| 1. Definition | 2. Functional Requirements | 3. Syntax | 4. Semantics |
1 Definition
An Instance Credential binds a Logical Instance Identity to a Cryptographic Instance Identity and asserts its validity, issuer, and supporting evidence.
2 Functional Requirements
An Instance Credential shall:
- Include a Header identifying the version of the Instance Credential structure.
- Bind a logical instance through the Subject field.
- Bind a cryptographic instance through the CII field.
- Identify the issuing authority through the Issuer field.
- Specify the validity interval through the Validity field.
- Optionally include Evidence supporting the credential.
- Include a Signature covering the entire credential.
- Optionally include DataXMData and DescrMetadata.
- Use only the keys defined in this Data Type.
3 Syntax
https://schemas.mpai.community/PTF/V1.0/data/InstanceCredential.json
4 Semantics
| Label | Description |
|---|---|
| Header | Instance Credential Header — Standard “PTF-ICR-V”. |
| InstanceCredentialID | ID of Instance Credential. |
| InstanceCredentialTime | Time of Instance Credential Creation. |
| Subject | Logical instance bound by the credential. |
| Subject.InstanceType | Type of logical instance (“AIMInstance” or “ProcessInstance”). |
| Subject.InstanceID | Identifier of the logical instance. |
| Subject.Specification | URI or identifier of the AIM or Process specification. |
| CII | Reference to the Cryptographic Instance Identity. |
| – HashAlgorithm | Hash algorithm identifier from the Security Algorithm Taxonomy. |
| – Hash | Hash of the referenced CII object (hex or base64url). |
| Issuer | Issuing authority of the credential. |
| – Name | Human‑readable or URI identifier of the issuing authority. |
| – KeyID | Identifier of the issuer’s signing key. |
| Validity | Validity interval of the credential. |
| – NotBefore | Start of the validity interval. |
| – NotAfter | End of the validity interval. |
| – Scope | Optional scope or usage constraint. |
| Evidence | Attestation evidence classified using the Security Evidence Taxonomy. |
| – Type | Evidence type from the Security Evidence Taxonomy. |
| – Value | Opaque evidence payload encoded as base64url. |
| Signature | Digital signature over the credential. |
| – Algorithm | Signature algorithm identifier from the Security Algorithm Taxonomy. |
| – Value | Digital signature value encoded as base64url. |
| DataXMData | Metadata that the Process/AIM exchanges with other Process/AIM. |
| DescrMetadata | Descriptive metadata (max length 2048). |
