# 21.07.2021 Risk Assessment Meeting Notes
###### tags: `risk assessment`
The time slot is up for discussion.
https://terminplaner4.dfn.de/L2kUIlqOb6Xeavb7
## Agenda
- New Timeslot Monday 9-11, from August 2nd
- Lifecycle draft Document (IAO)
- eID Issuance Process - Questions to Governikus
- Any new developments
## Notes
### Lifecycle diagram

- Arrows are state changes
- Differences between Management states? Revision/Auditing to Provisioning
- threat categorization along states (use of states)
- Nomenclature from ISO
- Question: What state transitions are part of DIDComm, SSI specifications, RFCs? And what is outside the protocol?
  - Using area would be covered, as well as Issuing and Presentation of Credentials. Initialization is not covered. Focus on interaction with other agents. DID-creation method is highly specific and most likely not covered.
  - Revision should also be covered (VC world)
  - Revocation: SSI-specific specification
- Initialization: It is already possible to start using the wallet with DID and keys, no external provision required, so shortcut arrow to Use-state possible
- credential based life cycle (DID) of documents exists in parallel
- wallet revocation is missing
- DID deactivation will also revoke Credentials
- IDs can be suspended and deactivated, does this also apply to DIDs?
  - DID spec does not talk about it, not a described/discussed use case
  - VC suspension has no Aries protocol.
  - Answer: No, not yet.
- Suspension in ONCE not yet possible.
## eID diagram
- step 1 is actually an entry-point (Einsprung) process starting the use case
- up to step 26 the interaction can be called generic, from step 27 it is use case specific
- Step 4 is realized with a QR code scanned by the ONCE Wallet; there is no direct interaction between ID-Gateway and Wallet, so it must be forwarded by the provisioning service (relying party)
## Hotel use case
-