Verifiable Credential Registry

The registry's primary function is to manage the status of issued credentials, enabling real-time verification of their validity. It provides a mechanism for revocation, allowing issuers to invalidate credentials (e.g., for a lost ID or expired license) without contacting every verifier. Common patterns include:

• Status Lists: Publishing cryptographically signed lists of revoked credential identifiers.
• Bitstring Status Lists: Using compressed bitstrings for efficient, privacy-preserving status checks.
• Smart Contract Registries: On-chain registries where revocation is recorded as an immutable transaction.

The registry acts as a trusted directory for resolving an issuer's Decentralized Identifier (DID) to their current public key material. This is critical for verifying the cryptographic signature on a credential. Functions include:

• DID Resolution: Mapping a DID (e.g., did:web:university.edu) to its associated DID Document.
• Key Rotation: Allowing issuers to securely update their public keys, with the registry providing the authoritative current set.
• Trust Establishment: Serving as a root of trust for verifiers to confirm they are checking credentials from the legitimate issuer.

Registries often provide a discoverable catalog of credential types and their definitions. This enables interoperability by allowing verifiers to understand the structure and semantics of presented credentials.

• Schema Registry: Stores the definition of credential types (e.g., a "Driver's License" schema), specifying required fields and data formats.
• Trusted Issuer Lists: Some registries maintain public lists of authorized issuers for specific credential types.
• Credential Manifest Publication: Allows issuers to publish how credentials can be requested, detailing required information and processes.

By providing an immutable, timestamped record of key registry events, the system creates a cryptographic audit trail. This supports non-repudiation, meaning an issuer cannot later deny having issued or revoked a credential. Key events logged include:

• Issuance Registration: A record that a credential with a specific unique identifier was issued.
• Revocation Timestamp: The exact time a credential status was changed to revoked.
• Key Update Events: A history of changes to an issuer's public keys, preserving the ability to verify older credentials.

Registries are implemented using different architectural models, each with distinct trust and decentralization properties.

• Centralized Registries: A single authoritative database controlled by an organization (e.g., a government). Provides simplicity but creates a single point of trust and failure.
• Decentralized/Blockchain Registries: Use a blockchain or distributed ledger (e.g., Ethereum, Sovrin) as the immutable backbone for status and DID documents. Enhances censorship resistance and availability.
• Hybrid Models: Combine on-chain anchoring for critical events (revocation) with off-chain services for performance and schema management.

In the W3C's architecture, a Verifiable Data Registry is the broader term for the system that manages DIDs, schemas, and credential status. A VCR is a type of VDR focused specifically on credential lifecycle. Other data in a VDR can include:

• DID Methods: The protocols for creating and resolving DIDs on specific networks.
• Revocation Registries: Specialized components for status management.
• Governance Frameworks: Rules and policies that define how the registry operates and who is trusted.

DIDs are the foundational identifiers for credential subjects and issuers in a VCR. They are globally unique, cryptographically verifiable, and controlled by the holder, not a central authority. A DID resolves to a DID Document containing public keys and service endpoints, enabling secure interactions.

• Example: did:ethr:0x123... or did:web:example.com
• Role: Provides the root of trust for signing and verifying credentials without centralized registries.

A core function of a VCR is managing the lifecycle of credentials, particularly revocation. Instead of a central blacklist, status is checked via:

• Status List 2021: A privacy-preserving, compressed bitstring where each bit represents a credential's status.
• Revocation Registries: Smart contracts or verifiable data structures that allow an issuer to update a credential's validity.
• Purpose: Enables issuers to invalidate credentials (e.g., for a lost passport) while preserving holder privacy.

Trust Registries are specialized VCRs that list authorized issuers, accredited schemas, and recognized credential types within an ecosystem. They are critical for interoperability and establishing legal/compliance frameworks.

• Example: The European Blockchain Services Infrastructure (EBSI) uses a trust registry for issuing and verifying educational diplomas across EU member states.
• Governance: Defines who can write to the registry, often managed via decentralized autonomous organizations (DAOs) or consortium agreements.

The W3C VC Data Model is the universal standard that defines the structure, data model, and proof formats for verifiable credentials. A VCR implements this standard to ensure interoperability.

• Core Components: issuer, credentialSubject, issuanceDate, proof (signature).
• Proof Formats: Supports JSON Web Tokens (JWT) and Linked Data Proofs (LD-Proofs) like Ed25519Signature2020.
• Impact: This standard allows credentials issued on one platform to be verified by any compliant system.

VCRs enable reusable Know Your Customer (KYC) credentials, reducing friction and repetition across DeFi, exchanges, and regulated services.

• Flow: A user completes KYC once with a trusted issuer (e.g., a licensed provider). The issuer creates a verifiable credential asserting the user's identity status.
• Selective Disclosure: The user can present cryptographic proofs (like zero-knowledge proofs) to prove they are verified without revealing raw personal data.
• Benefit: Combats fraud while enhancing user privacy and portability.