[Openid-specs-digital-credentials-protocols] [EXT] [agenda] DCP WG + SIOP call (PST 8am)
Sudesha Shetty
Sudesha.Shetty at gendigital.com
Thu Sep 19 22:14:00 UTC 2024
Hello Everyone,
Please find the meeting notes from today’s DCP WG + SIOP call.
Participants
* Kristina Yasuda
* Joseph Heenan
* David Chadwick
* Javier Ruiz
* Pedro Felix
* Tim Cappalli
* Brian Campbell
* Daniel Fett
* Rajvardhan Deshmukh
* Paul Bastian
* Lukasz Jaromin
* Bjorn Hjelm
* Andreea Prian
* Jan Vereecken
* Hicham Lozi
* Tom Jones
* Steve Venema
* Gareth Oliver
Notes:
* Kristina reminded the team about the new antitrust policy (http://www.openid.net/antitrust) and encouraged everyone to familiarize themselves with it.
* Announcement about upcoming OAuth Security Workshop 2025 https://oauth.secworkshop.events/osw2025
* Update by Kristina on moving VP/VCI to v1.0 final and then proceeding to v1.1. We have been discussing version 1.0 final, and there appear to be no strong objections to proceeding with finalizing it and moving on to version 1.1. However, there are still concerns and discussions needed regarding the scope of version 1.0. Once those are addressed, we can proceed in this direction. The formal approval will follow, and we will ask if the draft is ready for working group last call.
* PR Discussion #1 - https://github.com/openid/OpenID4VCI/pull/392 - “add an option to use credential_configuration_id in credential request”
* Topic of discussion: Do we want to remove format and type to specify which credential is being requested? If we do that, then we should do it in the authorization request too.
* Discussion:
* There are concerns about how this change might affect current implementations and whether it should be included in version 1.0 or deferred to future updates. Paul prefers replacing the current option rather than adding another, while Oliver suggests separating the discussions to avoid complications for implementers. The group is undecided but agrees to gather feedback from those using the format and type option.
* Concluded with following comment on PR: https://github.com/openid/OpenID4VCI/pull/392#issuecomment-2361317742
* PR Discussion #2 - https://github.com/openid/OpenID4VP/pull/258 - “Permit the use of the new query language instead of presentation exchange.”
* Daniel introduced a new approach for handling claims and credential sets. The new model defines claims with unique IDs and allows for optional claims, reducing complexity in applications with multiple claims. The same approach can be applied to credentials. Paul raised a concern about the logic of optional credentials but appreciated the clarity of the claims structure. The group generally agreed on the approach, with a few members indicating they would review it later.
* PR Discussion #3 - https://github.com/openid/OpenID4VP/pull/263 - “Change client_id_scheme to a prefix”
* Discussion on the proposal to remove the client ID scheme parameter and instead prefix the client ID value with the client ID scheme. This proposal aims to address a security issue while maintaining compatibility with existing Federation implementations. The group agreed that the Federation specification would not be impacted by this change.
Jan raised concerns about the added semantics to the client ID, which may require interpretation. Joseph and Brian clarified that the client ID has never been entirely opaque and that the prefixing approach merely relocates existing semantics. The group discussed separating the conversation around a single deployment using multiple trust frameworks from the current security issue, with agreement that the latter should be resolved first. Joseph opened issue #248 (https://github.com/openid/OpenID4VP/issues/248) to address the multi-framework topic. There was general support for moving forward with the current proposal, pending final approval from key stakeholders. The goal is to merge the proposal soon, possibly by the following week.
* PR Discussion #4 - https://github.com/openid/OpenID4VCI/pull/381 “remove c_nonce from the token endpoint response”
* Pedro raised a question about the term "fresh," which Brian clarified as a nonce usable for subsequent requests. Suggestions were made to improve the wording. Oliver inquired about protecting the endpoint with access tokens, but it was previously deemed unnecessary. While some expressed concerns about potential abuse of the unprotected endpoint, the group agreed that cryptographic validation was a bigger issue. They leaned towards a stateless nonce implementation but will gather feedback on stateful nonces in the future.
Lukasz suggested adding a note for transparency, stating that the endpoint is not protected by access tokens, which Kristina agreed to. With three approvals in place, the PR is likely to be merged next week.
* PR Discussion #5 - https://github.com/openid/OpenID4VCI/pull/389 “first draft for key attestation”
* Paul confirmed the PR needs reviews and polishing but is going in the right direction. He raised a question about the necessity of a cnf claim for key attestation (especially for multiple keys). Kristina requested a description in the PR to clarify the steps. Paul agreed to update the PR and address the cnf claim issue.
* PR Discussion #6 - https://github.com/openid/OpenID4VCI/pull/276 “Define claims display description and claims path query”
* Kristina discussed the need to revisit the PR addressing display definitions for nested claims, noting its previous deferral due to implementation concerns. With version 1.0 approaching, she suggested re-evaluating the PR. Paul emphasized that the new query language proposal might overlap with this topic, recommending consensus on the query language first. Brian raised the question of authority in defining credential type metadata, highlighting a conflict between issuer metadata and type metadata. The group agreed to prioritize the query language design before addressing the breaking change in the PR.
* PR Discussion #7 - https://github.com/openid/OpenID4VCI/pull/382 “Enable non-breaking extensibility”
* Kristina raised the topic of enabling non-breaking extensibility in issuance, highlighting a conflict between the RAR specification and a proposed PR that suggests ignoring unrecognized parameters. Brian explained that the original intent was to ensure strict adherence to types without extensibility. Joseph clarified that the PR aims to allow future extensibility, preventing issues if new parameters are defined later. The group acknowledged that this topic is blocking the PR and agreed to revisit it next week.
Thanks
Sudesh
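The client_id prefix proposal discussed under PR #263 (scheme carried as a prefix of the client_id value rather than in a separate client_id_scheme parameter) is illustrated below from the wallet's side. This is an added example written for these notes, not code from the OpenID4VP specification or from any implementation; the prefix names, the treatment of an unprefixed client_id as a pre-registered identifier, the redirect_uri matching rule and the sample registry are assumptions made for the example.

```python
"""Added example: handling a client_id whose scheme is carried as a prefix.

Illustration written for these meeting notes, not code from OpenID4VP or any
wallet. The prefix names, the "unprefixed means pre-registered" rule, the
redirect_uri matching rule and the sample registry are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed set of scheme prefixes the wallet recognises (not taken from the notes).
KNOWN_PREFIXES = frozenset({"redirect_uri", "x509_san_dns", "verifier_attestation"})

# Constructed sample registry standing in for a wallet's local configuration.
PRE_REGISTERED = {"wallet-shop-42": {"redirect_uri": "https://shop.example/cb"}}


@dataclass(frozen=True)
class ClientId:
    scheme: str   # how the wallet is expected to authenticate the verifier
    value: str    # scheme-specific identifier, e.g. a URL or a DNS name
    raw: str      # the full client_id string; this is the verifier's identity


def parse_client_id(client_id: str) -> ClientId:
    """Split "<scheme>:<value>" into its parts.

    The scheme is part of the identifier, so two client_id strings that differ
    only in their prefix name different verifiers even when the part after the
    colon is identical.
    """
    if not client_id:
        raise ValueError("client_id must not be empty")
    prefix, sep, rest = client_id.partition(":")
    if sep and prefix in KNOWN_PREFIXES:
        if not rest:
            raise ValueError(f"client_id {client_id!r} has a scheme but no value")
        return ClientId(scheme=prefix, value=rest, raw=client_id)
    # Assumption: no recognised prefix means a pre-registered client identifier.
    return ClientId(scheme="pre-registered", value=client_id, raw=client_id)


def authenticate_verifier(cid: ClientId, response_uri: str,
                          san_dns_names: Iterable[str] = ()) -> bool:
    """Dispatch on the scheme carried in the client_id itself.

    san_dns_names stands for the dNSName SANs of an already-validated
    certificate chain (chain validation is out of scope for this example).
    """
    if cid.scheme == "redirect_uri":
        # Assumed rule: the identifier is the URI the response goes to.
        return response_uri == cid.value
    if cid.scheme == "x509_san_dns":
        return cid.value in set(san_dns_names)
    if cid.scheme == "pre-registered":
        reg: Optional[dict] = PRE_REGISTERED.get(cid.raw)
        return reg is not None and reg["redirect_uri"] == response_uri
    return False  # e.g. verifier_attestation: not handled in this example


def same_verifier(a: str, b: str) -> bool:
    """Identity comparison uses the whole prefixed string, never just the value."""
    return parse_client_id(a).raw == parse_client_id(b).raw


if __name__ == "__main__":
    cid = parse_client_id("redirect_uri:https://verifier.example/cb")
    print(cid.scheme, cid.value)
    print(authenticate_verifier(cid, "https://verifier.example/cb"))
    print(authenticate_verifier(cid, "https://attacker.example/cb"))
    print(same_verifier("redirect_uri:https://verifier.example/cb",
                        "x509_san_dns:verifier.example"))
```

The point the notes attribute to Joseph and Brian, that prefixing only relocates semantics the client_id already carried, shows up in `same_verifier`: the wallet keys every trust decision on the complete string, so a value cannot be re-interpreted under a scheme it was not issued for.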
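The notes on PR #381 say the group leaned towards a stateless nonce for the endpoint that replaces c_nonce in the token response, and that the endpoint is not protected by access tokens. The block below is an added example of what a stateless nonce can look like on the issuer side; it is not code from OpenID4VCI or from any issuer, and the byte layout, the lifetime and the use of a single HMAC key are assumptions made for the example.

```python
"""Added example: a stateless c_nonce the issuer can verify without storage.

Illustration written for these meeting notes, not code from OpenID4VCI or any
issuer. Layout, lifetime and key handling are assumptions for the example.
"""
import base64
import binascii
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

NONCE_LIFETIME_S = 300  # assumed validity window
_TS_LEN, _RAND_LEN, _TAG_LEN = 8, 16, 32


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_nonce(key: bytes, now: Optional[float] = None) -> str:
    """Mint a nonce: 8-byte big-endian issue time | 16 random bytes | HMAC tag.

    Nothing is stored; the HMAC over time and randomness is what lets the
    issuer recognise its own nonce later.
    """
    ts = int(time.time() if now is None else now)
    body = struct.pack(">Q", ts) + os.urandom(_RAND_LEN)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64u(body + tag)


def verify_nonce(key: bytes, nonce: str, now: Optional[float] = None,
                 lifetime: int = NONCE_LIFETIME_S) -> bool:
    """Accept a nonce only if the tag is ours and it is within its window.

    Check the tag before trusting the timestamp; reject anything malformed.
    """
    try:
        raw = _unb64u(nonce)
    except (ValueError, binascii.Error):
        return False
    if len(raw) != _TS_LEN + _RAND_LEN + _TAG_LEN:
        return False
    body, tag = raw[:_TS_LEN + _RAND_LEN], raw[_TS_LEN + _RAND_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    ts = struct.unpack(">Q", body[:_TS_LEN])[0]
    current = int(time.time() if now is None else now)
    return ts <= current <= ts + lifetime


if __name__ == "__main__":
    key = os.urandom(32)  # in a deployment this would come from the issuer's key store
    n = issue_nonce(key)
    print(n, verify_nonce(key, n))
```

Two consequences of going stateless are worth noting alongside the notes' discussion: the endpoint being unprotected means anyone can mint nonces, which is harmless here because a nonce carries no authority on its own, and the lack of server-side state means a nonce cannot be marked as used, so replay within the lifetime window is only prevented if the issuer binds the nonce to something else (for example, the proof it appears in) or keeps a short-lived seen-list, which is the stateful variant the notes say feedback will be gathered on.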
From: Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols-bounces at lists.openid.net> on behalf of Kristina Yasuda via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net>
Date: Thursday, September 19, 2024 at 10:34 AM
To: Digital Credentials Protocols List <openid-specs-digital-credentials-protocols at lists.openid.net>
Cc: Kristina Yasuda <yasudakristina at gmail.com>
Subject: [EXT] [Openid-specs-digital-credentials-protocols] [agenda] DCP WG + SIOP call (PST 8am)
Hi All,
Below is the suggested agenda for today's DCP WG + SIOP call at 12:00 midday PT: https://zoom.us/j/94085567252?pwd=cHNFMExFalhlM2MrOFhoN3J6eDRuZz09
1. IPR reminder / Antitrust policy (http://www.openid.net/antitrust)
2. Note-taking
3. Introductions/re-introductions
4. Agenda bashing/adoption
5. Events/External orgs
* OSW https://oauth.secworkshop.events/osw2025
6. Consensus around proposed plan for moving VP/VCI to v1.0 final with v1.1 to follow
7. add an option to use credential_configuration_id in credential request. VCI PR #392
8. Permit the use of the new query language instead of presentation exchange. VP PR #258
9. client_id_scheme security. VP PR #124
10. [updated] Add extensibility to Credential Response. VCI PR #391
11. [updated] Remove c_nonce from the token endpoint response. VCI PR #381.
12. Define claims display description and claims path query - https://github.com/openid/OpenID4VCI/pull/276
13. [heads-up/no action as far as I am aware] Update Appendix 1 to be consistent with the latest snapshot of the Digital Credentials API. VP issue #264
14. Key attestation first draft PR - please review: https://github.com/openid/OpenID4VCI/pull/389
15. Other Open PRs/Issues
Thank you,
Kristina