DID revocation on Hyperledger Indy

I read several documents about the revocation of verifiable credentials.

However, I cannot find how Indy controls the revocation of DIDs.

If a DID is revoked, what happens on Indy?

It will be helpful to be very precise about what is meant by “revocation” of DIDs. There are several possibilities:

  1. The keys associated with a DID can be revoked and replaced with new ones. This is done with a NYM transaction that changes the keys that a DID uses.

  2. The DID spec describes an operation that’s called “deactivation”. This is also called “retirement”. It means that a DID is marked as “no longer used” and “cannot be reactivated”. This is done by rotating the DID’s keys so there is only one key, and it has a reserved value (I believe the reserved value is all zeros, but I could be remembering wrong). Since nobody knows the private key for a public key of all zeros, this pubkey value means that nobody can ever change the DID ever again; nor can they ever authenticate with the DID. This would be an appropriate operation for the DID of a person who passes away; the DID needs to remain on the ledger, but we don’t want any impostor to be able to impersonate the dead DID owner.

  3. You might be imagining a “delete” operation for DIDs, where a DID is removed from the ledger entirely. Sovrin doesn’t support such an operation. Even when the DID will not be used going forward, it is nevertheless a historical fact that it existed and was registered in the past. Since the ledger is an immutable historical record, it cannot generally be purged. (There is one theoretical exception to this, which is that it could be possible to “tombstone” a ledger record such that it doesn’t show up in query results. However, this is only theory; there’s no feature to support this at present.)
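Added example, not part of the original posts and not Indy's own code: a client-side audit that replays a DID's NYM history and reports whether the DID is active, has had its key rotated (case 1), or is deactivated (case 2). The record layout is simplified (only `seqNo`, `dest` and `verkey`), the DIDs and keys are constructed placeholders, abbreviated verkeys are not handled, and the all-zero reserved verkey is an assumption taken from the answer's recollection.

```python
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Assumption (the answer's recollection, not confirmed): a retired DID holds a 32-byte all-zero verkey.
RESERVED_VERKEY = bytes(32)

def b58encode(raw):
    """Base58-encode bytes; each leading zero byte becomes '1'."""
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text):
    """Base58-decode text; raises ValueError on a character outside the alphabet."""
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    return bytes(len(text) - len(text.lstrip("1"))) + body

def did_state(history, did):
    """Replay simplified NYM records for one DID, in seqNo order, and report its state."""
    current, rotations = None, 0
    for txn in sorted(history, key=lambda t: t["seqNo"]):
        if txn["dest"] != did or "verkey" not in txn:
            continue  # another DID, or a NYM that leaves the key unchanged
        key = b58decode(txn["verkey"])
        if len(key) != 32:
            raise ValueError(f"seqNo {txn['seqNo']}: verkey is not 32 bytes")
        if current == RESERVED_VERKEY:
            # No private key exists for the reserved value, so any later key write is suspect.
            return {"state": "inconsistent", "rotations": rotations, "seqNo": txn["seqNo"]}
        if current is not None and key != current:
            rotations += 1
        current = key
    if current is None:
        return {"state": "unknown", "rotations": 0}
    state = "deactivated" if current == RESERVED_VERKEY else "active"
    return {"state": state, "rotations": rotations}

# Constructed sample data: placeholder DIDs and keys, not real ledger records.
K1, K2 = b58encode(bytes([1]) * 32), b58encode(bytes([2]) * 32)
HISTORY = [
    {"seqNo": 10, "dest": "did-alice", "verkey": K1},
    {"seqNo": 11, "dest": "did-bob", "verkey": K1},
    {"seqNo": 12, "dest": "did-alice", "verkey": K2},  # case 1: key rotation
    {"seqNo": 13, "dest": "did-bob", "verkey": b58encode(RESERVED_VERKEY)},  # case 2: deactivation
]

print({d: did_state(HISTORY, d) for d in ("did-alice", "did-bob", "did-carol")})
```

Under the all-zero assumption the retired verkey encodes as 32 `1` characters in base58, which makes a deactivated DID easy to spot in raw query output.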

Thank you for the help, Danielh. Your reply is very helpful for me.

I have a double check about it. 🙂