Credential Update

Dynamically grant or revoke access to gated resources based on updated credentials. This is foundational for decentralized autonomous organizations (DAOs), token-gated content, and smart contract functions.

• Example: A DAO updates a member's credential to grant voting rights after they stake a governance token.
• Example: A subscription service revokes access to premium features when a payment credential expires.

Maintain regulatory compliance by attaching, verifying, and expiring Know Your Customer (KYC) and Anti-Money Laundering (AML) attestations. Credentials can be issued by verified oracles and automatically invalidated after a set period.

• Example: A DeFi protocol requires a valid, non-expired KYC credential from a trusted provider for high-value transactions.
• Example: An institution updates a user's credential to reflect a change in accredited investor status.

Build verifiable, portable reputations by accumulating credentials from completed tasks, proven skills, or community endorsements. These soulbound tokens (SBTs) or attestations form a persistent, updatable record.

• Example: A developer receives a credential for completing a smart contract audit, which is added to their on-chain resume.
• Example: A contributor earns governance power in a protocol based on a continuously updated reputation score credential.

Automate recurring access models by issuing time-bound credentials that require renewal. This enables web3-native SaaS models, newsletter subscriptions, and club memberships without centralized billing systems.

• Example: A user holds a credential proving an active subscription, which a dApp checks before granting service. The credential expires and must be renewed with payment.
• Example: A gated community automatically removes members whose annual membership credential has lapsed.

Proactively manage security and data freshness by invalidating credentials after a set period or upon a triggering event. This is critical for mitigating the risk of stale or compromised data.

• Example: A university degree attestation is issued with a 10-year expiration to encourage periodic re-verification.
• Example: An employer instantly revokes an employee's access credential upon termination, updating their on-chain status.

Use credential updates to synchronize a user's identity state across multiple blockchain networks. A credential issued on one chain can be used to generate a corresponding, updated credential on another via cross-chain messaging.

• Example: A user's verified identity credential on Ethereum is used to mint a corresponding credential on Polygon, enabling seamless cross-chain dApp access.
• Example: A governance credential is updated on a Layer 2 after voting on the mainnet, ensuring a unified reputation system.

The defining feature of a credential update is the persistence of the credential identifier (e.g., a unique hash or DID). This allows systems to track the lifecycle of a single claim while invalidating its previous cryptographic proofs. Key steps include:

• Revocation: The issuer cryptographically invalidates the old credential, often by publishing a revocation status (e.g., to a revocation registry).
• Re-issuance: A new credential is issued with the same identifier but updated metadata, a new issuance date, and fresh cryptographic signatures.
• This ensures continuity for verifiers who reference the identifier while enforcing the latest credential state.

Updates are not automatic and are triggered by specific, verifiable events. Common triggers include:

• Expiration: A credential reaches its pre-defined validUntil date.
• Security Event: A private key compromise or detected fraud necessitates immediate revocation.
• Data Change: The underlying attested information changes (e.g., a user's address or membership status).
• Policy Compliance: To adhere to new regulatory or system requirements (e.g., GDPR right to erasure). The update process must be initiated by the credential's issuer or an authorized delegate, preserving the chain of trust.

Applications verifying credentials must implement checks for updates to prevent accepting stale or revoked data. Essential practices are:

• Check Status: Always query the credential's revocation registry or status list (e.g., a bitstring) before trusting it.
• Validate Freshness: Verify the issuanceDate and expirationDate are within acceptable bounds for your use case.
• Respect Context: Understand if the application logic requires the latest credential or if a historical, valid-but-superseded credential is acceptable (e.g., for audit trails). Failure to check status is a common security flaw, equivalent to accepting a revoked passport.

The credential issuer bears the operational burden of managing updates securely and efficiently.

• State Publication: Maintain a secure, highly available service (like a revocation registry) for publishing credential status. This is often implemented on-chain for transparency and resilience.
• Key Management: Use robust key rotation practices for signing credentials to limit blast radius if an issuance key is compromised.
• Audit Trail: Keep an immutable log of all update actions (revoke, re-issue) for compliance and dispute resolution.
• Cost Considerations: On-chain update mechanisms incur transaction fees; design systems to batch updates where possible.

Naive update mechanisms can leak user activity. Advanced techniques enhance privacy:

• Zero-Knowledge Proofs (ZKPs): Allow a user to prove a credential is valid and unrevoked without revealing its identifier or contents, using tools like zk-SNARKs or zk-STARKs.
• Blind Revocation Registries: Use cryptographic accumulators or semaphore-style merkle trees where a verifier can check a credential's non-revocation status without learning about other credentials in the system.
• Selective Disclosure: Updated credentials should still support revealing only specific attributes (e.g., "over 21") rather than the entire credential.

For credentials to work across ecosystems, update mechanisms must follow open standards.

• W3C VC Data Model: Defines standard fields like credentialStatus for pointing to a revocation service.
• Status List 2021: An IETF draft specifying a compact, scalable method for encoding revocation statuses in a bitstring, often stored on a blockchain.
• DID Methods: The Decentralized Identifier (DID) method specification (e.g., did:ethr, did:key) dictates how associated keys are rotated, which underpins credential re-issuance. Adhering to standards ensures credentials remain portable and verifiable across different platforms and wallets.

A Status Registry is a decentralized ledger or list used to track the validity of credentials. It is the primary mechanism for performing a credential update, such as a revocation.

• How it works: The issuer publishes a revocation list (e.g., a W3C Status List) to a public registry. Verifiers check this registry to confirm a credential's status.
• Key Benefit: Enables real-time updates without requiring the re-issuance of the credential itself.

Selective Disclosure allows a holder to reveal only specific claims from a credential without exposing the entire document. Credential updates can enable or restrict what data can be disclosed.

• Example: A university credential may be updated to allow disclosure of only the degree type and year, hiding the specific GPA.
• Technology: Often implemented using zero-knowledge proofs (ZKPs) or BBS+ signatures.

A Credential Refresh is a specific type of update where an expired or time-bound credential is renewed by the issuer, often automatically via a pre-authorized protocol.

• Use Case: A subscription-based service credential that needs monthly renewal.
• Mechanism: Relies on OAuth 2.0-style refresh tokens or DID-linked service endpoints that allow the holder to request a new credential without manual re-verification.

The W3C Verifiable Credentials Data Model defines standard methods for credential updates, primarily focused on revocation.

• Status List 2021: Encodes a bitstring where each bit represents the status (revoked/active) of a credential, allowing for compact, scalable revocation lists.
• Linked Data Proofs: Updates can be signed with new proofs, invalidating previous ones. Verifiers must check the latest proof chain.

A credential is cryptographically bound to a Decentralized Identifier (DID). Updating the DID's state on its associated DID Document can control credential validity.

• Key Rotation: If a DID's private key is compromised, rotating to a new public key in the DID Document effectively revokes all credentials signed by the old key.
• Service Endpoints: The DID Document can point to a service endpoint for checking credential status, decentralizing the update mechanism.

Consider a DAO membership credential. The update protocol is crucial for governance.

• Joining: A credential is issued upon passing a vote.
• Suspension: If a member violates rules, their credential status is updated to "suspended" in the DAO's status registry, removing voting rights.
• Expulsion: A full revocation permanently removes access. This demonstrates how credential updates enforce on-chain governance outcomes in off-chain identity systems.