Revoke a Credential

Overview

A key part of our Digital Identity model is that Issuers can provide subjects with Credentials containing verifiable claims. Those subjects can hold their data and present it to Verifiers without the Issuer being aware of how or when the holder is using their data.

Credentials issued on the MATTR Platform can be created as revocable. This allows Verifiers to obtain the revocation status of a Credential as it is being presented, in a way that preserves the privacy of the credential holder.

This tutorial will demonstrate how to issue Credentials that are revocable using the Revocation List 2020 standard, and how an Issuer is able to revoke/un-revoke the issued Credential.


A Revocable Credential

A revocable Credential contains a credentialStatus property that points to a revocation list. The list holds the revocation status (revoked/not-revoked) of many credentials (up to 131,072). Because a Verifier requests the whole list, which credential it is checking remains private, i.e. the Issuer will not know to whom or how often a Credential is being presented.

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://schema.org",
    "https://w3id.org/vc-revocation-list-2020/v1"
  ],
  "type": [ ... ],
  "credentialStatus": {
    "id": "https://tenant.platform.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3#4",
    "type": "RevocationList2020Status",
    "revocationListIndex": "4",
    "revocationListCredential": "https://tenant.platform.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3"
  },
  "issuer": {
    "id": "did:key:z6MkndAHigYrXNpape7jgaC7jHiWwxzB3chuKUGXJg2b5RSj",
    "name": "tenant.platform.mattr.global"
  },
  "credentialSubject": { ... },
  "issuanceDate": "...",
  "proof": { ... }
}

The revocationListCredential value contains the location where the revocation list can be obtained. Generally it is stored on the Platform owned by the Issuer.

The revocationListIndex gives the position within the list of the entry that indicates whether the credential is revoked or not.

The Revocation List Credential

Every revocable Credential issued will reference a Revocation List. This is automatically created and held on the tenant for the Issuer.

The revocation list can be obtained from a public endpoint as defined in the subject holder's Credential.

GET https://tenant.platform.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3

The retrieved Revocation List is in the form of a JSON-LD based Verifiable Credential. This allows a Verifier to ensure that the Credential Issuer and the Issuer of the Revocation List are the same.

{
  "id": "https://tenant.platform.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3",
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/vc-revocation-list-2020/v1"
  ],
  "type": [
    "VerifiableCredential",
    "RevocationList2020Credential"
  ],
  "issuer": "did:key:z6MkndAHigYrXNpape7jgaC7jHiWwxzB3chuKUGXJg2b5RSj",
  "credentialSubject": {
    "type": "RevocationList2020",
    "encodedList": "H4sIAAAAAAAAA-3BMQEAAADCoPVPbQwfoAAAAAAAAAAAAAAAAAAAAIC3AYbSVKsAQAAA"
  },
  "issuanceDate": "...",
  "proof": { ... }
}

The encodedList contains bits in an encoded form, where each bit indicates if a credential is revoked (1) or not (0). The revocationListIndex points to the bit that indicates the revocation status of the Credential.
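What a Verifier does with these two documents, as an added Python example (not MATTR's code): it confirms the list belongs to the Credential's Issuer, decodes encodedList with a size limit, and reads the bit at revocationListIndex. It assumes the list credential's proof has already been verified, that encodedList is base64url-encoded gzip as in Revocation List 2020, and that index 0 is the left-most bit of the first byte; all function names, including the make_list sample builder, are hypothetical.

```python
import base64
import gzip
import zlib

MAX_LIST_BYTES = 16 * 1024  # 131,072 bits, the list size the page mentions


def issuer_id(credential):
    """Return the issuer DID whether 'issuer' is a string or an object with 'id'."""
    issuer = credential["issuer"]
    return issuer["id"] if isinstance(issuer, dict) else issuer


def decode_list(encoded_list):
    """base64url-decode and gunzip encodedList, refusing oversized or cut-off data."""
    padded = encoded_list + "=" * (-len(encoded_list) % 4)
    inflater = zlib.decompressobj(wbits=31)  # 31 = expect a gzip header
    bits = inflater.decompress(base64.urlsafe_b64decode(padded), MAX_LIST_BYTES + 1)
    if len(bits) > MAX_LIST_BYTES or not inflater.eof:
        raise ValueError("revocation list is oversized or truncated")
    return bits


def is_revoked(credential, list_credential):
    """Check one credential against an already proof-verified revocation list."""
    status = credential["credentialStatus"]
    if status["type"] != "RevocationList2020Status":
        raise ValueError("unsupported credentialStatus type")
    if list_credential["id"] != status["revocationListCredential"]:
        raise ValueError("revocation list id does not match the credential")
    if issuer_id(list_credential) != issuer_id(credential):
        raise ValueError("revocation list was issued by a different issuer")
    bits = decode_list(list_credential["credentialSubject"]["encodedList"])
    index = int(status["revocationListIndex"])
    if not 0 <= index < len(bits) * 8:
        raise ValueError("revocationListIndex outside the list")
    # Assumption: index 0 is the left-most (most significant) bit of byte 0.
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


def make_list(revoked_indexes, size_bytes=MAX_LIST_BYTES):
    """Constructed sample: build an encodedList with the given bits set."""
    raw = bytearray(size_bytes)
    for i in revoked_indexes:
        raw[i // 8] |= 0x80 >> (i % 8)
    return base64.urlsafe_b64encode(gzip.compress(bytes(raw))).decode().rstrip("=")
```

If the issuing platform numbers bits from the least significant end of each byte, only the mask in the last line of is_revoked changes.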

To simplify these processes, we provide a set of Revocation endpoints to manage all of this from the Issuer perspective. In the Verify flow, the platform will automatically resolve the revocation status and return an error state if the Credential is revoked.

Steps

Find out how to issue a Credential that can be revoked, revoke the credential, and as a Verifier obtain the revocation status of the credential.