V2: Revocation improvements

[kimdhamilton]

Revocation Improvements

TL;DR: Jump to the end if you are interested in just the v2 changes

Goals

• Revocation should be explicit and allowed to vary, to support (at least) differing choices of:
  • domains
  • blockchains
  • revocation techniques: revocationList URI, smart contract, IPNS
• Change default implementation

Non-goals

• This will not provide a reference implementation of alternate revocation techniques (smart contract, IPNS)

Current revocation technique

There is a practical complication with the current revocation technique of spending outputs: once a revocation key is rotated, it can never be used to revoke a certificate.

This first explores with the issuer global revocation address.

Context

The issuer's global revocation address is the revocation address listed in the Issuer Identification endpoint. When issuing Blockchain Certificates, the transaction includes an output to this address; spending this address revokes the entire batch.

The current verification standard assumes 1 active global revocation address. Previous revocation addresses are associated with an invalid date.

What happens if the private key is leaked

Suppose the private key corresponding to the issuer's global revocation address is leaked. This allows an attacker to revoke any certificate batches associated with that revocation address.

Since the revocation event is timestamped with the blockchain transaction, this timestamp, along with the Issuer Identification timestamps, could be used to effectively discard (by convention) the revocation event. However, there are practical concerns with that; consider all options:

• Case 1: Blockchain Certificates verification uses timestamped revocation checks
  • If the issuer rotates their revocation address (which includes updating the identification endpoint to mark this revocation address invalid as of the compromised time), this allows the attacker's revocation event to be ignored
  • But this effectively invalidates that revocation address for the future, meaning the issuer can no longer revoke any batches associated with that address
  • Therefore, the issuer must reissue all certificates associated with that revocation address if they want the right to revoke in the future
• Case 2: Blockchain Certificates verification does not use timestamped revocation checks
  • All certificates issued with that revocation address must be considered revoked
  • Therefore, the issuer must reissue all certificates associated with that revocation address

Furthermore, given the current verification standard, only 1 revocation address is effectively active at a given time. This means that the issuer must reissue certificates ever issued (if they want to retain the ability to revoke in the future).

One (discarded) option was to allow multiple active revocation keys, and rotate them frequently on a planned basis. However, this complicates the revocation convention even more, as all revocation keys the issuer even used must be considered during verification.

Similar reasoning applies to per-recipient revocation. And in fact, it's messier since the per-recipient revocation addresses would not have a natural timestamp for comparison.

Why the existing revocation technique was chosen

The current revocation technique of spending outputs is symmetric in the sense that either the issuer or the recipient can revoke a certificate. This characteristic strikes many as unintuitive; there is no analog for recipient revocation in well-known credentialing systems.

In fact, this has been the most debated aspect of the design, because it additionally introduces the following consequences:

• transaction size (hence cost) is a function of the number of recipients
• while the hashed data in the transaction uses the OP_RETURN code, each recipient output is a dust amount (min required by Bitcoin), which contributes to UTXO bloat

Let's unpack the recipient revocation scenario. Blockchain certificate transactions are structured as follows:

input:

• issuer address

output:

• per recipient:
  • recipient's address
  • issuer's recipient-specific revocation address
• issuer's global revocation address
• OP_RETURN hashed data
• issuer change address

The original concern is that, since the addresses are part of the public ledger, a bad actor could also issue a certificate to the recipient's address (discovered either because the recipient attached the address to an identity, or through graph analysis), which the recipient would want to disavow. This is a theoretical concern, but a primary design principle of Blockchain Certificates is recipient control.

Alternative transaction structure

input:

• issuer address

output:

• OP_RETURN hashed data
• issuer change address

By removing the recipient address and revocation addresses from the transaction, a recipient can still prove ownership of the address, as long as the address is in the certificate, which is hashed and placed on the blockchain.

This means the recipient address is not part of the public ledger. But the recipient can disclose the contents and prove ownership of the address by signing a message.

This has additional benefits:

• Fixed cost, independent of batch size
• Addresses UTXO bloat concerns
• Frees up recipient address to be any cryptographic public key
• More easily portable to other blockchains

Impact on recipient revocation

While this removes the ability for a recipient to explicitly revoke a certificate, the following mitigations are available:

• Contents of the certificate must be revealed to discover that the recipient address is referenced.
• If bad actors are a concern, features already part of the OBI standard such as endorsements could be relied on to ensure recipient approval (or requiring a recipient to cryptographically sign the certificate)

Revocation in the next version

In the next version of the schema, the revocation technique will be explicit so it may vary during the Blockcerts verification process. For example, revocation could be published as a list in IPNS, implemented as a smart contract in Ethereum, or published in a issuer-hosted revocation list, as used in the OBI standard.

For now, the default implementation will use an (URI) issuer-hosted revocation list, for practical concerns (and given that Blockcerts uses the Bitcoin blockchain).

The OBI schema has a revocationList field, which will be used to store this URI.

Details of impact to schema are provided in #23 and #28.

[StephenCleary]

The new revocation system creates a hard dependency on the issuer's website. Currently, with all revocation part of the chain itself, the only issuer verification necessary is a matching of the issuer address with their identity. So, it becomes possible (in theory) for issued certificates to always be valid, without the need to talk to the issuer directly - as long as the validator is willing to accept that the issuer's address does represent a particular issuer identity.

