I believe the solution lies primarily in how you define the credentials. If you as an issuer need to be able to revoke the credential on short notice, then make the credential short-lived.
You can also often define the credentials in such a way that they don’t need to expire. Compare these two:
Credential saying user is 18 years old
Credential saying user is at least 18 years old
The first credential needs to expire or be revoked before the 19th birthday, the second never has to be revoked.
The way credentials work at the moment, they don’t even need to live as credentials in the canister. The canister can just have the data about the user and when the credential is requested, the canister can decide to issue or not issue the credential.
For example, suppose Open Chat wants to issue credentials for group membership. They don’t need to create the credentials now.
They can expose the endpoints of the Verifiable Credentials in Internet Computer. When a relying party wants to request a credential, the endpoints will be called. Then Open Chat could just read their internal data, check whether the user is a member of a group and issue the credential.
Credentials also have an expiration field. Therefore, as @kristofer mentions, one could decide to set a short time so that the relying party needs to request it again.
To be fair to @singularity, the app consuming this information needs to trust it to be correct for a certain period of time. There is a real risk in the scenario you describe that OC for some reason removes the user from the group. The credential in the consuming app is still valid until expiry nonetheless.
One “solution” is that the consuming app asks the user to prove their group membership on each login. But that would be perceived as really bad UX.
I guess one takeaway is that VCs most likely are not the right tool if you need always up-to-date information about a user.
Or is there any standard way to handle this? In the real world with physical credentials there often is a backdoor, a way to double check a credential is valid. You show your driver’s license to a police officer. The driver’s license expires in 5 years. But… police officer radios in and checks the license and it turns out it was revoked because of … some reason.
I believe that is an inherent problem of most digital credentials. That’s probably why it makes sense to have credentials for things that don’t change often.
This feature is still at the beginning for us, we hope to still improve it in the future. That’s why feedback from the use cases is crucial for us.
Thanks for the discussion and don’t hesitate to reach out again with suggestions or solutions!
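The trade-off discussed in this thread, shown as an added example that is not part of any post and is not the Internet Computer verifiable credentials API: an issuer that builds a group-membership credential on demand from its live data, and a relying party that can only check signature and expiry, so a removed member stays accepted until the credential expires. The function names, the `MEMBERS` data, the demo key and the use of HMAC in place of the issuer's real signature scheme are all assumptions made for the sketch.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the issuer's real signature scheme;
# a real relying party would verify with the issuer's public key instead.
ISSUER_KEY = b"demo-issuer-key"
# Constructed issuer-side data: group -> current members.
MEMBERS = {"devs": {"alice"}}


def _sign(payload: bytes) -> str:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_membership(user, group, now, ttl):
    """Issuer: consult live data at request time; nothing is pre-created."""
    if user not in MEMBERS.get(group, set()):
        return None  # decline to issue
    claims = {"sub": user, "group": group, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload.decode(), "sig": _sign(payload)}


def verify(cred, user, group, now):
    """Relying party: offline check of signature, subject, claim and expiry."""
    payload = cred["payload"].encode()
    if not hmac.compare_digest(_sign(payload), cred["sig"]):
        return False
    claims = json.loads(payload)
    return (claims["sub"], claims["group"]) == (user, group) and now < claims["exp"]


def stale_window(ttl, removed_at):
    """Issue at t=0, remove the user at removed_at, and return the number of
    seconds during which the relying party still accepts the old credential."""
    MEMBERS["devs"].add("alice")
    cred = issue_membership("alice", "devs", now=0, ttl=ttl)
    MEMBERS["devs"].discard("alice")  # issuer-side removal
    # A fresh request is refused immediately, but the old credential lives on.
    assert issue_membership("alice", "devs", now=removed_at, ttl=ttl) is None
    return sum(verify(cred, "alice", "devs", t) for t in range(removed_at, ttl + 60))


if __name__ == "__main__":
    for ttl in (3600, 300):
        print(f"ttl={ttl}s -> accepted for {stale_window(ttl, 100)}s after removal")
```

The exposure after a removal is bounded by the remaining lifetime of the credential, which is why the expiry is the only lever the issuer has in this model.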