Define ONE concrete format for the revocation parameter #35
Comments
msporny
added
the
security-tracker
msporny
changed the title
msporny
changed the title
|
We could return back a more complete view of the revocation list, including a {
"@context": "...",
"id": "https://example.org/revocations/23984",
"type": "SimpleRevocationList2017",
"contains": ["https://example.com/vcs/234", "https://example.com/vcs/6554", ...]
} |
|
It is not clear to me what the purpose of /23984 is at the end of the URL. Is this meant to be the unique credential ID/number? If so, we have a privacy issue, since this allows the credential issuer to determine which SPs the user is contacting with the credential. This should not be condoned or supported in the model or protocol. |
It's the identifier for the revocation list, which SHOULD contain a very large list of revocation information. It SHOULD NOT be unique to the credentia ID/number, because if it were, we have a privacy issue (as you mentioned). We need to be very clear about this in the spec (and elaborate upon it in the privacy section). As far as "supporting it" in the data model or protocol, we can't do anything (from a technical perspective) to prevent someone from tying revocation lists 1-to-1 to credentials. Credential repositories MAY warn people if there are revocation lists containing only 1 entry (for example), but that requires heuristics that are beyond the specification. We should certainly not condone it. Some of us are working on blockchain-based revocation lists in an attempt to address the privacy implications of having revocation lists in the first place. |
|
I like the idea of blockchain revocation. Do you have any pointers to the work? |
|
I am late to this dance but I'm jumping in. The idea of a list of revocations seems odd to me - as I'm dealing with lists that could easily be 10K items or more. What about a dead simple api call at the Issuer end that either uses a DID or just the base URL (to reduce any correlation) of a claim and simply asks for a status check? Results could be
The simplest implementation could be to return OK or REVOKED (skipping the expired and replaced cases). This leaves the burden of tracking revocations on the issuer, but that's where it logically lies. Am I missing something here? |
Yes. :) What you're suggesting has been identified as a privacy violation by the group. The API call you describe would have to take in the credential ID as a parameter. At that point, the issuer knows who is making the call (the verifier) and the credential being interrogated. This is a problem, for example, when an gambling site does an age verification check and then hits the DMV. Most people wouldn't want the DMV to know that they are using information in their driver's license to prove that they can gamble. APIs like the ones you describe lead to privacy violations as a standard practice and the group is trying very hard to prevent that from happening. |
|
We now have one concrete format that we're suggesting for the simplest use case: https://w3c-ccg.github.io/vc-csl2017/ We still have lots of work to do on the blockchain-based revocation method: https://w3c-ccg.github.io/vc-status-registry/#the-registry That said, the simplest proposed mechanism does have decent privacy characteristics for large bundles of status/revocation information. Closing this issue as we now reference a mechanism in the core vc-data-model spec, even if it is non-normative. |
What is the simplest format of the revocation parameter?
Perhaps something like this:
{ "revocation": { "id": "https://example.org/revocations/23984", "type": "SimpleRevocationList2017" } }When you dereference the "id" parameter above, options include:
If the issued verifiable claim's id is in the list of IDs, then its status is revoked. Note that the mechanism used for pseudonymous revocation will be calculated differently, which is why the format of the revocation list is signature scheme specific.
The text was updated successfully, but these errors were encountered: