Status List 2021 is a technical specification for managing the revocation or suspension status of Verifiable Credentials (VCs). It provides a standardized mechanism for an issuer to signal whether a previously issued credential is still valid, without revealing which specific credential a holder is checking. This is achieved by using a bitstring status list, where each credential is assigned a unique index position represented by a single bit (0 for valid, 1 for revoked/suspended). The entire encoded bitstring is published at a URI, allowing any verifier to fetch and check the status.
LABS
Glossary
Status List 2021
A W3C standard defining a privacy-preserving, bitstring-based mechanism for checking the revocation or suspension status of a Verifiable Credential.
Chainscore © 2026
definition
VERIFIABLE CREDENTIALS STANDARD
What is Status List 2021?
Status List 2021 is a W3C-community group specification that defines a privacy-preserving, resource-efficient method for managing the revocation status of Verifiable Credentials.
The protocol's design emphasizes privacy and efficiency. Unlike traditional certificate revocation lists (CRLs) that expose specific identifiers, a verifier only needs to request the bit at a specific index, often via a cryptographically-salted URL. This prevents the verifier from learning about the status of other credentials on the same list. Furthermore, the list is compressed using base64-encoded GZIP compression, making it extremely compact—a list with one million status entries is under 125KB. This makes it suitable for decentralized and mobile-first environments.
Implementation involves the issuer including a credentialStatus property in the VC, pointing to the status list index and its URI. The verifier's process involves: 1) parsing this property, 2) fetching the compressed list from the URI, 3) decoding and decompressing it, and 4) checking the bit at the specified index. The list can be hosted on a traditional web server, a decentralized storage network like IPFS, or within a blockchain transaction. This flexibility allows issuers to choose a hosting method that aligns with their trust and availability requirements.
Key advantages of Status List 2021 include its scalability, as a single list can manage millions of credentials; unlinkability, which enhances holder privacy during status checks; and simplicity, leveraging well-understood web technologies. It is a core component in ecosystems using W3C Verifiable Credentials, such as digital identity, educational attestations, and professional licenses, providing a critical mechanism for trust without relying on centralized, queryable databases.
how-it-works
TECHNICAL DEEP DIVE
How Status List 2021 Works
A detailed explanation of the Status List 2021 specification, a W3C standard for managing the revocation status of Verifiable Credentials.
Status List 2021 is a W3C Verifiable Credentials specification that provides a bitstring-based revocation mechanism for credentials. It works by encoding the revocation status of many credentials into a single, compressed bitstring, where each bit represents the status (e.g., 0 for valid, 1 for revoked) of a specific credential. This bitstring is then published at a stable URL, allowing any verifier to check a credential's status by fetching the list and inspecting the bit at the credential's assigned index. This approach is highly efficient, enabling the status management of thousands of credentials with minimal data overhead.
The system relies on two linked components: the status list credential and the status list index. The status list credential is a special Verifiable Credential whose credentialSubject contains the encoded bitstring and its compression type (e.g., gzip). The credential to be checked, such as a driver's license, includes a credentialStatus property pointing to this list's URI and specifying the exact statusListIndex (the bit position) to inspect. This decouples the status information from the credential itself, allowing for real-time updates without altering the original signed credential.
A core innovation is the use of cryptographic bit commitment. The status list bitstring is hashed, and this hash is included in the credential's proof (e.g., in a Merkle tree or as a disclosed attribute). This prevents an issuer from fraudulently changing a credential's status after issuance, as any alteration to the published list would invalidate the cryptographic proof. Verifiers must therefore obtain both the current status list and verify that its hash matches the commitment in the credential they are checking, ensuring the integrity of the status information.
The specification supports different status purposes through distinct list types, primarily revocation and suspension. A revocation list indicates a permanent invalidation, while a suspension list indicates a temporary hold. A single credential can reference multiple status lists for different purposes. The bitstring itself is typically Base64-encoded and compressed to minimize bandwidth usage, a critical consideration for mobile and IoT environments where credentials are frequently verified.
In practice, an issuer generates a status list credential, assigns a unique index to each issued credential, and hosts the list at a persistent URI. When a verifier receives a credential, they parse the credentialStatus field, HTTP GET the status list credential, decompress the bitstring, and check the bit at the specified index. This mechanism provides a standardized, scalable, and privacy-preserving alternative to traditional certificate revocation lists (CRLs) and online certificate status protocol (OCSP) used in public key infrastructure (PKI).
key-features
VC SPECIFICATION
Key Features of Status List 2021
Status List 2021 is a W3C Verifiable Credentials specification that defines a privacy-preserving, space-efficient method for managing credential revocation and suspension using bitstrings.
