Readiness
:::info Source
Sourced from services/certification-service/SERVICE_READINESS.md in the documentation repo.
:::
1. Level per Milestone
| M | Level | Scope |
|---|---|---|
| M0 | — | Design |
| M1 | L2 | Stub: issue + verify; single template |
| M2 | L2 | — |
| M3 | L3 | — |
| M4 | L4 | Full templates + OpenBadges 3.0 + wallet + revocation |
| M5 | L4 | Offline issuance claim; multi-region |
2. Gates
G1 Domain
- Certificate, RevocationRecord, OfflineIssuanceClaim aggregates + invariants.
- State machine tested.
- 95% unit / 80% mutation.
G2 API
- OpenAPI published.
- Public verify endpoint documented.
- Idempotency + cursor.
- Pact with progress, notification, search, analytics.
G3 Events
-
certification.certificate.issued.v1,.revoked.v1,.verified.v1(audit), offline claim events. - Outbox + inbox.
G4 Sync
- Certificate read-replicable
server_authoritative; OfflineIssuanceClaimappend_only.
G5 AI
- Template suggestion (M4) via AIClient; provenance + HITL.
- Revocation anomaly detection (M5) with human decision.
G6 Observability
- Issuance pipeline SLI; verify latency.
- JWKS availability.
- Revocation rate + reason distribution.
G7 Performance
- Issuance p95 < 10s.
- Public verify p95 < 100ms (cached).
- JWKS serve p95 < 10ms.
- 500 concurrent issuances sustained.
G8 Security
- JWS signing HSM-backed.
-
kidrotation tested. - Offline claim signature verification.
- Public endpoint rate limiting + enumeration defense.
- Two-tenant iso green.
- Pen-test for public verify.
3. SLOs
| SLI | Target |
|---|---|
| Issuance pipeline p95 | < 10s |
| Issuance success rate | ≥ 99.9% |
| Public verify p95 | < 100ms (cache hit) |
| JWKS availability | 99.999% |
| Revocation propagation (CDN purge) | < 60s |
4. DoD
- Unit + integration + contract + OpenBadges conformance green.
- OpenAPI updated.
- Event schemas registered.
- Migrations fwd+back.
- Two-tenant iso green.
- Dashboard + runbook updated.
5. Release Checklists
S1 (M1 — stub)
- Issue certificate on completion.
- Public verify endpoint live.
- Basic PDF artifact.
- JWS proof signed.
S4 (M3 → L4 at M4)
- Multiple templates.
- OpenBadges 3.0 VC.
- Wallet passes (Google/Apple).
- Revocation workflow UI.
- Branding + signatory editor.
S5 (M4 offline issuance)
- Offline claim E2E green.
- Signature verification correctness across clock-skew scenarios.
- Anonymization policy implemented per tenant.