<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>How do you address the issue of peer-to-peer IDs? Do you only use
the set of atomic VCs once and get a new set after the first set
has been selectively disclosed? Or do you provide the same VCs and
DID to all RPs/Verifiers?</p>
<p><br>
</p>
<p>Kind regards</p>
<p>David<br>
</p>
<div class="moz-cite-prefix">On 26/09/2022 19:58, Petteri Stenius
via Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DU0PR05MB9534EDC5F9A6FDDB11041F3BFA529@DU0PR05MB9534.eurprd05.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
Yes, the subject value of the different credentials is the same.
The subject is also the holder and the vp_token is signed by the
subject.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
Petteri</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
Torsten Lodderstedt <a class="moz-txt-link-rfc2396E" href="mailto:torsten@lodderstedt.net"><torsten@lodderstedt.net></a><br>
<b>Sent:</b> Monday, September 26, 2022 19:23<br>
<b>To:</b> Artifact Binding/Connect Working Group
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net"><openid-specs-ab@lists.openid.net></a><br>
<b>Cc:</b> Petteri Stenius
<a class="moz-txt-link-rfc2396E" href="mailto:Petteri.Stenius@ubisecure.com"><Petteri.Stenius@ubisecure.com></a><br>
<b>Subject:</b> Re: [Openid-specs-ab] SIOP Special Topic Call
Notes 22-Sep-22</font>
<div> </div>
</div>
<div dir="auto">
<div dir="ltr">Hi Petteri,</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">thanks for sharing!</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">It seems from the example the holder binding uses
did:web. Are the different credentials bound to the same DID?</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">best regards,</div>
<div dir="ltr">Torsten.</div>
<div dir="ltr"><br>
<blockquote type="cite">On 26.09.2022 at 18:07, Petteri
Stenius via Openid-specs-ab
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net"><openid-specs-ab@lists.openid.net></a> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="x_elementToProof x_ContentPasted0"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:11pt; color:rgb(0,0,0)">
Hi,
<div><br class="x_ContentPasted0">
</div>
<div class="x_ContentPasted0">The selective disclosure
model of the Finnish ID system is quite simple:</div>
<div><br class="x_ContentPasted0">
</div>
<div class="x_ContentPasted0">- There's a relatively small
number of claims.</div>
<div class="x_ContentPasted0">- Each claim is issued in a
separate credential. </div>
<div class="x_ContentPasted0">- A relying party can
request specific claims by using scope or claims
parameter.
</div>
<div class="x_ContentPasted0">- Resulting vp_token
contains one or more credentials with the requested
claims.</div>
<div class="x_ContentPasted0">- The wallet app can refresh
credentials so that claims such as age_over_18 have
valid information.</div>
<div><br class="x_ContentPasted0">
</div>
<div class="x_ContentPasted0">Link to more detailed
information: <a
href="https://wiki.dvv.fi/display/DHHJD/SIOPv2+POC+-+Guide+for+Relying+Parties"
id="LPNoLPOWALinkPreview" moz-do-not-send="true"
class="moz-txt-link-freetext">
https://wiki.dvv.fi/display/DHHJD/SIOPv2+POC+-+Guide+for+Relying+Parties</a> </div>
<div><br class="x_ContentPasted0">
</div>
<div class="x_ContentPasted0">Petteri</div>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> Openid-specs-ab
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab-bounces@lists.openid.net"><openid-specs-ab-bounces@lists.openid.net></a> on
behalf of Nat Sakimura via Openid-specs-ab
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net"><openid-specs-ab@lists.openid.net></a><br>
<b>Sent:</b> Friday, September 23, 2022 11:36<br>
<b>To:</b> Artifact Binding/Connect Working Group
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net"><openid-specs-ab@lists.openid.net></a><br>
<b>Cc:</b> Nat Sakimura <a class="moz-txt-link-rfc2396E" href="mailto:nat@nat.consulting"><nat@nat.consulting></a><br>
<b>Subject:</b> Re: [Openid-specs-ab] SIOP Special Topic
Call Notes 22-Sep-22</font>
<div> </div>
</div>
<div>
<div dir="auto">It would be great if how the Finnish LD-Proof
system is approaching selective disclosure could be documented.
It will help this community. </div>
<br>
<div class="x_x_gmail_quote">
<div dir="ltr" class="x_x_gmail_attr">On Fri, Sep 23, 2022 at 4:48,
Mike Jones via Openid-specs-ab <<a
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true" class="moz-txt-link-freetext">openid-specs-ab@lists.openid.net</a>> wrote:<br>
</div>
<blockquote class="x_x_gmail_quote" style="margin:0 0 0
.8ex; border-left:1px #ccc solid; padding-left:1ex">
<div style="word-wrap:break-word" lang="EN-US">
<div class="x_x_m_-3110177811645109254WordSection1">
<p class="x_x_MsoNormal">SIOP Special Topic Call
Notes 22-Sep-22</p>
<p class="x_x_MsoNormal"> </p>
<p class="x_x_MsoNormal">Mike Jones</p>
<p class="x_x_MsoNormal">Petteri Stenius</p>
<p class="x_x_MsoNormal">David Chadwick</p>
<p class="x_x_MsoNormal">Joseph Heenan</p>
<p class="x_x_MsoNormal">Torsten Lodderstedt</p>
<p class="x_x_MsoNormal">Bjorn Hjelm</p>
<p class="x_x_MsoNormal">Kristina Yasuda</p>
<p class="x_x_MsoNormal">David Waite (DW)</p>
<p class="x_x_MsoNormal"> </p>
<p class="x_x_MsoNormal">Petteri reported on the
Finnish ID system being developed</p>
<p class="x_x_MsoNormal"> They have
chosen SIOP</p>
<p class="x_x_MsoNormal"> It uses a
wallet</p>
<p class="x_x_MsoNormal"> The
credentials will be JSON-LD</p>
<p class="x_x_MsoNormal"> There is
selective disclosure for age verification</p>
<p class="x_x_MsoNormal"> They are
building a wallet from scratch to hold the
Finnish identity documents</p>
<p class="x_x_MsoNormal"> <a
href="https://dvv.fi/en/-/development-of-the-digital-identity-card-already-far-along-feedback-from-test-users-guiding-completion-of-the-mobile-application"
target="_blank" rel="noreferrer"
moz-do-not-send="true"
class="moz-txt-link-freetext">
https://dvv.fi/en/-/development-of-the-digital-identity-card-already-far-along-feedback-from-test-users-guiding-completion-of-the-mobile-application</a></p>
<p class="x_x_MsoNormal"> </p>
<p class="x_x_MsoNormal">Public Review Period for
Proposed Final Unmet Authentication Requirements
Specification</p>
<p class="x_x_MsoNormal"> Nat had
privately asked if there are multiple
implementations of the specification</p>
<p class="x_x_MsoNormal"> Torsten
said that this is a mandatory-to-implement
requirement for IdPs using
<a href="http://yes.com" target="_blank"
rel="noreferrer" moz-do-not-send="true">yes.com</a></p>
<p class="x_x_MsoNormal">
He said that there are at least four different
implementations in the
<a href="http://yes.com" target="_blank"
rel="noreferrer" moz-do-not-send="true">yes.com</a>
ecosystem</p>
<p class="x_x_MsoNormal"> </p>
<p class="x_x_MsoNormal">Pull Requests</p>
<p class="x_x_MsoNormal"> <a
href="https://bitbucket.org/openid/connect/pull-requests/"
target="_blank" rel="noreferrer"
moz-do-not-send="true"
class="moz-txt-link-freetext">
https://bitbucket.org/openid/connect/pull-requests/</a></p>
<p class="x_x_MsoNormal"> PR #240:
Add "type" to OP Metadata (Issues #1566, #1592,
#1628)</p>
<p class="x_x_MsoNormal">
Torsten, Oliver, and David Chadwick are working
on a new proposal for credential metadata</p>
<p class="x_x_MsoNormal">
It has a credentials_supported structure</p>
<p class="x_x_MsoNormal">
It has a "standard" element - for instance
"iso-mdoc"</p>
<p class="x_x_MsoNormal">
They do not want issuers to have to invent
something on top of the existing credential
formats</p>
<p class="x_x_MsoNormal">
David said that each standard has its own
naming scheme</p>
<p class="x_x_MsoNormal">
But we can use common display names to present
information to the user</p>
<p class="x_x_MsoNormal">
Kristina is not a fan of the structure having
the "standard" and the "proof" separately</p>
<p class="x_x_MsoNormal">
Some of these things are standard-specific
already so we don't have to separately declare
the "standard"</p>
<p class="x_x_MsoNormal">
Torsten understands Kristina's feedback and is
leaning in that direction</p>
<p class="x_x_MsoNormal">
Torsten simplified his displayed proposed
example to eliminate "standard" and to include,
for instance "format": "jwt_vc"</p>
<p class="x_x_MsoNormal">
Kristina questioned whether to include @context</p>
<p class="x_x_MsoNormal">
She said that, as discussed in the VCWG last
week, there are JSON credentials that don't use
@context data structures</p>
<p class="x_x_MsoNormal">
For instance, a "university_degree" credential
may be understood by the parties without
@context</p>
<p class="x_x_MsoNormal">
@context is ignored in JSON-serialized VCs</p>
<p class="x_x_MsoNormal">
Kristina requested that this be described in
multiple PRs</p>
<p class="x_x_MsoNormal">
For instance, the base PR shouldn't introduce
@context</p>
<p class="x_x_MsoNormal">
Torsten thinks that it may be premature to write
PRs</p>
<p class="x_x_MsoNormal">
Mike opined that PRs should be written once
there is consensus on how to resolve an issue
and not before</p>
<p class="x_x_MsoNormal">
Torsten said that the decision to drop the
top-level parameter has implications</p>
<p class="x_x_MsoNormal">
This would also have to be propagated to the
authorization_details and credential issuance
parameters</p>
<p class="x_x_MsoNormal">
The primary parameter "format" would determine
the rest</p>
<p class="x_x_MsoNormal">
Kristina said that we already have a "format"
parameter</p>
<p class="x_x_MsoNormal">
This is an extension point</p>
<p class="x_x_MsoNormal">
David Chadwick said that the key issue is
whether the different metadata formats can be
unified or whether they should be
format-specific</p>
<p class="x_x_MsoNormal"> PR #294:
clarifying that aud is not required in a signed
request in SIOPv2, issue #1602</p>
<p class="x_x_MsoNormal">
DW asserted that this is ready to merge</p>
<p class="x_x_MsoNormal">
We discussed the choice of <a
href="https://self-issued.me" target="_blank"
rel="noreferrer" moz-do-not-send="true"
class="moz-txt-link-freetext">
https://self-issued.me</a> to indicate static
metadata</p>
<p class="x_x_MsoNormal">
DW suggested we change this to
<a href="https://self-issued.me/v2"
target="_blank" rel="noreferrer"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://self-issued.me/v2</a></p>
<p class="x_x_MsoNormal">
We agreed on the call to change it to
<a href="https://self-issued.me/v2"
target="_blank" rel="noreferrer"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://self-issued.me/v2</a>
and then merge</p>
<p class="x_x_MsoNormal"> </p>
<p class="x_x_MsoNormal">Testing for OpenID4VC
specs</p>
<p class="x_x_MsoNormal"> Joseph told
us about writing tests for the OpenID4VC specs</p>
<p class="x_x_MsoNormal">
He is working with David Chadwick on this</p>
<p class="x_x_MsoNormal">
Joseph wrote initial tests for the issuance spec</p>
<p class="x_x_MsoNormal">
They use the pre-authorized code route</p>
<p class="x_x_MsoNormal">
He is also writing initial tests for the
presentation spec</p>
<p class="x_x_MsoNormal"> Gail Hodges
is asking the certification team about testing
for the OpenID4VC specs</p>
<p class="x_x_MsoNormal">
Joseph doesn't have enough information to do
estimates yet</p>
<p class="x_x_MsoNormal"> David
Chadwick gave some background on his request for
tests</p>
<p class="x_x_MsoNormal">
He wants to test the features that are already
stable</p>
<p class="x_x_MsoNormal">
Then add more tests as additional features
mature</p>
<p class="x_x_MsoNormal"> As
background, Mike described that it's the
responsibility of the working group to define
testing requirements</p>
<p class="x_x_MsoNormal">
and it's the responsibility of the certification
team to implement the tests</p>
<p class="x_x_MsoNormal"> Joseph
reported that Kristina, Torsten, and Joseph
wrote a document describing the desired tests</p>
<p class="x_x_MsoNormal"> </p>
<p class="x_x_MsoNormal">Issues</p>
<p class="x_x_MsoNormal"> <a
href="https://bitbucket.org/openid/connect/issues?status=new&status=open"
target="_blank" rel="noreferrer"
moz-do-not-send="true">
https://bitbucket.org/openid/connect/issues?status=new&status=open</a></p>
<p class="x_x_MsoNormal"> #1643:
Define error codes for the Credential Issuance
Endpoint</p>
<p class="x_x_MsoNormal">
We discussed when to use the HTTP status code
400</p>
<p class="x_x_MsoNormal">
RFC 6750, Section 3.1 (Error Codes) describes
the use of 400, 401, 403, or 405 with OAuth
error codes</p>
<p class="x_x_MsoNormal">
David agreed to update the issue based on
Torsten's comments and the information from RFC
6750</p>
<p class="x_x_MsoNormal"> </p>
<p class="x_x_MsoNormal">Next Call</p>
<p class="x_x_MsoNormal"> The next
call will be Monday, September 26, 2022 at 4pm
Pacific Time</p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank" rel="noreferrer"
moz-do-not-send="true" class="moz-txt-link-freetext">Openid-specs-ab@lists.openid.net</a><br>
<a
href="https://lists.openid.net/mailman/listinfo/openid-specs-ab"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
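<p>An added example, not code from this thread or from the Finnish project: a minimal Python model of the selective disclosure flow Petteri describes above (one claim per credential, all credentials bound to the same holder DID, only the requested credentials placed in the vp_token, and the vp_token signed by the holder) together with the verifier-side checks a relying party would want, including the freshness check that the wallet's credential refresh is meant to satisfy. The DIDs, keys, nonce and HMAC-based "proofs" are constructed stand-ins for did:web resolution and real signatures.</p>

```python
import hashlib
import hmac
import json

# Constructed DIDs and keys: stand-ins for did:web resolution and real signatures.
ISSUER_DID = "did:web:issuer.example"
HOLDER_DID = "did:web:holder.example"
KEYS = {ISSUER_DID: b"issuer-key", HOLDER_DID: b"holder-key"}

def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(did, obj):  # HMAC over canonical JSON, keyed by the DID's key
    return hmac.new(KEYS[did], _canon(obj), hashlib.sha256).hexdigest()

def _verify(did, obj, proof):
    return hmac.compare_digest(_sign(did, obj), proof)

def issue_atomic(claim, value, now, ttl=3600):
    """Issuer: one claim per credential, subject is the holder, short validity."""
    cred = {"issuer": ISSUER_DID, "exp": now + ttl,
            "credentialSubject": {"id": HOLDER_DID, claim: value}}
    return {**cred, "proof": _sign(ISSUER_DID, cred)}

def build_vp_token(wallet, requested, nonce):
    """Wallet: present only credentials whose claim was requested, signed as holder."""
    chosen = [c for c in wallet if set(c["credentialSubject"]) - {"id"} <= set(requested)]
    vp = {"holder": HOLDER_DID, "nonce": nonce, "verifiableCredential": chosen}
    return {**vp, "proof": _sign(HOLDER_DID, vp)}

def verify_vp_token(token, requested, nonce, now):
    """Verifier: holder binding, issuer proofs, freshness, exact claim set. Returns claims."""
    body = {k: v for k, v in token.items() if k != "proof"}
    if token.get("nonce") != nonce or not _verify(token["holder"], body, token["proof"]):
        raise ValueError("vp_token is not the holder's signature over this request")
    claims = {}
    for cred in token["verifiableCredential"]:
        subj = cred["credentialSubject"]
        if subj["id"] != token["holder"]:  # every credential must be bound to the presenter
            raise ValueError("credential subject is not the presenting holder")
        cbody = {k: v for k, v in cred.items() if k != "proof"}
        if not _verify(cred["issuer"], cbody, cred["proof"]):
            raise ValueError("issuer proof does not verify")
        if cred["exp"] <= now:  # e.g. a stale age_over_18 the wallet failed to refresh
            raise ValueError("credential expired")
        claims.update({k: v for k, v in subj.items() if k != "id"})
    if set(claims) != set(requested):  # nothing missing, nothing over-disclosed
        raise ValueError(f"disclosed {sorted(claims)}, requested {sorted(requested)}")
    return claims
```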
</body>
</html>