Product Docs
Product DocsTechnical DocsLearning & GovernanceUseful Links
  • Product Docs
  • Node Docs
  • Learning Docs
  • â„šī¸Getting Started
    • Product Overview
    • âžĄī¸Get Started with cheqd Studio
      • 👉Set Up Your Account
      • đŸ—ī¸Create API Keys
      • đŸĒ™Token Top Up
      • 🔄Advanced Configuration Options
    • â˜‘ī¸Use Trust Registries for AI Agents
      • đŸ—ī¸Build an AI Agent Trust Registry
        • Setup AI Agent Trust Registry
          • Issue Verifiable Credentials to AI Agent
        • Setup and Configure MCP Server
          • Create AI Agent DID
          • Import Credential to AI Agent
          • Advanced functionality
            • Issue a Verifiable Credential
            • Verify a Credential
      • 🤝Validate AI Agent Trust Chain
  • đŸŸĸStart using cheqd
    • 🆔Create DIDs and Identity Keys
      • Create Issuer DID
      • Create Identity Keys and Subject DIDs
      • Resolve a DID
      • Update a DID
      • Deactivate a DID
    • ✅Issue Credentials and Presentations
      • Issue Credential
      • Setup Verida Wallet
      • Verify Credential
      • Verify Presentation
      • Revoke Credential
      • Suspend or Unsuspend Credential
    • â™ģī¸Charge for Verifiable Credentials
      • Understanding Credential Payments
        • Access Control Conditions
        • Privacy Considerations
      • Charge for Status List
      • Issue Credential with Encrypted Status List
      • Create Verifier Pays Issuer flow
      • Bulk Update or Rotate Encryption Keys
    • 🤝Build Trust Registries
      • Decentralized Trust Chains (DTCs)
        • Root Authorisations
        • RTAO -> TAO
        • TAO -> SubTAO
        • TAO -> Trusted Issuer (TI)
        • Referencing Trust Registry within a Verifiable Credential
      • Set up Trust Chain
        • Issue Verifiable Accreditation
        • Verify Verifiable Accreditation
      • Get Started with TRAIN
        • Deploy TRAIN and Anchor rTAO in DNS
        • Validate Trust Chain
    • 🎋Create Status Lists
      • Bitstring Status List
        • Create Bitstring Status List
        • Update Bitstring Status List
        • Check Bitstring Status List
        • Search Bitstring Status List
      • Token Status List
        • Create Token Status List
        • Update Token Status List
    • â†•ī¸Create DID-Linked Resources
      • Understanding DID-Linked Resources
        • Context for developing DID-Linked Resources
        • Technical composition of DID-Linked Resources
        • Referencing DID-Linked Resources in VCs
      • Create DID-Linked Resource
      • Search DID-Linked Resource
  • đŸ› ī¸Integrate an SDK
    • Choosing the right SDK
    • 🍏Credo
      • Setup Credo Agent
      • Decentralized Identifiers (DIDs)
        • Create a DID
        • Update a DID
        • Deactivate a DID
      • DID-Linked Resources
        • Create DID-Linked Resource
        • Resolve DID-Linked Resource
        • Create AnonCreds Schema
        • Create AnonCreds Credential Definition
      • Verifiable Credentials and Presentations
        • Issue a Verifiable Credential (AnonCreds)
        • Present a Verifiable Credential (AnonCreds)
    • 🍊ACA-Py
      • Setup ACA-Py Agent
      • Decentralized Identifiers (DIDs)
        • Create a DID
        • Update a DID
        • Deactivate a DID
      • DID-Linked Resources
        • Create AnonCreds Schema
        • Create AnonCreds Credential Definition
      • Verifiable Credentials and Presentations
        • Issue a Verifiable Credential
        • Present a Verifiable Credential
        • Revoke a Verifiable Credential
    • 🍈Veramo
      • Setup Veramo CLI for cheqd
        • Troubleshooting Veramo CLI setup
      • Decentralised Identifiers (DIDs)
        • Create a DID
        • Querying a DID
        • Update an existing DID
        • Deactivate a DID
        • Create an off-ledger holder DID
        • Managing Identity Keys
        • Troubleshooting
      • Verifiable Credentials and Presentations
        • Issue a Verifiable Credential
        • Verify a Verifiable Credential
        • Create a Verifiable Presentation
        • Verify a Verifiable Presentation
      • Credential Payments
        • Charge for Status List
        • Issue Credential with Encrypted Status List
        • Verifier pays Issuer
      • Bitstring Status List
        • Create Status List
        • Issuing a Verifiable Credential referencing Status List
      • DID-Linked Resources
        • Create a DID-Linked Resource
        • Create a new Resource version within existing Collection
    • đŸĢWalt.id Community Stack
  • đŸ—ī¸Architecture
    • Architecture Decision Record (ADR) Process
    • List of ADRs
      • đŸ”ĩADR 001: cheqd DID Method
      • đŸŸĸADR 002: DID-Linked Resources
      • 🟡ADR 003: DID Resolver
      • 🟠ADR 004: DID Registrar
      • đŸŸŖADR 005: DID Resolution & DID URL Dereferencing
  • đŸ’ĢAdvanced features and alternatives
    • âžĄī¸DID Registrar
      • Setup DID Registrar
      • Create a DID
      • Create a DID-Linked Resource
    • âŦ…ī¸DID Resolver
      • Setup DID Resolver
    • ⚡AnonCreds Object Method
      • Schemas
      • Credential Definitions
      • Revocation Registry Definitions
      • Revocation Status Lists
    • 🌠Advanced Tooling
      • cheqd Cosmos CLI for identity
        • Create a DID
        • Update a DID
        • Deactivate a DID
        • Query a DID
        • Create a DID-Linked Resource
        • Update a DID-Linked Resource
      • Direct interaction with ledger code
      • VDR Tools CLI with cheqd (deprecated)
      • Demo Wallet for Identity Setup
  • âš›ī¸Network
    • Get started with cheqd Network
      • Identity Write Pricing
      • Comparison to Hyperledger Indy
    • ⏊Setup your Wallet
      • Setup Leap Wallet
        • Congifure cheqd testnet for Leap
      • Setup Keplr Wallet
      • Migrate from Keplr to Leap Wallet
    • â†Ēī¸Useful Tools and APIs
      • Block Explorer
      • Testnet Faucet
      • Validator Status API
      • Cheqd x Cosmos Data APIs
      • Cosmos Airdrop Helpers
      • Cosmos Address Convertor
      • Ethereum Bridge
    • âŦ†ī¸Network Upgrades
      • 2021
        • 0.1.x
        • 0.2.x
        • 0.3.x
      • 2022
        • 0.4.x
        • 0.5.x
        • 0.6.x
      • 2023
        • 1.x
      • 2024
        • 2.x
        • 3.x
      • Root Cause Analysis of Outages
        • v1.x upgrade RCA
  • âš–ī¸Legal
    • License
    • Code of Conduct
    • Security Policy
  • 🆘Support
    • System Status
    • Discord
    • Bugs & Feature Requests
Powered by GitBook
LogoLogo

