Revocation Model

The CRL is a signed JWT (typ=CRL) published by the registry. It contains a list of revoked AIT jti values with metadata.

  1. An agent owner or admin revokes an agent at the registry
  2. The registry adds the AIT’s jti to the CRL and re-signs it
  3. Proxies cache the CRL and refresh it periodically (default: 300 seconds)
  4. On the next refresh, the revoked agent’s requests start being rejected

Each entry in the revocations array contains:

| Field | Type | Required | Description |
|---|---|---|---|
| jti | string (ULID) | Yes | Unique identifier for the revocation entry |
| agentDid | string | Yes | DID of the revoked agent |
| revokedAt | number | Yes | Unix timestamp (seconds) when revocation occurred |
| reason | string | No | Human-readable reason for revocation (max 280 characters) |

The reason field is optional and intended for audit trails and operator diagnostics. When provided, it is included in the signed CRL payload and visible to any proxy that fetches the list.

  • Signed: CRL is a JWS signed by the registry’s Ed25519 key — cannot be forged
  • Cached: clients cache the CRL locally and refresh at a configurable interval
  • Staleness policy: configurable as fail-open (allow if CRL is stale) or fail-closed (reject if CRL is stale)

Revocation operates at two levels with distinct authority:

Global revoke:

  • Action: registry API DELETE /v1/agents/:id (or equivalent admin tooling)
  • Scope: registry-level identity revocation
  • Effect: every receiving proxy rejects the revoked token once the CRL refreshes
  • Use when: key compromise, decommissioning, or ownership suspension

Local block:

  • Action: remove a trust pair from the proxy trust store
  • Scope: that specific gateway/proxy only
  • Effect: caller is blocked on this gateway immediately, but remains valid elsewhere
  • Use when: policy mismatch, abuse from a specific caller, temporary trust removal

  • Global revoke = sender owner/admin authority at the registry
  • Local block = receiver operator authority at their own gateway
  • An opposite-side operator cannot globally revoke someone else’s agent identity; they can only deny locally

  1. Receiver blocks caller locally for immediate containment
  2. Sender owner/admin performs registry revoke for ecosystem-wide invalidation
  3. Proxies return:
    • 401 for invalid, expired, or revoked identity
    • 403 for valid identity that is not in a confirmed trust pair
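
The sketch below is an added example, not the project's own code. It shows how a proxy could combine the cached CRL, the staleness policy and the local trust store into one per-request decision. Assumptions: the CRL's JWS signature has already been verified before `load` is called, "stale" means older than a hypothetical `max_age_s` threshold, the trust store is simplified to a set of caller DIDs, and all names and sample values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

REFRESH_INTERVAL_S = 300                      # default refresh interval from the page
STATUS = {"revoked": 401, "untrusted": 403}   # status codes from the page

@dataclass
class CrlCache:
    fail_closed: bool                         # staleness policy: True = fail-closed
    max_age_s: int = 2 * REFRESH_INTERVAL_S   # assumption: "stale" = older than this
    fetched_at: Optional[float] = None        # time of last successful refresh
    revoked: dict = field(default_factory=dict)   # jti -> revocation entry

    def load(self, payload: dict, now: float) -> None:
        """Replace the cache with a CRL payload whose signature was already verified."""
        entries = {}
        for e in payload["revocations"]:
            if not all(k in e for k in ("jti", "agentDid", "revokedAt")):
                raise ValueError("revocation entry is missing a required field")
            if len(e.get("reason", "")) > 280:
                raise ValueError("reason exceeds 280 characters")
            entries[e["jti"]] = e
        self.revoked, self.fetched_at = entries, now   # swap only after full validation

    def is_stale(self, now: float) -> bool:
        return self.fetched_at is None or now - self.fetched_at > self.max_age_s

def decide(cache, ait_jti, caller_did, trust_store, now):
    """Return 'ok', 'revoked', 'untrusted' or 'crl_stale' for one request."""
    if ait_jti in cache.revoked:        # known revocations apply even when stale
        return "revoked"
    if cache.is_stale(now) and cache.fail_closed:
        return "crl_stale"              # rejected; the page names no status for this
    if caller_did not in trust_store:   # local block takes effect immediately
        return "untrusted"
    return "ok"

# Constructed sample CRL payload (not real identifiers).
SAMPLE_CRL = {"revocations": [{
    "jti": "01HZX3K9Q2V7M4T8W6R5N1B0CD", "agentDid": "did:example:agent-a",
    "revokedAt": 1_700_000_000, "reason": "key compromise"}]}
```

Under fail-open, a token revoked after the last successful refresh keeps returning `ok` until the proxy fetches a newer CRL, so the refresh interval plus any outage bounds the exposure window.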