[Openid-specs-ab] SIOP Special Call Minutes (2023-07-13)
torsten at lodderstedt.net
Fri Jul 14 08:16:22 UTC 2023
Announcements:
Oliver Terbu: Spruce is organising an event around ISO 18013-7 https://spruceid.com/iso-mdl-interop-event (info-session Jul 14th). Async fully-remote event over two weeks.
Torsten: Felix has attended some calls and worked on the Bluetooth spec and wants to share the results. Next week we will probably hear more about that.
Nander: Question about adding a parameter to the (verifier's) client_metadata that lists potential credential issuers where the Wallet can acquire a required credential if it does not possess it yet.
Torsten: We have been thinking of that, but it makes more sense to add this to the presentation request. Torsten sees value in it --> open an Issue with a suggested solution for this.
PRs
#524: https://bitbucket.org/openid/connect/pull-requests/524
Basically 1 question: whether there's data in the attestation that tells the wallet when the JWT starts to be valid. Discussion is already ongoing on BB (BitBucket).
Suggestion to make the `nbf` required --> when does the attestation start to be valid. Alternative would be `iat` --> Which one should we use?
Discussion about whether `nbf` is only for future-dating tokens.
"None of the specs make `nbf` REQUIRED"
Michael: `iat` should be REQUIRED + probably better to mention `nbf` at all.
Conclusion: Still a draw
Torsten: Suggests to still merge this PR, and continue the discussion in a new Issue.
#551:
We need more reviews and approvals from people in this call (either comment or approve this PR).
#542:
PR seems to be good to go, but more approvals are much appreciated.
#535:
Seems to be good to go as well, so will be merged after this meeting if there are no objections (no objections)
#557:
Oliver: Conversation about encryption of the credential response. Basically, having client_metadata(_uri) as optional parameter in credential request.
PR also introduces a mechanism to negotiate the cipher suite to be used.
The reason for this PR is that this is a requirement by certain communities. They have a need for app-level encryption.
Important!: No further questions, so please approve (and/or leave comments)
Issues:
#1951: https://bitbucket.org/openid/connect/issues/1951/direct_post-response-mode-response-with-a
Discussion about the sequence diagram (https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-1_0.html#name-response-mode-direct_post-2). Question about whether the diagram would work in the cross-device scenario --> the sequence is designed for the same-device scenario.
Move the discussion to the issue. Pedro will add an additional comment to the Issue.
#1922 + #1923:
Boils down to: we need identifiers for multiple issuance of credentials.
The question is: Do we need a dynamic solution for this, if so, how to go about it?
Please review! These issues have the potential to be a significant addition.