At issuance, assign each credential a unique integer index within a status list bitstring of at least 131,072 bits (16 KB uncompressed); embed a credentialStatus object of type BitstringStatusListEntry referencing the status list VC URL and the assigned index
Publish the BitstringStatusListCredential at a stable HTTPS URL; the credential contains a base64url-encoded, GZIP-compressed bitstring where bit position 0 means not-revoked and 1 means revoked
To revoke a credential, set the bit at its assigned index to 1 in the bitstring, recompress, re-encode, re-sign the status list VC, and republish it at the same URL
Implement a caching strategy for the status list with appropriate Cache-Control headers; verifiers may cache it per the HTTP directives, so revocation propagation is not instant
During verification, fetch the status list VC, decode and decompress the bitstring, check the bit at the credential's statusListIndex, and treat a value of 1 as revoked regardless of a valid cryptographic proof
Known gotchas
Status list URLs must not encode any personally identifiable information, as the URL is public and repeated fetches of per-credential status URLs can reveal which credentials are being checked (herd-privacy concern solved by the shared bitstring)
A stale cached status list means recently revoked credentials continue to pass verification; relying parties must define a maximum acceptable cache age and enforce it
The statusPurpose field must match between the credential's credentialStatus and the status list VC; mixing 'revocation' and 'suspension' purposes in the same list is not permitted by the specification
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp