![](data:image/svg+xml,%3Csvg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"%3E%3Crect width="16" height="16" rx="4" fill="%23093bff"/%3E%3Ctext x="8" y="11" text-anchor="middle" font-size="9" font-family="Arial,Helvetica,sans-serif" fill="white"%3EO%3C/text%3E%3C/svg%3E)
Governance
The OpenAuthCert Foundation is a vendor-neutral working group that stewards badge issuance, revocation, and evidence integrity. This page outlines the policies the community follows.
Badge status values
pending– submitted for review, not yet approved or signed.certified– approved and signed by maintainers. Evidence is current.revoked– certification withdrawn because requirements are no longer met.denied– application rejected. The submission remains in history for transparency.
In addition, a signed certified badge is shown as expired once its expires_at instant passes. Expiry is computed, not re-signed — exactly like a TLS certificate lapses on its own.
Staying certified: expiry & continuous compliance
Certification is an ongoing commitment, not a one-time stamp. Three mechanisms keep the registry honest:
- Expiry / renewal. Every badge carries a signed
expires_at, set to 12 months after issue. Past that, verifiers and the registry treat it as expired until the vendor opens a renewal PR for re-validation. - Nightly compliance probe. A scheduled job (
probe-compliance.yml) re-tests the live endpoints declared in each badge'schecksblock — the OIDC discovery document, SAML metadata, LDAP reachability, and the public docs (scanned for paywall regressions). Results are recorded as dated evidence on theevidence-databranch. - Automatic revocation after 3 strikes. A per-badge failure counter persists across runs. If a certified vendor fails its checks on three consecutive probe runs, the probe re-signs the badge as
revokedand opens a pull request againstmain. The three-strike gate prevents a transient outage from revoking a legitimate certification.
Revocation triggers
Badges may be revoked — manually or automatically — when:
- The certified free feature is removed or moved behind a paywall (caught by the probe).
- Security issues invalidate previously reviewed features.
- Evidence links break or no longer demonstrate the required behavior.
- Vendors fail to address critical review findings within the agreed timeline.
- The product version is end-of-life without a supported replacement.
Revoked badges must include a revoked_at timestamp and a clear note describing the rationale. The card in the registry highlights revoked and expired entries, and embedded status badges update automatically.
Review & approval flow
- Proposal – Vendors open a pull request with the badge JSON and evidence.
- Probing – Reviewers ask questions, request additional logs, or run interoperability tests.
- Resolution – Vendors update the badge JSON or evidence based on findings.
- Approval – A maintainer signs the canonical payload, updates
digital_signature, and merges the change. - Deployment – The static site rebuilds after CI succeeds and publishes the new badge.
Issues, clarifications, and policy discussions happen in GitHub Issues. Major policy changes are proposed as pull requests for community review.
Pre-deploy checks
Before the website deploys, CI runs:
- Registry validation:
oac validatechecks every badge's JSON Schema, Ed25519 signature, and that its file lives at<vendor>/<application>/<version>.json. - Static site build.
Any failure blocks deployment until addressed.