Status List 2021 Questions

Hey CCG folks 👋

I'm currently doing some research into Status List 2021 and I have a couple
of questions around its implementation. I was hoping one of you might be
able to help:

*1. Minimum bitstring length and herd privacy*

I understand that there is a minimum bitstring length/size
<https://w3c-ccg.github.io/vc-status-list-2021/#revocation-bitstring-length>
in order to preserve the privacy of Holders and make it harder for an
issuer to correlate which Holders are using their Credentials and when they
are using them.

I am curious as to why the number 131,072 was chosen, and also at what
point it is recommended that this length should be extended. For example,
after 10,000 Credentials have been issued and assigned to bitstring values
within this Status List, should the length of this bitstring be extended
accordingly and scale with the number of issued Credentials?

*2. Centralization of the bitstring*

Using a Verifiable Credential hosted by the issuer to store the entire
bitstring seems to be a single point of failure for the ecosystem. I note
that there are suggestions to perhaps use a Content Delivery Network and
caching to remove this reliance on requests to a single server.

Is there a desire to store the Status List on a Verifiable Data Registry as
a resource? At cheqd, we've recently developed our resource module
<https://docs.cheqd.io/identity/ledger-resources/creating-a-resource> which
would be capable of storing/identifying a Status List with a unique DID
URL, associated with a DID Document. Using this model, the Status List
could be retrieved using a DID Resolver, and this would remove any
relationship needed between an issuer and a verifier.

I've put together a draft document on how this resource module could extend
to supporting Status List 2021 from a technical perspective
<https://docs.cheqd.io/identity/ledger-resources/using-on-ledger-resources-to-support-statuslist2021>.
I'd be really keen to hear the community's thoughts on whether this is a
good idea, or whether this could lead to further privacy risks.

Looking forward to hearing feedback / suggestions / warnings
-- 

Alex Tweeddale

Governance & Compliance Lead

Schedule a meeting <https://calendly.com/alex-tweeddale/introductory-call>

cheqd.io <https://www.cheqd.io/> | Twitter <https://twitter.com/cheqd_io> |
LinkedIn <https://linkedin.com/company/cheqd-identity> | Telegram
<https://t.me/cheqd>

Received on Tuesday, 27 September 2022 00:42:54 UTC
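
The list format behind question 1, as an added example that is not part of the original message or of any project's code: a 131,072-entry bitstring is built, GZIP-compressed and base64url-encoded as the linked draft describes, then decoded by a verifier that rejects lists shorter than the minimum. The function names are hypothetical, and treating index 0 as the left-most bit of the first byte is an assumption.

```python
import base64
import gzip

MIN_BITS = 131_072  # minimum list length quoted in the message (16 KB uncompressed)


def encode_list(revoked, size=MIN_BITS):
    """Issuer side: set the revoked indices and return the encoded list string."""
    if size < MIN_BITS or size % 8:
        raise ValueError("list must hold at least 131,072 entries, in whole bytes")
    bits = bytearray(size // 8)
    for i in revoked:
        if not 0 <= i < size:
            raise IndexError(i)
        bits[i // 8] |= 0x80 >> (i % 8)  # assumption: index 0 is the left-most bit
    compressed = gzip.compress(bytes(bits), mtime=0)
    return base64.urlsafe_b64encode(compressed).decode().rstrip("=")


def decode_list(encoded):
    """Verifier side: decode the list and refuse one that is too short."""
    padded = encoded + "=" * (-len(encoded) % 4)
    bits = gzip.decompress(base64.urlsafe_b64decode(padded))
    if len(bits) * 8 < MIN_BITS:
        # A short list shrinks the herd a single fetch could refer to.
        raise ValueError("status list shorter than the minimum length")
    return bits


def is_revoked(bits, index):
    """Read one credential's status bit from the decoded list."""
    if not 0 <= index < len(bits) * 8:
        raise IndexError(index)
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


if __name__ == "__main__":
    encoded = encode_list({0, 7, 94567})  # constructed sample indices
    bits = decode_list(encoded)
    print(len(bits), "bytes uncompressed,", len(encoded), "characters encoded")
    print(is_revoked(bits, 94567), is_revoked(bits, 94566))
```

A sparsely populated list compresses to a small fraction of its 16 KB, so the verifier downloads the same whole list whichever index it checks.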