[Openid-specs-digital-credentials-protocols] [notes] DCP WG + SIOP call
Christian Bormann
chris.bormann at gmx.de
Tue Nov 12 22:05:39 UTC 2024
Hi All,
Below are the notes of today’s DCP call.
Regards, Christian
----
Participants:
Andres Olave
Andrew Regenscheid
Bjorn Hjelm
Brian Campbell
Christian Bormann
David Zeuthen
Dima
Edmund Jay
Gail Hodges
Gareth Oliver
Hicham Lozi
Jin Wen
Kristina Yasuda
Lee Campbell
Martijn Haring
Michael Jones
Paul Bastian
Sébastien Bahloul
Tim Cappalli
Victor Lu
----
General comments:
OpenID4VP is in public review period and there were 3 editorial PRs that have been merged.
OpenID4VCI should go to ID soon, so we have some PRs that need some attention.
----
Key Attestation - https://github.com/openid/OpenID4VCI/pull/389:
Paul introduces that given the feedback that defining key storage types and user authentication individually would be very complex, the PR was shifted to defining attack potential resistances (APRs). Some initial values for the APRs are defined in the PR using the ISO 18045 definitions. This change shifts some burden to the wallet provider but that seems to be fine given the current ecosystem layout. Martijn asks about the requirement that the current text defines a MUST for the ISO definition of APRs and what happens if an ecosystem defines their own APR. Paul answers that other APRs would overwrite the definitions initially given. Christian mentions that Wallets could be compliant with different APRs, but we are not mandating everyone to include the ISO values.
Kristina mentions that Pedro is not on the call, but another topic of discussion was to move to a nested claim structure, but given the current timeline proposes to keep the current structure and go to ID with the current version to get feedback.
Wallet Attestation - https://github.com/openid/OpenID4VCI/pull/408:
Paul introduces that the current idea is to use the IETF draft for attestation-based client authentication to authenticate a Wallet towards the issuer (to prove the wallet is an authentic wallet). The Wallet provider would leverage existing systems like the platform attestations to check the integrity of the wallet and issue a wallet attestation. Martijn mentions that for OpenID4VP, he is hesitant to introduce a common format for the attestation. Given the current ecosystem with different credential formats, ecosystems should leverage the credential formats they already use. Christian mentions that it would reduce complexity for RPs with everyone knowing what to expect. Hicham adds that this attestation will always be accompanied by another credential, which would result in everyone being forced to support this as a second format option. Paul explains that within OpenID, we already use JWTs in a lot of places and the OpenID4VC implementations already understand and use JWTs, so the added complexity seems to be manageable. Gareth adds that it is not only a JWT and an RP in OpenID4VP would not necessarily need to understand JWTs, but it might not be too complex to add. Kristina asks if we could directly use an SD-JWT and if that would make things easier. Brian asks if we are discussing the PR in OpenID4VCI or its possible usage in OpenID4VP. Martijn answers that they would prefer to keep within one ecosystem, including status mechanisms etc., and there might be problems depending on where the attestation is signed, and questions why we would need to define a format for this.
Kristina asks if for the time being there are no objections to this in OpenID4VCI. Lee summarizes his understanding that the wallet gets installed, pings its wallet server, which verifies a platform attestation and issues a wallet attestation which is then used towards an issuer. Lee asks to just use an SD-JWT instead of a JWT, given that an SD-JWT already brings all the features. Brian adds that JWTs are well supported and fit the general protocol needs, and asks why people are not happy with a simple JWT. Lee agrees that you seem to not need selective disclosure, so a JWT might be fitting and parsing a JWT is not too complex, but parsing something like an mdoc could be pretty complex. Christian explains that sd_hash is not present in the wallet attestation, which would break SD-JWT parsing, which is required even if there are no disclosures. Brian states that any kind of selective disclosure seems to be unnecessary here and parsing a key binding is not too complex with the existing libraries and support for JWTs. Martijn asks about revocation support, to which Paul agrees that revocation support is intended and that the Wallet Provider may choose how to implement revocation. Martijn asks to standardize the claims instead of standardizing the format and leave that choice up to the ecosystems. Martijn states that this adds complexity. Kristina asks if people are strongly objecting to the current trajectory. Martijn adds that he wishes for support for the identifier list instead of only status list if we want to add revocation. There seems to be no conclusion to get this into ID, but Kristina asks for people to review this PR. Mike states that the main question is if we need selective disclosure; if we need it, we should use SD-JWT and otherwise stick with JWTs.
change sd-jwt vc type identifier from vc+sd-jwt to dc+sd-jwt - https://github.com/openid/OpenID4VCI/issues/414:
Brian introduces the issue that there will likely need to be a change for the media type for sd-jwt-vc from vc+sd-jwt to dc+sd-jwt. OpenID4VCI and OpenID4VP use vc+sd-jwt as Credential Format identifiers and given that the media type changed, we might want to change the credential format identifier to dc+sd-jwt to avoid further confusion. There are no objections and Kristina mentions that we should create PRs for OpenID4VP and OpenID4VCI.
The Value of Having JWKS in the Credential Issuer Metadata - https://github.com/openid/OpenID4VCI/issues/385:
Mike introduces that this is mainly a consistency topic and should be ready for PR to make it easier for people to form their opinion. Kristina adds that this topic will be discussed when Oliver and Joseph are back.
Add Multi RP Credentials/Authentication capability - https://github.com/openid/OpenID4VP/pull/308:
Kristina explains that this introduces the capability to add more than one signature to an Authorization Request in OpenID4VP leveraging JWS. Kristina asks if this meets the requirements that were brought up and Martijn responds that they are reviewing and will provide feedback soon.
Update examples to reference the W3C VCDM v2, Data Integrity, and VC JOSE COSE - https://github.com/openid/OpenID4VP/pull/297:
Kristina explains that this is an upgrade to W3C VCDM 2.0 and Mike explains that people are expecting that VCDM 2.0 is going to be used instead of VCDM 1.1, which is currently referenced, and this PR is something that is going to come back before final anyway. Given that the creator of the PR will likely not have time to work on it, Mike volunteers to work on the PR if people agree that this should happen now.
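As an added illustration of Christian's remark in the wallet attestation discussion about sd_hash (example code written for these notes, not part of the original email, the PRs, or any project library): a minimal SD-JWT+KB verifier that rejects a key-binding JWT lacking sd_hash even when the presentation carries zero disclosures, which is exactly what a plain JWT attestation plus proof-of-possession JWT looks like. Signing uses a constructed shared HMAC key (HS256) only to keep the example offline; issuer URLs, nonce and claims are constructed.

```python
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key"  # constructed HMAC key; real attestations use asymmetric keys

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(header: dict, payload: dict) -> str:
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    return signing_input + "." + b64url(hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest())

def verify_jwt(jwt: str) -> dict:
    head, body, sig = jwt.split(".")
    expected = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad JWT signature")
    return json.loads(b64url_decode(body))

def sd_hash(issuer_jwt: str, disclosures: list) -> str:
    # SD-JWT binds the KB-JWT to "<issuer-jwt>~<disclosure>~...~", trailing '~' included.
    return b64url(hashlib.sha256(("~".join([issuer_jwt, *disclosures]) + "~").encode()).digest())

def verify_sd_jwt_kb(presentation: str) -> int:
    """Parse an SD-JWT+KB presentation, enforce the sd_hash binding, return the disclosure count."""
    if "~" not in presentation:
        raise ValueError("not an SD-JWT: no '~' separators")
    issuer_jwt, *disclosures, kb_jwt = presentation.split("~")
    if not kb_jwt:
        raise ValueError("no key binding JWT present")
    verify_jwt(issuer_jwt)
    kb = verify_jwt(kb_jwt)
    if "sd_hash" not in kb:
        raise ValueError("KB-JWT lacks sd_hash: not a valid SD-JWT key binding")
    if not hmac.compare_digest(kb["sd_hash"], sd_hash(issuer_jwt, disclosures)):
        raise ValueError("sd_hash does not match the presented SD-JWT")
    return len(disclosures)

def build_presentation(with_sd_hash: bool) -> str:
    # Constructed wallet attestation carrying no selectively disclosable claims at all.
    attestation = sign_jwt({"alg": "HS256"}, {"iss": "https://wallet-provider.example", "_sd_alg": "sha-256"})
    kb_claims = {"aud": "https://issuer.example", "nonce": "constructed-nonce", "iat": 1731400000}
    if with_sd_hash:  # a plain PoP JWT, as in attestation-based client auth, carries no sd_hash
        kb_claims["sd_hash"] = sd_hash(attestation, [])
    return attestation + "~" + sign_jwt({"alg": "HS256", "typ": "kb+jwt"}, kb_claims)
```

Running `verify_sd_jwt_kb(build_presentation(False))` raises on the missing sd_hash, while the same attestation with an sd_hash-bearing KB-JWT parses with zero disclosures.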
From: Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols-bounces at lists.openid.net> On Behalf Of Kristina Yasuda via Openid-specs-digital-credentials-protocols
Sent: Tuesday, November 12, 2024 5:30 PM
To: Digital Credentials Protocols List <openid-specs-digital-credentials-protocols at lists.openid.net>
Cc: Kristina Yasuda <yasudakristina at gmail.com>
Subject: [Openid-specs-digital-credentials-protocols] [agenda] DCP WG + SIOP call
Hi All,
Below is the suggested agenda for today's DCP WG + SIOP call: https://zoom.us/j/94085567252?pwd=cHNFMExFalhlM2MrOFhoN3J6eDRuZz09
1. OIDF Antitrust Policy at http://www.openid.net/antitrust applies
2. IPR reminder/ Note-taking
3. Introductions/re-introductions
4. Agenda bashing/adoption
5. Events/External orgs
6. WGLC for OID4VP has started! Three PRs merged.
7. Now trying to get VCI to the implementers draft:
* VCI: Key attestations https://github.com/openid/OpenID4VCI/pull/389
* VCI: wallet attestation https://github.com/openid/OpenID4VCI/pull/408
* VCI: add option to use credential_configuration_id in credential request: https://github.com/openid/OpenID4VCI/pull/392
8. other priority issues/PRs
Cheers,
Kristina