Revocation
Revocation Lists
Revocation lists are a fundamental method for managing the status of verifiable credentials. They provide a straightforward mechanism for issuers to indicate which credentials are no longer valid.
Key Concepts
- Definition: A revocation list is a collection of identifiers for credentials that have been revoked by the issuer. These lists are publicly accessible and can be queried by verifiers to determine the status of a credential.
- Structure: Typically, a revocation list contains the following components:
  - Credential Identifiers: Unique identifiers for each revoked credential.
  - Metadata: Information such as the issuer, the date of revocation, and the reason for revocation.
- Distribution: Revocation lists are published by issuers and made available to verifiers through a designated endpoint or URL. This ensures that verifiers can access the most up-to-date revocation information.
Detailed Process
- Credential Issuance:
  - When a credential is issued, it is assigned a unique identifier.
  - The credential is considered valid until it is either revoked or expired.
- Revocation Event:
  - An event triggers the need to revoke a credential, for example credential expiration, compromise, or a policy violation.
  - The issuer updates the revocation list by adding the identifier of the revoked credential.
- List Update and Publication:
  - The revocation list is updated with the newly revoked identifier.
  - The updated list is published and made accessible to verifiers, typically through a web service or API endpoint that verifiers can query.
- Verifier's Role:
  - During the credential verification process, the verifier retrieves the latest revocation list from the issuer's endpoint.
  - The verifier checks whether the credential identifier is present in the revocation list.
  - If the identifier is found, the credential is considered revoked and is rejected. If not, the credential is considered valid.
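The four steps above, carried end to end in one added example (this is not code from the original page or from any particular credential framework): a hypothetical `Issuer` assigns identifiers at issuance, records revocations with their metadata, and publishes the list as a JSON document; a hypothetical `Verifier` fetches that document and checks membership. The `did:example:issuer` name and the `urn:uuid:` identifier format are assumptions. The verifier also refuses a list whose issuer does not match the credential's issuer, and it treats expiry as a property of the credential itself rather than something the list decides.

```python
"""Added example (not from the original page): an issuer that maintains a
revocation list and a verifier that checks credentials against it.
Issuer, Verifier and the did:example identifier are hypothetical names."""
import json
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class Credential:
    """Minimal credential: the identifier is the key the revocation list uses."""
    identifier: str
    issuer: str
    issued_at: datetime
    expires_at: datetime


class Issuer:
    """Hypothetical issuer: issues credentials and publishes its revocation list."""

    def __init__(self, name: str) -> None:
        self.name = name
        # identifier -> metadata (revocation date and reason)
        self._revoked: dict[str, dict] = {}
        self._updated: str | None = None

    def issue(self, now: datetime, lifetime_days: int = 365) -> Credential:
        # Step 1: every credential receives a unique identifier at issuance.
        return Credential(
            identifier=f"urn:uuid:{uuid.uuid4()}",  # constructed identifier scheme
            issuer=self.name,
            issued_at=now,
            expires_at=now + timedelta(days=lifetime_days),
        )

    def revoke(self, credential_id: str, reason: str, when: datetime) -> None:
        # Step 2: a revocation event adds the identifier plus its metadata.
        # Revocation is final: a repeated call must not overwrite the first record.
        self._revoked.setdefault(
            credential_id, {"revokedAt": when.isoformat(), "reason": reason}
        )
        self._updated = when.isoformat()

    def publish(self) -> str:
        # Step 3: the document a verifier fetches from the issuer's endpoint.
        doc = {
            "issuer": self.name,
            "updated": self._updated,
            "revoked": [{"id": cid, **meta} for cid, meta in self._revoked.items()],
        }
        return json.dumps(doc)


class Verifier:
    """Hypothetical verifier; `fetch` stands in for an HTTP GET of the list endpoint."""

    def __init__(self, fetch: Callable[[], str]) -> None:
        self._fetch = fetch

    def check(self, credential: Credential, now: datetime) -> str:
        """Return 'expired', 'revoked' or 'valid' for the credential."""
        # Expiry is decided by the credential itself, not by the list.
        if now >= credential.expires_at:
            return "expired"
        # Step 4: fetch the latest list on every check instead of trusting a stale copy.
        doc = json.loads(self._fetch())
        # A list published by a different issuer says nothing about this credential.
        if doc.get("issuer") != credential.issuer:
            raise ValueError("revocation list issuer does not match credential issuer")
        revoked_ids = {entry["id"] for entry in doc.get("revoked", [])}
        return "revoked" if credential.identifier in revoked_ids else "valid"


def demo() -> dict:
    """Run the four steps end to end and return the verifier's decisions."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    issuer = Issuer("did:example:issuer")           # hypothetical issuer identifier
    verifier = Verifier(issuer.publish)             # stands in for fetching the endpoint
    good = issuer.issue(t0, lifetime_days=30)
    compromised = issuer.issue(t0, lifetime_days=30)
    before = verifier.check(compromised, t0)
    issuer.revoke(compromised.identifier, "key compromise", t0 + timedelta(days=1))
    issuer.revoke(compromised.identifier, "duplicate event", t0 + timedelta(days=2))
    published = json.loads(issuer.publish())
    return {
        "before_revocation": before,
        "after_revocation": verifier.check(compromised, t0 + timedelta(days=2)),
        "unaffected": verifier.check(good, t0 + timedelta(days=2)),
        "expired": verifier.check(good, t0 + timedelta(days=31)),
        "revoked_count": len(published["revoked"]),
        "published_reason": published["revoked"][0]["reason"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the verifier fetches the list on every `check`, a credential revoked between two checks flips from `valid` to `revoked` without any change on the verifier side, which is the property the distribution step is meant to provide.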