Re: Verifiable credentials decentralized status

On Sat, Jul 6, 2024 at 6:15 AM Pascal Knoth <pascal@malach.it> wrote:
>> I am Pascal Knoth, an independent worker,

Hi Pascal, thank you for the work you are doing on revocation
mechanisms for VCs. :)

We definitely need better privacy-preserving mechanisms for doing
revocation. I read through your spec multiple times and have a few
observations and questions.

The use of HOTP is interesting, but I can't quite understand what it
is doing. My expectation going into the specification was that this
was a privacy-preserving status checking mechanism that would enable
the holder to assert their status in a way that is decentralized and
didn't require interactions with the issuer. After reading the spec, I
feel that my assumptions are wrong, but don't know which ones.

I gather that the issuer has a secret and they use that to issue some
sort of HOTP-based token, presumably to the holder? The holder then
takes that token and gives it to a verifier? The verifier then uses
that token and asks the issuer if it's still valid?

If that's the flow, doesn't the verifier uniquely identify the holder
when the check is performed by the issuer? Doesn't this result in even
more "bytes transmitted over the wire" than a single status bit in a
bitstring?

As you can see, I'm struggling to understand the goals and advantages
of the specification. Can you help me understand where I'm going wrong
above? We are very interested in more decentralized,
privacy-preserving status mechanisms for the VC ecosystem! Thanks
again for the time and care you put into the specification.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Wednesday, 10 July 2024 13:21:55 UTC