EBSI recognises the need for a versatile revocation framework that caters to diverse business scenarios while adhering to privacy compliance regulations. Example business scenarios include revoking credentials issued to legal entities and natural persons, managing access rights, and handling work contracts.
This white paper introduces EBSI’s Verifiable Credential Status Framework, which enables the management and expression of a Verifiable Credential’s (VC) status, which can be valid, suspended or revoked. The Issuer of the VC is responsible for storing and keeping this status information up to date. The proposed framework offers various strategies configured for different types of VCs, allowing use cases to select the approach that best meets their specific business requirements.
The revocation of VCs issued to legal entities, including Verifiable Authorisations, Verifiable Accreditations, and Verifiable Attestations, is not subject to the General Data Protection Regulation (GDPR). As such, the status of Legal Entity VCs can be managed either in the Trusted Issuers Registry on EBSI’s ledger or externally. Two strategies are proposed for Verifiable Accreditation management: storing the status information in the EBSI Trusted Issuers Registry or hosting the information by the Issuer and obtaining it via the registry. Data structures for Verifiable Accreditation management include W3C Status List, Certificate Revocation List (CRL), and others.
For VCs issued to natural persons, the status information for Verifiable Attestations must be managed per the GDPR. Furthermore, Natural Person VC status information must be hosted and managed by the Issuer of the Verifiable Attestation, and no personal information is stored on EBSI. The modular design of the VC status framework enables use cases to meet their business, privacy, and security requirements by choosing from different strategies for either short-lived or long-lived VCs. Short-lived VCs involve the holder obtaining a fresh VC each time it is needed. In contrast, long-lived VCs may involve obtaining status information directly from the Trusted Issuer, through the EBSI network, or from the Issuer or a third party as a separate status VC.
Each strategy has advantages and limitations regarding privacy, connectivity, and up-to-date information. Overall, EBSI aims to provide a modular and adaptable framework that caters to the ever-changing needs of citizens, businesses, and public organisations, striking a balance between privacy, security, and functionality.