- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 3 Jun 2025 08:40:42 -0400
- To: Filip Kolarik <filip26@gmail.com>
- Cc: Stephen Curran <swcurran@cloudcompass.ca>, W3C Credentials CG <public-credentials@w3.org>
On Mon, Jun 2, 2025 at 5:19 PM Filip Kolarik <filip26@gmail.com> wrote: > Another potential mitigation is to decouple the status service from the issuer, e.g. by leveraging third-party status services that maintain a status list without knowing the content of VC, only storing its status and permitting the issuer to modify it. Yes, agreed. The challenging thing here is for the issuer to trust the 3rd party to run the status service, but I expect that'll happen in time (just as large swaths of businesses have delegated the operation of their entire cloud infrastructure to cloud infrastructure providers without great visibility into the day-to-day operations or logs associated with those services). ... and, of course, blockchain-based revocation methods address this issue (but tend to be fairly heavyweight). :) ... or any sort of file mirroring / database replication / content distribution network service would work as well. There are a few ways to retrieve a status list without directly contacting the issuer that use commonly deployed web technology. One of the challenges we might have today in the VC ecosystem is providing lasting guidance on what mechanisms to use for specific use cases. -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. https://www.digitalbazaar.com/
Received on Tuesday, 3 June 2025 12:41:22 UTC