Conformity Assessment

This section is based on ISO/IEC 17000:2020, Conformity assessment, published by the ISO Committee on Conformity Assessment (CASCO).

Compliance vs Compatibility

A compliant service conforms to given policies or rules.
Compatible software conforms to a given technical implementation.
Two services can be compliant with the same policies and rules without necessarily being compatible.
Two services can be compatible with each other without necessarily being compliant with the same policies and rules.

Workflows

```mermaid
flowchart
    SystemOwner(System Owner)
    subgraph CASystem [Conformity Assessment System]
        direction TB
        SchemeOwner(Scheme Owner)
        CAScheme(Conformity Assessment Scheme)
        object(Objects of Conformity Assessment)
        criteria(Specified Requirements)
        AB(Accreditation Bodies)
        CAB(Conformity Assessment Bodies)
        CAA(Conformity Assessment Activities)

        SchemeOwner -- develop and maintain --> CAScheme
        CAScheme -- identify --> criteria
        CAScheme -- provide the methodology to perform --> CAA
        CAA -- demonstrate fulfillment of --> criteria
        criteria -- need or expectation applying to --> object
        CAB -- perform --> CAA
        AB -- issue accreditations to --> CAB
        SchemeOwner -. award authority to .-> AB
    end

    SystemOwner -- develops and maintains --> CASystem
```

The positive result of the conformity assessment activities is an attestation: a statement that fulfilment of the Specified Requirements has been demonstrated, for a given Conformity Assessment Scheme and scope of attestation.

Attestation types

| Type of attestation in ISO/IEC 17000:2020 | Example |
|---|---|
| First-party conformity assessment activity, also known as declaration | A person self-declaring themselves competent. |
| Second-party conformity assessment activity | Assessment of a person's knowledge and skills conducted by someone with an interest in the person (trainer/instructor). |
| Third-party conformity assessment activity, also known as certification | Assessment of a person's knowledge and skills conducted via an impartial exam. |

Assessment and Signing activities

ISO/IEC 17000:2020 and the W3C Verifiable Credentials (VC) documents mentioned above have overlapping but distinct scopes.

| ISO/IEC 17000:2020 term | Relation | Verifiable Credentials Data Model term |
|---|---|---|
| 🟩 The object of the assessment | is equivalent to | 🟩 The RDF subject in the credentialSubject |
| 🟩 The CAB issuing an attestation | is equivalent to | 🟩 The VC issuer |
| 🟧 An attestation document (.pdf, .jpg) does not necessarily contain a cryptographic mechanism that makes it tamper-proof. | is NOT equivalent to | 🟩 A VC must contain at least one cryptographic proof. |
| 🟩 An attestation document must refer to a Conformity Assessment Scheme. | is NOT equivalent to | 🟧 The VC's claims are issued under the sole authority of the issuer. |

Success

This specification leverages the best 🟩 of both ISO/IEC 17000:2020 and the W3C VC specifications by:

  • Adopting the formal and well-defined ISO/IEC 17000:2020 workflows for issuing claims.
  • Adopting the state-of-the-art W3C VC mechanism to ensure tamper-proof and machine-readable information.

Example

  1. A CAB outputs attestation(s).
  2. A VC issuer issues credential(s).
  3. A Trust Service Provider is a type of CAB which issues certificate(s).
  4. A CAB can also issue credential(s).
  5. The signature of a credential can be verified using the certificate of the credential's issuer.
  6. The trustworthiness of a credential is directly proportional to the capacity of the verifier to assess the trustworthiness of the issuer's certificate.