W3C home > Mailing lists > Public > public-credentials@w3.org > January 2022

Re: State of Revocation Lists

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 7 Jan 2022 15:40:24 -0500
To: public-credentials@w3.org
Message-ID: <c96546ad-60fd-105b-9786-b2685bc19757@digitalbazaar.com>
On 1/7/22 9:15 AM, Julien Fraichot wrote:
> I started exploring options to handle revocation list, and I would like to 
> ideally follow something that has chances to become interoperable (at least
> on the verification side).

Hey Julien, this will probably be announced in a few weeks/months via the
VC-API work item, but a number of vendors do expect to create an interop test
suite for vc-status-list-2021 in Q1 or Q2 of this year.

> I am aware of this draft https://w3c-ccg.github.io/vc-status-list-2021/ 
> <https://w3c-ccg.github.io/vc-status-list-2021/> but I am curious if itís 
> still being worked on and has chances to become an official
> recommendation?

Yes, still being worked on, we expect to create an interop test suite for it
in the first half of this year and demonstrate multi-vendor interop this year.
It's a high priority for a number of vendors in the CCG.

> I see that this draft leaves aside the CRUD aspect of the file, am I then 
> correct to assume that this aspect is left to the implementer to decide?

Hrm, not quite.

Create and Delete is implementer defined.

Read is defined by the vc-status-list-2021 spec:

https://w3c-ccg.github.io/vc-status-list-2021/#algorithms

Update is defined by the VC-API spec:

https://w3c-ccg.github.io/vc-api/#update-status

More detail here:

https://w3c-ccg.github.io/vc-api/issuer.html#operation/updateCredentialStatus

> Are there other efforts that are/will be researched/pursued on revocation 
> lists? I know some companies/people in this group are also implementing 
> cryptographic accumulators to handle revocation, is that something that
> could become a recommendation?

Yes, it's possible, though I'm not aware of anyone working on an
accumulator-based revocation list for VCs at present.

There is nothing stopping anyone from producing an accumulator-based
revocation list, or taking it standards track once enough interop has been
achieved. It's just a "simple" matter of creating something that works,
spec'ing it, getting multiple implementations, test suite, and then taking it
standards track. :)

I will note that one of the issues w/ cryptographic accumulator-based
revocation lists is that they are not easily cacheable, and for large
populations, can result in LOTS of bandwidth usage at the entity that is
hosting the accumulator. Every revocation check needs to download the latest
accumulator (which could be multiple MBs in size).

There are, of course, mitigations for all of this:

* Invest in the download cost of the accumulator because
  the privacy is worth it.

* Only update the accumulator once a day and cache for an
  entire day.

* Provide a statistical probability of revocation in order
  to save storage space.

... and so on.

> And finally what about more decentralized approaches, ie: smart contract, 
> ipns, etc? Here the question is more generic but are those options that can
> be considered in relation to the broader VC ecosystem?

Yes, the VC Data Model allows for a variety of status mechanisms
(suspension/revocation/etc.) to exist via the "credentialStatus" property:

https://w3c.github.io/vc-data-model/#status

So, yes, smart contract based revocation mechanisms are also possible.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Friday, 7 January 2022 20:40:41 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:28 UTC