| 1. Definition | 2. Functional Requirements | 3. Syntax | 4. Semantics |
1 Definition
A Process Lifecycle Credential (PLC) is a credential that records and attests to the lifecycle state of a specific Process Instance within the MPAI‑PTF Trust Framework. It binds a Process Instance identifier to a lifecycle state (e.g., Created, Running, Terminated), along with issuer, validity, optional supporting evidence, and a digital signature.
The PLC enables relying parties to reason about where in its lifecycle a Process Instance is, and whether that state has been authoritatively asserted and cryptographically protected.
2 Functional Requirements
A Process Lifecycle Credential shall:
- Identify the credential and context
  - Include a Header indicating the PLC version.
  - Optionally include an MInstanceID for the managing instance.
  - Optionally include a ProcessLifecycleCredentialID.
  - Optionally include a ProcessLifecycleCredentialTime indicating when the PLC was created.
- Bind to a specific Process Instance
  - Include a ProcessInstanceID identifying the Process Instance whose lifecycle is being attested.
- Express lifecycle state
  - Include a LifecycleState value from a controlled set: Created, Configured, Running, Suspended, Terminated, Destroyed.
- Identify the issuer
  - Include an Issuer object with:
    - Name — human‑readable or URI identifier of the issuing authority.
    - KeyID — identifier of the issuer’s signing key.
- Define temporal validity
  - Include a Validity object with:
    - NotBefore — earliest time at which the PLC is valid.
    - NotAfter — latest time at which the PLC is valid.
- Optionally attach supporting evidence
  - Optionally include an Evidence array where each item:
    - Has a Type from the Security Evidence Taxonomy.
    - Has a Value as an opaque payload (base64url).
    - May include HashAlgorithm from the Security Algorithm Taxonomy (Hash).
    - May include HashValue as a hash of the evidence payload.
- Provide integrity protection
  - Include a Signature object with:
    - Algorithm from the Security Algorithm Taxonomy (Signature).
    - Value as a base64url‑encoded digital signature over the PLC.
- Support metadata
  - Optionally include DataXMData for data‑exchange metadata.
  - Optionally include DescrMetadata as human‑readable descriptive metadata.
- Forbid undeclared fields
  - Reject any properties not defined in the schema.
3 Syntax
https://schemas.mpai.community/PTF/V1.0/data/ProcessLifecycleCredential.json
4 Semantics
| Label | Description |
|---|---|
| Header | PLC header string, of the form PTF-PLC-Vx.y, indicating the version of the PLC structure. |
| MInstanceID | Optional identifier of a relevant virtual instance. |
| ProcessLifecycleCredentialID | Optional identifier of this specific PLC. |
| ProcessLifecycleCredentialTime | Time at which the PLC was created, using the OSD Time data type. |
| ProcessInstanceID | Identifier of the Process Instance whose lifecycle state is being attested. |
| LifecycleState | Lifecycle state of the Process Instance. One of: Created, Configured, Running, Suspended, Terminated, Destroyed. |
| Issuer | Information about the authority issuing the PLC. |
| Issuer.Name | Human‑readable or URI identifier of the issuing authority. |
| Issuer.KeyID | Identifier of the issuer’s signing key used to sign the PLC. |
| Validity | Temporal validity interval of the PLC. |
| Validity.NotBefore | Earliest time at which the PLC is considered valid. |
| Validity.NotAfter | Latest time at which the PLC is considered valid. |
| Evidence | Optional list of evidence items supporting the asserted lifecycle state. |
| Evidence[].Type | Evidence type identifier from the Security Evidence Taxonomy. |
| Evidence[].Value | Opaque evidence payload encoded as base64url. |
| Evidence[].HashAlgorithm | Optional hash algorithm identifier from the Security Algorithm Taxonomy (Hash). |
| Evidence[].HashValue | Optional hash of the evidence payload, encoded as hex or base64url. |
| Signature | Digital signature over the PLC. |
| Signature.Algorithm | Signature algorithm identifier from the Security Algorithm Taxonomy (Signature). |
| Signature.Value | Digital signature value encoded as base64url. |
| DataXMData | Data exchange metadata, as defined in DataExchangeMetadata.json. |
| DescrMetadata | Optional human‑readable descriptive metadata (max length 2048 characters). |
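
The requirements in section 2 and the field table above can be turned into a relying-party pre-check. The following Python sketch is an added example, not part of the MPAI specification or its schema; the published JSON schema remains authoritative. It assumes ISO 8601 time strings, `SHA-256` as a hash identifier, hex `HashValue` computed over the decoded payload, and that each nested object carries exactly the sub-fields listed; signature verification is left out because the page does not define the byte representation that is signed.

```python
import base64, hashlib, re
from datetime import datetime, timezone

# Field names come from the tables above; the published JSON schema stays authoritative.
REQUIRED = {"Header", "ProcessInstanceID", "LifecycleState", "Issuer", "Validity", "Signature"}
OPTIONAL = {"MInstanceID", "ProcessLifecycleCredentialID", "ProcessLifecycleCredentialTime",
            "Evidence", "DataXMData", "DescrMetadata"}
# Assumption: every listed sub-field of these objects is required and no others are allowed.
NESTED = {"Issuer": {"Name", "KeyID"}, "Validity": {"NotBefore", "NotAfter"},
          "Signature": {"Algorithm", "Value"}}
STATES = {"Created", "Configured", "Running", "Suspended", "Terminated", "Destroyed"}

def check_plc(plc, now):
    """Return a list of problems found; an empty list means every pre-check passed."""
    keys = set(plc)
    problems = [f"missing {k}" for k in sorted(REQUIRED - keys)]
    problems += [f"undeclared {k}" for k in sorted(keys - REQUIRED - OPTIONAL)]
    for obj, fields in NESTED.items():
        if obj in plc and set(plc[obj]) != fields:
            problems.append(f"bad {obj} fields")
    if problems:
        return problems  # stop before reading fields that may be absent
    if not re.fullmatch(r"PTF-PLC-V\d+\.\d+", plc["Header"]):
        problems.append("bad Header")
    if plc["LifecycleState"] not in STATES:
        problems.append("bad LifecycleState")
    # Assumption: times are ISO 8601 strings with a UTC offset (the page says "OSD Time").
    v = plc["Validity"]
    nb, na = (datetime.fromisoformat(v[k]) for k in ("NotBefore", "NotAfter"))
    if not nb <= now <= na:
        problems.append("outside Validity")
    for i, ev in enumerate(plc.get("Evidence", [])):
        # Assumptions: "SHA-256" identifier, hex HashValue, hash taken over the decoded payload.
        if ev.get("HashAlgorithm") == "SHA-256" and "HashValue" in ev:
            raw = base64.urlsafe_b64decode(ev["Value"] + "=" * (-len(ev["Value"]) % 4))
            if hashlib.sha256(raw).hexdigest() != ev["HashValue"].lower():
                problems.append(f"Evidence[{i}] hash mismatch")
    return problems

# Constructed sample; identifiers, times and the signature value are placeholders.
SAMPLE = {
    "Header": "PTF-PLC-V1.0", "ProcessInstanceID": "proc-0001", "LifecycleState": "Running",
    "Issuer": {"Name": "https://issuer.example", "KeyID": "key-1"},
    "Validity": {"NotBefore": "2025-01-01T00:00:00+00:00", "NotAfter": "2025-12-31T23:59:59+00:00"},
    "Evidence": [{"Type": "example-type", "Value": "aGVsbG8", "HashAlgorithm": "SHA-256",
                  "HashValue": hashlib.sha256(b"hello").hexdigest()}],
    "Signature": {"Algorithm": "example-alg", "Value": "c2ln"},
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
```

A PLC that passes these checks is only well-formed and in date; the asserted state is not authoritative until Signature.Value has been verified against the key named by Issuer.KeyID.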