Credential Registry

The foundational component of a credential registry, a Verifiable Data Registry is a system that enables the creation and verification of decentralized identifiers (DIDs) and their associated public keys. It provides the necessary infrastructure for DID resolution, allowing any party to look up the cryptographic material needed to verify a credential's signature. Common implementations include:

• Blockchains (e.g., Ethereum, Sovrin, Cardano)
• Distributed Ledgers
• Decentralized File Systems (e.g., IPFS for storing schemas)
• Purpose-Built Networks (e.g., ION on Bitcoin)

Ethereum functions as a credential registry through smart contract standards that map DIDs to Ethereum addresses and manage verifiable claims.

• ERC-1056 (Ethr-DID): A method where an Ethereum address controls a DID. The registry is the Ethereum blockchain itself, with public keys resolvable via smart contracts.
• ERC-780: A standard for a claims registry, a smart contract that holds signed claims (attestations) about any identity (Ethereum address or DID). Anyone can query the contract to verify if a specific claim exists and is valid.

A critical sub-component of a credential registry that stores the machine-readable schemas and credential definitions required for issuance and verification.

• Schema Registry: Publishes the structure (data fields) of a verifiable credential (e.g., "Driver's License Schema").
• Credential Definition (Indy/AnonCreds): Contains the public key used by an issuer to sign credentials of a specific schema, enabling zero-knowledge proofs.
• Status Registry: Manages revocation registries (e.g., accumulators, bitmaps) to check if a credential has been revoked, often implemented as a smart contract or a verifiable data structure.

A credential registry anchors Decentralized Identifiers (DIDs) to a blockchain, providing a globally resolvable endpoint for a subject's public keys and service endpoints. This creates a cryptographic root of trust independent of any central authority. The registry does not store personal data but publishes the DID Document (DIDDoc), enabling verifiers to authenticate credential signatures.

• Key Function: Publishes and updates the DID Document.
• Trust Model: Shifts from centralized certificate authorities to verifiable on-chain proofs.

The registry manages the status of issued verifiable credentials, a critical function for security. Instead of contacting the issuer directly, a verifier checks the registry for a revocation list (e.g., a Status List 2021 bitstring) or a credential status index. This provides a real-time, tamper-proof mechanism to invalidate credentials if a private key is compromised or attributes change.

• Status List: A compressed bitstring where each bit represents a credential's revoked/active state.
• Privacy: Bitstring approaches allow status checks without revealing which specific credential is being verified.

Every credential issuance, update, and revocation event is recorded as an immutable transaction on the underlying ledger (blockchain, DAG, etc.). This creates a permanent, publicly auditable history of all registry operations. Auditors can cryptographically verify the entire lifecycle of a credential, ensuring non-repudiation and detecting any unauthorized alterations.

• Transparency: Anyone can verify the provenance and history of a credential's status.
• Evidence: Provides cryptographic proof of the issuer's actions for compliance and dispute resolution.

A core security feature is enabling secure key rotation for DIDs. If an issuer's or holder's private key is suspected to be compromised, the registry allows the publication of a new DID Document with updated public keys. This process, governed by the DID's verification method and authentication suites, prevents an attacker from issuing fraudulent credentials while preserving the identity's continuity and all previously issued valid credentials.

• Recovery: Uses pre-defined verification relationships or delegated authorities to authorize key updates.
• Continuity: The DID itself remains constant, only the cryptographic keys change.

Advanced registries support privacy-enhancing technologies like Zero-Knowledge Proofs (ZKPs). A verifier can confirm a credential is valid and unrevoked by checking a proof against the registry's state, without learning the credential's contents or the holder's identity. This enables selective disclosure (e.g., proving you are over 21 without revealing your birthdate) and minimizes correlation risks, aligning with data minimization principles of GDPR and similar regulations.

A Revocation Registry is a specialized component, often part of a broader credential registry, that maintains a cryptographically secure list of revoked credentials. It allows verifiers to check if a presented VC is still valid without revealing the holder's identity or other credential details.

• Methods: Common implementations include revocation lists (bitmaps) and accumulators.
• Purpose: Critical for managing credential lifecycle (e.g., revoking a diploma if fraud is discovered).

A Trust Registry is a governance layer that lists which entities (identified by DIDs) are authorized to issue specific types of credentials within a given ecosystem. It answers the question: "Is this issuer trusted for this credential schema?"

• Function: Publishes accreditation rules and authorized issuer lists.
• Example: A healthcare network's registry listing which hospitals are permitted to issue verifiable vaccination records.

A Credential Schema defines the structure, data fields, and semantic meaning of a specific type of verifiable credential. Schemas are published to a registry to ensure all parties (issuers, holders, verifiers) interpret the credential data consistently.

• Content: Specifies required attributes (e.g., degreeType, issuanceDate), data types, and optional fields.
• Standardization: Enables interoperability across different wallet and verification systems.