Atala Prism Expiring Credentials and Revocation

So many questions about Atala and eagerness to start using it, but starting with hopefully a simple question.

Say you have a credential, this could be a university degree and luckily these aren’t expiring. But say they later found out you cheated and now need to take back your degree. Is there a way to revoke a credential issued?

Similar scenario with examples given on the Atala Prism website, such as someone starts a job and now has an employment credential, how does that get terminated or expired, once they move jobs?

The user is meant to own this data. But then doesn’t the organization that wants to verify the information need to contact the original issuer to verify it, hence the original issuer can still take away a user’s credential. Which I thought was meant to be against the principle of decentralized ID in that they couldn’t.


Ok I was in the zone for some learning, so a few hours of YouTube lectures later here I am. I probably should have done this first, sorry. I’ll place my findings here for anyone else.

Since Atala Prism isn’t released yet this is speculative. I’m basing this off the current state of the W3C specification document, Microsoft’s explanation of its implementation and guessing it will be similar. Also this is my first few hours of diving into DIDs, hence please correct me if applicable.

  1. You use the Atala Prism SDK to create a DID (e.g. did:prism:xxxx) on the Cardano blockchain, using my private key. This DID and signing will be on the Cardano blockchain.
  2. I now need to go to the issuer, say the university in this case. I can scan a QR code (like in the DEMO), which asks me to accept a credential.
  3. I accept, which now creates a new DID. I assume some kind of co-signing happens here to prove both issuer and personal DID acceptance. This would then be stored on the blockchain, with DID Document details.
  4. This DID is specific to a type of credential. You will have did:, that is just a W3C identifier to say it’s a DID. prism is the method name, which tells you the DID can be verified via Atala Prism, hence I suppose the Cardano blockchain, and xxxxx is going to be the method name, which is the actual credential associated with the DID.
  5. Because you created the DID and signed using your private key, you, the user, have ownership over that DID and can cryptographically prove it.
  6. The details to generate a DID Document are likely to be stored on the blockchain too. Not sure if there will be a secondary chain link, but I hope not.
  7. The DID Document is just going to contain public keys and a service endpoint, so you can verify information. Not sure what the limit of the information for the DID Document will be.
  8. DID Documents usually have a service endpoint that can then be reached to find out more information about that credential.

This is where I assume Atala PRISM comes in. Where there will be an endpoint that can answer further questions and prove identity and validity of the credential. But since it’s on the Cardano blockchain and the service endpoint is up to the issuer, it could be anywhere.

Hence at this point the Service Endpoint could reject its validity. You would still own and control the identity, but the service endpoint could give more information.

So to sum it up, you can prove you own a credential, and the service endpoint can communicate more information regarding the credential. I suppose if the service endpoint goes down in the future you are no longer able to do anything other than just verify you have a credential from that issuer, but with little to no more information provided.

Unless you need to provide a static DID that just dictates ownership, and you can sign it to someone else. If I am right the service endpoint is optional, or could even point to another distributed ledger for more information.

Though on some credentials and information you don’t want public information stored on there, so you will need to communicate peer to peer for that information. Plenty of variations to think about.


In the EU SSI/DID solution they also mention “revoke”: File:(20201118)(Piloting with EBSI Webinar 2 Roadmap Your Pilot)(v1.01)-82.png - Wikimedia Commons. They also wrote stuff about it: [archived] Technical Specification (16) - Description of DID Registrar / Resolver - EBSI Documentation - CEF Digital. Maybe that helps us to understand the generic big picture.


Hello, @FlippyFlink!

Who are the “they” that you are referring to that mention the “revoke” in the EU SSI/DID solution?

“They” is the European Commission and people working with them who are developing the EU SSI/DID solution. The …82.png links to a YouTube video where “they” comment on that and all other slides.