O06 - Revocations
| Sequence | Objective Detail | Test Procedure |
|---|---|---|
| O06 | Confirm that the Innovation supports revocation. | Use the revocation interface of the innovation to revoke certificates used to sign credentials AND use the revocation interface of the Innovation to revoke a single credential. |
Assumptions & Acceptance Criteria
- Support revocation of credentials in the issuer
- Support revocation of signing credentials in the issuer
- Create an administrative UI to perform revocations of single credentials
- Create an administrative UI to perform revocations of single signing keys
- Revocation of a signing key will render the verified status of all credentials signed by that key as "not verified"
- Credentials with an invalid signing key can be reissued with a new valid signing key automatically, or on demand by the holder
- Revocation of a credential directly will render the verified status of that credential as "revoked"
- Credentials with a revoked status cannot be reiussed automatically, nor on demand by the holder
- Instead, if a new credential of that type is required, it must be directly issued again by an administrator on the Issuer portal
Testing Guidance
Revoke a credential using UI
-
Log into the Issuer Portal at https://admin.blueprintissuer.com
tipDefault admin credentials are:
Login: adminlevel4@blueprintissuer.com
Password: adminpassword -
Locate the credential you want to revoke by one of two methods:
- Locate Credential from list of all credentials, OR
- Locate Credential from a Profile
-
On the selected credential's detail page, click the Revoke button
-
The UI should update to show the credential has been revoked
-
Optional: Attempt to verify the credential using the Verifier application. The revocation status should be displayed once scanned.
Revoke a credential using API
-
Choose how to authenticate to the API (e.g. token or api key)
-
Call the
POST /credentials/statusendpoint with the required payloadExample payload
{
"credentialId": "urn:ID_Card:kUjj3k4Eo3DBhnCwtUzhdl1WoUSfVJ5vk8fqod1xwBg",
"credentialStatus": [
{
"type": "BitstringStatusListCredential",
"status": "revoked"
}
]
}Example response
TODO
Revoke a signing credential using UI
-
Log into the Issuer Portal at https://admin.blueprintissuer.com
tipDefault admin credentials are:
Login: adminlevel4@blueprintissuer.com
Password: adminpassword -
Navigate to Decentralized Identifiers
-
Select a DID from the list of identifiers to revoke
-
Choose between the Rotate or Revoke options
Revoke a signing credential using API
-
Choose how to authenticate to the API (e.g. token or api key)
-
For signing key rotation, Call the
PUT /admin/dids/rotate/{didType}endpoint:Example response
{
"did": "did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ1c2UiOiJzaWciLCJ4IjoidTctWGpWVGFaX3g0TlhBNEZUdDJoc25GR3QzclFZN2NCM29nZUFHOUpHayIsInkiOiI1RDhIMVJsLS0wdjExUC1MMW8zUER1UGhval9uY1BYWVJEOU9zeHJocjBVIn0",
"controllerKeyId": "03bbbf978d54da67fc78357038153b7686c9c51addeb418edc077a207801bd2469",
"keys": [
{
"type": "Secp256r1",
"kid": "03bbbf978d54da67fc78357038153b7686c9c51addeb418edc077a207801bd2469",
"publicKeyHex": "03bbbf978d54da67fc78357038153b7686c9c51addeb418edc077a207801bd2469",
"meta": {
"algorithms": ["ES256"]
},
"kms": "local"
}
],
"services": [],
"provider": "did:jwk",
"alias": "03bbbf978d54da67fc78357038153b7686c9c51addeb418edc077a207801bd2469"
} -
For signing key revocation, call the
DELETE /admin/dids/{did}endpoint:
Example response
true
Additional Considerations
- Key rotation is a form of revocation, distinguished by the automatic creation of a new signing key in its place.
- Key revocation consequently does not replace a new signing key.