[Openid-specs-ab] SIOP Special Topic / DCP Call Notes 14-Sep-23
Joseph Heenan
joseph at authlete.com
Thu Sep 14 15:05:24 UTC 2023
Attendees:
Joseph Heenan
Torsten Lodderstedt
Kristina Yasuda
Michael Jones
Andrew Hughes
Bjorn Hjelm
Brian Campbell
Idakto Clement
Giuseppe De Marco
Judith Kahrer
Mark Haine
Mark Dobrinic
Naohiro Fujie
Paul Templeman
Pedro Felix
Rajvardhan Deshmukh
Thomas Robin
Venkatasubramanian D
Yann (iDAKTO)
Matthew Miller
Dima Postnikov
Anthony Nadalin
Daniel Fett
Please register if you will attend the in-person pre-IIW DCP working group meeting: https://www.eventbrite.com/e/oidf-digital-credentials-protocol-working-group-meeting-at-cisco-tickets-708486982637?aff=oddtdtcreator
(Virtual participation will be available too, the Webex link will be shared on the WG mailing list in due course)
https://github.com/openid/OpenID4VP/pull/44
Torsten believes we need to be clearer about what scope values mean, that one scope relates to exactly one credential, and that non-VC scopes are not included in VC requests. Torsten is not sure why we need this change at all as we already have the presentation definition.
https://github.com/openid/OpenID4VP/issues/45
WG consensus that Torsten can open a PR for this.
https://github.com/openid/OpenID4VCI/pull/65
Joseph asked for examples of the different valid forms of requests that don’t use scopes.
Agreed to make it clearer that it’s optional to return identifiers.
Daniel was not keen on making it optional as this would mean verifiers would most likely have to support both options in perpetuity. WG agreed this is already a breaking change for multiple credentials case so maybe it’s okay. Kristina will update PR to make it mandatory.
More reviewers are needed on this change.
https://github.com/openid/OpenID4VCI/issues/71
Torsten explained that many people in the EU are asking why we don’t use an issuer provided nonce to ensure the wallet attestation is fresh.
Mike & Pedro emphasised that the server provided nonce was essential to DPoP being scalable. Pedro also added that relying on jti can cause problems when clocks are out of sync.
Torsten asked if a new endpoint for providing the nonce or an error response indicating a nonce is required is people’s preferred option. Please provide feedback.
Brian asked why not just use the DPoP model. Torsten says he has no compelling reason for a separate endpoint. Daniel agreed with following a DPoP type approach.
People then started talking about nonces being shared across the whole protocol flow and maybe a separate endpoint is better. Torsten has posted a summary to the issue.
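The DPoP-type approach discussed above, as an added illustration that is not part of these notes or of any OpenID specification: a server-provided freshness nonce that the server can verify without storing it (an assumed time-bucket-plus-HMAC construction) and the reject-then-retry endpoint behaviour. The header and error names are hypothetical placeholders; DPoP itself uses the DPoP-Nonce header and the use_dpop_nonce error.

```python
import hashlib
import hmac
import secrets
import time

# Added, constructed illustration of a DPoP-style server-provided freshness nonce
# that needs no per-nonce server storage. Header and error names are placeholders.
NONCE_HEADER = "Attestation-Nonce"
NONCE_ERROR = "use_attestation_nonce"


class NonceIssuer:
    """nonce = hex(bucket || random || HMAC(key, bucket || random)).
    Freshness is judged by the server's own clock only, so wallet clock skew
    never matters; the bucket window bounds how long a nonce stays acceptable."""

    def __init__(self, key: bytes, bucket_seconds=300, accept_buckets=2, clock=time.time):
        self.key, self.bucket_seconds = key, bucket_seconds
        self.accept_buckets, self.clock = accept_buckets, clock

    def _bucket(self) -> int:
        return int(self.clock() // self.bucket_seconds)

    def _tag(self, bucket: bytes, rnd: bytes) -> bytes:
        return hmac.new(self.key, bucket + rnd, hashlib.sha256).digest()[:16]

    def issue(self) -> str:
        bucket = self._bucket().to_bytes(8, "big")
        rnd = secrets.token_bytes(8)
        return (bucket + rnd + self._tag(bucket, rnd)).hex()

    def is_fresh(self, nonce: str) -> bool:
        try:
            raw = bytes.fromhex(nonce)
        except ValueError:
            return False
        if len(raw) != 32:
            return False
        bucket, rnd, tag = raw[:8], raw[8:16], raw[16:]
        if not hmac.compare_digest(tag, self._tag(bucket, rnd)):
            return False  # forged or tampered nonce
        age = self._bucket() - int.from_bytes(bucket, "big")
        return 0 <= age < self.accept_buckets  # reject stale or future-dated


def handle_attestation(issuer: NonceIssuer, nonce):
    """DPoP pattern: without a fresh nonce, reject and hand the wallet a new nonce
    in the error response so it can retry once. Returns (status, body, headers)."""
    if nonce is None or not issuer.is_fresh(nonce):
        return 400, {"error": NONCE_ERROR}, {NONCE_HEADER: issuer.issue()}
    return 200, {"status": "attestation accepted"}, {}
```

The scheme proves freshness, not single use; if a nonce must also be unusable twice, a per-jti replay cache only needs to remember entries for the short bucket window, and only the server's clock is involved.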