[Openid-specs-digital-credentials-protocols] [agenda] DCP WG + SIOP call

Nemanja Patrnogic patrnogicnemanja at gmail.com
Fri Dec 13 00:36:47 UTC 2024


DCP Meeting notes for 12th of December 2024

*Participants:*
- Kristina Yasuda
- Paul Bastian
- Martijn Haring
- Christian Bormann
- Oliver Terbu
- Andreea Prian
- Pedro Felix
- Michael Jones
- David Chadwick
- Steve Venema
- Daniel Fett
- Brian Campbell
- Lukasz Jaromin
- Bjorn Hjelm
- Rajvardhan Deshmukh
- John Bradley
- Tom Jones


*OAuth Security Workshop + Hybrid WG Meeting*
OAuth security workshop will take place at the end of February and the
Hybrid WG Meeting will happen the day before. There will be a venue for
in-person attendance.

Workshop is looking for sponsors and for proposals for a session:
https://oauth.secworkshop.events/osw2025


*ISO discussion recap*
Alignment document can be found here:
https://docs.google.com/document/d/1AJDDWuRG_b-MOBrAwhBoQV3dhH3LD31WNEQKzOB36SY/edit?tab=t.0

There is an agreement to put mdoc profile over digital credentials
(formerly known as browser) API in HAIP.

There will be an ISO virtual meeting in the last week of Jan, when the
requirements table from the mentioned document will be reviewed and discussed.


*OpenID for VP Implementers Draft v3*
Vote on the implementers draft for VP:
https://openid.net/foundation/members/polls/346

After IDv3, the plan is for VP to go to Final 1.0. Chairs are currently
labelling issues that will go in 1.0, or that will go in 1.1. Take a look
at https://github.com/openid/OpenID4VP/milestone/2 and provide feedback.

*VCI*

PR #408 - Draft for wallet attestation
    - merged
PR #276 - Define claims display description and claims path query
    - 'value_type' to be removed (three thumbs up were given), Daniel Fett
will make changes, Paul Bastian will approve and help resolve his
colleague's requests for changes
    - call for people to convert standing comments / questions to issues
    - desire expressed to get approvals before the next WG call, so please
review

*HAIP*

PR #122 - mdoc profile
    - Issues opened for certain questions / comments
    - wallet must support signed and unsigned requests - issue #129
    - transaction data - issue #130
    - encryption details - issue #131
    - sessiontranscript - issue #135
    - Minor discussion regarding wording API VS HTTPS VS Wallet URL
triggered by
https://github.com/openid/oid4vc-haip/pull/122#discussion_r1882203500
        - John Bradley suggested wording it like 'redirect based binding'
        - post binding?
        - Brian Campbell suggested 'redirection' as a general term for
bouncing the user around; he considers 'redirect based binding' SAMLy
        - Oliver Terbu does not agree that it is redirect based
        - Kristina Yasuda will open an issue for this discussion
        - plan is to merge this PR as a starting point

Issue #131 -  Encryption details over digital cred API
    - Table of options
          1. JWE with ECDH_ES
          2. JWE with HPKE (preferred option but not referenceable as it is
still in the works)
          3. not use JWE, define new mechanism
    - Plan to work with option #1 but signal that option #2 will be used
when ready
    - Martijn Haring questions if the plan is good and thinks that the HPKE
solution is better than ECDH-ES because of better lib support and ease of
implementation
    - John Bradley disagrees with this comment and thinks plenty of libs do
not support it as the spec is not ready and argues that ECDH-ES as an
option is better and allows the use of JWE, MLKEM, and thinks we need to
use better algos when they become available with JWE, eventually things can
be migrated to HPKE or MLKEM
    - Martijn Haring asks why we are specifying this in HAIP and not the base
VP spec
    - Brian Campbell + John Bradley: maybe we lose protocol flexibility if
we do that, if it went into core VP the text would need to be carefully
worded to not preclude the use of detached arguments -- this is how you do
it when you have detached ADD and this is how you do it when you don't
    - next step: see if we need specific proposal for JWE with ECDH-ES in
Core VP not HAIP and Brian Campbell volunteered to work on that, and do a
specific mandate of an algorithm in HAIP
    - View summary at
https://github.com/openid/oid4vc-haip/issues/131#issuecomment-2539528136


*VP*
Issue #310 HPKE without JSON?
    - John Bradley does not like abandoning JWE because of incompatibility
and complexity, others seem to agree (Michael Jones, Brian Campbell)
    - Brian Campbell agrees that we should not build our own HPKE
serialization and use JWE.
    - View summary at
https://github.com/openid/OpenID4VP/issues/310#issuecomment-2539453895


*Lazy Verifier problem tangent*
    - Michael Jones raised 'lazy verifier'
problem and filed a PR with the folks working on the JOSE-HPKE
    - Oliver Terbu opened an issue at
https://github.com/ietf-wg-jose/draft-ietf-jose-hpke-encrypt/issues/13
    - Brian Campbell thinks that is a massive amount of problems that the
verifier needs to check and that a lot of time of the WG is spent
discussing something that might not be valuable
    - Paul Bastian agrees with Brian that we need to see if lazy verifier
problem is really an issue and questions whether it applies to the DC API
at all
    - Martijn Haring thinks that lazy verifier problem is important and
makes the protocol better and more robust, although not a complete solution
for all issues, and also states that it applies to the DC API
    - John Bradley thinks proposed solutions do not solve the 'very very
very lazy verifier,' but agrees that it makes it harder and in general
sense it makes it more robust although for just a couple of parameters

Best regards,

Nemanja

On Thu, Dec 12, 2024 at 3:21 PM Kristina Yasuda via
Openid-specs-digital-credentials-protocols <
openid-specs-digital-credentials-protocols at lists.openid.net> wrote:

> Hi,
>
> Here is the agenda proposal for the call later today.
>
>    1. OIDF Antitrust Policy at www.openid.net/antitrust applies
>    2. IPR reminder/ Note-taking
>    3. Introductions/re-introductions
>    4. Agenda bashing/adoption
>    5. Events/External orgs
>       1. proposal to do a hybrid DCP WG a day before OSW
>       2. update from the ISO Sapporo mtg last week - HAIP will be the
>       focus for the next month.
>    6. VCI
>       1. please review the PRs (
>       https://github.com/openid/OpenID4VCI/pull/276 and
>       https://github.com/openid/OpenID4VCI/pull/408 ). starting WGLC for
>       ID-2 once the PRs are ready.
>    7. VP
>       1. the list of issues that chairs think should be discussed/tackled
>       before Final 1.0. (includes issues that the WG might decide not to pursue
>       but might result in breaking changes if tackled)
>       https://github.com/openid/OpenID4VP/milestone/2
>       2. voting on-going - please vote!
>       https://openid.net/foundation/members/polls/346
>       3. multi RP authentication:
>          1. https://github.com/openid/OpenID4VP/pull/308
>    8. HAIP
>       1. HAIP mdoc over the browser API profile - would like to merge as
>       a starting point:
>       https://github.com/openid/oid4vc-haip-sd-jwt-vc/pull/122
>       2. repo has been renamed to oid4vc-haip
>       3. MDOC encryption (focus of today)
>          1. https://github.com/openid/oid4vc-haip-sd-jwt-vc/issues/131
>
>
> Best,
> Kristina
> --
> Openid-specs-digital-credentials-protocols mailing list
> Openid-specs-digital-credentials-protocols at lists.openid.net
>
> https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols
>