The revocation process involves multiple parties:

1. Issuer: The entity that originally issued the credential and has authority to revoke it
2. Holder: The entity holding the credential (may or may not be aware of revocation)
3. Verifiers: Entities that need to check credential validity before accepting presentations
4. Registrars/Backers: Infrastructure components that maintain copies of TELs for availability
5. Witnesses: KERI witnesses that provide receipts for revocation events

Process Flow

Step 1: Revocation Decision

The issuer determines that a credential must be revoked based on one of the triggering conditions mentioned above. This decision may be:

• Automated: Triggered by system events (e.g., LEI status change)
• Manual: Initiated by authorized representatives
• Policy-Driven: Required by governance framework rules

Step 2: Revocation Event Creation

The issuer creates a revocation event in the credential's Transaction Event Log (TEL). This event:

• References the credential's SAID (Self-Addressing Identifier)
• Contains a sequence number indicating its position in the TEL
• Includes a timestamp (though not used for security, only informational)
• Is cryptographically signed by the issuer's current authoritative keys

Critical Technical Detail: The revocation event itself does NOT require signatures on the credential - it's a signed statement in the TEL that references the credential's SAID.

Step 3: KEL Anchoring

The revocation event is anchored to the issuer's Key Event Log (KEL) through a seal:

{
  "s": "3",
  "d": "ELvaU6Z-i0d8JJR2nmwyYAZAoTNZH3UfSVPzhzS6b5CM"
}

This seal appears in an interaction event or rotation event in the issuer's KEL, creating a cryptographic commitment to the revocation event. The KEL event is then signed by the issuer's authoritative keys, providing the security foundation.

Step 4: Witness Receipting

The KEL event containing the revocation seal is sent to the issuer's designated witnesses, who:

1. Verify the event's cryptographic integrity
2. Check that it properly chains to previous events
3. Create signed receipts of the event
4. Store the event and receipts for future queries

This witness receipting provides distributed consensus on the revocation event's existence and ordering.

Step 5: Registrar/Backer Propagation

For public verifiable credential registries, the revocation event propagates to Registrars (also called Backers in TEL context):

• Registrars maintain copies of the TEL for high availability
• They provide query endpoints for verifiers to check credential status
• Multiple Registrars create redundancy and prevent single points of failure

Step 6: State Transition Finalization

The credential's state in the TEL transitions from:

Issued → Revoked

This state change is:

• Immutable: Cannot be undone (though a new credential could be issued)
• Verifiable: Any party can verify the state by processing the TEL
• Timestamped: The revocation event includes issuance datetime
• Ordered: The sequence number establishes ordering relative to other events

Step 7: Verification by Relying Parties

When a verifier receives a credential presentation, they:

1. Extract the credential's SAID and registry identifier (ri field)
2. Query the TEL for the credential's current state
3. Verify the TEL's cryptographic integrity by checking KEL anchoring
4. Determine whether to accept or reject the credential based on state

Technical Requirements

Cryptographic Requirements

Issuer Key Authority: Only the entity controlling the issuer AID's authoritative keys can create valid revocation events. This is enforced through:

• Digital signatures on KEL events that anchor TEL events
• Witness verification of signature validity
• Threshold requirements for multi-sig issuers

SAID Integrity: The credential's SAID must match the content being revoked. Any modification to the credential would change its SAID, making revocation references invalid.

KEL-TEL Binding: The cryptographic binding between KEL and TEL is critical:

KEL Event → Contains Seal → References TEL Event → Contains Revocation

This chain must be verifiable end-to-end without trusted intermediaries.

Witness Threshold: For issuers using witness pools, revocation events must satisfy the issuer's witness threshold (typically defined by TOAD - Threshold of Accountable Duplicity).

Timing Considerations

Grace Periods: The vLEI ecosystem implements a 90-day grace period for certain revocations, creating "ghost credentials" that remain technically valid during the transition period. This addresses practical realities of credential lifecycle management.

Event Ordering: KERI uses event sequence numbers rather than timestamps for security-critical ordering. Timestamps are informational only, as they can be manipulated by attackers.

Asynchronous Propagation: Revocation events propagate asynchronously through the distributed infrastructure:

• Witnesses may receive events at different times
• Registrars update their copies independently
• Verifiers may observe different states during propagation windows

First-Seen Policy: KERI's "first-seen" policy means that once a witness or watcher observes a revocation event, it cannot be "unseen" - this prevents certain classes of attacks.

Error Handling

Invalid Revocation Attempts: If a revocation event fails validation (wrong keys, invalid signature, broken chain), it is rejected by witnesses and does not affect credential state.

Duplicity Detection: If an issuer attempts to create conflicting revocation events (e.g., revoking and not revoking simultaneously), KERI's duplicity detection mechanisms identify this as malicious behavior.

Recovery Mechanisms: If an issuer's keys are compromised:

• Pre-rotation enables key recovery
• Revocation events signed with compromised keys can be invalidated
• The issuer can rotate to secure keys and re-establish authority

Network Partitions: During network partitions, different parts of the infrastructure may have different views of credential state. KERI's eventual consistency model ensures convergence once connectivity is restored.

Usage Patterns

Pattern 1: Immediate Revocation

For high-security scenarios requiring immediate revocation:

1. Issuer creates revocation event
2. Anchors to KEL immediately
3. Broadcasts to all witnesses
4. Waits for witness threshold receipts
5. Confirms revocation to requesting party

This pattern prioritizes speed and ensures rapid propagation.

Pattern 2: Batch Revocation

For efficiency when revoking multiple credentials:

1. Accumulate revocation events
2. Create single KEL interaction event with multiple seals
3. Anchor all revocations in one KEL event
4. Reduces KEL growth and witness load

This pattern is used when immediate revocation is not critical.

Pattern 3: Delegated Revocation

For hierarchical credential structures:

1. Delegator revokes delegation
2. Automatically invalidates all credentials issued by delegate
3. Cascading revocation through credential chains

This pattern leverages KERI's delegation mechanisms for efficient bulk revocation.

Pattern 4: Holder-Initiated Revocation

When holders request revocation of their own credentials:

1. Holder sends signed revocation request to issuer
2. Issuer verifies holder's authority (via AID control)
3. Issuer creates revocation event
4. Holder receives confirmation

This pattern respects holder autonomy while maintaining issuer authority.

Best Practices

Revocation Policies: Establish clear governance policies defining:

• Who can request revocation
• What conditions trigger automatic revocation
• How revocation decisions are documented
• Appeal or dispute resolution processes

Monitoring and Alerting: Implement systems to:

• Monitor TEL state changes
• Alert relevant parties when revocations occur
• Track revocation rates for anomaly detection
• Audit revocation decisions for compliance

Credential Lifecycle Management: Integrate revocation into broader lifecycle:

• Automatic revocation on credential expiration
• Revocation before re-issuance
• Revocation as part of role changes
• Revocation in response to security incidents

Verifier Integration: Ensure verifiers:

• Always check credential status before acceptance
• Cache TEL state appropriately (with TTLs)
• Handle network failures gracefully
• Implement fallback verification strategies

Integration Considerations

With IPEX Protocol: Revocation integrates with IPEX (Issuance and Presentation Exchange):

• Verifiers check status during presentation exchanges
• Revoked credentials fail verification automatically
• IPEX messages can include revocation notifications

With vLEI Ecosystem: In GLEIF's vLEI implementation:

• QVI revocation cascades to issued credentials
• Legal Entity credential revocation affects role credentials
• Grace periods accommodate organizational transitions
• Sally (reporting agent) tracks revocation events

With Multi-Signature Identifiers: For multi-sig issuers:

• Revocation requires threshold signatures
• Multiple authorized representatives must coordinate
• Partial signatures are escrowed until threshold met
• Revocation authority may differ from issuance authority

With Delegation Hierarchies: In delegated identifier structures:

• Delegator revocation affects delegate-issued credentials
• Delegation revocation is distinct from credential revocation
• Cascading effects must be carefully managed
• Recovery mechanisms preserve credential validity when possible

Revocation vs. Key Rotation

A critical distinction in KERI terminology:

Key Rotation: In KERI, "rotation" refers to changing the authoritative keys for an identifier. This is NOT the same as credential revocation.

