[Openid-specs-digital-credentials-protocols] DCP WG + SIOP Call Notes 2023-09-07

Judith Kahrer judith.kahrer at curity.io
Thu Sep 7 20:07:28 UTC 2023 

Agenda
======
Logistics
GitHub Migration
IPR reminder
Introduction
Conformance Testing
Issue #45: https://github.com/openid/OpenID4VP/issues/45  

(PRs for OID4VP: https://github.com/openid/OpenID4VP/pulls )
(PRs for OID4VC: https://github.com/openid/OpenID4VCI/pulls )


Logistics
======
See: https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20230904/000001.html  
Call details for the DCP WG + SIOP call (time and link) can be found in the OIDF calendar: https://openid.net/calendar/ 
For APAC friendly time, provide your preferences in the doodle: https://doodle.com/meeting/participate/id/dN0qv82a  


GitHub Migration
======
See:  https://lists.openid.net/pipermail/openid-specs-ab/2023-September/010059.html 

Each spec got its own repository. Issues were moved, some PRs reopened.
https://github.com/openid/OpenID4VC 
https://github.com/openid/OpenID4VP 
https://github.com/openid/SIOPv2 
 
If your GitHub account was not added to the OpenID organization on GitHub yet, send a mail as instructed here: https://lists.openid.net/pipermail/openid-specs-ab/2023-September/010052.html   


IPR
=====
To participate sign the contribution agreement for BOTH the OpenID Connect A/B WG and Digital Credentials Protocol WG: https://openid.net/intellectual-property/openid-foundation-contribution-agreements/  


====
Introductions
Amir Sharif introduced himself. Amir recently joined the WG. He works as a researcher in the Security and Trust Research Unit of the Cybersecurity Center of Fondazione Bruno Kessler (Italy). He has several years experience with OAuth 2.0 and OpenID Connect and has worked with Giuseppe De Marco.
Welcome Amir!


Events
=====
IIW 37 October 10 - 12, 2023: https://internetidentityworkshop.com/  
The Internet Identity Workshop is a hybrid event. Participants can join remotely and contribute.
The OIDF Digital Credentials Protocol Working Group has a meeting prior to the workshop: https://www.eventbrite.com/e/oidf-digital-credentials-protocol-working-group-meeting-at-cisco-tickets-708486982637  

Conformance testing
=====
VC related tests focus on the latest implementer’s draft of OID4VP. Tests cover (so far)

response_type=vp_token
client_id=redirect_uri
direct post
cross device and same device
Request_uri
SD-JWT
SD-JWT VC
HAIP
Presentation_definition

There are some limitations in the current tests, such as in the validation of SD-JWTs (e.g., exp is not yet checked) and the content of the presentation_submission is not verified.

Question remains whether to 
improve validation in current tests, 
extend the test suite by 
supporting ISO mdoc, 
adding another client_id_scheme
add negative tests (response_uri != client_id)

Giuseppe would find it helpful to have client_id = entity_id for Italian use-cases.
Torsten will consult the OID4VC Due Diligence Task Force for help on the direction.


Issue #45 - Advanced Cross Device Flow for OpenID4VP
=====
https://github.com/openid/OpenID4VP/issues/45

Problem: In the current cross device flow, the verifier needs to make assumptions about the wallet (like the scheme, universal link, app link or endpoint in general). Further, it does not support encryption.

Proposal: Extend OpenID4VP with an advertisement step where the verifier communicates its capabilities and endpoints to the wallet, that in turn posts its capabilities, endpoints and identifiers in a direct HTTPS POST request to the verifier. In that way, the verifier can craft a Authorization Request that fits the wallets.

Advantage: Supports an open eco system where the wallet is not known to the verifier

Challenges: Trust between wallet and verifier. 
a) Verifier needs to trust wallet: When announcing its capabilities to the verifier, the wallet can make use of client attestation (e.g., add a client attestation JWT as specified in https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/ )
b) Wallet needs to trust verifier: Sharing the wallet's capabilities with an untrusted verifier may leak information about the wallet, the device it is running on and similar data that can be misused for attacks if the verifier is a malicious actor. The wallet should authenticate the verifier before it sends any data. The verifier could sign the advertisement or include an assertion. But then, the verifier would need to know about a common trust domain that also the wallet supports. GAIN is meant to deal with verifier and wallet being in different trust domains.

The PR will have to take the challenges into account.


PRs
=====
Out of time. Please review
https://github.com/openid/OpenID4VP/pulls  
https://github.com/openid/OpenID4VCI/pulls  


Attendees
========
Joseph Heenan
Giuseppe De Marco
Judith Kahrer
Amir Sharif
David Chadwick
Michael Jones
Andy Lim
Brian Campbell
David Luna
David Waite
Mattia Zago
Gabe
George Fletcher
Mark
Naohiro Fujie
Nick Burgess
Pedro Felix
Rajvardhan Deshmukh
Sudesh Shetty
Torsten Lodderstedt
Alexandra Ashpole
Bjorn Hjelm
Tom Jones
Oliver Terbu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20230907/8fd33d9f/attachment-0001.html>

More information about the Openid-specs-digital-credentials-protocols mailing list