This repository has been archived by the owner on Oct 29, 2019. It is now read-only.

Should revoked keys remain in DID Document? #63

Closed
Drabiv opened this issue Mar 10, 2018 · 5 comments
Comments

@Drabiv

Drabiv commented Mar 10, 2018

When keys are being revoked, are there any recommendations on whether they should remain in DDoc or be removed completely?
When checking validity of signature in a credential there is a need to check if the key of a signer was revoked at the time of signing. To do this check there should be a way to check all DID's keys and retrieve their revocation timestamps.
I would think that to make this check easier it would be better to keep revoked keys in DDoc, but in the spec I see only examples of complete keys removal.
Will it be allowed in DID Method spec to have revoked keys stay in DDoc? Maybe we can add "keyRevoked" and "keyRevocationTS" properties?

@msporny
Contributor

msporny commented Mar 13, 2018

When keys are being revoked, are there any recommendations on whether they should remain in DDoc or be removed completely?

They should probably remain in the DID Document, and keys should be associated w/ a revocation list of some kind.

When checking validity of signature in a credential there is a need to check if the key of a signer was revoked at the time of signing. To do this check there should be a way to check all DID's keys and retrieve their revocation timestamps.

Yes, agreed.

I would think that to make this check easier it would be better to keep revoked keys in DDoc, but in the spec I see only examples of complete keys removal.

Yes, we don't have this in the spec yet.

Will it be allowed in DID Method spec to have revoked keys stay in DDoc?

Yes, we should allow this or specify that all keys MUST be associated w/ a revocation list.

Maybe we can add "keyRevoked" and "keyRevocationTS" properties?

I suggest we reuse some combination of these existing terms -- "created" and "expires" and "revoked".

@msporny
Contributor

msporny commented May 4, 2018

Add language that states that if a key does not exist in a DID Document, an implementation MUST assume that the key has been revoked.
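The check Drabiv asked for, as an added example that is not code from this thread or from the DID spec: it treats a key as usable at a given signing time only if it is present in the DID Document and the signing time falls inside its "created" / "expires" / "revoked" window (the terms msporny suggested reusing), and it applies the rule above that a key absent from the document is assumed revoked. The DID Document layout, key ids and timestamps are constructed for the example.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample DID Document (not from the thread). Revoked and expired
# keys stay in the document so a verifier can recover their timestamps.
SAMPLE_DID_DOC = {
    "id": "did:example:123",
    "publicKey": [
        {"id": "did:example:123#key-1", "created": "2018-01-01T00:00:00Z"},
        {"id": "did:example:123#key-2", "created": "2018-01-01T00:00:00Z",
         "revoked": "2018-03-01T00:00:00Z"},
        {"id": "did:example:123#key-3", "created": "2018-01-01T00:00:00Z",
         "expires": "2018-02-01T00:00:00Z"},
    ],
}


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an RFC 3339 UTC ('Z') timestamp; None when the field is absent."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_valid_at(did_doc: dict, key_id: str, signed_at: str) -> bool:
    """Return True if key_id could legitimately have signed at signed_at.

    Rules applied: a key that does not exist in the DID Document is treated
    as revoked; a key is invalid before its "created" time, at or after its
    "expires" time, and at or after its "revoked" time.
    """
    when = _ts(signed_at)
    key = next((k for k in did_doc.get("publicKey", [])
                if k.get("id") == key_id), None)
    if key is None:
        return False  # missing from the document => assume revoked
    created = _ts(key.get("created"))
    expires = _ts(key.get("expires"))
    revoked = _ts(key.get("revoked"))
    if created is not None and when < created:
        return False
    if expires is not None and when >= expires:
        return False
    if revoked is not None and when >= revoked:
        return False
    return True
```

The signing time must come from a source the verifier trusts (a ledger entry or an external timestamp), not only from the credential itself, since whoever holds a compromised key can put any date on a signature.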

@satazor

satazor commented Jul 2, 2018

Hello! Thanks for tackling this issue. Looking at the diff, it seems that the revocation list structure is not being enforced. Shouldn’t we standardize the data model of the list to improve the interoperability between different DID methods?

Let me know if you want me to create a new issue to discuss this.

Thanks

@mikelodder7
Contributor

The text says it's up to the method spec. To standardize on a method or structure for that, I think it should be a separate issue.

@msporny
Contributor

msporny commented Jul 2, 2018

Shouldn’t we standardize the data model of the list to improve the interoperability between different DID methods?

Yes, we should, and that work is sort of happening here (but needs to be generalized to keys, which shouldn't be that difficult): https://w3c-ccg.github.io/vc-status-registry/ and here https://w3c-ccg.github.io/vc-csl2017/

Let me know if you want me to create a new issue to discuss this.

As @mikelodder7 said, yes, please do.
