[Openid-specs-digital-credentials-protocols] DCP WG meeting minutes: Feb 1st, 2024

[Joseph Heenan]

(Resending these on the behalf of Oliver who took them, as he’s having trouble with his emails to the list getting rejected)

Intros No intros 

PR 84
No response_uri in the authz request available. The PR fixes this by stating that the response_uri should be used instead of redirect_uri for client ID schemes. Merging PR 84 since it has 4 approvals.

PR 235
Applied all changes we agreed on last week. Merging after the call. Thanks for approving.

PR 249
Non-normative PR, should go into ID-1. For AS that support only pre-authz code grant, no authz endpoint, no response_type. But RFC8414, which we had been pointing to for AS metadata, mandates that any AS must have response_type supported in the AS metadata. In that case, AS that support only pre-authz code grant cannot put anything there. PR introduces language that it is okay for AS metadata to omit response_types_supported. Discussion on "can" vs "MAY." Changed to MAY, and no objections to using MAY. Reviewers should review the PR again.

PR 250
Editorial one, no reviews yet.

PR 243
Editorial one, Torsten approved. Resolved Joseph's concerns. Please re-review.

PR 187
Privacy considerations, also targeted for ID-1. Kristina added more details. Still, some comments came in. Discussed certain items of the PR with comments. Concerns on user consent language: agreed on new text on user consent. The preferred language is that issuers should get end-user consent when issuing to a wallet. Took into consideration that the user might not be human, and privacy protection laws might not apply to an IoT device. Discussed whether logging considerations should be included at all since it applies to all systems, but it was agreed that it does not hurt to have a reminder on logging considerations. Fine-tuned language on logging. Binding considerations got removed since it was not added on purpose. Removed binding considerations. On expired credentials and whether they should be deleted as soon as possible, there might be cases where the content might expire (e.g., passport) while the credential is still valid. How does the group think about this? Clarification was made that don't hold on to the data if it is no longer needed. It will be taken into account that "valid" will be replaced with "no longer verifiable" since validation is out of scope.

PR 245
Still some discussion on whether a background image is needed. PR will probably go in soon.

PR 246
Not sure if this PR goes in before ID-1. Still active discussion and some reviews needed.

Issue 173
We will keep the current format for MSO mdoc.

Issue 242
Issue needs more discussion.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20240201/0c2aa47e/attachment-0001.html>