<div class="header-article-container">
<div class="labels-container"></div>
<h1 class="">What to do when good Verifiable Credentials go bad.</h1>
<div class="article-data-info heading-deco terciary"><div>
<div><p>Published on </p>

</div>
<p class="dot-seperator"></p>
<p class="reading-time"><span></span> min read</p>
</div>
</div>  
</div>

<img class="img-fluid" src="https://ec.europa.eu/digital-building-blocks/sites/download/attachments/693209363/image-article-revocation-whitepaper.jpg?api=v2" alt=""/>
<div class="description-article">
<p>Revoking or suspending credentials is a thorny issue. EBSI conducted the first global study on revocation strategies and developed criteria for comparing revocation methods for W3C Verifiable Credentials.</p>
</div>
<div style="display:none;" class="image-credits"><a href=""></a></div>

<div class="side-content-header">

<h4 class="social-share-desc">Share this article</h4>
<div class="social-share">
<a onclick="shareOnFacebook()" class="facebook-share"><img src="https://ec.europa.eu/digital-building-blocks/sites/download/attachments/465732214/facebook-cion.png" alt=""/></a>
<a onclick="shareOnTwitter()" class="twitter-share"><img src="https://ec.europa.eu/digital-building-blocks/sites/download/attachments/465732214/twitter-icon.svg" alt=""/></a>
<a onclick="shareOnLinkedIn()" class="linkedin-share"><img src="https://ec.europa.eu/digital-building-blocks/sites/download/attachments/465732214/linkedin-icon.png" alt=""/></a>
<a onclick="shareViaEmail()" class="mail-share"><img src="https://ec.europa.eu/digital-building-blocks/sites/download/attachments/465732214/mail-icon.png" alt=""/></a>
</div>
<div class="description-article"> Revoking or suspending credentials is a thorny issue. EBSI conducted the first global study on revocation strategies and developed criteria for comparing revocation methods for W3C Verifiable Credentials.</div>
</div>

<p>
  What would happen if a students’ university degree was revoked, due to fraud,
  mistake or misconduct? How can a verifier check if a presented diploma
  verifiable credential is still valid? A means to check the validity of any
  presented Verifiable Credential is needed to maintain trust between the
  Issuers, holders, and verifying organizations within the EBSI ecosystem.
</p>
<p>
  “Revocation by EBSI: EBSI’s Credential Status Framework and how to choose a
  revocation method when using W3C Verifiable Credentials (and more)”, a new
  EBSI whitepaper, explores how revocation and suspension solves this problem.
  Conclusions of this whitepaper can be applied in any ecosystem where
  Verifiable Credentials are exchanged.
</p>

<h2 class="h4">
    <strong>The revocation and suspension of Verifiable Credentials </strong>
  </h2>
  <p>
    Revocation and suspension measures ensure that credential holders continue to
    meet specific criteria, like having successfully obtained a degree (for
    natural persons), or having a certain legal accreditation or mandate (for
    legal persons and entities). The ability to revoke or suspend credentials
    allows issuers to retain control over their Verifiable Credentials, and
    ensures only the right holders have valid credentials. It also ensures that
    <a class="mrg-r-0 link-cta text-secondary" href="https://ec.europa.eu/digital-building-blocks/sites/download/attachments/600343491/Chapter%205%20-%20Issuer%20Trust%20Model%20%20.pdf?api=v2" target="_blank">Trusted Issuers</a> can have their mandate revoked, in the event of a
    restructuring or a termination of a business’ operations.
  </p>
  <p>
    Many revocation methods have been piloted across the world, across a number of
    industries and sectors. EBSI analysed and compared different revocation
    methods used across the globe, and this enabled us to define a series of key
    business criteria for selecting a suitable revocation method for your project.
  </p>

