Revoke documents using document store
Note: Depending on whether you have deployed the Document Store or OCSP, use the corresponding method to revoke documents.
Licenses, certifications, and permits are some examples of documents that can be issued as verifiable documents.
When issuing verifiable documents, keep in mind that they will remain verifiable indefinitely.
However, there may be times when the issued document needs to be revoked because:
- It contains errors.
- It was issued wrongly.
- After issuance, an incident occurs and requires the document to become ineffective and unverifiable.
Differences between revocation and expiration
Revocation serves as a strict, proactive approach to prevent a security breach or any change that may compromise the document's integrity.
Document revocation is not intended to work as expiration, since documents with an expiry date already have a limited validity duration that the issuer determines at the time of file creation.
For documents with limited validity, consider including expiry dates within the document content for external verification.
The following screenshot shows a certificate example:
It includes:
- The document issue date (e.g. “31 December 2022”) can be stored in a field defined by the issuing party and also in the content visually shown in the document renderer.
- The document expiry date (e.g. “30 December 2025”) can be stored in another field defined by the issuing party and also in the content visually shown in the document renderer.
However, whether the document remains viewable after expiration may be left to the issuing party to decide, based on the use case. The document renderer should handle any logic specific to expiration.
Revoking using Document Store
It is possible to revoke a signed document only if you fulfill certain prerequisites. Any future progress can be followed here.
Prerequisites
- An ethr DID (if you have been following the above steps, you should have one already)
- Some kind of DID documents:
  - Base DID document (ISSUER_IDENTITY:identityProof.identifier against ethr DID)
  - DID-DNS document (ISSUER_IDENTITY:identityProof.identifier against a DNS-TXT)
- A deployed documentStore, click here for the steps.
- Before you wrap your document with the wrapper SDK, add a revocation block with these keys:
{
  "$template": {
    "name": "main",
    "type": "EMBEDDED_RENDERER",
    "url": "https://tutorial-renderer.openattestation.com"
  },
  "recipient": {
    "name": "John Doe"
  },
  "issuers": [
    {
      ....
      "name": "Demo Issuer",
      "revocation": {
        "type": "REVOCATION_STORE",
        "location": "<DEPLOYED_DOCUMENT_STORE_LOCATION>"
      },
      ...
    }
  ]
}
- The <DEPLOYED_DOCUMENT_STORE_LOCATION> is your documentStore location. It must be deployed on the Ethereum blockchain.
- Wrap your document, sign it, and append the signature to the document (following the tutorial).
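A pre-wrap check for the revocation block described in the prerequisites, added here as an example and not taken from the OpenAttestation code base. The function name `checkRevocationBlocks` and the sample document are constructed; the check assumes a document store location is a 0x-prefixed, 40-hex-digit Ethereum contract address.

```javascript
// Added example: verify every issuer carries a usable REVOCATION_STORE block
// before the document is wrapped and signed. Names here are hypothetical.

const ETH_ADDRESS = /^0x[0-9a-fA-F]{40}$/; // 20-byte contract address in hex

function checkRevocationBlocks(rawDocument) {
  const problems = [];
  const issuers = Array.isArray(rawDocument.issuers) ? rawDocument.issuers : [];
  if (issuers.length === 0) {
    problems.push("document has no issuers");
  }
  issuers.forEach((issuer, i) => {
    const label = `issuers[${i}] (${issuer?.name || "unnamed"})`;
    const revocation = issuer?.revocation;
    if (!revocation || typeof revocation !== "object") {
      problems.push(`${label}: no revocation block, document cannot be revoked`);
      return;
    }
    if (revocation.type !== "REVOCATION_STORE") {
      problems.push(`${label}: revocation.type is ${JSON.stringify(revocation.type)}, expected "REVOCATION_STORE"`);
      return;
    }
    const location = revocation.location;
    if (typeof location !== "string" || location.includes("<")) {
      // Catches the template placeholder being left in the raw document.
      problems.push(`${label}: revocation.location is missing or still a placeholder`);
    } else if (!ETH_ADDRESS.test(location)) {
      problems.push(`${label}: revocation.location is not a 0x-prefixed 40-hex-digit address`);
    }
  });
  return problems;
}

// Constructed sample: one valid issuer, one with the placeholder left in,
// and one with no revocation block at all.
const sample = {
  recipient: { name: "John Doe" },
  issuers: [
    { name: "Demo Issuer", revocation: { type: "REVOCATION_STORE", location: "0x" + "ab".repeat(20) } },
    { name: "Draft Issuer", revocation: { type: "REVOCATION_STORE", location: "<DEPLOYED_DOCUMENT_STORE_LOCATION>" } },
    { name: "Legacy Issuer" },
  ],
};

console.log(checkRevocationBlocks(sample));
```

An empty result means each issuer points at a well-formed document store address; it does not confirm that a contract is actually deployed there.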
Revoking a document
Once you have fulfilled the prerequisites, you will have a document that can be revoked on a deployed documentStore.
To revoke a document from the Ethereum flow using the CLI, replace the variables below and run the command:
open-attestation document-store revoke --address <DOCUMENT_STORE_LOCATION> --hash <HASH_OF_DOC(S)> --network <NETWORK> --encrypted-wallet-path <PATH_OF_WALLET>
In the example above, because the revocation mapping in the documentStore is separate from the issued mapping, you can revoke the document using the documentStore, even if you haven't issued any document from it.