Copyright © 2024 Named editors. Contributors to the Open Credentialing Initiative.
This section describes the status of this document at the time of its publication. Other documents may supersede this document.
This is a living document developed by OCI's Founding Members with input from other OCI Charter Members, DSCSA Trading Partners, Authorities, Solution Providers, Associations, Standards Bodies and others interested in implementing and contributing to the betterment of the W3C Verifiable Credentials architecture piloted by the DSCSA Pilot. It is anticipated that the contents of this document will be reviewed and updated to address feedback related to compliance, business operations, W3C and GS1 Standards, interoperability, changing legislation, regulations, and policy.
This document lays out the conformance criteria for service providers who wish to be recognized by the Open Credentialing Initiative (OCI) as Tracing service providers.
The publication is intended for Tracing service providers who wish to implement
Authorized Trading Partner (ATP) credentialing in an Open Credentialing Initiative (OCI)-compliant way under
the US Drug Supply Chain Security Act (DSCSA). Implementation means the integration of OCI trust architecture
components with the Tracing system.
This document provides a specification of the Conformance Criteria for a Tracing provider.
For a general introduction to OCI, please refer to our Getting Started guide or the Open Credentialing Initiative website.
In accordance with the Digital Wallet Conformance Criteria, all digital wallets provide the same APIs for creating and verifying ATP Credential Presentations. Tracing providers integrate these APIs in accordance with the latest OCI Interoperability Profile. Refer to the published OCI resources for details.
Tracing providers SHALL only integrate wallets that are compliant with the OCI digital wallet conformance criteria. The OCI conformance programme lays out how compliance with the OCI digital wallet conformance criteria will be verified and compliant wallets made well-known to the Tracing provider.
Tracing providers SHALL integrate the digital wallet REST APIs by establishing secure authentication via an OAuth 2.0 bearer token and encryption via SSL/TLS v1.2+. The connection SHALL be REST on HTTPS.
Tracing providers SHALL have measures in place to facilitate their access to the following wallet APIs:
Given that Tracing providers serve multiple customers, it may be expected that providers will need to integrate one or more digital wallet solutions. The mapping of each Tracing customer to the respective customer digital wallet account is a critical factor in a secure integration.
When a Tracing provider is connected to a wallet solution with one or multiple customer accounts, the Tracing provider SHALL ensure that each of its internal customer accounts has the ability to designate and maintain its digital wallet solution. The association of a Tracing customer to a digital wallet will be maintained through customer configuration.
There are multiple potential Tracing-wallet combinations. Interoperability testing supports the frictionless implementation of technology standards in the context of identity and trust as an ecosystem solution. OCI recommends use of its published test case resources when designing interoperability test activities. Each OCI Digital Wallet provider SHALL ensure interoperability with other OCI Digital Wallets, enabling Tracing solution providers to seamlessly integrate with OCI Digital Wallet providers according to the APIs defined in the OCI Digital Wallet Conformance Criteria.
The Tracing provider SHALL send the TIRequestID or TIResponseID (as applicable) in the Tracing request and response messages to the digital wallet (via the Wallet API) as the corrUUID when requesting the digital wallet to generate a verifiable presentation of a verifiable credential. Refer to OCI Digital Wallet Conformance Criteria for Generating a Verifiable Presentation API.
The Tracing and Digital Wallet integration design SHOULD be optimized to minimize latency.
Tracing SHALL maintain auditable logs of Verifiable Presentation generation and verification requests and responses.
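The following is an added example, not part of the OCI criteria or any wallet provider's code, showing one way a Tracing system could combine the requirements above: per-customer wallet mapping, HTTPS with TLS 1.2+, OAuth 2.0 bearer authentication, the TIRequestID passed as corrUUID, and an audit record that never contains the token. The endpoint path, JSON body shape, host names, tokens and conformant-wallet list are assumptions made for illustration.

```python
import json, ssl, urllib.request
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample configuration; every host, path and token is hypothetical.
CONFORMANT_WALLETS = {"wallet-a.example", "wallet-b.example"}
CUSTOMER_WALLETS = {
    "cust-001": {"base_url": "https://wallet-a.example/api", "token": "constructed-token-1"},
    "cust-002": {"base_url": "http://wallet-b.example/api", "token": "constructed-token-2"},
}
AUDIT_LOG = []  # stand-in for an append-only audit store

def tls_context():
    """Client-side context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_vp_request(customer_id, ti_request_id, path="/presentations"):
    """Prepare (but do not send) a generate-presentation call for one Tracing customer."""
    cfg = CUSTOMER_WALLETS.get(customer_id)
    if cfg is None:  # fail closed: never fall back to another customer's wallet
        raise LookupError(f"no wallet configured for {customer_id}")
    url = urlsplit(cfg["base_url"])
    if url.scheme != "https":
        raise ValueError("wallet endpoint must use HTTPS")
    if url.hostname not in CONFORMANT_WALLETS:
        raise ValueError("wallet is not on the conformant list")
    # corrUUID carries the TIRequestID (or TIResponseID) of the Tracing message.
    body = json.dumps({"corrUUID": ti_request_id}).encode()
    req = urllib.request.Request(
        cfg["base_url"] + path, data=body, method="POST",
        headers={"Authorization": "Bearer " + cfg["token"],
                 "Content-Type": "application/json"})
    # Audit record: who, when, which wallet, which correlation id. No secrets.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "customer": customer_id, "event": "vp_generate_request",
                      "corrUUID": ti_request_id, "wallet": url.hostname})
    return req

if __name__ == "__main__":
    r = build_vp_request("cust-001", "123e4567-e89b-12d3-a456-426614174000")
    print(r.get_method(), r.full_url)
    # To send: urllib.request.urlopen(r, context=tls_context())
```

A matching audit entry for the wallet's response, keyed on the same corrUUID, would complete the request/response trail.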