[Openid-specs-digital-credentials-protocols] DCP Meeting notes for 23rd July 2024

Paul Bastian paul.bastian at posteo.de
Tue Jul 23 20:08:50 UTC 2024


# Attendees

Kristina Yasuda
Joseph Heenan
Torsten Lodderstedt
Paul Bastian
Brian Campbell
Alan Wang
Bjorn Hjelm
Christian Bormann
Daniel Fett
Gareth Oliver
Hicham Lozi
Lukasz Jaromin
Oliver Terbu
Rajvardhan Deshmukh
Steve McCown
Tom Jones

# Events

- discussion of the DCP Hybrid Meeting at the next IIW, probably planned for Monday morning
- IIW this week, SD-JWT is going to Working Group Last Call

# Issue on Key/Wallet Attestation for Issuance

- https://github.com/openid/OpenID4VCI/issues/355
- last meeting, the discussion of both wallet attestation and key attestation + optimizations seemed too complicated, so a new issue was opened to discuss key attestation optimizations
   - adding the wallet attestation to the token endpoint (already exists in HAIP)
   - integration of key attestation into the credential endpoint (different syntax proposed)
   - adding metadata giving rise to the issuer's requirements re key attestations
- Torsten presents an example for a very simplified key attestation: https://github.com/openid/OpenID4VCI/issues/355#issuecomment-2246090328
- discuss how to integrate this into the credential request; Paul agrees with Torsten's proposal to use a JOSE header in the OpenID4VCI proof JWT that contains the key attestation issued by the Wallet Provider
- Paul says this would also enable a similar mechanism for the CWT proof type
- Brian asks how to integrate this into LDP proof type, no experts available
- Kristina would like to focus on JWT proof type at first
- Torsten asks next for Issuer metadata that states that wallet attestation is required; there is no Issuer metadata in HAIP yet
- Torsten proposes to start a PR as enough consensus seems to be there, Paul agrees to do the PR
- Joseph asks for understanding, Kristina gives a summary again
- Torsten asks also to start a PR on wallet attestation aligned with what we have in HAIP, Paul agrees to do the PR

# Issue on Wallet Attestation in Presentation

- https://github.com/openid/OpenID4VP/issues/141
- Martijn asks for the motivation of this; it does not seem clear to him when things were checked during issuance
- Kristina explains that the ARF foresees the user revoking his wallet
- Torsten explains that legal text requires this
- Martijn tries to figure out if this is used for technical solutions or only to tick a box for legal text
- Christian refers to comment from Paolo (EC) for further context
- Paul explains that there are different technical solutions to fulfill the checks for possible revocations, either enforced by the issuer or by the relying party, but we will still have it anyway due to the legal text
- Torsten steers discussion to comparison of Option 2 (Wallet attestation is a regular credential) and Option 3 (Wallet Attestation is used within JARM encrypted response structure)
- Option 2 is easiest to go (no changes to OpenID4VP)
- Christian points out that the Browser API is limited to only one credential, which may create trouble with Option 2
- Christian/Paul say that Option 2 creates an exception in wallet code, e.g. UI
- Daniel argues for Option 2, easy to implement, some difficulties may be solved by query language changes
- Torsten points out that Option 1 does not work with BrowserAPI and we may benefit from opinions by BrowserAPI people
- Gareth doesn't see obstacles with Option 2, may bundle 2 things, unless no filtering is taking place
- Torsten points out the privacy / scalability challenges of this feature and tries to convince people not to use it; Paul adds that if the feature is not used much then go for the simpler solutions
- Kristina asks if the BrowserAPI is able to request mDL + wallet attestation, but with the UI/UX only showing the mDL
- Hicham thinks it's not a BrowserAPI question; Gareth thinks we should not make the path too easy if this is not the desired solution
- agreement to get more feedback from BrowserAPI folks

# Fix c_nonce language

- https://github.com/openid/OpenID4VCI/pull/365
- Kristina says she wants to merge it after removal of batch issuance PR

# Removes the Batch Credential Endpoint

- several comments open
- waiting for Pedro on Thursday call

# Consider removing cwt proof type

- https://github.com/openid/OpenID4VCI/issues/320
- Kristina says we added this for mDL
- if we use wallet attestation, we probably use JWT anyway
- Paul says that there have been issues in the LSP interop event, so either we need more clarifications or remove cwt as it doesn't add benefits over JWT proof type
- discuss again on Thursday and put on the mailing list to see if this is ready for PR
- Taka had objections
- Brian asks about issues with Brainpool curves in JOSE, but agrees to the removal
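The integration agreed under "Issue on Key/Wallet Attestation for Issuance", carrying the Wallet Provider's key attestation in a JOSE header of the OpenID4VCI proof JWT, leaves the Issuer with a verification order it has to get right: check the attestation under the trusted provider key first, then verify the proof under a key that attestation covers, and only accept the proof's aud/nonce binding after that. The Go program below is an added example written for these notes; it is not code from the working group, from the OpenID4VCI specification or from any attendee. The header name `key_attestation`, the attestation claim `attested_keys`, the `typ` values, the ES256-only JWS helpers and all keys, URLs and the nonce `n-42` are assumptions or constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// jwkOf renders a P-256 public key as a JWK map, the form used in the proof header and the attestation.
func jwkOf(pub *ecdsa.PublicKey) map[string]any {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]any{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// pubFromJWK parses a P-256 JWK map; it returns nil unless the coordinates form a valid point on the curve.
func pubFromJWK(jwk map[string]any) *ecdsa.PublicKey {
	xb, errX := b64.DecodeString(fmt.Sprint(jwk["x"])) // a missing coordinate prints as "<nil>" and fails to decode
	yb, errY := b64.DecodeString(fmt.Sprint(jwk["y"]))
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if jwk["crv"] != "P-256" || errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil
	}
	return pub
}

// signJWS produces a compact ES256 JWS: base64url(header).base64url(claims).base64url(r||s).
func signJWS(header, claims map[string]any, key *ecdsa.PrivateKey) string {
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

// verifyJWS checks a compact JWS as ES256 under pub and returns its claims; the alg header is not consulted (the verifier chooses, so no alg confusion).
func verifyJWS(token string, pub *ecdsa.PublicKey) (claims map[string]any, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	sig, err := b64.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	if cb, _ := b64.DecodeString(p[1]); json.Unmarshal(cb, &claims) != nil {
		return nil, fmt.Errorf("payload is not a JSON object")
	}
	return claims, nil
}

// VerifyAttestedProof is the Issuer-side check for a proof JWT whose JOSE header carries a key attestation.
// Header name "key_attestation" and attestation claim "attested_keys" are assumptions of this example. The proof
// is verified only under keys the Wallet Provider attested, never under the self-asserted "jwk" header.
func VerifyAttestedProof(proof string, provider *ecdsa.PublicKey, issuerID, nonce string) error {
	var hdr map[string]any
	hb, _ := b64.DecodeString(strings.SplitN(proof, ".", 2)[0])
	json.Unmarshal(hb, &hdr)
	att, _ := hdr["key_attestation"].(string)
	attClaims, err := verifyJWS(att, provider)
	if err != nil {
		return fmt.Errorf("key attestation rejected: %w", err)
	}
	keys, _ := attClaims["attested_keys"].([]any)
	for _, k := range keys {
		jwk, _ := k.(map[string]any)
		if pub := pubFromJWK(jwk); pub != nil {
			if claims, err := verifyJWS(proof, pub); err == nil {
				if claims["aud"] != issuerID || claims["nonce"] != nonce {
					return fmt.Errorf("proof aud or nonce mismatch")
				}
				return nil
			}
		}
	}
	return fmt.Errorf("proof does not verify under any attested key")
}

func main() {
	pk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample key: Wallet Provider
	wk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample key: wallet key covered by the attestation
	rk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample key: not attested
	att := signJWS(map[string]any{"alg": "ES256", "typ": "key-attestation+jwt"}, map[string]any{"iss": "https://wallet-provider.example", "attested_keys": []any{jwkOf(&wk.PublicKey)}}, pk)
	for _, k := range []*ecdsa.PrivateKey{wk, rk} {
		hdr := map[string]any{"alg": "ES256", "typ": "openid4vci-proof+jwt", "jwk": jwkOf(&k.PublicKey), "key_attestation": att}
		proof := signJWS(hdr, map[string]any{"aud": "https://issuer.example", "nonce": "n-42"}, k)
		fmt.Println(VerifyAttestedProof(proof, &pk.PublicKey, "https://issuer.example", "n-42"))
	}
}
```

Run with `go run`: the first proof, signed by the attested wallet key, prints `<nil>`; the second, which reuses the same attestation but is signed by a key the attestation does not cover, is rejected. The design choice worth noting is that the `jwk` header of the proof JWT is never used as a trust anchor: the Issuer takes its verification keys from the attestation it has already verified under the Wallet Provider's key, so swapping in an unattested key, pointing the attestation at a different provider, or replaying the proof with another `c_nonce` all fail in the order the checks are written.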
