[Openid-specs-digital-credentials-protocols] [minutes] APAC-friendly DCP WG + SIOP call (PST midday) 1st of October 2024
Joseph Heenan
joseph at authlete.com
Wed Oct 2 12:01:15 UTC 2024
Attendees:
Joseph Heenan
Kristina Yasuda
Paul Bastian
Torsten Lodderstedt
Brian Campbell
Christian Bormann
Daniel Fett
Michael Jones
Nemanja Patrnogic
Tom Johnson
John Bradley
Lukasz Jaromin
Tom Jones
Introductions
Tom Johnson: With IC Consult, based in Dallas, Texas, works on various identity and decentralised things.
Events
Pre-IIW workshop: Won’t be at Cisco now due to a building closure - new location to be confirmed but should still be in the general area around the Computer History Museum.
Client id scheme security
https://github.com/openid/OpenID4VP/pull/263
Brian has approved despite concerns (as detailed on the PR). No further concerns were raised by anyone else, including as a result of Joseph’s email to the WG mailing list a week ago. Kristina messaged Oliver to double check but otherwise plans to merge very soon.
Key attestation
https://github.com/openid/OpenID4VP/pull/258
Paul & Christian updated the PR earlier today. Ready to move away from being draft. Paul talked through the latest version.
Several questions (see the ‘unticked’ items in the PR summary).
Some discussion about what the PR is trying to achieve. Essentially you need a proof of possession for a key, but not for the keys that are being bound (as proof of possessions) to the issued credentials. See comment Kristina added to PR for the consensus from the call.
Nonce PR
https://github.com/openid/OpenID4VCI/pull/381
Some debate over GET vs POST for the nonce endpoint. Brian had tried removing the specification of which HTTP method is used, but there seemed to be a consensus that we do need to pick one for interoperability purposes. We agreed on picking POST relatively arbitrarily, as we just need to pick one. Brian to update PR.
How can verifiers that support multiple trust models/ecosystems know how to authenticate to the wallet?
https://github.com/openid/OpenID4VP/issues/248
Question about whether we can solve this without imposing JWS JSON serialisation. Potentially can be solved for browser API by making multiple requests (albeit that results in duplication of the payload), and in non-browser API using request_uri_method=POST - although in the latter case there’s an issue if the client_id needs to be different depending on which wallet the verifier is authenticating to. We ran out of time before reaching a conclusion on that. We didn’t have enough browser people on the call to discuss the Browser API part.