Revocation · POC 04
The BSA requires suspicious activity reporting and the ability to freeze suspicious transactions. In an agentic economy, this means revoking credentials and cascading that revocation to all downstream sub-agents — in seconds, not days.
Regulatory Framework
Hierarchical revocation ensures that revoking a parent credential immediately invalidates all downstream sub-agents, even if their own credentials have not yet expired. This enables immediate incident response: when Acme Corp's root credential is revoked, the Finance Department Agent, Procurement Bot, Vendor Payment Sub-Agent, and all other descendants lose authority within milliseconds.
Revocation Cascade Timeline:
The "time to kill" metric measures total cascade propagation. In ACK, this is typically 500–800ms depending on network latency. This is orders of magnitude faster than traditional incident response, which operates on hours or days.
Regulatory Citations: BSA Suspicious Activity Reporting (31 CFR 1020.320); GENIUS Act §5 Real-Time Transaction Monitoring; W3C Verifiable Credentials BitstringStatusListEntry specification
Interactive Exploration
Check the revocation status of any credential in the registry. Then use "Simulate Revocation" to see the cascade in action — the parent credential is revoked, and child credentials are automatically invalidated with staggered propagation times. Watch how a single revocation event disables an entire branch of the delegation tree.
System Architecture
The credential lifecycle timeline shows issuance, attestation, revocation, and expiry events across a six-month window. The critical moment: when a parent credential is revoked, all child credentials are automatically invalidated — the cascade propagates instantly through the delegation hierarchy. Short-lived credentials (hours to days) provide an additional defense layer: even if revocation fails temporarily, credentials expire and are replaced with fresh ones.
Revocation Cascade — Hierarchical Credential Management
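One way a verifier can enforce the cascade and the expiry backstop described above, as an added example that is not ACK's own code. It assumes the verifier walks the delegation chain from leaf to root and checks each credential's status bit and expiry, so one revoked bit on a parent disables every descendant. `StatusList`, `Credential`, `check_authority`, `build_demo`, the credential identifiers and the lifetimes are hypothetical, and the hierarchy is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

class StatusList:
    """In-memory revocation bitstring; index 0 is the left-most bit of byte 0."""
    def __init__(self, size_bits: int = 1024):
        self.bits = bytearray(size_bits // 8)

    def revoke(self, index: int) -> None:
        self.bits[index // 8] |= 0x80 >> (index % 8)

    def is_revoked(self, index: int) -> bool:
        return bool(self.bits[index // 8] & (0x80 >> (index % 8)))

@dataclass(frozen=True)
class Credential:
    cred_id: str
    parent: Optional[str]   # None for the root of the delegation tree
    status_index: int       # this credential's position in the status list
    expires: datetime

def check_authority(cred_id, registry, status, now):
    """Walk leaf -> root; fail closed on any revoked, expired or unknown link."""
    seen, current = set(), cred_id
    while current is not None:
        cred = registry.get(current)
        if cred is None or current in seen:   # missing parent or a cycle
            return False, f"broken delegation chain at {current}"
        seen.add(current)
        if status.is_revoked(cred.status_index):
            return False, f"revoked: {current}"
        if now >= cred.expires:
            return False, f"expired: {current}"
        current = cred.parent
    return True, "ok"

def build_demo(now):
    """Constructed hierarchy modelled on the agent names used in the text."""
    chain = ["acme-root", "finance-agent", "procurement-bot", "vendor-payment"]
    ttl = [timedelta(days=7), timedelta(days=1), timedelta(hours=8), timedelta(hours=1)]
    registry = {}
    for i, name in enumerate(chain):
        parent = chain[i - 1] if i else None
        registry[name] = Credential(name, parent, i, now + ttl[i])
    return registry, StatusList()
```

Because the check runs on every presentation, the descendants' own status bits never need to change: the rejection reason names the revoked ancestor, which is useful in audit logs.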
Compliance Mapping
| Regulatory Requirement | Authority | How ACK Revocation Satisfies It |
|---|---|---|
| Suspicious Activity Reporting | BSA 31 CFR 1020.320 | When a SAR is filed for an agent, the principal immediately revokes its credential. The cascade propagates in seconds. Downstream agents lose authority before any additional suspicious transactions can be initiated. |
| Real-Time Transaction Monitoring | GENIUS Act §5 | ACK monitors credential revocation status in real time. Transactions from revoked agents are rejected at the smart contract layer (L3). Monitoring happens on every transaction. |
| Credential Status Registry | W3C VC BitstringStatusListEntry | ACK uses the W3C Bitstring Status List Entry standard for revocation status. Each credential carries a pointer to its revocation registry entry. Status is checked at presentation time. |
| Hierarchical Control | AML/CFT Best Practice | Revoking a parent revokes all children immediately. This ensures that incident response can be executed at a single point (the compromised agent or suspicious transaction source), eliminating the need to revoke each descendant individually. |
| Short Credential Lifetime | Risk Management Best Practice | Credentials are issued with short lifetimes (hours to days depending on risk level). Expiry provides an automatic defense mechanism: even if revocation fails, the credential is replaced on next refresh. |