Distributed Attestation Revocation in Self-Sovereign Identity
Rowdy Chotkan, Jérémie Decouchant, Johan Pouwelse

TL;DR
This paper introduces a fully distributed revocation mechanism for Self-Sovereign Identity systems, enabling secure, scalable, and offline-verifiable revocations without relying on trusted central authorities.
Contribution
It presents the first distributed revocation protocol for SSI using a gossip-based algorithm that scales to large networks and supports offline verification.
Findings
Protocol effectively disseminates revocations in simulated national-scale networks.
Enables offline verification of revocations to enhance security.
Scales efficiently without central trusted components.
Abstract
Self-Sovereign Identity (SSI) aspires to create a standardised identity layer for the Internet by placing citizens at the centre of their data, thereby weakening the grip of big tech on current digital identities. However, as millions of both physical and digital identities are lost annually, it is also necessary for SSIs to possibly be revoked to prevent misuse. Previous attempts at designing a revocation mechanism typically violate the principles of SSI by relying on central trusted components. This lack of a distributed revocation mechanism hampers the development of SSI. In this paper, we address this limitation and present the first fully distributed SSI revocation mechanism that does not rely on specialised trusted nodes. Our novel gossip-based propagation algorithm disseminates revocations throughout the network and provides nodes with a proof of revocation that enables offline…
Taxonomy
Topics: Cryptography and Data Security · Internet Traffic Analysis and Secure E-voting · Privacy-Preserving Technologies in Data
