<div dir="ltr"><div>I wasn't able to join this call or the one right before it. But I was asked via a different channel to take a look at the then very recently submitted PR #<a href="https://bitbucket.org/openid/connect/pull-requests/474" target="_blank">474</a> extending direct_post to support redirect back to the verifier. It had already been merged and published in draft -16 for the <a href="https://openid.net/2023/03/09/public-review-period-for-proposed-second-implementers-draft-of-openid-for-verifiable-presentations-specification/" target="_blank">Public Review Period for Proposed Second Implementer’s Draft</a> by the time I was able to look at it (which really wasn't a long time after). I get the intent of the PR but believe there's a lot of opportunity for improvement of the spec text, which I'd argue makes its incorporation into the public review draft premature. I added some commentary to the PR and its author has engaged (thanks Torsten!) but it has already been merged/published and I believe more than little editorial fixes are needed. So, for lack of knowing how best to engage, I'm sending this email. Just as a disclaimer or sorts - because I was asked to review it, the scope/intent of my comment here is only about that particular PR. <br></div><div><br></div><div><br> </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 9, 2023 at 3:27 PM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-US">
<div>
<p class="MsoNormal">SIOP Special Topic Call Notes 9-Mar-23<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Mike Jones<u></u><u></u></p>
<p class="MsoNormal">David Chadwick<u></u><u></u></p>
<p class="MsoNormal">Takahiko Kawasaki<u></u><u></u></p>
<p class="MsoNormal">Joseph Heenan<u></u><u></u></p>
<p class="MsoNormal">Bjorn Hjelm<u></u><u></u></p>
<p class="MsoNormal">Giuseppe De Marco<u></u><u></u></p>
<p class="MsoNormal">Judith Kahrer<u></u><u></u></p>
<p class="MsoNormal">Kristina Yasuda<u></u><u></u></p>
<p class="MsoNormal">Torsten Lodderstedt<u></u><u></u></p>
<p class="MsoNormal">Elizabeth Garber<u></u><u></u></p>
<p class="MsoNormal">David Waite<u></u><u></u></p>
<p class="MsoNormal">Oliver Terbu<u></u><u></u></p>
<p class="MsoNormal">Christian Frees<u></u><u></u></p>
<p class="MsoNormal">Sebastian Schmittner<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Introductions<u></u><u></u></p>
<p class="MsoNormal"> Christian Frees and Sebastian Schmittner from the European EPC Competence Center GmbH (EECC) introduced themselves<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Hackathon<u></u><u></u></p>
<p class="MsoNormal"> Torsten reported that ~20 developers participated in a hackathon last week implementing OpenID4VC<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">OpenID4VP<u></u><u></u></p>
<p class="MsoNormal"> Kristina recapped ISO's desire to ballot their Mobile Driver's license spec<u></u><u></u></p>
<p class="MsoNormal"> It must point to a stable spec<u></u><u></u></p>
<p class="MsoNormal"> Therefore, we need a second Implementer's Draft<u></u><u></u></p>
<p class="MsoNormal"> During the Connect call prior, we merged PR #427 OID4VP: client id format<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Pull Requests<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/478" target="_blank">
https://bitbucket.org/openid/connect/pull-requests/478</a> Fixed JARM JWE only encryption language<u></u><u></u></p>
<p class="MsoNormal"> Oliver updated a syntax error in the PR<u></u><u></u></p>
<p class="MsoNormal"> Merged<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/474" target="_blank">
https://bitbucket.org/openid/connect/pull-requests/474</a> Extended direct_post to support redirect back to the verifier<u></u><u></u></p>
<p class="MsoNormal"> Torsten talked about the possibility of overflowing URL size restrictions<u></u><u></u></p>
<p class="MsoNormal"> Joseph was concerned about whether this would work on iOS<u></u><u></u></p>
<p class="MsoNormal"> Torsen showed us a flow diagram that the PR adds<u></u><u></u></p>
<p class="MsoNormal"> David Chadwick and Torsten discussed a possible security consideration that could be described<u></u><u></u></p>
<p class="MsoNormal"> Merged<u></u><u></u></p>
<p class="MsoNormal"> Some editorial improvements may still be needed<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Issues<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance" target="_blank">
https://bitbucket.org/openid/connect/issues?status=new&status=open&component=SIOP&component=Verifiable%20Presentation&component=Credential%20Issuance</a><u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues/1551" target="_blank">
https://bitbucket.org/openid/connect/issues/1551</a> Administrative Trust in the RP<u></u><u></u></p>
<p class="MsoNormal"> David Chadwick requested to keep this open<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues/1768" target="_blank">
https://bitbucket.org/openid/connect/issues/1768</a> simplify VP Token encoding when only one VP is returned?<u></u><u></u></p>
<p class="MsoNormal"> Torsten noted that we want more feedback from implementers before doing this<u></u><u></u></p>
<p class="MsoNormal"> Joseph dislikes polymorphic parameters because they can cause testing issues<u></u><u></u></p>
<p class="MsoNormal"> Kristina suggested adding text saying that single values must not be returned as an array<u></u><u></u></p>
<p class="MsoNormal"> Torsten thinks returning multiple VPs may be an infrequent corner case<u></u><u></u></p>
<p class="MsoNormal"> We agreed for Kristina to create a PR to add this clarification and then merge it after editors' review<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues/1537" target="_blank">
https://bitbucket.org/openid/connect/issues/1537</a> Presenting VC without a VP using OpenID4VP<u></u><u></u></p>
<p class="MsoNormal"> Torsten will add a comment about security considerations<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues/1863" target="_blank">
https://bitbucket.org/openid/connect/issues/1863</a> JARM JWE-only language is not consistent with JARM<u></u><u></u></p>
<p class="MsoNormal"> This is addressed by PR #478<u></u><u></u></p>
<p class="MsoNormal"> Oliver is closing<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">New Implementer's Drafts for OpenID4VCI and SIOPv2<u></u><u></u></p>
<p class="MsoNormal"> Mike asked when we want to create Implementer's Drafts for the other OpenID4VC specs<u></u><u></u></p>
<p class="MsoNormal"> Kristina said as soon as we merge the major PRs<u></u><u></u></p>
<p class="MsoNormal"> We discussed adding client_id_scheme to the other specs<u></u><u></u></p>
<p class="MsoNormal"> We agreed to do so by reference to OpenID4VP for now<u></u><u></u></p>
<p class="MsoNormal"> We might eventually break this out into its own spec<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/pull-requests/384" target="_blank">
https://bitbucket.org/openid/connect/pull-requests/384</a> Add a cwt proof type<u></u><u></u></p>
<p class="MsoNormal"> Oliver asked for clarifications on how to represent COSE_Key values<u></u><u></u></p>
<p class="MsoNormal"> We discussed changing "Claim Key" to "Label"<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Next Call<u></u><u></u></p>
<p class="MsoNormal"> The next call will be Monday, March 13th at 3pm Pacific Time<u></u><u></u></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></blockquote></div>
<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>