Credential Status & Revocation
The validity of digital credentials are fundamental to make digital identity work. Ensuring that verifiable credentials are up-to-date and valid without compromising user privacy is essential. Let's understand why we need a credential status, explore possible solutions, and learn more about the Bitstring Status List v1.0.
Why we need credential status
Digital credentials, such as certificates, badges, and IDs, must have mechanisms to indicate their current status—whether they are active, suspended, or revoked. The ability to check the status of a credential is crucial for several reasons:
- Security: Verifying that a credential has not been revoked or tampered with is vital to prevent fraud and misuse.
- Trust: Ensuring that only valid credentials are accepted maintains trust in digital identity systems.
- Compliance: Many regulatory frameworks require mechanisms to manage and verify the status of digital credentials.
Traditional methods like Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) have limitations, including potential privacy breaches and inefficiency in handling large volumes of data.
Possible Solutions
Addressing the need for an efficient and privacy-preserving way to manage credential status has led to various solutions:
- Certificate Revocation Lists (CRLs): Lists employed to manage the revocation status of digital certificates. They can be large and cumbersome to distribute.
- Online Certificate Status Protocol (OCSP): Provides real-time status information but can expose user actions to tracking.
Each of these solutions has trade-offs, particularly regarding privacy and scalability. To enhance privacy and efficiency, new mechanisms like the Bitstring Status List have been developed.
Bitstring Status List Explained
The Bitstring Status List, specified here, proposes a novel approach to managing credential status using bitstrings. This method offers several advantages over traditional solutions:
- Privacy: By bundling the status of many credentials into a single list, the Bitstring Status List mitigates tracking risks associated with querying individual credential statuses.
- Efficiency: The use of bitstrings and data compression techniques like GZIP ensures that the status information is highly space-efficient and easy to distribute, even for a large userbase.
In essence, the status of a large number of VCs can be grouped into a single list using bitstrings. A bitstring is a sequence of bits, where each bit represents the status of one credential. If a bit is set (1), the credential is revoked or suspended; if unset (0), the credential is active.
Example StatusListCredentials
To illustrate how the Bitstring Status List works, let's look at some practical examples.
Simple Status List Credential
A simple status list credential is a straightforward implementation of the Bitstring Status List mechanism. It associates a single status list entry with a verifiable credential.
{
"@context": [
"https://www.w3.org/ns/credentials/v2"
],
"id": "https://example.com/credentials/status/3",
"type": [
"VerifiableCredential",
"BitstringStatusListCredential"
],
"issuer": "did:example:12345",
"validFrom": "2021-04-05T14:27:40Z",
"credentialSubject": {
"id": "https://example.com/status/3#list",
"type": "BitstringStatusList",
"statusPurpose": "revocation",
"encodedList": "uH4sIAAAAAAAAA-3BMQEAAADCoPVPbQwfoAAAAAAAAAAAAAAAAAAAAIC3AYbSVKsAQAAA"
}
}
This example shows a minimal setup where a single status list oversees the revocation status of credentials. The encodedList property contains the compressed bitstring representing the status of numerous credentials, ensuring efficient data handling and privacy preservation.
Multiple Status Purposes
The Bitstring Status List mechanism can also support multiple status purposes within a single credential. This capability enhances flexibility by allowing various types of status updates (e.g., revocation, suspension) to be managed together.
{
"@context": [
"https://www.w3.org/ns/credentials/v2"
],
"id": "https://example.com/credentials/23894672394",
"type": [
"VerifiableCredential"
],
"issuer": "did:example:12345",
"issuanceDate": "2021-04-05T14:27:42Z",
"credentialStatus": [
{
"id": "https://example.com/credentials/status/5#94567",
"type": "BitstringStatusListEntry",
"statusPurpose": "revocation",
"statusListIndex": "94567",
"statusListCredential": "https://example.com/credentials/status/5"
},
{
"id": "https://example.com/credentials/status/5#12345",
"type": "BitstringStatusListEntry",
"statusPurpose": "suspension",
"statusListIndex": "12345",
"statusListCredential": "https://example.com/credentials/status/5"
}
],
"credentialSubject": {
"id": "did:example:6789",
"type": "Person"
}
}
This example demonstrates a more complex implementation where a single verifiable credential can be marked as both revoked and suspended. This dual-purpose credential status allows managing different characteristics of credential status in a consolidated manner, further enhancing flexibility and efficiency.
Credential Status and Revocation with walt.id
Using walt.id's libs and services, you can issue and verify credentials leveraging the Bistring StatusList standard. At the moment, our policies only support checking for the revoke state in credentials. Learn more here.