From c3a8e2c95ce59006455332d554b1911c946adee8 Mon Sep 17 00:00:00 2001
From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 22 Jun 2025 12:01:41 -0400
Subject: [PATCH] Add credential deletion section.

---
 holder.yml |  4 ++-
 index.html | 86 +++++++++++++++++++++++++++++++++---------------------
 2 files changed, 55 insertions(+), 35 deletions(-)

diff --git a/holder.yml b/holder.yml
index 156dd78d..46e58bdc 100644
--- a/holder.yml
+++ b/holder.yml
@@ -52,7 +52,9 @@ paths:
        - oAuth2: []
        - zCap: []
       summary: Deletes a credential or verifiable credential by ID. To delete a credential that does not have credential.id set but has an associated credentialId value, pass credentialId instead.
-      x-expectedCaller: "Issuer Coordinator"
+      x-expectedCaller:
+        - Issuer Coordinator
+        - Holder Coordinator
       operationId: deleteCredential
       parameters:
         - $ref: "./components/parameters/path/ObjectId.yml"
diff --git a/index.html b/index.html
index f1f68874..89e78708 100644
--- a/index.html
+++ b/index.html
@@ -489,48 +489,49 @@ <h3>Services</h3>
 network endpoints of services are defined herein.
         </p>
         <p>
-The Issuer Service takes requests to issue VCs from authorized Issuer Coordinators
-and returns well-formed, signed Verifiable Credentials. This service MUST
-have access to private keys (or key services which utilize private keys)
-in order to create the proofs for those VCs. The API between the Issuer
-service and its associated key service is believed to be out of scope for
-the VC API, but may be addressed by WebKMS or similar specifications.
+The <dfn>issuer service</dfn> takes requests to issue VCs from authorized Issuer
+Coordinators and returns well-formed, signed Verifiable Credentials. This
+service MUST have access to private keys (or key services which utilize private
+keys) in order to create the proofs for those VCs. The API between the Issuer
+service and its associated key service is believed to be out of scope for the VC
+API, but may be addressed by WebKMS or similar specifications.
         </p>
         <p>
-The Verifier service takes requests to verify Verifiable Credentials and
-Verifiable Presentations and returns the result of checking their proofs
-and status (if present). The service only checks the authenticity and
-timeliness of the VC; leaving the Verifier Coordinator to finish Applying any business rules needed.
+The <dfn>verifier service</dfn> takes requests to verify Verifiable Credentials
+and Verifiable Presentations and returns the result of checking their proofs and
+status (if present). The service only checks the authenticity and timeliness of
+the VC; leaving the Verifier Coordinator to finish Applying any business rules
+needed.
         </p>
         <p>
-  The Holder service takes requests to create Verifiable Presentations
-  from an optional set of VCs and returns well-formed, signed Verifiable
-  Presentations containing those VCs. These VPs are used with Issuers to
-  demonstrate control over DIDs prior to issuance and with Verifiers to
-  present specific VCs.
+The <dfn>holder service</dfn> takes requests to create Verifiable Presentations
+from an optional set of VCs and returns well-formed, signed Verifiable
+Presentations containing those VCs. These VPs are used with Issuers to
+demonstrate control over DIDs prior to issuance and with Verifiers to present
+specific VCs.
         </p>
       </section>
       <section>
         <h3>Status Service</h3>
         <p>
-        The Status Service provides a privacy-preserving means for publishing
-        and checking the status of any Verifiable Credentials issued by the
-        Issuer. Implementers of verifier services are encouraged to understand the
-        privacy implications of checking status by referring to the respective
-        status specification used by the verifiable credential.
+The <dfn>status service</dfn> provides a privacy-preserving means for publishing
+and checking the status of any Verifiable Credentials issued by the Issuer.
+Implementers of verifier services are encouraged to understand the privacy
+implications of checking status by referring to the respective status
+specification used by the verifiable credential.
         </p>
         <p>
-          For specific mechanisms by which to manage Verifiable Credential statuses,
-          it's recommended to refer to external well known specifications, such as the
-          [[VC-BITSTRING-STATUS-LIST]].
+For specific mechanisms by which to manage Verifiable Credential statuses, it's
+recommended to refer to external well known specifications, such as the
+[[VC-BITSTRING-STATUS-LIST]].
         </p>
       </section>
       <section>
         <h3>Storage Services</h3>
         <p>
-          <strong>Storage Service (Issuer) &bull;Storage Service
-            (Verifier) &bull; Storage Service (Holder)
-          </strong>
+<strong>Storage Service (Issuer) &bull;Storage Service (Verifier) &bull; Storage
+Service (Holder)
+</strong>
         </p>
         <p>
 Each actor in the system is expected to store their own verifiable
@@ -557,13 +558,13 @@ <h3>Storage Services</h3>
       <section>
         <h3>Workflow Service</h3>
         <p>
-The Workflow Service provides a way for coordinators to automate specific
-interactions for specific users. Each role (Holder, Issuer, and Verifier)
-can run their own Workflow Service to create and manage exchanges that
-realize particular workflows. Administrators configure the workflow system
-to support particular flows. Then, when the business rules justify it,
-coordinators create exchanges at their Workflow Service and give authorized
-access to those exchanges to any party.
+The <dfn>workflow service</dfn> provides a way for coordinators to automate
+specific interactions for specific users. Each role (Holder, Issuer, and
+Verifier) can run their own Workflow Service to create and manage exchanges that
+realize particular workflows. Administrators configure the workflow system to
+support particular flows. Then, when the business rules justify it, coordinators
+create exchanges at their Workflow Service and give authorized access to those
+exchanges to any party.
         </p>
       </section>
       <section>
@@ -858,7 +859,7 @@ <h4>Holder Service</h4>
         that is expected to call the endpoint
       </p>
       <table class="simple api-component-table"
-        data-api-path="/credentials/derive /presentations/prove /presentations /presentations/{id}"></table>
+        data-api-path="/credentials/derive /credentials/{id} /presentations /presentations/{id}"></table>
 
       <h4>Workflow Service</h4>
       <p>
@@ -928,6 +929,23 @@ <h4>Update Status</h4>
           data-api-endpoint="post /credentials/status"></div>
       </section>
 
+      <section>
+        <h4>Delete a Specific Credential</h4>
+        <p>
+An [=issuer service=] or a [=holder service=] might store an issued
+[=verifiable credential=] for an extended period of time. When this is done,
+it can be useful to delete such a [=verifiable credential=]. An [=issuer=]
+might need to do so because of regulatory requirements such as
+<a href="https://en.wikipedia.org/wiki/Right_to_be_forgotten">
+the right to be forgotten</a>. See Section [[[#deletion]]] for additional
+considerations related to the removal of [=verifiable credentials=] from
+systems.
+        </p>
+
+        <div class="api-detail"
+          data-api-endpoint="delete /credentials/{id}"></div>
+      </section>
+
     </section>
 
     <section>