
add a local (example) credential revocation plugin

Open mirceanis opened this issue 1 year ago • 2 comments

@italobb please add details

mirceanis avatar Aug 09 '22 15:08 mirceanis

The plugin will implement the ICredentialStatusManager interface, allowing the revocation of credentials using a simple centralized revocation method, which we'll call SimpleStatus. The credentialStatus field of a credential using the SimpleStatus will have the following format:

    "credentialStatus": {
        "id": "https://example.com/credential/status/74636220-fd6c-49ba-bcbf-fe858bcc2729",
        "type": "SimpleStatus"
    }

  • How will the credentialStatus field of a VC be generated using this plugin? The plugin MUST receive a URL prefix (in our example https://example.com/credential/status/) as a parameter during its instantiation. The plugin will generate a random UUID for the credential and simply append it to the URL prefix. This new URL will be the credentialStatus.id.

  • How will the credential status be served? This plugin must be instantiated by an agent in a remote-server which will pass its server URL as a parameter for the plugin instantiation. The plugin will offer a method which can be used by the server to serve the credential status response.

  • Where will the revocation information be stored? The plugin will receive a storage provider as a parameter and a simple storage provider will be implemented in the remote-server module.

  • How secure is this credential status method? It's really a demonstration of a credential status plugin which shouldn't be used in production. Some important issues in this example:

    • It won't check if the one generating the credentialStatus is the same one who will issue the credential.
    • There's no strong linkage between the credential itself and the credentialStatus.id. Anyone can use that same reference in another VC without any check.
    • The URL which responds with the status won't return a signed payload or VC. It'll simply return if that VC was revoked or not without confirming the authorship of the VC.

italobb avatar Aug 13 '22 19:08 italobb
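
The SimpleStatus flow proposed in the comment above, as an added sketch that is not part of the issue or of Veramo's code: it builds `credentialStatus.id` from the URL prefix plus a random UUID, keeps state in a storage provider, and shows the weak-linkage caveat by letting a second credential reuse the same status entry. It does not implement `ICredentialStatusManager`; the class, store interface, method names, response shape and sample credentials are all assumptions made for illustration.

```typescript
import { randomUUID } from "crypto";
// Hypothetical storage provider shape; the issue only says one is passed in.
interface StatusStore {
  get(id: string): boolean | undefined;
  set(id: string, revoked: boolean): void;
}
class MemoryStatusStore implements StatusStore {
  private entries = new Map<string, boolean>();
  get(id: string) { return this.entries.get(id); }
  set(id: string, revoked: boolean) { this.entries.set(id, revoked); }
}

class SimpleStatusSketch {
  private prefix: string;
  private store: StatusStore;
  constructor(urlPrefix: string, store: StatusStore) {
    // Normalise so prefix + UUID is always joined by exactly one slash.
    this.prefix = urlPrefix.endsWith("/") ? urlPrefix : urlPrefix + "/";
    this.store = store;
  }
  // credentialStatus.id = URL prefix + random UUID, recorded as not revoked.
  generate(): { id: string; type: "SimpleStatus" } {
    const id = this.prefix + randomUUID();
    this.store.set(id, false);
    return { id, type: "SimpleStatus" };
  }
  // Returns false for an id this instance never issued.
  revoke(id: string): boolean {
    if (this.store.get(id) === undefined) return false;
    this.store.set(id, true);
    return true;
  }
  // Body the server would return for the status URL (shape is an assumption).
  serve(id: string): { revoked: boolean } | undefined {
    const revoked = this.store.get(id);
    return revoked === undefined ? undefined : { revoked };
  }
}

// Constructed credentials: vcB reuses vcA's status entry and nothing objects.
function demoSharedStatus(): { first: boolean; second: boolean } {
  const plugin = new SimpleStatusSketch("https://example.com/credential/status/", new MemoryStatusStore());
  const status = plugin.generate();
  const vcA = { subject: "did:example:alice", credentialStatus: status };
  const vcB = { subject: "did:example:bob", credentialStatus: status };
  plugin.revoke(vcA.credentialStatus.id);
  const look = (id: string) => plugin.serve(id)!.revoked;
  return { first: look(vcA.credentialStatus.id), second: look(vcB.credentialStatus.id) };
}
```

Because the lookup is keyed only by the status URL and the response is unsigned, a verifier learns nothing about which credential or issuer the answer belongs to.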

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Nov 12 '22 22:11 stale[bot]