General

  • Website
  • Blog
  • Get $CHEQ

Product Docs

  • Product Docs
  • cheqd Studio
  • Creds.xyz
  • Bug/Feature Requests

Technical Docs

  • Node Docs
  • GitHub
  • Block Explorer

Learning Docs

  • Learning Docs
  • Governance Docs
  • Governance Forum
  • Governance Explorer
On this page
  • cheqd AnonCreds Object Method for Revocation Registry Definition Objects
  • AnonCreds Revocation Registry Definition Object ID
  • cheqd Revocation Registry Definition Object ID
  • Understanding Request vs Response formats
  • cheqd Revocation Registry Definition Request format
  • cheqd resource Metadata
  • cheqd Revocation Registry Definition Response format
  • Create Revocation Registry Definition transaction
  • Tying CredDef, RevRegDef and StatusList Objects together
  • Fetching a cheqd Revocation Registry Definition Object
  • Same Resource Name, different Resource type
  • Constructing an AnonCred with this logic
  • Legacy AnonCreds Revocation Registry Definition Structure

Was this helpful?

Edit on GitHub
Export as PDF
  1. Advanced features and alternatives
  2. AnonCreds Object Method

Revocation Registry Definitions

cheqd support for Ledger-Agnostic AnonCreds Revocation Registry Definitions

Last updated 10 days ago

Was this helpful?

cheqd AnonCreds Object Method for Revocation Registry Definition Objects

In the ledger-agnostic , a Revocation Registry Definition Object acts as an on-ledger hub for revocation, providing a central point information about the:

  1. type of Revocation Registry (In Indy this is always "CL_ACCUM").

  2. cred_def_id: Each Revocation Registry must be linked to one specific Credential Definition.

  3. tag: An issuer-specified name for the Revocation Registry, to ensure consistency when referencing the registry.

  4. maxCredNum: The maximum amount of Credentials that can be revoked in the Revocation Registry before a new one needs to be started.

  5. tailsLocation: A resolving to the location of the Tails File.

A Tails File is a large file containing a cryptographic accumulator value of prime numbers multiplied together. When a Credential is revoked, the value of the accumulator changes, removing the cryptographic value of the Credential as a factor of the accumulator value.

Each credential issued using the Revocation Registry Definition is given its own index (1 to the maxCredNum).

While not required, the Indy community has created a component, the “,” which is basically a web server for storing Tails Files.

This documentation will guide an implementor of AnonCreds on cheqd on how the cheqd AnonCreds Object Method defines and structures Revocation Registry Definition IDs and associated content.

AnonCreds Revocation Registry Definition Object ID

If you are not familiar with the latest Ledger-Agnostic AnonCreds Revocation Registry Definition structure, click the collapsible tile below to learn about the new format.

Ledger-agnostic AnonCreds Revocation Registry Definition Object Content

Each specific AnonCreds identifier must be defined within an AnonCreds Object Method in the .

This means that an AnonCreds Revocation Registry Object ID does not need to be formatted in any particular syntax, in the latest version of the AnonCreds Specification.

The required content and data model for the AnonCreds Revocation Registry Definition Object are as follows:

  • issuerId - the of the revocation registry. MUST adhere to rules and MUST be the same issuerId as the on which the is based.

  • revocDefType: the input parameter type (This is currently always CL_ACCUM)

  • credDefId: the input parameter cred_def_id, .

  • tag - an arbitrary string defined by the [ref: issuer], enabling an [ref: issuer] to create multiple s for the same .

  • value - The value of the revocation registry definition

    • publicKeys - Public keys data for signing the accumulator; the public key of a private/public key pair

      • accumKey - Accumulator key for signing the accumulator

        • z - a public key used to sign the accumulator (described further below)

    • maxCredNum - The maximum amount of Credentials that can be revoked in the Revocation Registry before a new one needs to be started

    • tailsLocation - The URL pointing to the related tails file

    • tailsHash - The hash of the tails file (see also: ) resulting from hashing the tails file version prepended to the tails file as SHA256 and then encoded to base58.

For example, the on-ledger Revocation Registry Definition Object Content is as fol

{
  "issuerId": "did:web:example.org",
  "revocDefType": "CL_ACCUM",
  "credDefId": "Gs6cQcvrtWoZKsbBhD3dQJ:3:CL:140384:mctc",
  "tag": "MyCustomCredentialDefinition",
  "value": {
    "publicKeys": {
      "accumKey": {
        "z": "1 0BB...386"
      }
    },
    "maxCredNum": 666,
    "tailsLocation": "https://my.revocations.tails/tailsfile.txt",
    "tailsHash": "91zvq2cFmBZmHCcLqFyzv7bfehHH5rMhdAG5wTjqy2PE"
  }
}

cheqd Revocation Registry Definition Object ID

cheqd resources module uses the following format:

did:cheqd:mainnet:<issuerDid>/resources/<revRegDefResourceId>

Rather than using a composite string for the Revocation Registry Definition Resource ID. The cheqd AnonCreds object method uses a UUID to identify the Revocation Registry Definition Object Content.

