We recently released support for revocation of DID-signed documents through an Online Certificate Status Protocol (OCSP) responder, which allows documents to be revoked without deploying a document store. Before this release, revocation was only possible by deploying a document store, which is costly.
The solution works by first deploying an API through which an administrator can insert or remove entries in a database holding the list of revoked document identifiers. Then, when creating a raw document, the revocation type must be set to OCSP_RESPONDER and the location to the URL of that API. When the document is submitted for verification, a query is sent to the online responder and an additional check is performed to determine whether the document has been revoked.
The ADR containing our exploration of possible solutions to the problem of costly revocation and our proposed implementation can be found here.
We also released a reference implementation of the OCSP responder using AWS Serverless. You may refer here for a guide on its implementation.
We also added a section to our documentation website under Verifiable Document > DID > Revoking Documents (OCSP) with steps on how to create an OCSP-revocable document.
This solution requires minimally:
- open-attestation v6.2.0
- oa-verify v7.7.0