[Openid-specs-digital-credentials-protocols] DCP WG call 2024.11.14

[Andreea Prian]

Hi All,

Below are the notes of the DCP call on Thursday November 14th.
Regards,
Andreea

-----
On the call with the EU Commission that took place on November 13th:
All specifications (OID4VCI, OID4VP, HAIP) should be final before June 2025. Implementing Acts are expected to be updated afterwards. This implies we can have normative PRs until end of April.
Brian : Other specs like IETF docs will not be final by then.

What are the ISO timelines?
Martijn: March 2025 was communicated at some point but it is not official
Bjorn : action item to gather info if June 2025 is discussed within ISO

On HAIP scope:  could be referenced as such if the scope will match perfectly. HAIP content could be driven by the EU requirements but could also apply globally.
Martijn: what is the impact of having an mdoc profile for Browser API in HAIP?
Kristina: we have to make a decision if this profile should be in HAIP or OID4VP

On credential status management: will not be defined in OID4VCI.

Supporting PoA over OID4VP: this is most likely not a requirement anymore, but a final decision is waited before March 2025.

On disclosure policies: might not require changes to the protocol.

On cryptographic algorithms: should HAIP specify what algorithms should be mandatory to be implemented by the wallet? Further discussions are needed.

Other topics we should give an answer about to the Commission:
Data portability using re-issuance – also to be discussed
Using OID4VP to file complaints to the DPA – Kristina to open an issue

See also slides: https://docs.google.com/presentation/d/11nkkoxvZ9uQylS2vx4LTUBAlvksLTOOrA_eugbSgrdk/edit?usp=sharing

Small update from Kristina - has an individual contract with the EC to help with standardisation work. When discussing EU topics, she will make sure we know which hat she is wearing
-----
Brian brought up a heated topic in the WICG Digital Credentials call - an issue in VP was created : https://github.com/openid/OpenID4VP/issues/326
Having a single protocol with different elements seems challenging for some people, a protocol identifier could be used to differentiate between signed/unsigned requests.
David, Torsten, Brian: Having different protocol values seems legitimate
Gareth: might not be trivial for wallets to interpret but can be ok
Paul: how to scale this if further distinguishers might be needed in the future
Hicham: signed/unsigned might not be the proper differentiator for the structure

Further discussion should take place in VP
-----
Andreea: question on key attestations
In the credential endpoint, is it possible to have in the proofs array “n” jwt entries (for “n” PoPs) and one attestation covering the “n” keys in the attested_keys? Answer is yes.
The text describing the attestation proof type was a little misleading, Kristina suggested a change in the PR.
https://github.com/openid/OpenID4VCI/pull/389
-----
On credential_configuration_id
Kristina went through the changes introduced in the PR https://github.com/openid/OpenID4VCI/pull/392
Torsten: we could introduce a new top level parameter, but just using the authorization_details can be a sufficient approach
Paul: diff parameters conveying the same thing in multiple places is not the best approach
Pedro: parameter which is domain specific in the top level is a bit weird, reusing authorization_details  is better because it is not domain specific
-----
Kristina presented the document with the ISO 18013-7 requirements for the OID4VP specification in order to support Browser API : https://docs.google.com/document/d/1AJDDWuRG_b-MOBrAwhBoQV3dhH3LD31WNEQKzOB36SY/edit?tab=t.0
Requested to the WG to take a look and comment.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20241115/451f854e/attachment-0001.htm>