Re: Revocation and No Phone Home

On Mon, Jun 2, 2025 at 5:19 PM Filip Kolarik <filip26@gmail.com> wrote:
> Another potential mitigation is to decouple the status service from the issuer, e.g. by leveraging third-party status services that maintain a status list without knowing the content of VC, only storing its status and permitting the issuer to modify it.

Yes, agreed. The challenging thing here is for the issuer to trust the
3rd party to run the status service, but I expect that'll happen in
time (just as large swaths of businesses have delegated the operation
of their entire cloud infrastructure to cloud infrastructure providers
without great visibility into the day-to-day operations or logs
associated with those services).

... and, of course, blockchain-based revocation methods address this
issue (but tend to be fairly heavyweight). :)

... or any sort of file mirroring / database replication / content
distribution network service would work as well. There are a few ways
to retrieve a status list without directly contacting the issuer that
use commonly deployed web technology. One of the challenges we might
have today in the VC ecosystem is providing lasting guidance on what
mechanisms to use for specific use cases.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Tuesday, 3 June 2025 12:41:22 UTC