Comments (7)
We could return back a more complete view of the revocation list, including a contains
property with all of the IDs for revoked credentials (claims). This approach would be very similar to inboxes in the LDN spec and would potentially make the list constitute a container that is compliant with other specs. It would also allow for layering paging abilities for servers that may not be able to serve all entries in the list at once -- so clients can page through and find what they're looking for.
{
"@context": "...",
"id": "https://example.org/revocations/23984",
"type": "SimpleRevocationList2017",
"contains": ["https://example.com/vcs/234", "https://example.com/vcs/6554", ...]
}
from vc-data-model.
It is not clear to me what the purpose of /23984 is at the end of the URL. Is this meant to be the unique credential ID/number? If so, we have a privacy issue, since this allows the credential issuer to determine which SPs the user is contacting with the credential. This should not be condoned or supported in the model or protocol.
from vc-data-model.
It is not clear to me what the purpose of /23984 is at the end of the URL
It's the identifier for the revocation list, which SHOULD contain a very large list of revocation information. It SHOULD NOT be unique to the credentia ID/number, because if it were, we have a privacy issue (as you mentioned). We need to be very clear about this in the spec (and elaborate upon it in the privacy section).
As far as "supporting it" in the data model or protocol, we can't do anything (from a technical perspective) to prevent someone from tying revocation lists 1-to-1 to credentials. Credential repositories MAY warn people if there are revocation lists containing only 1 entry (for example), but that requires heuristics that are beyond the specification.
We should certainly not condone it. Some of us are working on blockchain-based revocation lists in an attempt to address the privacy implications of having revocation lists in the first place.
from vc-data-model.
I like the idea of blockchain revocation. Do you have any pointers to the work?
from vc-data-model.
I am late to this dance but I'm jumping in. The idea of a list of revocations seems odd to me - as I'm dealing with lists that could easily be 10K items or more.
What about a dead simple api call at the Issuer end that either uses a DID or just the base URL (to reduce any correlation) of a claim and simply asks for a status check? Results could be
- OK (or current)
- expired (in some system)
- revoked (with or without reason)
- replaced by (with a replacement claim address)
The simplest implementation could be to return OK or REVOKED (skipping the expired and replaced cases).
This leaves the burden of tracking revocations on the issuer, but that's where it logically lies.
Am I missing something here?
from vc-data-model.
Am I missing something here?
Yes. :)
What you're suggesting has been identified as a privacy violation by the group. The API call you describe would have to take in the credential ID as a parameter. At that point, the issuer knows who is making the call (the verifier) and the credential being interrogated. This is a problem, for example, when an gambling site does an age verification check and then hits the DMV. Most people wouldn't want the DMV to know that they are using information in their driver's license to prove that they can gamble. APIs like the ones you describe lead to privacy violations as a standard practice and the group is trying very hard to prevent that from happening.
from vc-data-model.
We now have one concrete format that we're suggesting for the simplest use case:
https://w3c-ccg.github.io/vc-csl2017/
We still have lots of work to do on the blockchain-based revocation method:
https://w3c-ccg.github.io/vc-status-registry/#the-registry
That said, the simplest proposed mechanism does have decent privacy characteristics for large bundles of status/revocation information. Closing this issue as we now reference a mechanism in the core vc-data-model spec, even if it is non-normative.
from vc-data-model.
Related Issues (20)
- Specify that it is important to validate the `issuer` value HOT 8
- Specify what kind of processing is safe on a returned document HOT 21
- Ensure `credentialStatus` `id` field is optional HOT 5
- Verifying a VC should return the same credential regardless of the verification method HOT 3
- Clarify embedded proof extension point HOT 3
- phrasing and/or punctuation for input "inputBytes or inputDocument and inputMediaType" needs work HOT 4
- reconsider `@id` for `mediaType` term HOT 17
- Does the specification need a normative "Credential Type Specifications" section? HOT 5
- (editorial) "bitstring" vs "bit string" HOT 1
- `Type-Specific Credential Processing` is better phrasing than `Credential Type-Specific Processing` HOT 2
- Backtick characters in Internationalization / Language examples HOT 2
- typo in Terms of Use HOT 2
- Support of SHACL Schema in Version 2.0 HOT 4
- "โฆ" as a term name in the context file? HOT 2
- Unnecessary direction attribute? HOT 12
- EnvelopedVerifiablePresentation missing in data model HOT 5
- first example contains an http url identifying a credential HOT 5
- Remove at risk issue markers for property extension points. HOT 1
- What does the hash values in ยงB.2 mean? HOT 4
- Proposal: remove ambiguity and asymmetry as it relates to subject identifiers HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vc-data-model.