How to handle revocation in case of multiple issuers of same credentials?


I am very new to SSI and trying to explore various use cases using it.

So I came across the use case of tracking the ownership of an IoT device using SSI.
In this use case, the manufacturer manufactures the IoT device, sells the device to Buyer1 and issues ownership credentials to Buyer1, and Buyer1 stores the credentials in its wallet.

Now, Buyer1 decides to move on and sell the device to Buyer2. Hence it generates new ownership credentials and issues them to Buyer2. But before issuing new ownership credentials to Buyer2, the ownership credentials of Buyer1 have to be revoked (or “something” has to be done to make them invalid).

The problem I am facing here is that Buyer1 got the credentials from the manufacturer, so only the manufacturer has the right to revoke them. But we cannot invite the manufacturer again to revoke the credentials, as the manufacturer may have shut his business down or may not exist by the time Buyer1 decides to sell the device to Buyer2.

This leads to a roadblock in my approach. So any suggestions or solutions here are appreciated.

One more thing to note here is that all the actors involved are trust anchors; that is because they have the responsibility to issue ownership credentials to the new owner every time there is a change of ownership.

Thanks in advance.


Excellent question, Sachin!

Several approaches could be taken. Here is a non-exhaustive list.

  1. You could think of ownership as being a credential issued by the device, not by the manufacturer. The manufacturer, Acme, builds into firmware on the device the initial ownership state, and has the device issue an ownership credential to Acme the first time it is powered on. Whenever ownership is transferred, a bill of sale is presented to the device, which then revokes the old ownership credential and issues a new one. This prevents the manufacturer from being involved in all but the first transfer.

  2. Manufacturers could set up an ownership management service that acts as an independent third party, doing all of the same things for ownership credentials that the device did in option #1. This might sound silly, but it’s basically how titles for cars are managed today: the government’s Department of Motor Vehicles facilitates title transfer and acts as the definitive source of ownership. One non-profit party could do this for all devices in an industry.

  3. You could use triple-signed receipts rather than classic credentials to prove ownership. (The wiki for appears to be down right now, but I think the right URI for this topic would be

  4. You could tokenize ownership in the device. I have heard some very clever thinking about this from the likes of Nathan George (Sovrin’s CTO), among others.
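
Option 1 above (the device itself as issuer and revocation authority) sketched as an added example; it is not part of the original thread and not code from any SSI framework. The `Device` class, the bill-of-sale fields and the serial number are hypothetical, and JSON plus Ed25519 from Node's built-in `crypto` module stand in for a real credential format.

```javascript
const crypto = require('crypto');

const newKeys = () => crypto.generateKeyPairSync('ed25519');
const pem = (pub) => pub.export({ type: 'spki', format: 'pem' });
// Assumption: JSON.stringify of objects built with a fixed key order is the signed form.
const sign = (obj, priv) =>
  crypto.sign(null, Buffer.from(JSON.stringify(obj)), priv).toString('base64');
const verify = (obj, sig, pub) =>
  crypto.verify(null, Buffer.from(JSON.stringify(obj)), pub, Buffer.from(sig, 'base64'));

class Device {
  constructor(serial, firstOwnerPub) {
    this.serial = serial;
    this.keys = newKeys();     // issuer key held by the device, created at first power-on
    this.revoked = new Set();  // revocation registry kept by the device, not the manufacturer
    this.seq = 0;
    this.current = this.issue(firstOwnerPub);
  }
  issue(ownerPub) {
    const claims = { id: `${this.serial}#${++this.seq}`, serial: this.serial, owner: pem(ownerPub) };
    return { claims, proof: sign(claims, this.keys.privateKey) };
  }
  // Valid only if the device signed the credential and has not revoked it.
  isValid(cred) {
    return verify(cred.claims, cred.proof, this.keys.publicKey) && !this.revoked.has(cred.claims.id);
  }
  // The bill of sale must name the current credential and be signed by its owner.
  transfer(bill, buyerPub) {
    const cur = this.current;
    if (bill.sale.credId !== cur.claims.id) throw new Error('bill does not name the current credential');
    if (bill.sale.buyer !== pem(buyerPub)) throw new Error('buyer key does not match the bill');
    const sellerPub = crypto.createPublicKey(cur.claims.owner);
    if (!verify(bill.sale, bill.sig, sellerPub)) throw new Error('bill not signed by the current owner');
    this.revoked.add(cur.claims.id);      // revoke the old credential first
    this.current = this.issue(buyerPub);  // then issue to the new owner
    return this.current;
  }
}

// Seller side: sign a statement handing a specific credential to a specific buyer key.
function billOfSale(cred, sellerPriv, buyerPub) {
  const sale = { credId: cred.claims.id, buyer: pem(buyerPub) };
  return { sale, sig: sign(sale, sellerPriv) };
}
```

Because each bill of sale is bound to one credential id, a previous owner cannot reuse an old credential to sell the device a second time, and the manufacturer's key is never needed after the first credential is issued.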

Thanks Daniel :). I will look into each of these and see which one will be feasible for me to implement.