Not After Verification Policy Reference
This reference documents the notAfter verification policy for the verifier service. The notAfter policy checks if a credential has expired based on its expiration date.
Policy Overview
The notAfter verification policy validates the temporal validity of credentials and presentations by ensuring they have not been used after their expiration date. This temporal check helps enforce time-bound credentials that should only be valid until a specific point in time.
Supported Standards
The notAfter verification policy supports expiration validation across multiple standards:
| Standard | Organization | Specification | Expiration Property | Validation Aspect |
|---|---|---|---|---|
| JSON Web Token (JWT) | IETF | RFC 7519 §4.1.4 | exp (expiration time) | Checks current time against the JWT expiration time claim |
| ISO 18013-5 mDL | ISO | ISO 18013-5:2021 §8.2.2.2 | expiry_date | Verifies mobile driving license has not been used after its expiration date |
| Verifiable Credentials Data Model v1.1 | W3C | VC Data Model §4.8 | expirationDate | Validates credential has not been used after its expiration date |
| Verifiable Credentials Data Model v2.0 | W3C | VC Data Model §4.9 | validUntil | Ensures current time is not after the specified validUntil date |
How It Works
The notAfter policy validates one or more date fields in the credential to ensure that the current time is not after the expiration date:

```mermaid
flowchart LR
    subgraph "notAfter Verification"
        Input[Credential] --> Extract[Extract Date Values]
        Extract --> Compare[Compare with Current Time]
        Compare --> Decision{Is Current Time <= Expiration Date?}
        Decision -->|Yes| Valid[Valid]
        Decision -->|No| Invalid[Invalid: Expired]
    end
    style Input fill:#f9f9f9,stroke:#333,stroke-width:1px
    style Extract fill:#e1f5fe,stroke:#333,stroke-width:1px
    style Compare fill:#e1f5fe,stroke:#333,stroke-width:1px
    style Decision fill:#e1f5fe,stroke:#333,stroke-width:1px
    style Valid fill:#dcedc8,stroke:#333,stroke-width:1px
    style Invalid fill:#ffcdd2,stroke:#333,stroke-width:1px
```
Temporal Properties
The notAfter policy can verify different temporal properties depending on the credential format:
| Credential Type | Temporal Property | Description | Specification Reference |
|---|---|---|---|
| W3C Verifiable Credential (v1.1) | expirationDate | The date when the credential expires | W3C VC Data Model §4.8 |
| W3C Verifiable Credential (v2.0) | validUntil | Explicit date until which the credential is valid | W3C VC Data Model §4.9 |
| JWT Credential | exp (expiration time) | Date after which the JWT is not valid | IETF RFC 7519 §4.1.4 |
| ISO 18013-5 mDL | expiry_date | Date after which the mobile driving license is not valid | ISO 18013-5:2021 §8.2.2.2 |
Time Tolerance
The notAfter policy supports a configurable time tolerance to account for:
- Clock skew between issuer, holder, and verifier systems
- Network delays in credential transmission and verification
- Time zone discrepancies
The tolerance is specified in milliseconds and creates a buffer period after the expiration date where the credential is still considered valid.
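The check and tolerance described above can be sketched as follows. This is an added example, not the verifier service's own code: the function names, the field lookup order, the end-of-day reading of date-only values, and failing closed on a missing field are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Expiration properties from the tables above, checked in this (assumed) order.
EXPIRY_FIELDS = ("validUntil", "expirationDate", "exp", "expiry_date")


def extract_expiry(credential: dict) -> Optional[datetime]:
    """Return the expiration instant as an aware UTC datetime, or None if absent."""
    for field in EXPIRY_FIELDS:
        if field not in credential:
            continue
        value = credential[field]
        if field == "exp":
            # RFC 7519 NumericDate counts seconds since the epoch, not milliseconds.
            return datetime.fromtimestamp(value, tz=timezone.utc)
        if len(value) == 10:
            # Date-only value: assumed here to stay valid through the end of that UTC day.
            day = datetime.strptime(value, "%Y-%m-%d")
            return day.replace(hour=23, minute=59, second=59, tzinfo=timezone.utc)
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
        # Assumption: a timestamp without an offset is read as UTC.
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def check_not_after(credential: dict, now: datetime, tolerance_ms: int = 0,
                    allow_missing: bool = False) -> Tuple[bool, str]:
    """Valid while now <= expiration + tolerance, as in the flowchart above."""
    expiry = extract_expiry(credential)
    if expiry is None:
        # Behaviour for a missing date field is configurable; failing closed is assumed.
        return allow_missing, "no expiration property"
    deadline = expiry + timedelta(milliseconds=tolerance_ms)
    return (True, "valid") if now <= deadline else (False, "expired")


if __name__ == "__main__":
    # Constructed sample: verifier clock is 30 seconds past the expiration instant.
    now = datetime(2025, 1, 1, 0, 0, 30, tzinfo=timezone.utc)
    jwt_claims = {"exp": 1735689600}  # 2025-01-01T00:00:00Z
    for tol in (0, 60, 60_000):       # 60 is the seconds-as-milliseconds mistake
        print(tol, check_not_after(jwt_claims, now, tolerance_ms=tol))
```

Because the tolerance extends acceptance past the stated expiration, every millisecond added is time during which an expired credential still verifies; size it to the clock skew actually observed rather than to a round number.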
Configuration
The notAfter verification policy offers various configuration options that control its behavior, including:
- Enabling or disabling temporal validation
- Setting time tolerance values
- Configuring behavior for missing date fields
- Setting different validation rules for credentials and presentations
For detailed configuration options, parameters, and default values, see the Verifier Configuration Reference.