For example, the following DID URL is cheqd's representation of a revocRegDefId:

did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J/resources/af20b1f0-5c4d-4037-9669-eaedddb9c2df

Another supported format for a revocRegDefId may be used in applications where it is important to derive the credDefId, revocRegDefId and statusListId from the same root.

This format uses query-based syntax, for example:

did:cheqd:mainnet:<IssuerDid>?resourceName=<resourceName>&resourceType=<resourceType>

For example:

did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J?resourceName=universityDegree&resourceType=anonCredsRevocRegDef

Understanding Request vs Response formats

The request format may be specific to each AnonCreds Object Method. However, the response format should be standardised to enable any AnonCreds supported application to understand the object, without needing custom or method-specific logic.

cheqd Revocation Registry Definition Request format

The cheqd revocation registry definition request format comprises of:

  1. A Resource file for the Revocation Registry Definition object content (e.g. degreeRevocRegDef.json); and

  2. A Payload file (including the signing keys and additional inputs to create a DID-Linked Resource).

Both of these inputs are required to provide the ledger enough information to:

Revocation Registry Definition Resource file

Before creating any on-ledger resource transaction, it is important to assemble the required Revocation Registry Definition Object Content and save it as a file locally.

In the example below, the content should be saved as a file, for example: degreeRevocRegDef.json with the following content:

{
  "revocDefType": "CL_ACCUM",
  "credDefId": "did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J/resources/77465164-5646-42d9-9a0a-f7b2dcb855c0",
  "tag": "2.0",
  "value": {
    "publicKeys": {
      "accumKey": {
        "z": "1 0BB...386"
      }
    },
    "maxCredNum": 666,
    "tailsLocation": "https://my.revocations.tails/tailsfile.txt",
    "tailsHash": "91zvq2cFmBZmHCcLqFyzv7bfehHH5rMhdAG5wTjqy2PE"
}

Note: The associated Credential Definition specified must have enabled revocation support for the Revocation Registry Definition to be able to be used properly in an SDK.

Resource file field
Resource file input
Payload file field
Payload file input

"type"

"CL_ACCUM"

"resourceType"

"anonCredsRevocRegDef"

"tag"

""

"resourceVersion"

""

What this means is that if the Resource file has an object of "type" = "CL_ACCUM" then this should be written as "resourceType" = "anonCredsRevocRegDef" when creating the Payload file.

Revocation Registry Definition Payload File

The Payload file utilises the inputs from the Resource file where possible, mapping common fields across. The Payload file may also require additional inputs to be provided by the creator to create a DID-Linked Resource for inputs not provided in the Resource file.

Below is an example of a Payload file:

{
  "payload": {
    "collectionId": "zF7rhDBfUt9d1gJPjx7s1J",
    "id": "af20b1f0-5c4d-4037-9669-eaedddb9c2df",
    "name": "universityDegree-1.0", // this is an additional input
    "version": "2.0", // this is an optional additional input
    "resourceType": "anonCredsRevocRegDef",
    "alsoKnownAs": []
  },
  "signInputs": [
    {
      "verificationMethodID": "did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J#key1",
      "privKey": "y4B5qis9BXUq/mODsrWtS3q5ejOk/okSIXlX1/a9HvuG3PgYmekfQmq3QhJ4JSzN/rkiGCQDNKoTXMmxuXDHbg=="
    }
  ]
}
Additional parameter
Expected input
Rationale

"name"

"<insert same name as CredDef>-<revocation tag>"

The Payload file drawing inputs from the Resource file on its own does not provide the ledger the requisite amount of information to create a full DID-Linked Resource. resourceName must be provided as an additional input parameter, as well as a revocation tag. There must be a hyphen between them.

