From e3fef8e6b9ecf72dfe644b009353a0911b7f4f58 Mon Sep 17 00:00:00 2001 From: Manu Sporny Date: Sat, 26 Aug 2023 15:05:16 -0400 Subject: [PATCH 1/5] Add revoked and expires properties to JsonWebKey context. --- contexts/jwk/v1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/contexts/jwk/v1 b/contexts/jwk/v1 index fdc284ab..93d8d0c4 100644 --- a/contexts/jwk/v1 +++ b/contexts/jwk/v1 @@ -13,6 +13,14 @@ "@id": "https://w3id.org/security#controller", "@type": "@id" }, + "revoked": { + "@id": "https://w3id.org/security#revoked", + "@type": "http://www.w3.org/2001/XMLSchema#dateTime" + }, + "expires": { + "@id": "https://w3id.org/security#expiration", + "@type": "http://www.w3.org/2001/XMLSchema#dateTime" + }, "publicKeyJwk": { "@id": "https://w3id.org/security#publicKeyJwk", "@type": "@json" From aded2d69a9c89596f265bcec2aba7f2f47217f20 Mon Sep 17 00:00:00 2001 From: Manu Sporny Date: Sat, 26 Aug 2023 15:19:40 -0400 Subject: [PATCH 2/5] Add `expires` property to verification method properties list. --- index.html | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/index.html b/index.html index cb6d1923..9f7f0b3d 100644 --- a/index.html +++ b/index.html @@ -995,14 +995,29 @@
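Review bot: in the contexts/jwk/v1 hunk of PATCH 1/5, the new `expires` term maps to `https://w3id.org/security#expiration` while the sibling `revoked` term maps to `#revoked`, so the JSON-LD term and the IRI fragment disagree for one property but not the other; the vocabulary entry touched later in this series is `id: expires`, so the context should resolve to `https://w3id.org/security#expires` unless the vocabulary term is renamed as well. Second, both new terms are coerced to `http://www.w3.org/2001/XMLSchema#dateTime`, whereas the prose added in PATCH 2/5 requires an [[XMLSCHEMA11-2]] `dateTimeStamp` string (a `dateTime` whose timezone offset is mandatory); pick one datatype and use it in the context, the vocabulary `range` and the prose, otherwise a value with no offset passes the context coercion but violates the text.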

Verification Methods

The value of the `controller` property MUST be a string that conforms to the [[URL]] syntax. +
+
expires
+
+The `expires` property is OPTIONAL. It is set, in advance, by the +controller of a verification method to signal when that method +can no longer be used for verification purposes. If provided, it MUST be an +[[XMLSCHEMA11-2]] `dateTimeStamp` string specifying when the +verification method SHOULD cease to be used. Once the value is set, it is +not expected to be updated, and systems depending on the value are expected to +not verify any proofs associated with the verification method at or after +the time of expiration.
revoked
-The `revoked` property is OPTIONAL. If provided, it MUST be an [[XMLSCHEMA11-2]] +The `revoked` property is OPTIONAL. It is set by the controller of a +verification method to signal when that method is to no longer to be used +for verification purposes, such as after a security compromise of the +verification method. If provided, it MUST be an [[XMLSCHEMA11-2]] `dateTimeStamp` string specifying when the verification method -SHOULD cease to be used. Once the value is set, it is not expected to be updated, and -systems depending on the value are expected to not verify any proofs associated -with the verification method at or after the time of revocation. +SHOULD cease to be used. Once the value is set, it is not expected to be +updated, and systems depending on the value are expected to not verify any +proofs associated with the verification method at or after the time of +revocation.
From 2d1726e6b45e41ef321bfba7621abc641159b21e Mon Sep 17 00:00:00 2001 From: Manu Sporny Date: Sat, 26 Aug 2023 15:39:15 -0400 Subject: [PATCH 3/5] Re-anchor definition for expires (on proof and verification method). --- index.html | 16 +++++++++------- vocab/security/vocabulary.yml | 8 +++++--- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/index.html b/index.html index 9f7f0b3d..0e70bc55 100644 --- a/index.html +++ b/index.html @@ -614,10 +614,11 @@
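Review bot: in the PATCH 2/5 hunk of index.html (the Verification Methods property list), the rewritten `revoked` paragraph reads "to signal when that method is to no longer to be used", a duplicated "to"; suggest "to signal that the method is no longer to be used". Also, the new `expires` paragraph and the `revoked` paragraph both tell systems "to not verify any proofs associated with the verification method at or after the time of" expiration or revocation without saying which time is compared: the Relationship to Verifiable Credentials section speaks of a "time of interest (which might be the current time or any other time)", and these two definitions should use that same phrase, since a verifier checking a historical proof otherwise cannot tell whether the proof's `created` time or the moment of verification is the one compared against `expires` or `revoked`.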

Proofs

specified as an [[XMLSCHEMA11-2]] `dateTimeStamp` string. -
expires
+
expires
-An OPTIONAL property that conveys the date and time that a proof expires and that, if present, MUST be -specified as an [[XMLSCHEMA11-2]] `dateTimeStamp` string. +An OPTIONAL property that conveys the date and time that a proof expires and +that, if present, MUST be specified as an [[XMLSCHEMA11-2]] combined date and +time string.
domain
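Review bot: in the PATCH 3/5 hunk for the Proofs section, replacing "[[XMLSCHEMA11-2]] `dateTimeStamp` string" with "[[XMLSCHEMA11-2]] combined date and time string" loosens the requirement: "combined date and time" is not a datatype name in that specification, and dropping `dateTimeStamp` drops the mandatory timezone offset, so two implementations could disagree about the instant at which a proof expires. PATCH 4/5 restores `dateTimeStamp`; consider squashing the two so the intermediate wording never lands on the main branch. The id change on the `expires` definition itself is not visible here because the markup was stripped, but it has to match the `#defn-proof-expires` fragment used by the `href` edits and the vocabulary `defined_by` later in this same patch.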
@@ -996,7 +997,7 @@

Verification Methods

The value of the `controller` property MUST be a string that conforms to the [[URL]] syntax. -
expires
+
expires
The `expires` property is OPTIONAL. It is set, in advance, by the controller of a verification method to signal when that method @@ -1925,8 +1926,8 @@

Relationship to Verifiable Credentials

Document authors and implementers are advised to understand the difference between the validity period of a proof, which is expressed using the `created` and `expires` properties, and the validity period of a -credential, +href="#defn-proof-expires">`expires` properties, and the validity period of +a credential, which is expressed using the `validFrom` and `validUntil` properties. @@ -1935,7 +1936,8 @@

Relationship to Verifiable Credentials

proof, it is important to ensure that the time of interest (which might be the current time or any other time) is within the validity period for the proof (that is, between -`created` and `expires` ). +`created` and +`expires` ). When validating a verifiable credential, it is important to ensure that the time of interest is within the validity period for the diff --git a/vocab/security/vocabulary.yml b/vocab/security/vocabulary.yml index dc490541..1f817c2d 100644 --- a/vocab/security/vocabulary.yml +++ b/vocab/security/vocabulary.yml @@ -207,9 +207,11 @@ property: range: xsd:dateTime - id: expires - label: Proof expiration time - defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-expires - domain: sec:Proof + label: Expiration time for a proof or verification method + defined_by: https://www.w3.org/TR/vc-data-integrity/#defn-proof-expires + domain: + - sec:Proof + - sec:VerificationMethod range: xsd:dateTime - id: nonce From b298c4953928fd59b0d01ff5e8f2b522a2d87523 Mon Sep 17 00:00:00 2001 From: Manu Sporny Date: Sat, 2 Sep 2023 10:24:00 -0400 Subject: [PATCH 4/5] Simplify grammar for `expires` property. Co-authored-by: Ted Thibodeau Jr --- index.html | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index 0e70bc55..2fa7d5c3 100644 --- a/index.html +++ b/index.html @@ -616,9 +616,8 @@
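Review bot: in the vocab/security/vocabulary.yml hunk of PATCH 3/5, `domain` now lists both `sec:Proof` and `sec:VerificationMethod` but `defined_by` points only at `#defn-proof-expires`, the proof definition; the verification-method definition added in PATCH 2/5 has different semantics (set in advance by the controller, not expected to be updated) and is not reachable from the vocabulary at all. Either point `defined_by` at a section that covers both usages, or keep a single definition and have the other entry reference it. The unchanged `range: xsd:dateTime` also still disagrees with the `dateTimeStamp` the prose requires, the same mismatch as in the JWK context.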

Proofs

expires
-An OPTIONAL property that conveys the date and time that a proof expires and -that, if present, MUST be specified as an [[XMLSCHEMA11-2]] combined date and -time string. +The `expires` property is OPTIONAL. If present, it MUST be an [[XMLSCHEMA11-2]] +`dateTimeStamp` string specifying when the proof expires.
domain
From c4aede2d1851454a91856b1ee8f17d22d683d353 Mon Sep 17 00:00:00 2001 From: Manu Sporny Date: Sat, 2 Sep 2023 10:56:59 -0400 Subject: [PATCH 5/5] Clarify VM revocation/expiration vs. VC revocation. --- index.html | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/index.html b/index.html index 2fa7d5c3..6e94da91 100644 --- a/index.html +++ b/index.html @@ -1949,6 +1949,23 @@
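Review bot: in the PATCH 4/5 hunk, the simplified sentence "specifying when the proof expires" restores `dateTimeStamp` but, unlike the verification-method `expires` and `revoked` definitions ("at or after the time of"), it does not say whether a time of interest equal to the `expires` value is inside or outside the validity period; the Relationship to Verifiable Credentials text only says "between `created` and `expires`". Suggest wording such as "specifying the time at or after which the proof is no longer valid", so the proof boundary and the verification-method boundary are defined the same way.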

Relationship to Verifiable Credentials

credential, might result in accepting data that ought to have been rejected.

+ +

+Finally, implementers are also urged to understand that there is a difference +between the revocation time and +expiration time for a verification method, +and the revocation information associated with a verifiable credential. +The revocation time and +expiration time for a verification method +are expressed using the `revocation` and `expires` properties, respectively, and +are related to events such as a private key being compromised or expiring and +can provide timing information which might reveal details about a controller +such as their security practices or when they might have been compromised. The +revocation information for a verifiable credential is expressed using +the `credentialStatus` property and is related to events such as an individual +losing the privilege that is granted by the verifiable credential and +does not provide timing information, which enhances privacy. +
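Review bot: in the PATCH 5/5 hunk, the new paragraph says the verification-method revocation time is "expressed using the `revocation` and `expires` properties", but the property defined in PATCH 2/5 and mapped in the JWK context is `revoked`; change `revocation` to `revoked`, ideally as an `href` to its definition like the neighbouring terms, so the paragraph names a property that exists. A smaller nit: "is expressed using the `credentialStatus` property and ... does not provide timing information" is stated for all status mechanisms, which this specification does not define; "need not provide timing information" keeps the privacy point without over-claiming.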