Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IssuerService: Implement Revocation List service #539

Open
paullatzelsperger opened this issue Feb 3, 2025 · 0 comments
Open

IssuerService: Implement Revocation List service #539

paullatzelsperger opened this issue Feb 3, 2025 · 0 comments
Assignees
@paullatzelsperger
Labels
dcp enhancement New feature or request

Comments

@paullatzelsperger
Copy link
Member

paullatzelsperger commented Feb 3, 2025
edited
Loading

Feature Request

The IssuerService must host a revocation list credential, which verifiers can download when they determine a credential's revocation status.

There should be a CredentialRevocationService, which allows to revoke, suspend, resume and query the status of a certain credential.

Metadata about issued credentials is stored anyways (cf. Credentials Admin API, #536), and that data model should then also contain the revocation status.

Upon change, the metadata in the DB gets updated, and the revocation list credential gets regenerated and signed. The revocation credential then is resolved through a (static, unauthenticated) web endpoint.

Requirements

Transactional updates:

the revocation list credential must always reflect a consistent state

data model:

credential metadata is stored in the DB using the VerifiableCredentialResource. The bit string must never be stored in an unsigned state, but be secured with a proof. Only JWT proofs will be supported

Credential resolution

  • the static web endpoint must be publicly visible and must not require authn/authz

Content types:

by default, the revocation credential is returned as signed JWT VC, the response Content-Type header must reflect that (applications/vc+jwt). Upon client request (Accept=application/json header), the endpoint may respond with an unsigned JSON body (application/json). If the Accept header is not understood, the endpoint responds with 415 unsupported media type.

Variants

  • implementations for StatusList20201 and BitStringStatusList must be provided as extensions
  • BitStringStatusList: only two states and the minimum required bistring length are supported initially

Why Is the Feature Desired?

to allow verifiers to determine the revocation state of credentials issued by this issuer

Who will sponsor this feature?

Please @-mention the committer that will sponsor your feature.

Solution Proposal

If possible, provide a (brief!) solution proposal.
@paullatzelsperger paullatzelsperger added dcp enhancement New feature or request labels Feb 3, 2025
@github-actions github-actions bot added the triage all new issues awaiting classification label Feb 3, 2025
@paullatzelsperger paullatzelsperger self-assigned this Feb 5, 2025
@paullatzelsperger paullatzelsperger removed the triage all new issues awaiting classification label Feb 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@paullatzelsperger paullatzelsperger

Labels
dcp enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@paullatzelsperger