Skip to content
This repository has been archived by the owner on Oct 29, 2019. It is now read-only.

Standardize the key revocation list #96

Closed
satazor opened this issue Aug 3, 2018 · 4 comments
Closed

Standardize the key revocation list #96

satazor opened this issue Aug 3, 2018 · 4 comments
Labels
discuss Wider discussion in an issue or meeting required before merging

Comments

@satazor
Copy link

satazor commented Aug 3, 2018

Currently the specs state:

If a public key does not exist in the DID Document, it MUST be assumed the key has been revoked or is invalid. The DID Document MAY contain revoked keys. A DID Document that contains a revoked key MUST also contain or refer to the revocation information for the key (e.g. a revocation list). Each DID Method specification is expected to detail how revocation is performed and tracked.

This means that is up to each DID method spec to specify how to obtain the revoked keys list. The issue is that the data structure for this list is not enforced, reducing the interoperability of the data model for that list.

In my view, it's important to standardize the data model of the revocation list. The reason is that there are many use-cases where we might want to verify signatures of arbitrary data that was signed by identities. To do just that that we must:

  • Verify the signature against a public key
  • Check if the same public key is or was listed in DID document; in case it's in the revocation list, check if the timestamp of when the key was revoked is higher than the timestamp of the signature of the data.

It will become a mess for app developers if we don't have a standardized and well defined revocation list. More specifically, app developers we would need to create "adapters" to build a canonical data model of the revocation list.

Thanks.

@satazor satazor changed the title Standardize the revoked key list Standardize the key revocation list Aug 3, 2018
@msporny
Copy link
Contributor

msporny commented Aug 7, 2018

@satazor wrote:

It will become a mess for app developers if we don't have a standardized and well defined revocation list.

Yes, absolutely agree.

There are two strategies we could employ here. The first is to make sure that revoked keys will exist in the DID Document at all times. The second is to use revocation lists.

Assuming we go with the first strategy, any revoked key will have one of three properties (still under discussion):

"currentStatus": "Revoked"   // tells you its revoked, but not when
"expirationDate": "2018-08-07T01:16:11.268Z" // tells you that the key has expired, but no reason
"revocationDate": "2018-08-07T01:16:11.268Z" // tells you the key has been revoked as of a particular date

It may be beneficial to do multiple of those properties together.

Option 2 may come out of the work on status lists (revocation is a particular subclass of status list): https://w3c-ccg.github.io/vc-csl2017/

So, keys could have status lists associated with them:

  "id": "...#key-2",
  ...
  "keyStatus": {
    "id": "https://example.com/mykeys/status,
    "type": "CredentialStatusList2017"
  },

... the downside here being that it takes just as many properties for the indirection than it does to directly embed that the key has been revoked in the key description.

@peacekeeper
Copy link
Member

I think we will have several situations like this, where features of the DID document should be standardized but remain optional (because not all DID methods may support this). Besides key revocation, another example is versioning.

@rhiaro rhiaro added the discuss Wider discussion in an issue or meeting required before merging label Jan 25, 2019
@peacekeeper
Copy link
Member

Related to #166 and w3c/did-resolution#37

@jandrieu
Copy link
Contributor

Closing as we have adopted this issue in the new DIDWG repo.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
discuss Wider discussion in an issue or meeting required before merging
Projects
None yet
Development

No branches or pull requests

5 participants