Publishing resource using CLI

For example, the full request format using a CLI should be structured as follows:

cheqd-noded tx resource create [payload.json] [degreeRevocRegDef.json] \
  
  --chain-id cheqd \
  --keyring-backend test \
  --output json \
  --fees 10000000000ncheq \
  --gas auto \
  --gas-adjustment 1.8 \
  --from base_account \

cheqd resource Metadata

Once you have created your Revocation Registry as a resource on cheqd, the following metadata will be generated in the DID Document Metadata associated with did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J

"linkedResourceMetadata": [
  {
  "resourceURI": "did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J/resources/af20b1f0-5c4d-4037-9669-eaedddb9c2df",
  "resourceCollectionId": "zF7rhDBfUt9d1gJPjx7s1J",
  "resourceId": "af20b1f0-5c4d-4037-9669-eaedddb9c2df",
  "resourceName": "universityDegree-1.0",
  "resourceType": "anonCredsRevocRegDef",
  "resourceVersion": "2.0",
  "mediaType": "application/json",
  "created": "2022-08-21T08:40:00Z",
  "checksum": "7b2022636f6e74656e74223a202274657374206461746122207d0ae3b0c44298",
  "previousVersionId": null,
  "nextVersionId": null
  }
]

cheqd Revocation Registry Definition Response format

This can either be compiled by the associated SDK handling cheqd AnonCreds, or it can be assembled by the cheqd DID resolver.

{
  "issuerId": "did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J"
  "revocDefType": "CL_ACCUM",
  "credDefId": "did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J/resources/77465164-5646-42d9-9a0a-f7b2dcb855c0",
  "tag": "2.0",
  "value": {
    "publicKeys": {
      "accumKey": {
        "z": "1 0BB...386"
      }
    },
    "maxCredNum": 666,
    "tailsLocation": "https://my.revocations.tails/tailsfile.txt",
    "tailsHash": "91zvq2cFmBZmHCcLqFyzv7bfehHH5rMhdAG5wTjqy2PE"
}

Compiling Response format in cheqd DID Resolver

The cheqd DID resolver will use the following logic to compile the standardised response format:

If "resourceType=anonCredsRevocRegDef" then append "issuerId" to the beginning of the Response Format for the resource presented

Create Revocation Registry Definition transaction

Tying CredDef, RevRegDef and StatusList Objects together

Importantly, this allows each new resource to be indexed and versioned by their:

  1. resourceName

  2. resourceType

Fetching a cheqd Revocation Registry Definition Object

Same Resource Name, different Resource type

We propose that the resourceName for CredDefs, Revocation Registry Definitions and Status Lists should remain the same when each of these resources is part of the same AnonCred. This will make it easier for resources to query by resourceName and resourceType to delineate between the three resources using a common root.

Dereference to CredDef

did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J?resourceName=universityDegree&resourceType=anonCredsCredDef

Dereference to Revocation Registry Definition

did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J?resourceName=universityDegree&resourceType=anonCredsRevocRegDef

Dereference to Revocation Status List

did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J?resourceName=universityDegree&resourceType=anonCredsStatusList

Note: across all three of these queries, the resolver would fetch the latest version of the resource by default

Constructing an AnonCred with this logic

This is similar to how Hyperledger Indy uses composite strings to derive assoicated AnonCreds Objects from others. For example:

{
    "schema_id": "did:cheqd:mainnet:7BPMqYgYLQni258J8JPS8K/resources/6259d357-eeb1-4b98-8bee-12a8390d3497",
    "cred_def_id": "did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J?resourceName=universityDegree&resourceType=anonCredsCredDef",
    "rev_reg_id": "did:cheqd:mainnet:zF7rhDBfUt9d1gJPjx7s1J?resourceName=universityDegree&resourceType=anonCredsRevocRegDef",
    "values": {...}
}

Legacy AnonCreds Revocation Registry Definition Structure

Legacy AnonCreds Revocation Registry Definition Object

Like both the Legacy Schema Object ID and the Legacy CredDef Object ID, the Legacy Revocation Registry Definition Object ID was defined as a composite string of the following information:

  1. Object Type: An integer denoting the type of object. 4 is used for Revocation Registry Objects.

  2. Revocation Registry Type: The type of Revocation Registry used, this is by default always "CL_ACCUM".

  3. tag: A unique name or tag given to the Revocation Registry Object.

