Master's Thesis Srajit Sakhuja

Last modified Jun 4

Verifiable Credentials (VCs) are a proven way for real-world entities to make claims about
themselves, issuing parties to be assured that this information is tamper-proof, and verifying
parties to be sure that those claims are not fabricated. Along with the Verifiable Credentials
standard, the World Wide Web Consortium (W3C) has published two other closely related
standards on Decentralised Identifiers and Status List 2021. Together these three standards
are the cornerstone for implementing self-sovereign identity (SSI) in decentralised cloud
ecosystems such as the European Gaia-X framework.

The subjects of VCs may be citizens of countries, students at universities, and employees of
companies. These subjects may become ineligible for possessing the VCs issued to them, at
any given point, for a myriad of reasons. When such situations arise, these VCs need to be
revoked and/or temporarily suspended. It is easy to see why the revocation and suspension
of Verifiable Credentials is just as important as issuing them. The Status List 2021 standard is
the present-day approach for revoking and suspending VCs. GX Credentials is an open-source
project that partially implements the Verifiable Credentials standard and enables
the issuance of VCs to companies and their employees.

In the first part of this work, we set forth the design goals for a revocation setup, explore the
shortcomings of the status quo, and describe what is missing in a system like GX Credentials
to enable the revocation and suspension of VCs. This analysis reveals that the problem
statement can be broken down into two sub-problems: (1) Designing a data structure that
improves on the shortcomings of Status List 2021 and (2) Proposing architectural changes to
GX Credentials to build an end-to-end setup for revoking and suspending VCs at scale.

In the second part, we design and implement solutions for these two sub-problems. For
the revocation data structure, we draw inspiration from TLS and the solutions that have been
proposed to solve TLS certificate revocation. The most promising among these solutions is
CRLite, which we use as a basis to design a revocation data structure for Verifiable Credentials.
We conduct experiments with different variants of this data structure, which reveal that
using an Approximate Membership Query data structure called XOR Filters gives the most
promising results and leads to 7.5x less space consumption than the status quo. For the
architectural changes to GX Credentials, we propose the addition of two components called
the Company Management Service (CMS) and the Membership Checking Service (MCS).
This achieves a better separation of concerns between the three components - the existing GX
Credentials application run by the Trust Anchor, the CMS managed by companies, and the
MCS used by verifiers - and redistributes the data across these components on a need-to-know
basis, thereby achieving better data isolation and privacy guarantees.

Finally, we conclude the thesis by evaluating the proposed solutions on the design goals
that we delineated in the first part.

Files and Subpages

Name Type Size Last Modification Last Editor
Srajit Sakhuja MT Final_Presentation.pdf 3,75 MB 03.06.2024
Srajit Sakhuja MT Kick_Off_Presentation.pdf 2,39 MB 03.06.2024
Srajit_Sakhuja_MT.pdf 5,93 MB 03.06.2024