[Openid-specs-ab] SIOP Special Topic Call Notes 24-Aug-23
Michael Jones
michael_b_jones at hotmail.com
Thu Aug 24 16:10:29 UTC 2023
SIOP Special Topic Call Notes 24-Aug-23
Kristina Yasuda
Mike Jones
Mark Haine
David Waite (DW)
Joseph Heenan
David Luna
Nander Stabel
Daniel Fett
Brian Campbell
Giada Sciarretta
Amir Sharif
Jean Snyman
Pedro Felix
Andrew Hughes
Oliver Terbu
Takahiko Kawasaki
Digital Credentials Protocols Working Group
The first call is in a week, as announced at
OAuth Security Workshop (OSW) 2023 is in progress in London
Formal methods
Mike led discussions on the features Presentation Exchange
We talked about which of that functionality we need and don't
Mike will send out notes
Pull Requests
https://bitbucket.org/openid/connect/pull-requests/
PR #577: add security considerations on TLS (Issue #1621)
Merging
PR #570: clarify requirements when credential offer is not signed (issue #1687)
Giuseppe needs to re-review
PR #604: ed: change CONDITIONAL to OPTIONAL in VCI (Issue #2005)
Daniel pointed out that using OPTIONAL doesn't always fit when there are conditions
Mike said that we sometimes say things like "REQUIRED when ..." and "REQUIRED except when ..."
We'll close this PR and create a new one using the new language
Other editorial PRs are #605, #610, and #611
PR #612: VCI: Adding a credential identifier (issue #1923)
Mike and Joseph asked what the proposed identifiers are to be used for
Mike observed that this is somewhat parallel to the PE descriptor_map "id" property
Kristina described having arrays of objects within arrays of objects
Kristina said that the kinds of credentials that can be issued should be in the credential metadata
Joseph said that it's the issuer that knows what kinds of credentials it can issue
Joseph asked whether the wallet can ask for a credential and get returned five of them
Kristina said that issuance only happens one at a time unless the batch endpoint is used
DW said that the issuer already knows a lot about the user
We talked about whether the wallet can distinguish between different credentials from an issuer without inspecting their contents
Daniel said that we may need more specificity about whether multiple instances of the same credential are issued or different credentials
Pedro said that identifiers are created at runtime knowing the context of the user
He views the potential identifiers as being very dynamic
He said that there could be hundreds of kinds of vaccine certificates
Kristina said that the credential response could dynamically add identifiers
Kristina said that if display identifiers are different that could be put in the credentials
That could be a huge simplification
Kristina will revise the PR
The approach is to remove credentialSubject from credential_definition
Taka said that implementations are needed to confirm that the spec can be implemented interoperably
PR #608: Wallet notifying the Issuer of acceptance/rejection of issued credential (Issue #1929)
David said that we need a way of binding which credentials the wallet successfully stored out of the credentials that were issued
One possible identifier is the proof value
Another possible identifier might be added by PR #612
Pedro described circumstances in which proofs might not be unique
Issues
https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance
#1922: OID4VCI: Unique ID for each element in credentials
Taka agreed with Kristina's last comment in the issue
There was a hallway conversation this week about dropping authorization_pending because it makes the pre-authorized code long-lived
Daniel is in favor of merging the credential endpoint and the batch endpoint
Next Call
The next call will be Monday, August 28th at 4pm Pacific Time