Revoke documents using OCSP responder
Note: Depending on whether you have deployed the Document Store or OCSP, use the corresponding method to revoke documents.
Licenses, certifications, and permits are some examples of documents that can be issued as verifiable documents.
When issuing verifiable documents, keep in mind that they will remain verifiable indefinitely.
However, there may be times when the issued document needs to be revoked because:
- It contains errors.
- It was issued wrongly.
- After issuance, an incident occurs and requires the document to become ineffective and unverifiable.
Differences between revocation and expiration
Revocation serves as a strict, proactive approach to prevent a security breach or any change that may compromise the document's integrity.
Document revocation is not intended to work as expiration, since documents with an expiry date already have a limited validity duration that the issuer determines at the time of file creation.
For documents with limited validity, consider including expiry dates within the document content for external verification.
The following screenshot shows a certificate example:
It includes:
- The document issue date (e.g. “31 December 2022”) can be stored in a field defined by the issuing party and also in the content visually shown in the document renderer.
- The document expiry date (e.g. “30 December 2025”) can be stored in another field defined by the issuing party and also in the content visually shown in the document renderer.
However, whether or not the document remains viewable after expiration may be up to the issuing party to decide, based on the use case. The document renderer should handle any logic specific to expiration.
Revoking using OCSP responder
You can revoke a document using your own Online Certificate Status Protocol (OCSP) responder. In short, an OCSP responder is a service that will respond with the revocation status of a certificate and the reason it is revoked.
Revocation type and location
You would require a DID document with:
- revocation.type: OCSP_RESPONDER
- revocation.location: https://ocsp-sandbox.openattestation.com
Replace the revocation.type and revocation.location values below.
{
  "$template": {
    "name": "main",
    "type": "EMBEDDED_RENDERER",
    "url": "https://tutorial-renderer.openattestation.com"
  },
  "recipient": {
    "name": "John Doe"
  },
  "issuers": [
    {
      ....
      "name": "Demo Issuer",
      "revocation": {
        "type": "OCSP_RESPONDER",
        "location": "<OCSP_RESPONDER_URL>"
      },
      ...
    }
  ]
}
Revoking a document
To learn about a reference implementation to revoke a document using the OCSP responder, see this readme.
Note: Other implementations will also be recognized by verifiers, as long as they adhere to the request/response format required by the OpenAttestation framework.