[Openid-specs-digital-credentials-protocols] [meeting minutes] APAC-friendly DCP WG + SIOP call (PST midday)
Christian Bormann
chris.bormann at gmx.de
Wed Jul 10 20:30:41 UTC 2024
Hi all,
Below are the meeting minutes for the call on 9th of July 2024.
Regards,
Christian
---
Attendees:
Christian Bormann
Joseph Heenan
Brian Campbell
Bjorn Hjelm
Martijn Haring
Michael Jones
Oliver Terbu
Pamela Dingle
Rajvardhan Deshmukh
Steve Venema
Sudesha Shetty
Sébastien Bahloul
Tom Jones
---
New Introductions:
Martijn Haring, working for Apple and involved in the Digital Credentials
Browser API.
Steve Venema, involved with OpenID for quite some time and recently joined
the Microsoft Identity team.
---
OID4VP profile for the W3C Digital Credentials API -
https://github.com/openid/OpenID4VP/pull/155:
Joseph introduces the PR and mentions that the intention would be to get
this merged rather soon and carve open parts out into their own issues.
Martijn mentions that he wonders how exactly the process works and what
should be within the scope of this PR and about the scope of the
specification in general. Joseph answers that the spec is not strongly
opinionated and tries to cater to all kinds of different use-cases and there
exist interop profiles like HAIP that then reduce the scope. Joseph then
asks for opinions of the working group on how to specify overlapping parts
with other works like the ISO WG. Martijn mentions that in his opinion for
the Browser Credential API profile, it would be nice for ISO if it is fully
specified in the OpenID4VP specification. That would mean specifying things
like encryption, etc. that could be defined only for mDocs or other
credential formats. The alternative would be a lot more difficult. Martijn
votes for specifying a fully interoperable way on how to use the Browser API
in the OpenID4VP draft. Christian asks if this should be part of the general
Browser API PR, or in a profile specific for mDoc.
Joseph mentions that in his opinion it sounds like we should define an
mDoc-specific profile for the Browser API. Oliver explains that one approach
would be to define a new session transcript that is specific to the
OpenID4VP / Browser API parts and that it might be faster to specify that
kind of specification in OpenID4VP. Martijn mentions that he understands the
wish to keep different options and it would be a good idea for OpenID4VP to
define an interop profile proposal for mDoc within this working group.
Pamela proposes to work fast to create something that can be considered to
be comprehensive and it could still be reverted if necessary (e.g., if this
profile should be part of an ISO document). Christian asks if there is
consensus to keep this PR general and move the mDoc-specific parts into their
own PR. Martijn and Joseph agree that we need to do something for mDoc as a
sort of profile. Christian asks that we basically have to define something
similar to HAIP for some parts of OpenID4VP with mDoc as a target.
Oliver volunteers to create an issue that will start a discussion on an
interop profile for mDoc combined with OpenID4VP and DC Browser API. Martijn
adds that this seems to cover his main points and we can still later on
discuss if this profile should be moved somewhere else if necessary. Martijn
asks if people agree that encryption should be mandated for OpenID4VP with
Browser API and Joseph explains that this goes also back to the question if
it is mandated in the WICG spec and we should wait for that update. Brian
comments that for certain use-cases enforcing encryption might be a bit
extreme. Martijn agrees and adds that maybe there should be a requirement
that if PII is involved, encryption should be mandated.
Joseph explains that the overall aim is to get the Browser API into a decent
shape before Implementers Draft 3 and that would mean merging this PR and then
figure out which other issues for Browser API need to be solved before ID3.
Michael adds that an Implementers Draft also grants IPR guarantees for that
draft, allowing all parties to implement it without fear of lawsuits.

Proposal for new query language -
https://github.com/openid/OpenID4VP/issues/178:
Joseph explains that his feeling is that the issue seems to be ready for a
PR and asks for opinions of the working group. Christian asks if the aim is
to create a PR for OpenID4VP or have a separate working item in the DCP
working group. Oliver and Joseph answer that they would see this as part of
OpenID4VP and not a separate document. Joseph adds that there is a new
comment on the issue asking for a way to inform the user who the verifier is
and Joseph states that this seems to be out of scope of the query language.
Brian would like to have this in the next implementers draft as Joseph
mentions that it should happen after ID3 for timing concerns. Michael agrees
with Brian that we should try to get the query language into ID3 and if not
possible then add a message mentioning that the query language is likely to
change. Christian asks if there are any known issues that might slow a PR
down or anything we can do right now to speed up the PR. Joseph asks about
concerns, but none are brought up. Tom adds that it should be more user
oriented than verifier oriented. Tom asks what is part of the initial query
and Joseph explains that the initial request contains the new query, but still
all of the usual attributes and things like verifier authentication do not
change. Tom states that the browser has to get enough information to allow
the user to make a meaningful choice.