openwallet-foundation / acapy

ACA-Py is a foundation for building decentralized identity applications and services running in non-mobile environments.
https://aca-py.org
Apache License 2.0

Prover checks if a credential in their wallet is revoked #729

Closed swcurran closed 4 years ago

swcurran commented 4 years ago

Is there a way to invoke this Indy Node transaction - https://github.com/hyperledger/indy-node/blob/master/docs/source/requests.md#get_revoc_reg_delta - such that a prover could find out if their credential has been revoked?

Perhaps an ACA-Py Admin API isCredentialRevoked(credential) called by a prover controller that:

Determine if the capability is possible and document how. Once we have that we can decide to proceed or not.

sklump commented 4 years ago

I can take this if you like. It should take about a day.

I think the to/from/last-check shenanigans are extraneous. Let the ledger retain deltas (single source of truth) and read off cred rev ids revoked from parsed deltas; e.g.,

{
  "ver": "1.0",
  "value": {
    "prevAccum": "21 13A8F16F0E46D020F554B368251A84765B473F4DD702FDA49C1E78CF1A262B28B 21 1226BD6AC9169FB3132C859D236A5006BEEEBE4AC898BE2B4F860573A71DBEB31 6 753245401F1B3CC820C8BBA174A42DA13CB3907EA6601B608049C59CCDA89365 4 3AA55AC49839E32354940286CF769A5F1BA7DF4AC88409A7D9E67C30E562FCB5 6 7D19BCE96D9580D9DCEB9E5157CA8579333849C2F46C40039BD2C70B535AB0D3 4 238C7B948475A0159C543D9F5EEAA9A961037DA899BFA36B70FD64E23BFDF0D1",
    "accum": "21 1162C3EE1202A8B38BA15892410BE21E6512C43986824974943100EE250F29D50 21 1180AAB57D7CD9AB8CEE8E52385661636720EB22DC1165E6A2B9812CC89A95BE3 6 7C54F47BBF71FD0A5CE22EF72809D4F6394F184947215E0F39274611C78BAC7C 4 1B0D9230F07F5C5654E60D958D0E3F1F2B6FC143CDAD5940617A7D960167715F 6 77E797376C36A47D914BAD8187C5EE2049FD3ED869E87B7B7B98392E9B4233CD 4 0F477822F3026762B156FB4DD19CF8B4F50E368FAC1678DF6342970FFB6F4FA7",
    "revoked": [
      1
    ]
  }
}

Alternatively, the prover can always call the issuer's admin API (if the issuer is up), but this is worse because the issuer knows when the prover checks, counter to the ideals of self-sovereign identity.

ianco commented 4 years ago

I found this function in the indy-sdk, does this do what we need?

https://github.com/hyperledger/indy-sdk/blob/master/libindy/src/api/anoncreds.rs#L2262

I need to experiment with it a bit ...

Theoretically since the holder knows the rev reg id and the index of their credential they should be able to check independently if the credential is revoked (without contacting the issuer).

ianco commented 4 years ago

The aca-py api "GET /present-proof/records/{pres_exch_id}/credentials" returns data in this format:

[{"cred_info": {"referent": "2193127d-88bb-4171-8171-085798a7faa5", "attrs": {"timestamp": "1601334830", "degree": "Maths", "name": "Alice Smith", "age": "24", "date": "2018-05-28"}, "schema_id": "4wR1x7SNe1k3Dq8JsWtGMm:2:degree schema:80.38.38", "cred_def_id": "4wR1x7SNe1k3Dq8JsWtGMm:3:CL:36:default", "rev_reg_id": "4wR1x7SNe1k3Dq8JsWtGMm:4:4wR1x7SNe1k3Dq8JsWtGMm:3:CL:36:default:CL_ACCUM:bab8f5c4-814f-4996-9655-23cc7c6aa533", "cred_rev_id": "1"}, "interval": {"from": null, "to": 1601335170}, "presentation_referents": ["0_degree_uuid", "0_date_uuid", "0_age_GE_uuid", "0_name_uuid"]}]

These values match up with the parameters required in the indy-sdk fn "indy_create_revocation_state()" no?

sklump commented 4 years ago

The revocation state creation is a step en route to proof presentation, which we want to avoid/bypass. The info is in the delta in its ["value"].get("revoked", []) list: int(cred_rev_id) appears in list content only if cred is revoked.
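An added example, not part of the thread and not ACA-Py code: the holder-side check described in the comment above, applied to credential records shaped like the `GET /present-proof/records/{pres_exch_id}/credentials` response quoted earlier. The function names, the `REV_REG_*` identifiers and the sample data are constructed, and the sketch assumes each delta was read from the ledger over the registry's full history, so that its `revoked` list is cumulative.

```python
import json

# Constructed sample records, trimmed to the fields the check needs.
CREDS = json.loads("""[
  {"cred_info": {"referent": "cred-a", "rev_reg_id": "REV_REG_1", "cred_rev_id": "1"}},
  {"cred_info": {"referent": "cred-b", "rev_reg_id": "REV_REG_1", "cred_rev_id": "2"}},
  {"cred_info": {"referent": "cred-c", "rev_reg_id": null, "cred_rev_id": null}},
  {"cred_info": {"referent": "cred-d", "rev_reg_id": "REV_REG_2", "cred_rev_id": "7"}}
]""")

# Constructed parsed deltas keyed by rev_reg_id (accumulator values replaced
# by a placeholder). REV_REG_2 is deliberately missing: ledger read failed.
DELTAS = {
    "REV_REG_1": {"ver": "1.0", "value": {"accum": "<placeholder>", "revoked": [1]}},
}


def revocation_status(cred_info, deltas):
    """Classify one credential as not_revocable, unknown, revoked or active."""
    rev_reg_id = cred_info.get("rev_reg_id")
    cred_rev_id = cred_info.get("cred_rev_id")
    if rev_reg_id is None or cred_rev_id is None:
        return "not_revocable"  # issued without revocation support
    delta = deltas.get(rev_reg_id)
    if delta is None:
        return "unknown"  # no ledger data: never report this as active
    # "revoked" is absent from the delta when nothing has been revoked.
    revoked = delta.get("value", {}).get("revoked", [])
    # The wallet stores cred_rev_id as a string; the delta lists integers.
    return "revoked" if int(cred_rev_id) in revoked else "active"


def check_wallet(creds, deltas):
    """Map each credential referent to its revocation status."""
    return {
        c["cred_info"]["referent"]: revocation_status(c["cred_info"], deltas)
        for c in creds
    }


if __name__ == "__main__":
    for referent, status in check_wallet(CREDS, DELTAS).items():
        print(referent, status)
```

Because the deltas come from the ledger rather than the issuer's admin API, the issuer does not learn when the holder checks.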

sklump commented 4 years ago

I'd love to take this one and leave you to focus on the ongoing investigation of postgres record locking vs. concurrent updates. That one is going to wreck the planet, left unchecked. And it is way outside my ken.

ianco commented 4 years ago

@sklump it's all yours!

sklump commented 4 years ago

https://github.com/hyperledger/aries-cloudagent-python/pull/735