Attestation Revocation
A status list allows you to revoke or suspend credentials at an individual level. This is possible by incorporating some claims in every credential being issued, which has a descriptor pointing to the status list location (URI), as well having an index within the status list. The status list itself is a simple bitstring, where every bit either is a 0 (the default), or 1, meaning revoked or suspended, depending on the purpose of the status list. Some status lists do not use a single bit position, and can have multiple bits, for additional statuses. Company Passport does not currently define additional statuses.
If the purpose is revocation then it cannot be undone. If it is suspension then you can go from active to suspended and back to active.
the status list index assigned to a VC needs to be unique and random, to ensure external parties are not able to infer what index would be related to newly issued credentials (herd privacy). For example issuing a credential could receive index 12345 in the status list, whilst the next credential would get index 93630.
Token Status List
Token Status List (opens in a new tab) is a simple status list specification, defining a compressed bitstring status list, made available as a JWT. The status list JWT can be referenced within credentials.
Token Status List is primarily used for revocation in SD JWT VC Attestation Format.
Example SD-JWT VC with status entry
The below example is an SD-JWT VC credential issued with a unique status list index. Notice the additional status top-level object.
{
"typ": "vc+sd-jwt",
"alg": "EdDSA",
"kid": "#z6MkhDzzttfao44a8Qa63fsQBu4bRzpzxeNoqYpnpQQv7gmo"
}{
"alg": "ES256", <-- The algorithm used
"kid": "#keyId", <-- The key identifier of the issuer (used to sign the JWT)
"typ": "vc+sd-jwt", <-- Indicated this is a SD-JWT-VC
}
.
{
"vct": "https://example.com/RSIN",
"status": {
"status_list": {
"idx": 0, <-- numeric value that represents the index to check for status information in the status list
"uri": "https://example.com/status-lists/1" The status list URI (it can be downloaded at this location)
}
},
"iss": "did:web:example.com",
"iat": 1719941996,
"kvk_number": "12345678",
"legal_entity": {
"rsin": "12345678"
},
"_sd_alg": "sha-256"
}Example JWT StatusList
The below example shows the actual Token Status List. This list is made publicly available as a JWT that can be downloaded.
Every credential issued using this status list would have a URI pointing to this list. The lst is the bitstring, which is gzip compressed and base64url encoded. After every change of the status list a new version is published and thus signed by the issuer.
{
"alg": "ES256", <-- The algorithm used
"kid": "#keyId", <-- The key identifier of the issuer (used to sign the JWT)
"typ": "statuslist+jwt" <-- Indicated this is a status list in JWT format
}
.
{
"exp": 2291720170, <-- Optional expiration time of the status list, handy for cache evictions for instance
"iat": 1686920170, <-- Issuance time of the status list
"iss": "did:web:example.com", <-- Issuer of the status list. Must be the same as the `iss` value of the VC
"status_list": {
"bits": 2, <-- number of bits per Referenced Token in the status list ("lst", which is 1, 2, 4 or 8)
"lst": "H4sIAOpbjGQC_zvp8hMAZLRLMQMAAAA" <-- The encoded and compressed status list
},
"sub": "https://example.com/status-lists/1" <!-- The status list identifier itself. Must match the `uri` value in the `status_list` object of the referencing VC
}Bitstring Status List
Bitstring Status List (opens in a new tab) is similar to the Token Status List, and provides a simple specification defining a compressed bitstring status list, made , made available as a BitstringStatusListCredential VC. The status list VC can be referenced within other credentials.
Bitstring Status List is primarily used for revocation in W3C Verifiable Credential Attestation Format.
Example W3C VC with BitStringStatusListEntry
The below example is a W3C VC issued with a unique status list index. Notice the additional credentialStatus top-level object.
{
"@context": ["https://www.w3.org/ns/credentials/v2"],
"id": "https://example.com/credentials/23894672394",
"type": ["VerifiableCredential"],
"issuer": "did:example:12345",
"issued": "2021-04-05T14:27:42Z",
"credentialStatus": {
"id": "https://example.com/credentials/status/3#94567", <-- unique ID containing the link to the statusListCredential with a fragment pointing to the index
"type": "BitstringStatusListEntry", <-- Mandatory for BitstringStatusListEntry
"statusPurpose": "revocation", <-- either revocation or suspension, depending on statuslist purpose
"statusListIndex": "94567", <-- unique number, randomly assigned during issuance
"statusListCredential": "https://example.com/credentials/status/3" <-- Unique URL for the statusList
},
"credentialSubject": {
"id": "did:example:6789",
"type": "Person"
},
"proof": { ... }
}Example BitstringStatusListCredential
The below example shows the actual status list. This list is made publicly available as a W3C Verifiable Credential that can be downloaded. Every credential issued using this statusList would have a URI pointing to this list.
The encodedList is the bitstring, which is gzip compressed and base64url encoded. The whole status list is represented as a W3C Verifiable Credential, so that relying parties can verify that the status list is signed by the issuer of a verifiable credential.
After every change of the status list a new version is published and thus signed by the issuer.
{
"@context": ["https://www.w3.org/ns/credentials/v2"],
"id": "https://example.com/credentials/status/3",
"type": ["VerifiableCredential", "BitstringStatusListCredential"], <-- The 2nd type indicates this is a bitstring status list
"issuer": "did:example:12345",
"issued": "2021-04-05T14:27:40Z",
"credentialSubject": {
"id": "https://example.com/status/3#list", <-- Unique ID of the status list, the list fragment is mandatory
"type": "BitstringStatusList", <-- Type of status list
"statusPurpose": "revocation", <-- Purpose. Can be revocation or suspension
"encodedList": "H4sIAAAAAAAAA-3BMQEAAADCoPVPbQwfoAAAAAAAAAAAAAAAAAAAAIC3AYbSVKsAQAAA" <-- The encoded and compressed statusList
},
"proof": { ... }
}