-Attestation

-

Self-attestation refers to representations made by the Service Provider in reference to the relevant OCI Conformance Criteria as a whole or selected requirements therein. Such representations SHALL be signed by the Service Provider’s senior management and provided to the OCI Steering Committee for publication, either as a stand-alone document or as a statement of permission for OCI to hyperlink to the service provider’s own public storage location. Where OCI prescribes a template for such representations, the latest published version at the time of signing SHALL be used by the Service Provider. -

- At any time the OCI Steering Committee MAY challenge any Service Provider on the claims made. The Service Provider SHALL then address the points of concern raised by the OCI Steering Committee in a form and timeframe appropriate to the situation and as agreed with the OCI Steering Committee. +

Self-attestation, in general, refers to representations made by the Service Provider in reference to the relevant OCI Conformance Criteria as a whole or selected requirements therein. OCI distinguishes between Attestation of Conformance and Operational Attestation. +

+ An Attestation of Conformance is an explicit statement by the Service Provider about their adherence to the applicable OCI Conformance Criteria. Such self-attestation SHALL be signed by the Service Provider’s senior management and provided to the OCI Steering Committee for publication, either as a stand-alone document or as a statement of permission for OCI to hyperlink to the Service Provider’s own public storage location. Where OCI prescribes a template for such representation, the latest published version at the time of signing SHALL be used by the Service Provider. +

+ An Operational Attestation is a presentation of operational or system performance data by the Service Provider in relation to selected requirements within the applicable OCI Conformance Criteria. Such self-attestation NEED NOT be signed by the Service Provider’s senior management or other staff. The Service Provider NEED NOT make any claim beyond the presented data in the self-attestation. +

+ At any time the OCI Steering Committee MAY challenge any Service Provider on any of the statements or claims made. The Service Provider SHALL then address the points of concern raised by the OCI Steering Committee in a form and timeframe appropriate to the situation and as agreed with the OCI Steering Committee.

-

OCI provides a public repository for submitted self-attestations at https://github.com/Open-Credentialing-Initiative/marketplace/tree/main/proof. +

OCI provides a public repository for submitted self-attestations.

Audited service providers

-

Where self-attestation is permissible or required as additional evidence on top of a third-party audit (refer to Test of Controls), the Service Provider SHALL make the necessary documentation available to OCI. +

Where Operational Attestation is permissible or required as additional evidence on top of a third-party audit (refer to Test of Controls), the Service Provider SHALL make the necessary documentation available to OCI.

VRS providers

-

VRS providers SHALL self-attest that they are in compliance with all requirements within the OCI VRS Providers Conformance Criteria. +

VRS providers SHALL provide Attestation of Conformance, i.e. self-attest that they are in compliance with all requirements within the OCI VRS Providers Conformance Criteria.
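Review bot: 'NEED NOT' in the Operational Attestation paragraph is not one of the SHALL/SHOULD/MAY requirement keywords this document otherwise uses, so its normative weight is undefined; 'is not required to be signed' or 'MAY be submitted unsigned' is unambiguous. Because these unsigned reports go into the public repository and the Steering Committee may challenge any claim in them (last paragraph of the hunk), the text should also say how OCI establishes that a submission actually originates from the named Service Provider. Removing the URL from 'OCI provides a public repository for submitted self-attestations' leaves the location unstated unless the sentence is still hyperlinked; keep the path visible or add a reference.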

From b47c5b34186d063ef7c70197392decc3c3e81377 Mon Sep 17 00:00:00 2001 From: Chris <34170038+bluesteens@users.noreply.github.com> Date: Thu, 19 Oct 2023 10:42:36 +0200 Subject: [PATCH 4/9] Update oci-self-attestation-process.svg --- content/DRAFT/assets/oci-self-attestation-process.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/DRAFT/assets/oci-self-attestation-process.svg b/content/DRAFT/assets/oci-self-attestation-process.svg index 65f86a0..2077616 100644 --- a/content/DRAFT/assets/oci-self-attestation-process.svg +++ b/content/DRAFT/assets/oci-self-attestation-process.svg @@ -1,4 +1,4 @@ -
Change in Conformance Requirements
Change in Conformanc...
Initial or Re-Conformance
Audit/Attestation
Initial or Re-Confor...
Sunrise
Date
Sunrise...
Operational Recurring
Self-Attestation
Operational Recu...
Audit
Deadline
Audit...
Text is not SVG - cannot display
\ No newline at end of file +
Change in Conformance Requirements
Change in Conformanc...
Initial or Re-Conformance
Audit/Attestation
Initial or Re-Confor...
Sunrise
Date
Sunrise...
Recurring
Operational
Attestation
Recurring...
Audit
Deadline
Audit...
Text is not SVG - cannot display
\ No newline at end of file From 412f78a5a42a0f6c71e12386269ec2105e4772ff Mon Sep 17 00:00:00 2001 From: Chris <34170038+bluesteens@users.noreply.github.com> Date: Thu, 19 Oct 2023 11:04:11 +0200 Subject: [PATCH 5/9] trusted provider links addresses https://github.com/Open-Credentialing-Initiative/Conformance-Program/issues/3 --- content/DRAFT/index.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/DRAFT/index.html b/content/DRAFT/index.html index 94c6e6f..401370a 100644 --- a/content/DRAFT/index.html +++ b/content/DRAFT/index.html @@ -238,11 +238,11 @@

Trusted service provider registries

- + - +
Trusted Digital Wallet Provider registryComing soonRefer to Proof of OCI conformance
Trusted Credential Issuer registryComing soonRefer to Proof of OCI conformance. Digital wallets call a technological implementation of the Trusted Issuer registry to enable automated credential checks. Refer to the respective section in the Digital Wallet Conformance Criteria.
@@ -290,7 +290,7 @@

Audited service providers

Where Operational Attestation is permissible or required as additional evidence on top of a third-party audit (refer to Test of Controls), the Service Provider SHALL make the necessary documentation available to OCI.

VRS providers

-

VRS providers SHALL provide Attestation of Conformance, i.e. self-attest that they are in compliance with all requirements within the OCI VRS Providers Conformance Criteria. +

VRS providers SHALL provide Attestation of Conformance, i.e. self-attest that they are in compliance with all requirements within the VRS Integration Conformance Criteria.
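Review bot: the cited document changes from 'OCI VRS Providers Conformance Criteria' to 'VRS Integration Conformance Criteria' while the heading in the same hunk still reads 'VRS providers'; confirm the new name is the exact published title and apply the same rename wherever the document cites that criteria set, otherwise the two names read as two different documents.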

From 79593cd46bd2efe335ba1178ccee6a05f6a6000c Mon Sep 17 00:00:00 2001 From: Chris <34170038+bluesteens@users.noreply.github.com> Date: Thu, 19 Oct 2023 11:46:10 +0200 Subject: [PATCH 6/9] Update oci-self-attestation-process.svg --- content/DRAFT/assets/oci-self-attestation-process.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/DRAFT/assets/oci-self-attestation-process.svg b/content/DRAFT/assets/oci-self-attestation-process.svg index 2077616..b91c032 100644 --- a/content/DRAFT/assets/oci-self-attestation-process.svg +++ b/content/DRAFT/assets/oci-self-attestation-process.svg @@ -1,4 +1,4 @@ -
Change in Conformance Requirements
Change in Conformanc...
Initial or Re-Conformance
Audit/Attestation
Initial or Re-Confor...
Sunrise
Date
Sunrise...
Recurring
Operational
Attestation
Recurring...
Audit
Deadline
Audit...
Text is not SVG - cannot display
\ No newline at end of file +
Change in Conformance Requirements
Change in Conformanc...
Initial or Re-Conformance
Audit/Attestation
Initial or Re-Confor...
Sunrise
Date
Sunrise...
Recurring
Operational
Attestation
Recurring...
Audit/
Attestation
Deadline
Audit/...
Text is not SVG - cannot display
\ No newline at end of file From 3e07ef813cf1b5c71e4cc05b3ec3fb21bd98ce24 Mon Sep 17 00:00:00 2001 From: Chris <34170038+bluesteens@users.noreply.github.com> Date: Thu, 19 Oct 2023 11:47:31 +0200 Subject: [PATCH 7/9] compliance monitoring extended --- content/DRAFT/index.html | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/content/DRAFT/index.html b/content/DRAFT/index.html index 401370a..3480bcd 100644 --- a/content/DRAFT/index.html +++ b/content/DRAFT/index.html @@ -145,7 +145,7 @@

General Terms and Abbreviations

Compliance monitoring

OCI Participants -

The following OCI Participants SHALL provide self-attestation using the latest applicable version of the OCI-provided template that they are in compliance with the respective published Conformance Criteria:

+

The following OCI Participants SHALL provide Attestation of Conformance using the latest applicable version of the OCI-provided template that they are in compliance with the respective published Conformance Criteria:

@@ -155,19 +155,19 @@

Compliance monitoring

  • Credential Issuers
  • Digital Wallet Providers
  • -

    Further, where self-attestation is deemed a more useful proof of compliance for certain individual conformance requirements of OCI Service Providers undergoing formal third-party audit, these service providers SHALL also provide self-attestations in the applicable format (refer to Test of Controls). +

    Further, where Operational Attestation is deemed a more useful proof of compliance for certain individual conformance requirements of OCI Service Providers undergoing formal third-party audit, these service providers SHALL also provide self-attestations in the applicable format (refer to Test of Controls).

    -

    Once an OCI Service Provider is approved as a result of a successful audit and self-attestation (as applicable), they are considered a valid OCI Service Provider until one of the following events triggers another audit (re-audit) and/or self-attestation:

    +

    Once an OCI Service Provider is approved as a result of a successful audit and self-attestation (as applicable), they are considered a valid OCI Service Provider until one of the following events triggers another audit (re-audit) and/or self-attestation:

    -

    The OCI Steering Committee SHALL agree on a suitable specification release process with the OCI Service Providers to allow for realistic deadlines to compliance. This process SHOULD include considerations regarding audit requirements, time to audit, and any other necessary arrangements. Where these considerations allow for a grace period between the trigger of a new audit or self-attestation and the execution of those, the affected OCI Service Providers SHALL continue to be considered as valid OCI Service Providers for that period. +

    The OCI Steering Committee SHALL agree on a suitable specification release process with the OCI Service Providers to allow for realistic deadlines to compliance (Figure 1). This process SHOULD include considerations regarding audit requirements, time to audit, and any other necessary arrangements. Where these considerations allow for a grace period between the trigger of a re-audit or re-attestation and the execution of those, the affected OCI Service Providers SHALL continue to be considered as valid OCI Service Providers for that period. Where Operational Attestation requires recurring reports, the start date for the reporting cadence is determined by the most recent audit affecting the respective conformance requirements.

    High-level OCI Roadmap Process.svg -
    High-level OCI Roadmap Process
    +
    Fig. 1: Key steps in OCI compliance monitoring

    Scope of formal audit
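Review bot: the new closing sentence of the compliance monitoring paragraph ('Where Operational Attestation requires recurring reports, the start date for the reporting cadence is determined by the most recent audit ...') fixes when the cadence starts but not its length, so a provider cannot derive a due date from it; state the reporting period and submission deadline next to the start rule. The caption becomes 'Fig. 1:' while the paragraph cites '(Figure 1)'; use one form. The '-'/'+' pair for 'Once an OCI Service Provider is approved ...' is textually identical, so that part of the hunk is whitespace only and could be dropped.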

    Credential Issuers @@ -219,16 +219,16 @@

    Validity period

    Process after audit failure following a re-audit

    Notification of OCI

    In the case of a re-audit, the auditee SHALL submit a copy of the auditor’s conclusion of failure to the OCI Steering Committee on the day of receiving the final audit report or the day after if the report is received outside the auditee’s business hours.
    - The OCI Steering Committee SHALL inform all other valid OCI Service Providers of the auditee’s negative audit conclusion.

    - OCI SHALL update the applicable public registry of trusted valid Service Providers to remove the auditee’s details at the appropriate date if listed. + The OCI Steering Committee SHALL inform all other valid OCI Service Providers of the auditee’s negative audit conclusion.

    + OCI SHALL update the applicable public registry of trusted valid OCI Service Providers to remove the auditee’s details at the appropriate date if listed.

    Notification of service users

    The auditee SHOULD inform their customers of the negative re-audit outcome in a timely manner.

    Trusted service provider registries

    -

    OCI SHALL maintain up-to-date registries listing valid Service Providers that have passed the compliance audit, referred to as Trusted Service Providers. +

    OCI SHALL maintain up-to-date registries listing valid OCI Service Providers that have passed the compliance audit, referred to as Trusted Service Providers.

    - Any listed valid OCI Service Provider who does not make a copy of the latest positive auditor’s conclusion available to OCI, will be removed from the registry. They will be added back to the registry upon submission of the positive audit conclusion. + Any listed valid OCI Service Provider who does not make a copy of the latest positive auditor’s conclusion available to OCI, will be removed from the registry. They will be added back to the registry upon submission of the positive audit conclusion.

    Service Providers that have failed in the audit to prove their compliance with OCI Conformance Criteria will not be added or, if already listed, will be removed from the applicable registry.
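Review bot: 'Any listed valid OCI Service Provider who does not make a copy of the latest positive auditor's conclusion available to OCI, will be removed from the registry' sets no deadline by which the conclusion must be supplied, and the earlier line in this hunk removes failed auditees 'at the appropriate date' without defining that date; both removals need a concrete trigger (for example a fixed number of business days after the audit deadline) so the registry is maintained consistently and relying parties know when a listing stops being authoritative. Also, the comma between subject and verb in that sentence ('... available to OCI, will be removed') should be dropped.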

    From 46401fb188f41c2f56eef6e068e270ae39300b63 Mon Sep 17 00:00:00 2001 From: Chris <34170038+bluesteens@users.noreply.github.com> Date: Thu, 19 Oct 2023 12:32:47 +0200 Subject: [PATCH 8/9] reporting cadence --- content/DRAFT/index.html | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/content/DRAFT/index.html b/content/DRAFT/index.html index 3480bcd..b257801 100644 --- a/content/DRAFT/index.html +++ b/content/DRAFT/index.html @@ -144,12 +144,10 @@

    General Terms and Abbreviations

    Compliance monitoring

    - OCI Participants -

    The following OCI Participants SHALL provide Attestation of Conformance using the latest applicable version of the OCI-provided template that they are in compliance with the respective published Conformance Criteria:

    +

    The following OCI Service Providers SHALL provide Attestation of Conformance using the latest applicable version of the OCI-provided template that they are in compliance with the respective published Conformance Criteria:

    - OCI Service Providers

    The following OCI Service Providers SHALL undergo a formal third-party audit to assert their compliance with the respective published Conformance Criteria:

    -

    The OCI Steering Committee SHALL agree on a suitable specification release process with the OCI Service Providers to allow for realistic deadlines to compliance (Figure 1). This process SHOULD include considerations regarding audit requirements, time to audit, and any other necessary arrangements. Where these considerations allow for a grace period between the trigger of a re-audit or re-attestation and the execution of those, the affected OCI Service Providers SHALL continue to be considered as valid OCI Service Providers for that period. Where Operational Attestation requires recurring reports, the start date for the reporting cadence is determined by the most recent audit affecting the respective conformance requirements. + Scheduling +

    The OCI Steering Committee SHALL agree on a suitable specification release process with the OCI Service Providers to allow for realistic deadlines to compliance (Figure 1). This process SHOULD include considerations regarding audit requirements, time to audit, and any other necessary arrangements. Where these considerations allow for a grace period between the trigger of a re-audit or re-attestation and the execution of those, the affected OCI Service Providers SHALL continue to be considered as valid OCI Service Providers for that period.

    + Where Operational Attestation requires recurring reports, the start date for the reporting cadence is determined by the most recent audit affecting the respective conformance requirement. At a minimum, reports SHALL show monthly averages of the relevant operational data and cover no more than six (6) months in total. The first report begins in the month of successful (re-)audit completion. Subsequent reports SHALL cover the reporting period directly following the prior reported period. Reports MAY show more granular data than monthly averages and cover more frequent time periods. Reports MAY constitute manual submissions to OCI or automated publicly accessible displays. Each report SHALL be submitted no later than five (5) business days following the end of each reporting period.

    High-level OCI Roadmap Process.svg -
    Fig. 1: Key steps in OCI compliance monitoring
    +
    Figure 1. Key steps in OCI compliance monitoring

    Scope of formal audit
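Review bot: the new reporting-cadence sentence caps each report at 'no more than six (6) months in total' but never fixes the reporting interval, so one provider may report monthly and another twice a year while both comply; if a fixed cadence is intended, state the period length explicitly (the six-month ceiling then becomes the period). 'Reports MAY constitute ... automated publicly accessible displays' sits uneasily with 'Each report SHALL be submitted no later than five (5) business days following the end of each reporting period', since a live display is never 'submitted' and can change after the fact; say whether OCI archives a snapshot of such displays at each period end so the record can be compared later.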

    Credential Issuers @@ -176,7 +176,7 @@

    Scope of formal audit

    Digital Wallet Providers

    The formal audit of a Digital Wallet provider SHALL address all compliance criteria as set out in the published OCI Digital Wallet Conformance Criteria document found at the following public location: OCI GitHub - Digital Wallet Conformance Criteria.

    - Since the nature of the various conformance criteria differs, auditors SHOULD distinguish between Test of Details and Test of Controls as applicable to individual criteria or groups of criteria.

    + Since the nature of the various conformance criteria differs, auditors SHOULD distinguish between Test of Details and Test of Controls as applicable to individual criteria or groups of criteria.

    To the extent that OCI conformance criteria are covered by another audit, auditors MAY rely on audit work performed by other trustworthy entities to avoid duplication of work, for example in the context of a SOC 2 or ISO audit.

    Temporary limitation of audit scope @@ -184,13 +184,13 @@

    Scope of formal audit

    OCI does not require conformance with any DIDcomm-specific elements of the Digital Wallet Conformance Criteria until the respective specifications have been updated. In this transition period, OCI permits other technological means for the issuance and exchange of verifiable credentials, such as API-based approaches.

    Test of Details

    -

    OCI defines Test of Details as any audit method that assesses factual evidence of whether the required conformance criteria have been met as stated.

    +

    OCI defines Test of Details as any audit method that assesses factual evidence of whether the required conformance criteria have been met as stated.

    This is a direct testing approach and may involve methods such as sampling, reperformance, or analytical review.

    Test of Controls

    OCI defines Test of Controls as any audit method that assesses whether operational controls and practices put in place by the auditee are sufficiently documented, functional and adhered to as intended by systems and staff of the auditee.

    - This is an indirect testing approach based on the assumption that adequate controls lead to compliance with stated conformance criteria. Test of Controls may involve methods such as enquiry, inspection of documentation, or observation of the auditee’s staff. Test of Controls methods SHOULD be applied by the auditor in cases where Test of Details is deemed neither feasible nor informative.

    - Where the auditor applies a Test of Controls approach, Service Providers are required to produce audit-independent self-attestation reports or statements publicly available to the OCI ecosystem demonstrating their performance. OCI SHALL maintain a public repository for such documentation. It is then the responsibility of OCI members and service users to assess whether such performance is acceptable for continued collaboration.

    + This is an indirect testing approach based on the assumption that adequate controls lead to compliance with stated conformance criteria. Test of Controls may involve methods such as enquiry, inspection of documentation, or observation of the auditee’s staff. Test of Controls methods SHOULD be applied by the auditor in cases where Test of Details is deemed neither feasible nor informative.

    + Where the auditor applies solely a Test of Controls approach, Service Providers SHALL produce audit-independent Operational Attestation that is available via OCI's public repository. It is then the responsibility of OCI members and service users to assess whether such performance is acceptable for continued collaboration.

    The auditor SHALL apply the Test of Controls approach to the following specific conformance criteria.
    Digital Wallet Conformance Criteria:
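Review bot: 'Where the auditor applies solely a Test of Controls approach' is ambiguous in scope: read against the following sentence ('The auditor SHALL apply the Test of Controls approach to the following specific conformance criteria') it should mean per criterion, but it can equally be read as the audit as a whole, in which case no Operational Attestation would be due as soon as one criterion is covered by Test of Details. Suggest 'Where, for a given conformance criterion, the auditor applies solely a Test of Controls approach ...'. This wording also changes the trigger relative to the Compliance monitoring section ('where Operational Attestation is deemed a more useful proof of compliance ...'), which keys on usefulness rather than audit method; align the two so providers have a single rule.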