With the issuer-hosted revocation model, any issuer-related service problems would "invalidate" all certificates:

• Going out of business
• Changing (domain) names
• Discontinuing the use of blockchain certificates and reclaiming those server resources

Even temporary interruptions - like an improperly configured new proxy - could cause cert validation to fail until it's brought to their attention.

I'm not saying revocation lists are the wrong direction; just pointing out that it is exchanging one set of problems for another. With the new revocation scheme, we're taking a step away from the blockchain and a step towards something more like PKI, where every issuer is a CA.

[kimdhamilton]

Note that there has always been a dependency on the issuer hosting the identification information to confirm the issuing and revocation keys have not been revoked. This is part of the current verification process. See Step 5

Long term, we want to move all issuer hosting requirements to IPFS/IPNS, which will solve some of the longevity concerns.

[kimdhamilton]

Merged and docs updated

[Velofisch]

Hello, one value of using blockcerts to have two independent possibilities to validate a diploma: a) With the IRI to the issuer's website, you will be able to retrieve the JSON file. Since the JSON is signed by the issuer and is hosted on the issuer's website, this is already proof enough and renders the system robust to any changes to the blockchain used. b) With the JSON file stored in the recipient's wallet, you can independently validate the diploma. This renders the diploma independent on the existence of the issuer's webserver. Revocations need to be possible by the issuer. Revocations by the recepient are not important to us. If the issuer does not exist anymore, there is no need to still be able to do any revocation. However, it is important, that the revocation information is attached to the certification of the diploma on the blockchain in order that every validation will not only validate the diploma but will also display the revocation at the same time. Detaching the revocation from the certification would void a lot of the advantages, that we see in the use of blockcerts.

Best Jörn University of Geneva

[kimdhamilton]

Hello Jörn, Thanks for the feedback. I agree with your statements, and one of our highest priorities is finding a general solution that meets these requirements.

One of the limitations with v1 revocation -- attaching revocation with a Bitcoin address has many limitations such as:

• by design, it leads to UTXO bloat, because if a recipient or the issuer spends the revocation output, the cert is revoked
• outside of a dedicated product (cert-wallet for recipients, or an issuing product for issuers), it is difficult for recipients to manage / remember which addresses not to spend
• doesn't fit well with best practices of key rotation

However, we're exploring other ways to meet the criteria you mentioned, and solve the limitations I called out. One promising approach that is consistent with principles of self-sovereign identity is decentralized identities (DIDs, and specific methods like BTCR.

This is an active area of investigation if anyone is interested in participating. We have several threads on the blockcerts community forum; so please join in the discussion with any comments, proposals, or feedback.

Best, Kim

[Velofisch]

Hi Kim, thank you for your answer. Would it be possible to do the revocation by a transfer to and not from the revocation address? The revocation transaction could be authenticated by coming from a specific address owned by the university. The advantage would be that it does not need any space on the blockchain as long as the certificate is not revoked. Also you could add some metadata for the revocation reason (some bits should be sufficient). To enable key rotation, you could also map the key rotation on the blockchain. The old revocation key is used to sign the transfer to a new key.

What do you think?

Best regards

Jörn

---

Jörn Erbguth Legal Tech Consultant erbguth.ch

joern@erbguth.ch +41 787256027

Am 18.05.2017 um 20:42 schrieb Kim (Hamilton) Duffy notifications@github.com:

Hello Jörn, Thanks for the feedback. I agree with your statements, and one of our highest priorities is finding a general solution that meets these requirements.

One of the limitations with v1 revocation -- attaching revocation with a Bitcoin address has many limitations such as:

by design, it leads to UTXO bloat, because if a recipient or the issuer spends the revocation output, the cert is revoked outside of a dedicated product (cert-wallet for recipients, or an issuing product for issuers), it is difficult for recipients to manage / remember which addresses not to spend doesn't fit well with best practices of key rotation However, we're exploring other ways to meet the criteria you mentioned, and solve the limitations I called out. One promising approach that is consistent with principles of self-sovereign identity is decentralized identities (DIDs, and specific methods like BTCR https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2017/blob/master/event-documents/group-abstracts/work-abstract-did-methods-btcr-pgpr.md.

This is an active area of investigation if anyone is interested in participating. We have several threads on the blockcerts community forum http://community.blockcerts.org/; so please join in the discussion with any comments, proposals, or feedback.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/blockchain-certificates/cert-schema/issues/24#issuecomment-302505967, or mute the thread https://github.com/notifications/unsubscribe-auth/AJp55P3yfK9QL9Xf2rq_qPUJhnw-G1ioks5r7JD5gaJpZM4L8sEi.

[kimdhamilton]

Hello Jörn, This revocation technique is definitely better than V1 (it addresses the UTXO bloat concern). Also, the key rotation approach is the style we want. There are a few standards in this area I am looking into (as usual, I'd like to make sure it's generalized). I expect to have something of a first stab at a proposal, or at least writeup of options/pros/cons, next week. I'll put that on the blockcerts community forum (http://community.blockcerts.org/) but will ping you to make sure you get updates.

Thanks for the excellent feedback! Kim