<h2 class="h4">
  <strong>The requirements for revocation in EBSI’s use cases</strong>
</h2>
<p>
  EBSI’s use cases have defined essential business requirements for a revocation
  framework that ensures privacy and regulatory compliance for all participants
  in the credential ecosystem, while also allowing for multiple options for
  revocation. A revocation framework must:
</p>
<ul>
  <li><p>Ensure compliance with GDPR</p></li>
  <li><p>Eliminate the traceability of holders</p></li>
  <li><p>Protect holder privacy</p></li>
  <li>
    <p>Retain from storing or processing personal data on the EBSI blockchain</p>
  </li>
  <li>
    <p>Prevent issuers or third parties from linking revocation checks to holders</p>
  </li>
</ul>

<p>
  Use case owners need to answer a series of questions to find what revocation
  strategy is most suitable:
</p>
<ul class="article-list-numbers">
  <li><p>What level of privacy preservation is needed?</p></li>
  <li>
    <p>Is there a need to create a limited time window for the validity of the
        credential?</p>
  </li>
  <li>
    <p>Is it necessary to track the validity of signatures within the use case?</p>
  </li>
</ul>

<h2 class="h4">
  <strong>Multiple approaches to revocation are possible</strong>
</h2>
<p>
  Different approaches for revocation are needed for Verifiable Credentials
  issued to legal entities (where GDPR does not apply), and natural persons
  (where it does). EBSI designed a
  <a class="mrg-r-0 link-cta text-secondary" target="_blank" href="https://api-conformance.ebsi.eu/docs/specs/credential-status-framework/credential-status-strategies"><strong>Credential Status Framework</strong></a> to be able to select the relevant
  revocation method (or combination of methods) to suit the specific privacy and
  efficiency requirements of your use case.
</p>
<p>
  For legal entities the options are: storing status information in the EBSI
  Trusted Issuers Registry, or alternatively status information is hosted
  directly by the Issuer and obtained by the Trusted Issuers Registry.
</p>
<p>
  For natural persons there are more options. Verifiable Credentials can be
  short lived, and a new valid VC is issued whenever the holder requests one.
  For long lived VCs status information can be obtained directly from the
  Trusted Issuer. Status information can instead be obtained from the Trusted
  Issuer through the EBSI network. And as a final option holders can be granted
  a special VC that contains the status information of their credentials.
</p>
<p>
  These strategies address the many needs of diverse stakeholders in different
  EBSI use cases; while all ensuring privacy and limiting traceability, while
  offering a high degree of functionality for all public, private, and public
  sector users.
</p>

<p>
  For more information on revocation and these proposed strategies, please read
  the full whitepaper, or read our <a class="mrg-r-0 link-cta text-secondary" target="_blank" href="https://hub.ebsi.eu/vc-framework/credential-status-framework"><strong>technical specifications</strong></a> for
  all the revocation methods that have been identified as viable by EBSI.
</p>

<a
  class="btn secondary"
  href="https://ec.europa.eu/digital-building-blocks/sites/download/attachments/693209363/%28EBSI%29.%28Revocation%20Whitepaper%29.%28V1.0%29.pdf?api=v2"
>Download the whitepaper</a>

<div class="box bg-grey">
  <p></p>
  <h2 class="h5">
    <strong><i>Further reading</i></strong>
  </h2>
  <p>
    <strong
      >Discover our other publications on
      <a
        rel="nofollow"
        href="https://ec.europa.eu/digital-building-blocks/sites/display/EBSI/Explained+Series"
        target="_blank"
        >EBSI Explained</a
      ></strong
    >
  </p>
  <p>
    <strong
      >Consult 
      <a
        rel="nofollow"
        href="https://hub.ebsi.eu/vc-framework/credential-status-framework"
        target="_blank"
        >the technical specifications for credential revocation</a
      ></strong
    >
  </p>
  <p>
    <strong
      >Discover the
      <a
        rel="nofollow"
        href="https://hub.ebsi.eu/vc-framework"
        target="_blank"
        >EBSI Verifiable Credentials Framework </a
      ></strong
    >
  </p>
  <p></p>
</div>