View Issue Details

ID: 0006507
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2021-03-05 14:19
Reporter: Randy Armstrong
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0006507: Need to explain what should happen if Certificates expire when a Session is active.
Description

Probably needs to be in the CreateSession discussion.

Tags: No tags attached.
Commit Version
Fix Due Date

Activities

Matthias Damm

2021-03-01 18:29

developer   ~0013855

The expectation is that the certificates are checked at the latest when the SecureChannel is renewed. Applications may do the checks earlier.

This should be described already today.
TBD:
Check if this is already defined and maybe have a chapter that describes the dependencies and summarizes the definitions we have already.

Matthias Damm

2021-03-02 13:56

developer   ~0013878

Added new chapter:

6.1.7 Continuous security checks
ApplicationInstanceCertificates or UserIdentityTokens may expire, become invalid or may be rejected on the Client or Server side.

A complete ApplicationInstanceCertificate verification shall be executed every time the SecurityToken is renewed for a SecureChannel. OPC UA Applications may do additional verifications between SecurityToken renewals, e.g. if the trust list is updated from a GDS.

If the SecureChannel does not use ApplicationInstanceCertificates, the OPC UA Application shall execute frequent ApplicationInstanceCertificate checks for the Session.

The recovery mechanisms for ApplicationInstanceCertificate replacement scenarios are described in 6.7.

OPC UA Applications shall have internal notification mechanisms to get informed about removal of user identities or should frequently check if the UserIdentityToken is still valid or if the authorization for a UserIdentityToken was changed.

Added in
OPC 10000-4 - UA Specification Part 4 - Services 1.05.0 Draft15.docx
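
Added example (not part of the issue notes, the specification text, or any OPC UA stack): a minimal Python model of the rule in the new chapter 6.1.7, where the peer certificate passes the check when the channel is opened, expires while the Session is active, and is caught at the next SecurityToken renewal. The `Cert`, `TrustList` and `SecureChannel` classes, the reduced three-step `verify`, the reason strings, and the choice to mark the channel closed on failure are all assumptions made for illustration; the chapter only states when the check must run.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Cert:                      # constructed stand-in for an ApplicationInstanceCertificate
    thumbprint: str
    not_before: datetime
    not_after: datetime

@dataclass
class TrustList:                 # hypothetical trust list, e.g. one updated from a GDS
    trusted: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

def verify(cert, trust, now):    # simplified check; returns None when the cert is acceptable
    if not (cert.not_before <= now <= cert.not_after):
        return "expired-or-not-yet-valid"
    if cert.thumbprint not in trust.trusted:
        return "untrusted"
    if cert.thumbprint in trust.revoked:
        return "revoked"
    return None

class SecureChannel:
    def __init__(self, peer_cert, trust, now):
        self.peer_cert, self.trust = peer_cert, trust
        self.open, self.close_reason = True, None
        self._check(now)                      # initial check when the channel is opened

    def _check(self, now):
        reason = verify(self.peer_cert, self.trust, now)
        if reason:                            # assumption: a failed check closes the channel
            self.open, self.close_reason = False, reason
        return self.open

    def renew_token(self, now):
        """Mandatory point: full verification on every SecurityToken renewal."""
        return self.open and self._check(now)

    # Optional earlier point: the same check, run as soon as the trust list changes.
    on_trust_list_updated = renew_token

def demo():
    t0 = datetime(2021, 3, 1, 12, 0)          # constructed timeline
    cert = Cert("AA11", t0 - timedelta(days=365), t0 + timedelta(minutes=90))
    ch = SecureChannel(cert, TrustList(trusted={"AA11"}), t0)
    return ([ch.renew_token(t0 + timedelta(minutes=60)),    # before expiry
             ch.renew_token(t0 + timedelta(minutes=120))],  # expired mid-session
            ch.close_reason)
```

The gap between expiry and the next renewal is the window in which an expired certificate is still in use, which is why the chapter allows additional checks between renewals.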

Jim Luth

2021-03-05 14:19

administrator   ~0013992

Agreed to changes edited in Virtual F2F.

Issue History

Date Modified | Username | Field | Change
2021-02-17 17:24 | Randy Armstrong | New Issue |
2021-03-01 18:26 | Matthias Damm | Assigned To | => Matthias Damm
2021-03-01 18:26 | Matthias Damm | Status | new => assigned
2021-03-01 18:29 | Matthias Damm | Note Added: 0013855 |
2021-03-02 13:56 | Matthias Damm | Status | assigned => resolved
2021-03-02 13:56 | Matthias Damm | Resolution | open => fixed
2021-03-02 13:56 | Matthias Damm | Note Added: 0013878 |
2021-03-05 14:19 | Jim Luth | Status | resolved => closed
2021-03-05 14:19 | Jim Luth | Fixed in Version | => 1.05
2021-03-05 14:19 | Jim Luth | Note Added: 0013992 |