Title of invention: FLEXIBLE REVOCATION OF CREDENTIALS
Abstract: The invention relates to a computer-implemented method for handling revocation statuses of credentials, the method including: an issuing computer transmitting a public key to user and verifying computers, a revocation computer sending revocation parameters to user and verifying computer devices, issuing credentials to a user computer by an issuing computer, verifying issued credentials by the user computer, transmitting updated revocation information to the revocation computer by the verifying computer, updating provisional revocation status information by the revocation computer, updating revocation status information by the revocation computer, transmitting updated revocation information to a revocation computer by a verifying computer, updating provisional revocation status information by the revocation computer, transmitting updated revocation status information to the user and verifying computers by the revocation computer, creating a presentation token by the user computer, transmitting the presentation token to a verifying computer, and verifying the presentation token by the verifying computer.
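Application publication number: US2017034142(A1)  Application publication date: 2017.02.02
Application number: US201514810896  Filing date: 2015.07.28
Applicant: International Business Machines Corporation  Inventors: Camenisch Jan L.; Dubovitskaya Maria; Rial Duran Alfredo
Classification: H04L29/06  Main classification: H04L29/06
Agency:  Agent: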
Main claim: 1. A computer-implemented method for flexible revocation of credentials, the method comprising:
issuing and storing a plurality of credentials by a credential issuing computer system, each credential being provided to a user computer device, the user computer device being configured for requesting one or more hardware and/or software functions offered and provided by one or more credential verifying computer systems;
initializing and storing by a revocation computer system a revocation status vector comprising vector elements, wherein for a set of the vector elements:
  each vector element is assigned to a different one of the credentials,
  each vector element comprises a sequence of bits, wherein for a set of the bits each bit of the set of bits is assigned to a different one of the functions,
  the bit value at a given bit position of the sequence is indicative of the credential assigned to the element comprising said sequence of bits,
  a revocation status indicates whether said credential is valid or invalid for the function assigned to said bit position, and
  for each sequence of bits the same bit positions are assigned to the same functions;
transforming the revocation status vector by the revocation system into a commitment value and providing the commitment value to the one or more verifying computer systems;
computing a witness value by the revocation system for each vector element of the set of vector elements;
providing to the user computer device the vector element which is assigned to the credential of said user computer device and the respective witness value, the witness value proving that the vector element provided is identical to the vector element for which the witness value was computed;
generating a presentation token by the user computer device for its credential, the presentation token comprising the vector element provided by the revocation system and a proof of possession of the respective credential assigned to said vector element and of possession of the witness value computed for said vector element;
transmitting by the user computer device the presentation token and a request for one of the hardware and/or software functions to the respective verifying computer system;
receiving the presentation token and request by said verifying computer system;
evaluating by the receiving verifying computer system for the requested function the validity of the revocation status of the credential for which the presentation token was generated using the commitment value for verifying the proof of possession of the witness value comprised by the presentation token; and
in case of validity, providing the requested function to the requesting user computer device.
Address: Armonk NY US
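The per-function revocation vector, commitment value and witness of the main claim, sketched as an added example that is not code from the patent or its applicant. Assumptions: a SHA-256 Merkle tree stands in for the commitment scheme (this record does not specify one), the witness is disclosed to the verifier rather than proven in a proof of possession, a bit value of 1 means revoked, and the function names and sample vector are constructed.

```python
import hashlib

# Hypothetical function names; bit position j of every element maps to FUNCTIONS[j].
FUNCTIONS = ["door_access", "printer", "vpn"]
# Constructed sample: one bit sequence per credential; assumed 1 = revoked, 0 = valid.
SAMPLE_VECTOR = [0b000, 0b010, 0b111, 0b100]

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _leaf(index: int, element: int) -> bytes:
    # Binding the index ties each element to exactly one credential slot.
    return _h(b"\x00", index.to_bytes(4, "big"), element.to_bytes(4, "big"))

def _levels(vector):
    level = [_leaf(i, e) for i, e in enumerate(vector)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:  # pad odd levels by repeating the last node
            level = level + [level[-1]]
            levels[-1] = level
        level = [_h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def commit(vector) -> bytes:
    """Revocation system: transform the status vector into a commitment value."""
    return _levels(vector)[-1][0]

def witness(vector, index: int):
    """Revocation system: sibling path proving vector[index] is under the commitment."""
    path = []
    for level in _levels(vector)[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify(commitment: bytes, index: int, element: int, path, function: str) -> bool:
    """Verifier: check the witness first, then the bit for the requested function."""
    node, pos = _leaf(index, element), index
    for sibling in path:
        node = _h(b"\x01", node, sibling) if pos % 2 == 0 else _h(b"\x01", sibling, node)
        pos //= 2
    if node != commitment:
        return False  # element is not the one the revocation system committed to
    return (element >> FUNCTIONS.index(function)) & 1 == 0
```

When the revocation system changes any element, the commitment changes and previously issued witnesses stop verifying, so holders need refreshed witnesses after each update.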