Credential Revocation by issuer

[jjeroch]

Summary

Revocation request by the issuer of the credential.
The revocation itself will be inside the revocation of the issuer since the credential status list is located inside the issuer wallet.

Details

Task: Implement Credential Revocation Interface for Issuer

implement a credential revocation interface for the issuer itself. This interface will allow the credential issuer to revoke earlier issued credentials, such as frameworkAgreement or BPN, in case of security concerns or account compromise. The interface should follow the specified requirements:

1. Revocation Method: Implement a method revokeCredential that takes the customer's credential unique identifier to be revoked as input parameters.

2. Validation: Before revoking the credential, validate the customer's identity to ensure that they have the authority to revoke the credential.

• Validate issuer permission
• Validate the issuer jwt claim "bpn" - must be the same as the issuer

3. Revocation Process: Once the issuer identity is validated, perform the necessary steps to revoke the credential. Details see below

---

To implement this function, we first of all need a new endpoint inside the issuer component which can get called by the holder.

Endpoint: /api/revocation/issuer/credentials/{credentialId}
HTTP Method: POST
Authority: revoce_credentials_issuer
Validation:
the endpoint can get called by the issuer to revoke a credential

1. validate if the user calling the credential revocation is the issuer
2. validate if the credential is revocable (active)

• if "yes" proceed
• if "no" response "already done"

3. run the revocation process on the wallet side (details see below)
4. with the response of success (from the wallet side); take the following updates

• set the document inside the documents table to "INACTIVE"
• set the credential request inside the ssi_details table to "REVOKED"

Please check, can we somewhere store the info for the user that the issuer has revoked the credential?

The new API Endpoint should support following responses:

• Status Code: 200 OK
• Status Code: 401 Unauthorized (if authentication fails)
• Status Code: 403 Forbidden (if authorization fails)
• Status Code: 404 Not Found (if credential id is not found)
• Status Code: 500 Internal Server Error (for any other server-side errors)

DIM WALLET REVOCATION

Endpoint: /api/v2.0.0/credentials/{credentialId}

HTTP Method: PATCH

Request Headers:

• Content-Type: application/json
• Authorization: Bearer [access_token] (for authentication and authorization)

Request Body:

{
  "payload": {
    "update": {
      "name": "???",
      "description": "revoke",
      "credentialSubject": {
        "id": "???",
        "email": "???"
      }
    }
  }
}