Revocation
Checking and managing revocation status for delegation credentials
Revocation Checking
MCP-I requires implementation of credential revocation to enable withdrawal of delegation.
StatusList2021 Verification
The preferred revocation method uses the W3C StatusList2021 specification:
async function checkRevocationStatus(credential) {
if (!credential.credentialStatus) {
throw new Error("Credential lacks status information");
}
if (credential.credentialStatus.type !== "StatusList2021Entry") {
throw new Error("Unsupported status type");
}
// Extract status list URL and index
const statusListUrl =
credential.credentialStatus.statusListCredential ||
credential.credentialStatus.id.split("#")[0];
const statusListIndex = parseInt(
credential.credentialStatus.statusListIndex,
10
);
// Fetch the status list
const response = await fetch(statusListUrl);
const statusListCredential = await response.json();
// Decode and check the status
const statusList = decodeStatusList(
statusListCredential.credentialSubject.encodedList
);
const isRevoked = statusList.getStatus(statusListIndex);
return { isRevoked };
}
Revocation Caching
For performance optimization:
- Cache status list results with appropriate TTL
- Implement efficient status list processing
- Consider webhook notifications for critical credential revocations
Revocation Checking Requirements
For Level 2+ implementations, revocation checking is mandatory for all credentials. Level 1 implementations may implement simplified revocation checking with appropriate security trade-offs documented.