FAQ

Whilst the theory of Verifiable Credentials can be overwhelming, their use is not. OCI provides solution providers with a knowledge base to get up to speed. It is then down to them to create user-friendly apps. We understand that the aim is to provide credentialing fully integrated into existing solutions.

DSCSA requires Product Verifications on returned and suspicious products. The industry is using the Verification Routing Service (VRS) infrastructure to exchange verification requests between wholesalers or dispensers and manufacturers.

Because most product verification requests must be sent directly to manufacturers, this leads to situations where, for example, a manufacturer interacts with a dispenser with whom the company has no prior business relationship.

The challenge here is that pharmaceutical supply chain actors are only supposed to be transacting with authorized trading partners (ATP). If you have never dealt with the other side, how will you know whether they are an ATP as defined by DSCSA?

That’s why all trading partners involved in product verifications must check the ATP status of their counterparty. To ensure that both sides comply with DSCSA requirements, OCI has developed an approach to credentialing that enables a fully automated interoperable electronic verification process of the authorized status.

Watch this short video for further information.

No. There is no membership requirement to use a solution supplied by an OCI-conformant provider. Nevertheless, we encourage trading partners and solution providers to actively participate in the development of the OCI architecture and governance.

Every full member must commit to the OCI Governance and sign our Membership Agreement. Please check our OCI community page. Once signed and accepted, you are a full member and can contribute to OCI in our meetings and work groups with members from across the industry.

There are no membership fees for trading partners.

For membership questions, please contact hello@oc-i.org.

Sure. Please send your feedback, suggestions and questions to hello@oc-i.org.

For specific feedback on all resources published on the OCI GitHub, please use the standard “Issue” feature provided by GitHub.

The industry is currently using multiple solution providers, different routing services and implementations to fulfill DSCSA requirements. Hence, multiple providers and trading partners exchange data and interact with each other. To enable interoperability between all these parties, OCI has developed a decentralized architecture that enables all interacting trading partners to verify their authorized trading partner (ATP) status in an electronic way.

This is achieved by combining the usage of Verifiable Credentials that express the ATP status with unique Decentralized Identifiers. These components are defined by open standards from the World Wide Web Consortium (W3C). This is the same organization that has defined the standards for how the internet works today.

Leveraging these W3C-defined tools avoids vendor lock-in, interoperability constraints, and data aggregation within a central entity.

Here is a short video about the DSCSA ATP Credentialing.

Verifiable Credentials are effectively electronic proofs similar to credentials we use in everyday life, such as your driving license giving assurance that you are able to drive properly.

OCI architecture incorporates Verifiable Credentials to exchange the authorized trading partner (ATP) status in digital interactions. Every recipient having access to a Digital Wallet can verify the received presentation of an ATP Verifiable Credential.

In technical terms, a Verifiable Credential is a digital assertion containing a set of claims (e.g., about a state license or FDA Establishment Identifier) made by an entity about itself or another entity. A subset of identity data, Verifiable Credentials are cryptographically signed and can be verified. Verifiable Credentials can be used to create selective disclosures of information (known as “verifiable presentations”) to limit data exposure. The entity described by the claims is called the subject of the credential.

OCI uses Verifiable Credentials in accordance with the openly accessible W3C specification.

A Digital Wallet is the software used to manage the digital identity and its associated Verifiable Credentials.

The Digital Wallet is the layer providing trading partners and credential issuers a peer-to-peer exchange of credential details. The issuer of credentials can send credentials into the Digital Wallet of the Trading Partner. The Trading Partner can use the Digital Wallet to acquire, store and present credentials.

In the OCI ecosystem, integrators like Verification Routing Service (VRS) providers are able to connect themselves to their customers’ Digital Wallets.

On a customer's behalf, the VRS provider can:

• request the presentation of the ATP credential (and attach it to a product enquiry or response message) and

• verify all incoming ATP credentials.

OCI has established multiple mechanisms to ensure that a credential is trustworthy. A central element is the usage of OCI-conformant, cryptographically verifiable credentials that are signed by the issuer and the presenter. Additionally, each presented credential is confined by an expiration period.

1. Digital Signatures proof authenticity

a. Each issued Verifiable Credential is signed by the credential issuer. OCI-conformant issuers are listed in a public registry, which is automatically checked as part of the business interaction to ascertain the origin of the signature.

b. The issuer’s publicly accessible digital signature is derived from a private key (secret signing mechanism) in their digital wallet. OCI requires from digital wallet providers strong security mechanisms to protect the integrity of private keys.

c. The decentralized identifier (DID) of a credential issuer is anchored on their secured domain name server. This makes the issuer’s identifier secure, trustworthy and human readable. Example DID: did:web:credential-issuer-name.com

d. In addition, the credential holder signs each presentation of a credential using a similar signing mechanism as the issuer.

e. The recipient of a credential (verifier) can challenge all signatures and scrutinize whether a credential and its presentation are trustworthy through automated mechanisms.

2. Avoiding re-usage of credentials

a. After five minutes, each OCI-conformant presentation of a Verifiable Credential expires. Enforcing this short timespan avoids re-usage of credentials for unintended purposes.

The OCI has launched an Early Adopter Program initiative. The Early Adopter Program is supported by VRS providers and has the objective to validate the OCI architecture with trading partners. Please refer to our dedicated page.