Credentials
About credentials
Section titled “About credentials”A credential is an attestation that a project has met a specific policy.
Credentials are typically issued once an auditing team deems the policy’s requirements have been implemented to a satisfactory degree. When issuing a credential, the issuer must always specify an expiration date. An active credential can also be revoked at any time.
Key concepts and actions associated with credentials include:
What a credential contains
Section titled “What a credential contains”Credentials are machine-readable JSON files which follow the W3C Verifiable Credential format.
Each credential includes:
- The project and policy it attests to.
- The declarations and reviews that support the attestation, referenced by their CIDs.
- The person who issued the credential.
- A validity period, defined by its issue date and expiration date.
- A revocation status, so the credential can be revoked before its expiration date if needed.
Because every credential is cryptographically-signed, anyone can verify who issued it and confirm it has not been altered since. Credentials appear under the Certification tab of an applied policy, in the Issued Credentials table. Once a policy has an active credential, the project displays a Certified status.
Issuing a credential
Section titled “Issuing a credential”A credential can be issued at any time, regardless of how many controls in the policy have been marked Compliant.
To issue a credential:
- From an applied policy, select the Certification tab
- Select Issue Credential
- Enter an Expiration Date and choose the date and time the credential will expire
- Select Review
- Review the credential summary, then select Issue Credential
Downloading a credential
Section titled “Downloading a credential”A credential can be downloaded as a JSON file for independent verification.
To download a credential:
- From an applied policy, select the Certification tab
- In the Issued Credentials table, select the actions menu (⋮) on the credential’s row
- Select Download Credential
Revoking a credential
Section titled “Revoking a credential”Revoking a credential invalidates it before its expiration date. This can be used, for example, if a project’s compliance status changes after the credential was issued.
Revoked credentials cannot be made active again — a new credential would have to be issued.
To revoke a credential:
- From an applied policy, select the Certification tab
- In the Issued Credentials table, select the actions menu (⋮) on the credential’s row
- Select Revoke Credential
- Provide a reason for revoking the credential
- Select Revoke Credential to confirm
Once revoked, the credential’s reason for revocation — along with who revoked it and when — can be viewed by selecting the credential’s row in the Issued Credentials table.