[Openid-specs-digital-credentials-protocols] [minutes] APAC-friendly DCP WG + SIOP call (PST midday)

Kristina Yasuda yasudakristina at gmail.com
Tue Mar 5 21:04:27 UTC 2024


Hi all, here are the minutes:


Joseph Heenan

Daniel Fett

Kristina Yasuda

Christian Bormann

Tobias Looker

Jin Wen

Torsten Lodderstedt

Dima Postnikov

Brian Campbell

Mike Jones

Sebastien Bahloul

Orie Steele

George Fletcher



Daylight saving related time zone changes are coming. We will try to keep
calendars in sync, but noon PST is the source of truth, if you are in doubt.



Please register for the post-IIW hybrid DCP WG at
https://www.eventbrite.com/e/openid-foundation-dcp-working-group-hybrid-meeting-tickets-841453930357



OAuth Security Workshop submissions deadline is coming up:
https://oauth.secworkshop.events/osw2024.



   1. Request_uri extension


   - https://github.com/openid/OpenID4VP/pull/59


   - Suggestion is the following:
      - drop the ability to sign the initial request
      - the verifier is expected to send its capabilities (esp. signature
      algorithms) in the client_metadata parameter with the initial request
      - the Wallet should send the POST request to the request URI with a
      data set, which does not allow user tracking, i.e. subset of client
      metadata + nonce for request object signing + ephm. key for request
      object encryption
      - the very first request from the verifier looks like …?
      request_uri=...&client_metadata=...



   - Please review this PR, if we can get WG agreement in this direction,
   changes will be made to the PR.



   2. OpenID4VP and Browser API


   - Browser API open to support multiple protocols, one of those protocols
   should be OpenID4VP. Torsten did a presentation that he worked on with
   Joseph and Kristina on what that should look like
   - Intro about browser api: https://github.com/WICG/digital-identities.
   - Requirements:
      - Wallet needs to authenticate the verifiers using trust
      infrastructure independent from the web trust infrastructure
      (important for eIDAS 2.0)
         - Proposed solution is to use a signed request object
         - Tobias: there might be cases where web origin is sufficient, in
         which case signing is not required
      - Prevent replay of authenticated requests.
         - Proposed solution is to encrypt the response to the verifier's
         ephemeral public key
      - Easy migration to the browser api for the existing openid4vp
      implementations
   - What is not in the request object: redirect_uri, state, response_uri.
   - Discussion
      - Tobias: need to separate authenticating who you are sending the
      request to and integrity to protect the request.
      - Kristina: need to differentiate what is parsed by the wallet and
      what needs to be understood by the browser
      - In the android model, the (sandboxed) matcher is provided by the
      wallet. And it is that matcher that parses the request, not the mobile OS
      itself.
      - Sebastien/Orie: question seems to be how much the browser needs to
      understand about the incoming request? How opaque is it for the platform?
   - Document to review is here:
   https://docs.google.com/document/d/1A10PZ_DviMJeyy2mDFt2QLcXUbT4O2dc_BizNXAD2PQ/edit
      - Please review the document, comment and indicate if you believe DCP
      WG should work on this and if yes, should this be a new WG item in
      DCP WG.



   3. Query syntax


   - https://github.com/openid/OpenID4VP/issues/112
   - The issue describes feedback that has been received on PE.
   - Sticking to the process outlined here:
   https://github.com/openid/OpenID4VP/issues/112#issuecomment-1960037463
      - There is no clear agreement on the suggested way forward out of the
      few options presented in the issue-comment
      - Tobias did a presentation on one concrete solution for what a new
      query language specific to credential format could look like (close to
      option 4 in the issue-comment)
         - https://docs.google.com/document/d/10JT--pXWsfwC4QVu3XJpXGwcO08M6tnpkZ4PKdtCEWo/edit#heading=h.7igj7m3na8ru
      - Discussion
         - Orie asked about intentToRetain feature
         - Kristina asked about why presentation_submission kind of feature
         was missing -> was not deemed useful by the proposers of this document
   - Please review this proposal and make comments on issue #112 about your
   desired next step


On Tue, Mar 5, 2024 at 10:25 AM Joseph Heenan via
Openid-specs-digital-credentials-protocols <
openid-specs-digital-credentials-protocols at lists.openid.net> wrote:

> Hi All,
>
> Below is the suggested agenda for today's DCP WG + SIOP call at 12:00
> midday PT.
>
> - IPR reminder/ Note-taking
> - Introductions/re-introductions
> - Agenda bashing/adoption
> - DST changes means the call time will move for many people sometime over
> the next month; check the calendar
> - Events/External orgs
> - PRs
>    - Please review VP SD-JWT profile:
> https://github.com/openid/OpenID4VP/pull/115
>    - Please review VP Editorial:
> https://github.com/openid/OpenID4VP/pull/119
> https://github.com/openid/OpenID4VP/pull/121
> https://github.com/openid/OpenID4VP/pull/114
>    - Request URI extension: https://github.com/openid/OpenID4VP/pull/59
> - Issues:
>     - OpenID 4 VP profile of the Browser API -
> https://github.com/openid/OpenID4VP/issues/90
>     - Query language - https://github.com/openid/OpenID4VP/issues/112
> - Other PRs
>    - VCI
> https://github.com/openid/OpenID4VCI/pulls?q=is%3Aopen+is%3Apr+milestone%3AID-1
>    - VP https://github.com/openid/OpenID4VP/pull/59
>    - HAIP
> https://github.com/openid/oid4vc-haip-sd-jwt-vc/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc
> - Issues (in the most recently updated order)
>    - VCI
> https://github.com/openid/OpenID4VCI/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc
>    - VP
> https://github.com/openid/OpenID4VP/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc
>    - HAIP
> https://github.com/openid/oid4vc-haip-sd-jwt-vc/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc
>
>
> Thanks
>
> Joseph