Credential Revocation: Withdrawing attestation to credential validity. This is a separate operation from key management.

Unified Operation: KERI's design treats key rotation as a combined revoke-and-replace operation for keys, but this is distinct from credential revocation.

Null Key Revocation: For permanent key revocation without replacement, KERI uses "rotation to null key" - but again, this is about identifier keys, not credentials.

Revocation in Different TEL Types

Public TELs

For public verifiable credential registries:

• Revocation state is publicly queryable
• Anyone can verify credential status
• Registrars provide high-availability access
• Privacy is limited (credential existence is public)

Blinded TELs

For privacy-preserving registries:

• Revocation state is hidden by default
• Only parties with the "salty nonce blinding factor" can verify
• Issuer controls who can check revocation status
• Enables selective disclosure of credential state

Management TELs

For registry infrastructure:

• Revocation of registrar authority
• Changes to registry configuration
• Affects multiple credential TELs

Security Properties

Non-Repudiation: Once a revocation event is witnessed and receipted, the issuer cannot deny having revoked the credential.

Duplicity Evidence: Any attempt to present conflicting revocation states (revoked to some verifiers, not revoked to others) is cryptographically detectable.

End-Verifiability: Verifiers can independently verify revocation status without trusting intermediaries, by processing the TEL and verifying KEL anchoring.

Ambient Verifiability: Anyone, anywhere, at any time can verify credential revocation status if they have access to the TEL.

Compromise Recovery: If issuer keys are compromised, KERI's pre-rotation enables recovery and re-establishment of authority, allowing legitimate revocations to be distinguished from attacker-created ones.

Conclusion

Revocation in KERI/ACDC systems represents a sophisticated approach to credential lifecycle management that leverages KERI's core innovations:

• Transaction Event Logs for state tracking
• KEL anchoring for cryptographic security
• Witness pools for distributed consensus
• End-verifiability for trustless verification
• Duplicity detection for security guarantees

This architecture provides stronger security properties than traditional revocation mechanisms while maintaining the decentralized, self-sovereign principles that define the KERI ecosystem. The integration with governance frameworks like vLEI demonstrates how these technical mechanisms support real-world organizational identity requirements.

Error Handling

Network Failures: Implement robust retry logic:

# Pseudo-code
max_retries = 3
for attempt in range(max_retries):
    try:
        result = broadcast_revocation_event(event)
        break
    except NetworkError:
        if attempt == max_retries - 1:
            raise
        time.sleep(2 ** attempt)  # Exponential backoff

Invalid Events: Validate revocation events before broadcasting:

• Verify issuer has authority (controls issuer AID)
• Check credential exists and is currently issued
• Validate event structure and signatures
• Ensure proper KEL anchoring

Performance Optimization

Batch Processing: For bulk revocations:

• Create multiple TEL events
• Anchor all in single KEL interaction event
• Reduces KEL growth and witness load
• Improves efficiency for large-scale revocations

Asynchronous Processing: Implement async workflows:

• Don't block on witness receipts for user-facing operations
• Use background jobs for TEL propagation
• Provide status tracking for pending revocations
• Notify relevant parties upon completion

Security Considerations

Key Compromise: If issuer keys are compromised:

• Use pre-rotation to recover control
• Invalidate revocations signed with compromised keys
• Re-establish authority with secure keys
• Communicate compromise to ecosystem participants

Duplicity Detection: Monitor for conflicting revocation states:

• Compare TEL states across multiple Registrars
• Alert on inconsistencies
• Investigate potential duplicity
• Implement automated response procedures

Testing Requirements

Unit Tests: Test individual components:

• TEL event creation
• KEL anchoring
• Signature validation
• State transitions

Integration Tests: Test end-to-end workflows:

• Complete revocation process
• Witness receipting
• Registrar propagation
• Verifier queries

Security Tests: Test attack scenarios:

• Unauthorized revocation attempts
• Duplicity attacks
• Replay attacks
• Key compromise scenarios