Replacing credentials
◆ All user credentials, including certificates, must be replaced on a regular basis. The Identity Service Provider will determine the frequency with which the identity certificate is replaced. Because attribute certificates are linked to identity certificates, these must also be replaced at the same time.
◆ Some use cases, for example CBDC, may require credentials to be replaced after only a short period of time (e.g. every 7 days). This is to prevent third parties from tracking the user's activity and deriving their identity.
◆ A user can also request that their credentials are replaced at any time, from within the app.
◆ To replace credentials, a new public/private key pair is generated and an associated CSR is created within the app. The user must perform SCA on the CSR, which is then transmitted to the Identity/Attribute Service Provider. The Identity/Attribute Service Provider can then automatically issue the user with new certificates which are automatically downloaded to the app.
◆ Once these new certificates are available locally on the device, the user is requested to replace their existing subscription credentials with the new ones.
◆ The Identity/Attribute Service Provider(s) will revoke the old certificates and the associated private key will be deleted from the device.
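
An added example, not code from the original page or the project it describes: the key-pair and CSR step above, followed by a check a provider could run before issuing the replacement certificate. It uses Python's `cryptography` package; the P-256 curve, the function names, the constructed subject values and the key-reuse check are assumptions, and SCA and transmission are not modelled.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def spki(public_key) -> bytes:
    """DER SubjectPublicKeyInfo, used to compare public keys byte for byte."""
    return public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )

def build_csr(subject_cn: str, key=None):
    """App side: generate a fresh key pair (unless one is passed) and sign a CSR."""
    if key is None:
        key = ec.generate_private_key(ec.SECP256R1())  # curve is an assumption
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject)
    csr = csr.sign(key, hashes.SHA256())
    return key, csr.public_bytes(serialization.Encoding.PEM)

def check_replacement_csr(csr_pem: bytes, old_spki: bytes) -> str:
    """Provider side (hypothetical helper): "ok" or the reason for refusal."""
    try:
        csr = x509.load_pem_x509_csr(csr_pem)
    except ValueError:
        return "malformed CSR"
    # The CSR self-signature proves the requester holds the new private key.
    if not csr.is_signature_valid:
        return "signature invalid: no proof of possession"
    # A replacement that carries the old public key stays linkable to the
    # old certificate, so it does not achieve the purpose of the rotation.
    if spki(csr.public_key()) == old_spki:
        return "key reuse: replacement must carry a new key pair"
    return "ok"

def demo() -> dict:
    # Constructed sample data: one retiring key and two replacement requests.
    old_key, _ = build_csr("constructed-subject-old")
    old_spki = spki(old_key.public_key())
    _, fresh = build_csr("constructed-subject-new")
    _, reused = build_csr("constructed-subject-new", key=old_key)
    return {
        "fresh": check_replacement_csr(fresh, old_spki),
        "reused": check_replacement_csr(reused, old_spki),
        "garbage": check_replacement_csr(b"not a csr", old_spki),
    }
```
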