01
Bitstring-Based Status
The core mechanism uses a bitstring (a string of 0s and 1s) where each bit represents the status of a single Verifiable Credential. A 0 indicates the credential is valid, while a 1 indicates it is revoked or suspended. This compact format allows a single status list to manage thousands of credentials.
02
Decentralized & Portable
The status list is a standard Verifiable Credential itself, published to a verifiable data registry (like a blockchain, IPFS, or a simple HTTPS endpoint). This allows any verifier to fetch and cryptographically verify the list's integrity and issuer without relying on a centralized, proprietary API, enabling true credential portability.
03
Indexed Reference
A credential links to the status list via a credentialStatus property containing:
id: The URL of the status list VC.statusPurpose: Eitherrevocationorsuspension.statusListIndex: The integer position (index) of the credential's status bit within the bitstring. The verifier uses this index to check the specific bit.
04
Privacy-Preserving Verification
During verification, the holder presents only their credential, not the entire status list. The verifier fetches the list independently. This process reveals no information about other credentials on the list, preserving the privacy of all other credential holders managed by the same issuer.
05
Compression with Base64Gzip
The bitstring is compressed using GZIP and encoded in Base64 for the credentialSubject.encodedList property. This reduces storage and bandwidth requirements significantly. For example, a bitstring for 16,000 credentials compresses from 16KB to roughly 50 bytes.
06
Dual Status Purposes
The spec defines two distinct purposes, allowing for flexible credential lifecycle management:
statusPurpose: "revocation": For permanent invalidation (e.g., a diploma is rescinded).statusPurpose: "suspension": For temporary holds (e.g., a library card is frozen). Issuers can maintain separate lists for each purpose.
privacy-advantage
STATUS LIST 2021
The Privacy-Preserving Advantage
The Status List 2021 specification is a W3C standard that enables the selective, privacy-preserving revocation of Verifiable Credentials without revealing unrelated information.
At its core, Status List 2021 is a W3C Verifiable Credentials extension that addresses a critical privacy flaw in traditional revocation methods. Instead of publishing a single, comprehensive list of all revoked credential identifiers, it uses a bitstring—a long string of 1s and 0s—where each bit represents the status of a single credential. A 1 typically indicates a credential is revoked or suspended, while a 0 indicates it is valid. This allows a verifier to check the status of a specific credential by querying only its corresponding bit position, without learning the status of any other credentials on the list.
The mechanism relies on a cryptographically signed status list credential issued by the same entity that issued the original Verifiable Credential. When presenting a credential, the holder provides a cryptographic proof that points to their specific bit in this list. The verifier can then fetch the list, verify its signature for authenticity, and check the single relevant bit. This design ensures minimal disclosure: the verifier learns nothing about the total number of issued credentials, the identities of other holders, or the status of any credential other than the one being presented.
This approach offers significant advantages over older methods like Certificate Revocation Lists (CRLs). Traditional CRLs expose the identifiers of all revoked credentials, allowing verifiers to correlate data and build profiles of user activity. Status List 2021 eliminates this correlation risk. Its implementation is also highly efficient for large-scale systems, as a single, compact bitstring can manage the status for millions of credentials, with updates requiring only the issuer to change specific bits and re-sign the list.
ecosystem-usage
STATUS LIST 2021
Ecosystem Usage & Implementations
The Status List 2021 specification provides a standardized mechanism for managing the revocation status of Verifiable Credentials (VCs). Its primary implementations focus on credential suspension, selective disclosure, and interoperability across trust ecosystems.
01
Credential Suspension & Revocation
The most common application of a Status List 2021 is to suspend or revoke a Verifiable Credential without invalidating the issuer's entire cryptographic key. This is critical for scenarios like:
- Employee badges after termination.
- Membership credentials for lapsed subscriptions.
- Educational certificates found to be fraudulent.
The verifier checks the credential's
credentialStatusfield against the published list to confirm its current validity.
