Digital credentials are a game changer for establishing assurance in high-value digital interactions. However, assurance can’t be static—it must reflect up-to-date, accurate, and reliable information over time. This is where revocation plays a key role, enabling credentials to remain relevant and trustworthy, not just at the moment of issuance, but throughout their lifecycle.
At the heart of this is the concept of continuous assurance for issuers, ensuring they maintain control and confidence over the status and validity of the credentials they issue. For verifiers, this aligns with continuous profiling, providing the ability to reliably check credentials against the most current status, reducing reliance on outdated or inaccurate data.
Consider a government-issued mobile driver’s license (mDL): if the license is suspended due to a traffic violation, the status must update promptly to reflect that change. Or take a financial institution revoking a loan approval credential after uncovering new financial information—ensuring the revocation is seamlessly communicated to verifiers is critical to reducing risk.
By maintaining high-assurance, reliable and verifiable data, revocation drives significant value. It enhances convenience by automating updates for issuers and verifiers, reduces risk by preventing the misuse of invalid credentials, and increases security across the ecosystem. Without these capabilities, the digital credential ecosystem risks losing its reliability, exposing issuers, holders, and verifiers to unnecessary vulnerabilities.
Standards and interoperability
Despite the critical role revocation plays, there’s currently no established standard to handle this requirement for mDocs. Recognizing this gap, MATTR has introduced mDocs revocation capabilities that are based on the IETF Token Status List draft standard.
We believe the Token Status List offers a secure, interoperable approach that aligns with the evolving needs of credential issuers and verifiers. By adopting this draft standard early, we aim to stay ahead of the curve. As the draft matures into a finalized specification, we’ll adapt our implementation to remain aligned.
How it works
FOR CREDENTIAL ISSUERS
With MATTR VII, issuers can now issue mDocs in a way that allows them to be revoked later—either temporarily or permanently. This capability is designed to meet real-world issuer needs, such as:
- Temporary suspension: A government pauses access to certain benefits due to an eligibility review.
- Permanent revocation: A financial institution invalidates a loan approval after discovering it was issued in error.
A revocable mDoc includes a reference to a status list. Status lists are automatically created and managed by MATTR VII. They are publicly available and can be consumed by verifiers to check the status of presented mDocs. This ensures that verifiers always check the credential’s validity against the latest issuer-provided information, reinforcing trust and preventing reliance on outdated credentials.
As each status list contains the revocation status of multiple mDocs, each revocable mDoc references the index of its status within a specific status list. As a result, when a verifier retrieves a status list, the issuer cannot tell what specific mDoc they are checking the status for. This means the issuer does not know how often or to whom an mDoc is being presented, maintaining holder`s privacy.
FOR CREDENTIAL VERIFIERS
To support verifiers, our Verification SDKs now include revocation checks as part of their verification workflows. If a credential is revoked, this information is surfaced by the SDK, ensuring that invalid credentials can’t be misused. Since this is currently a proprietary feature, the revocation check is configurable—issuers and verifiers can enable or disable it as required.
ADDITIONAL RESOURCES
To learn more about implementing mDocs revocation, explore these resources:
What's next?
Revocation isn’t just about preventing misuse; it’s about building a digital credentialing ecosystem that inspires confidence and supports long-term trust. We encourage you to think about how revocation could enhance the value of your solution.
Could it ensure compliance in regulated industries? Provide better risk management? Or even improve user experiences by keeping credentials relevant?
If you’re ready to explore the possibilities, MATTR is here to help. Let’s build a digital ecosystem where trust endures.
