[Openid-specs-digital-credentials-protocols] Notes DCP WG + SIOP meeting minutes: Jun 11, 2024

Lukasz Jaromin lukasz.jaromin at raidiam.com
Wed Jun 12 06:50:20 UTC 2024


Thank you Oliver.

@All, the last sentence in the notes may be misleading. Please ignore it.

Regards

On 11 Jun 2024, at 22:09, Oliver Terbu <oliver.terbu at mattr.global> wrote:

Sorry but I think wrt c_nonce, the following summary might be more accurate (as found here: https://github.com/openid/OpenID4VCI/issues/331#issuecomment-2161515537):



  1.  no c_nonce from the token endpoint.
  2.  c_nonce from the credential endpoint is optional. returned in the credential error response if needed.
  3.  is attack in "VC Issuance is vulnerable to Unknown Key Share attacks" (#19, https://github.com/openid/OpenID4VCI/issues/19) worth protecting against? if yes, ath probably makes sense. if not no need. -> direction seems to be making ath mandatory.

________________________________
From: Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols-bounces at lists.openid.net> on behalf of Lukasz Jaromin via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net>
Sent: Tuesday, June 11, 2024 10:05 PM
To: openid-specs-digital-credentials-protocols at lists.openid.net
Cc: Lukasz Jaromin <lukasz.jaromin at raidiam.com>
Subject: [Openid-specs-digital-credentials-protocols] Notes DCP WG + SIOP meeting minutes: Jun 11, 2024


Hi All,

Please find the meeting notes below.

Attendees:
- Kristina Yasuda
- Jan Vereecken
- Oliver Terbu
- Elizabeth Garber
- Paul Bastian
- Sudesha Shetty
- Lukasz Jaromin
- Victor Lu
- Daniel Fett
- Michael Jones
- Brian Campbell
- Christian Bormann
- Tobias Looker
- John Bradley
- Tom Jones
- Sebastien Bahloul

Agenda:

  1.  Announcement to help with PRs. The number of issues is growing.
  2.  PRs and Issues. Call for specific PRs and/or issues that we should discuss?
     *   Batch credentials
     *   c_nonce issue

Issues

  *   VCI #286 Encrypted responses in Batch and Deferred Endpoint https://github.com/openid/OpenID4VCI/issues/286 discussion on whether we do encryption
  *   VCI #189 Move Use Cases Appendix before Acknowledgements and Notices https://github.com/openid/OpenID4VCI/issues/189 Q: Any objection to do that? Yes
  *   VCI #233 Examples of signed JWTs do not always have valid signatures https://github.com/openid/OpenID4VCI/issues/233 We move on with it and have a volunteer who wants to do it.
  *   VCI Pull #293 rework credential and batch credential endpoint https://github.com/openid/OpenID4VCI/pull/293 Please review it. It will be merged if there are two more approvals. Additional comments: PR is going to be merged, however this happens conditionally provided that we will discuss VCI Issue #18. Tobias will create the issue to address the problem of an array with a single proof.
  *   VCI pull #336 add randomness to the credential_offer_uri https://github.com/openid/OpenID4VCI/pull/336 is ready to be merged
  *   VCI Issue https://github.com/openid/OpenID4VCI/issues/301 We will add clarification on it.
  *   Oliver explains c_nonce related issue https://github.com/openid/OpenID4VCI/issues/331 Discussion whether we need c_nonce or not. We looked at https://github.com/openid/OpenID4VCI/issues/19 while talking about it. The group is leaning towards keeping the c_nonce as required.

Regards
LJ

Lukasz Jaromin
Head of Standards and Product Strategy
T. 0203 148 6609
lukasz.jaromin at raidiam.com