The revocRegDefId therefore was formatted in the following way:

<publisherDid>:<objectType>:<credDefId>:<revRegType>:<tag>

For example a Legacy AnonCreds revocRegDefId could be:

zF7rhDBfUt9d1gJPjx7s1J:4:zF7rhDBfUt9d1gJPjx7s1J:3:CL:7BPMqYgYLQni258J8JPS8K:2:degreeSchema:1.5.7:credDefDegree:CL_ACCUM:degreeCredRevRegDef

Through combining each of the components into one string, it provides client applications all of the information they need to know about the Revocation Registry Definition Object in a simple and easily consumable format.

This is important to mention, since many client applications may still expect RevRegDef IDs or RevRegDef Content to contain the information or specific syntax of this Legacy revocRegDefId.

cheqd uses to identify individual resources, associated with a DID, using fully resolvable DID URLs.

It is important to differentiate between the Request format for creating an AnonCreds object on cheqd, and the Response format, for how an AnonCreds objectshould be compiled by SDKs and the .

Populate a ; and

Compile a standardised AnonCreds revocation registry definition object in the .

This Revocation Registry Definition Resource file fields should be replicated where possible within the Payload file, to populate a stored on cheqd, with the following mapping:

When passing the Payload file to the ledger, additional inputs may be required within the Payload file to populate the . In this instance, the only additional information required is:

Using the cheqd and , the ledger has enough information to compile the following data structure as a response format.

To create a Revocation Registry Definition on cheqd, you should follow the , and pass the relevant JSON file for the object in the transaction.

Across the , the and the - each resource is associated with the same issuer DID and Collection ID.

New resources can be created to update the existing CredDef or RevRegDef, whilst maintaining the historical state of the previous versions. See the documentation on to understand this further.

Existing DID Resolvers will be able to query for the Revocation Registry Definition Object Content using the .

The cheqd AnonCreds method also enables applications to derive the , and from the same root:

Using this logic, the following queries can be used to dereference to , and , in a way which can derive all three resources from the same root:

The AnonCreds construction below uses this logic to demonstrate how an application could derive the latest using the "rev_reg_id" since it shares the same root and would only require replacing "anonCredsRevocRegDef" with "anonCredsStatusList".

Publisher DID: The DID of the creator of the revocation registry. Generally this will be the same publisher as the creator of the .

CredDef Object ID: This is the .

This legacy format is now attributed to the

đŸ’Ģ
⚡
AnonCreds
specification
URL
Indy Tails Server
AnonCreds Object Method Registry
Issuer Identifier
Issuer Identifiers
Credential Definition
Revocation Registry
further explained here
Revocation Registry Definition
Credential Definition
TAILS_FILE
next section
DID-Linked Resources
cheqd DID Resolver
cheqd DID-Linked Resource
DID-Linked resource
DID-Linked Resource
tutorials for creating a DID-Linked Resource here
Publishing a New Version of a Resource
CredDef
Revocation Registry Definition Object
Status Lists
CredDefs
Revocation Registry Definitions
Status Lists
Revocation Status List
CredDef Object
AnonCreds CredDef Object ID
Hyperledger Indy Legacy AnonCreds Objects Method
Response format
Revocation Registry Definition Request format
associated resource metadata
StatusList Object Method
Revocation Registry Definition Object Method
same patterns and parameters as the Schema Object found here
cheqd CredDef Object Method