02
Bitstring Status Lists
The specification defines a bitstring encoding where each credential is assigned a specific index in a large, compressed bit array. A 0 bit indicates the credential is valid, while a 1 indicates it is revoked. This design is highly efficient, allowing a single list to manage the status of thousands of credentials with minimal data overhead, making it suitable for mobile and low-bandwidth verification contexts.
03
Selective Disclosure & Privacy
Status List 2021 supports privacy-preserving verification through cryptographic bitstring proofs. Using BBS+ signatures or similar zero-knowledge techniques, a holder can prove their credential's status (e.g., 'not revoked') without revealing its specific index in the public list. This prevents verifiers from correlating different presentations back to the same holder or credential, a key feature for self-sovereign identity (SSI) systems.
05
Interoperability with Other Status Methods
While Status List 2021 is a modern standard, it is designed to coexist with older revocation methods like OCSP and CRLs. Issuers can support multiple credentialStatus types for different verifier capabilities. The Linked Data Proofs used by the specification ensure it integrates cleanly with the broader W3C Verifiable Credentials Data Model, promoting adoption across government, education, and enterprise ecosystems.
06
Real-World Implementations
Adoption is growing in regulated and high-trust domains:
- EU Digital Identity Wallet (EUDIW): Evaluating the spec for managing credential lifecycles.
- Educational Credentials: Institutions like MIT use similar bitstring mechanisms for verifiable diplomas.
- Supply Chain & Compliance: Used to revoke credentials for certified components or approved vendors.
- Decentralized Identifiers (DIDs): Often paired with DIDs for a fully decentralized revocation model.
REVOCATION PROTOCOLS
Comparison with Other Status Methods
A technical comparison of Status List 2021 against common credential revocation mechanisms, focusing on Verifiable Credential use cases.
| Feature | Status List 2021 | Certificate Revocation List (CRL) | Online Certificate Status Protocol (OCSP) |
|---|---|---|---|
Protocol Type | Decentralized / Offline | Centralized / Offline | Centralized / Online |
Verifier Privacy | |||
Issuer Privacy | |||
Verification Latency | < 1 sec | Minutes to hours | ~100-500 ms |
Network Dependency | |||
Credential Size Impact | ~1 KB | N/A (External) | N/A (External) |
W3C VC Compliance | |||
Scalability for Mass Revocation |
STATUS LIST 2021
Technical Details & Data Model
A deep dive into the W3C Status List 2021 specification, a Verifiable Credentials extension for creating compact, privacy-preserving revocation and suspension lists on distributed systems.
The W3C Status List 2021 is a Verifiable Credentials extension specification that defines a mechanism for encoding a list of statuses, such as revocation or suspension states, into a highly compressed bitstring. It enables issuers to manage the validity of many credentials using a single, compact data structure, which is then referenced by individual credentials via a statusPurpose (e.g., revocation, suspension) and a statusListIndex. This approach is designed to be efficient for distributed systems, as the encoded list can be stored in a credential itself, on a web server, or on a decentralized storage network, balancing privacy, scalability, and verifiability.
STATUS LIST 2021
Common Misconceptions
The W3C Status List 2021 specification is a critical standard for verifiable credentials, but its technical nature leads to frequent misunderstandings about its purpose, security, and implementation.
No, a Status List is not a centralized blacklist; it is a cryptographically verifiable data structure that allows the issuer to signal the status of many credentials in a single, compact bitstring. The list itself is published to a decentralized or issuer-controlled location, such as a blockchain or a web server, but its integrity is secured by a digital signature or cryptographic commitment. Verifiers check the credential's embedded index against the signed list to see if the corresponding bit is set (e.g., 1 for revoked, 0 for valid). This provides a revocation mechanism without requiring the verifier to query a live, centralized database for each check, enhancing privacy and reliability.
STATUS LIST 2021
Frequently Asked Questions (FAQ)
Status List 2021 is a W3C specification for creating compact, privacy-preserving credential revocation lists. This FAQ addresses common technical questions about its implementation and use in decentralized identity systems.
Status List 2021 is a W3C Verifiable Credentials specification that provides a standardized, space-efficient method for checking the revocation status of a credential. It works by encoding a bitstring where each bit represents the status (e.g., 0 for valid, 1 for revoked) of a specific credential, which is then published as a Verifiable Credential itself. A verifier can check a credential's status by resolving the credentialStatus field in the holder's credential to find the status list, then checking the bit at the credential's specific index. This method is far more compact than distributing individual revocation messages for each credential.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall