[Openid-specs-digital-credentials-protocols] [agenda] DCP WG + SIOP call
Kristina Yasuda
yasudakristina at gmail.com
Thu Jan 23 20:43:21 UTC 2025
Hi All,
I wanted to follow up on the client_id/origin discussion we had today.
We don't have another DCP WG mtg before ISO virtual mtg next week. So
having heard DCP WG discussion and having re-read ISO requirement, what I
would like to offer as a way forward is *to explain at the ISO virtual mtg
that ISO requirement of “mdoc authentication must be bound to the origin”
is being addressed not by including origin in the session transcript but by
the following:*
What prevents MITM/replay of the request RP sent through the DC API:
- for unsigned requests, origin is in the returned credential because
  origin == client_id, and client_id is in the session transcript of mdoc and
  `aud` of sd-jwt vc
- for signed requests, expected_origins is in the signed request, so
  the wallet can identify if there is MITM/replay because origin from the
  platform will not match expected_origins in the signed request (MITM cannot
  modify content of the signed request)
If this gets accepted, *we could remove origin from session transcript*,
and conclude this discussion we have been having.
I also put this in the issue comment
<https://github.com/openid/OpenID4VP/pull/308#issuecomment-2610907352>. Please
respond if you strongly disagree.
Best,
Kristina
On Thu, Jan 23, 2025 at 8:36 PM Jan Vereecken via
Openid-specs-digital-credentials-protocols <
openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> Hi All,
>
> Please find the meeting minutes below
>
> - Participants
>   - Kristina Yasuda
>   - Christian Borrmann
>   - Steve Venema
>   - Daniel Fett
>   - Jin Wen
>   - Andreea Prian
>   - Andy Lim
>   - Bjorn Hjelm
>   - Brian Campbell
>   - Daniel Fett
>   - Juda Saadi
>   - Paul Bastian
>   - Torsten Lodderstedt
>   - Gareth Oliver
>   - Lukasz Jaromin
>   - Oliver Terbu
>   - Pedro Felix
>   - Rajvardhan Deshmukh
>   - Tim Cappalli
>   - Nemanja Patrnogic
> - Agenda
>   - Please register to the Hybrid meeting before OSW!
>     https://www.eventbrite.co.uk/e/oidf-dcp-wg-hybrid-meeting-prior-to-osw-2025-tickets-1146184230889
>   - https://openid.net/public-review-period-for-proposed-second-implementers-draft-of-openid-for-verifiable-credential-issuance/
>   - OID4VP / HAIP: Topics we need to tackle before ISO's virtual
>     meeting in the last week of January (they are labelled ISO_VirtualMeeting):
>     - discuss "If the RP sends a request with multiple client
>       identifiers for one or more mdocs, how is it supposed to figure out which
>       client identifier to use for checking the session transcript in the
>       respective device response?":
>       https://github.com/openid/OpenID4VP/pull/308
>     - how the request looks like for "returning multiple credentials
>       for one DCQL query":
>       https://github.com/openid/OpenID4VP/issues/298
>     - [ideally would like to merge today] intent_to_retain PR:
>       https://github.com/openid/OpenID4VP/pull/338
>     - [ideally would like to merge today] DCQL mandatory in DC API
>       https://github.com/openid/oid4vc-haip/pull/151
>     - [editorial ideally would like to merge today]
>       https://github.com/openid/oid4vc-haip/pull/153
>     - please review "Enable RP to convey the desired credential
>       issuers to the Wallet"
>       https://github.com/openid/OpenID4VP/pull/393
>   - please review priority PRs for OpenID4VP:
>     https://github.com/openid/OpenID4VP/pulls?q=is%3Aopen+is%3Apr+milestone%3A%22Final+1.0%22
>   - please review priority issues for OpenID4VP 1.0 that do not have
>     a resolution yet:
>     https://github.com/openid/OpenID4VP/issues?q=is%3Aissue%20state%3Aopen%20milestone%3A%22Final%201.0%22%20-label%3Ahas-PR%20-label%3Aready-for-PR%20
> - Notes
>   - *VP - PR338*: add intent to retain to claims query in DCQL
>     - Will be merged
>   - *HAIP - PR154*: remove pre-authz code
>     - Will be merged. Note: big change for implementors
>   - *HAIP - PR153*: Add Multi RP Credentials/Authentication capability
>     - Agreement to mandate x5c certificates
>     - Intention for a stable version to be published to support ISO
>       interop event (registration ending end of January)
>   - *HAIP - PR151*: Mandate DCQL instead of PE; all DCQL features are
>     mandatory
>     - Will be merged.
>   - *VP - PR308*: Add Multi RP Credentials/Authentication capability
>     - 2 questions in the PR that deserve some discussion.
>     - *Session transcript*
>       - Discussion on keeping the client identifier as an essential
>         security feature for both signed and unsigned requests and different
>         options to solve it in conjunction with the session transcript.
>       - No clear direction. Request for WG members to review the
>         different options in the PR!
>     - *Response encryption*: not discussed during call
>   - *VP - PR393*: DCQL: express desired credential issuers
>     - Request for reviews
>   - *VP - 298*: Support for selecting multiple credentials via a
>     single dcql
>     - Request for people to chime in.
>
>
> Have a nice day.
>
> Regards,
> Jan
>
>
> ------------------------------
> *From:* Openid-specs-digital-credentials-protocols <
> openid-specs-digital-credentials-protocols-bounces at lists.openid.net> on
> behalf of Kristina Yasuda via Openid-specs-digital-credentials-protocols <
> openid-specs-digital-credentials-protocols at lists.openid.net>
> *Sent:* Thursday, 23 January 2025 16:27
> *To:* Digital Credentials Protocols List <
> openid-specs-digital-credentials-protocols at lists.openid.net>
> *Cc:* Kristina Yasuda <yasudakristina at gmail.com>
> *Subject:* [Openid-specs-digital-credentials-protocols] [agenda] DCP WG +
> SIOP call
>
> Hi all,
>
> Below is the suggested agenda for today's DCP WG + SIOP call today.
>
> 1. OIDF Antitrust Policy at www.openid.net/antitrust applies
> 2. IPR reminder/ Note-taking
> 3. Introductions/re-introductions
> 4. Agenda bashing/adoption
> 5. Events/External orgs
>    1. please register to the Hybrid meeting before OSW!
>       https://www.eventbrite.co.uk/e/oidf-dcp-wg-hybrid-meeting-prior-to-osw-2025-tickets-1146184230889
> 6. OpenID4VP specification adopted by DCP WG
> 7. Public Review Period for Proposed Second Implementer’s Draft of
>    OpenID for Verifiable Credential Issuance Specification
>    <https://openid.net/public-review-period-for-proposed-second-implementers-draft-of-openid-for-verifiable-credential-issuance/>
>    ongoing
> 8. OID4VP / HAIP: Topics we need to tackle before ISO's virtual
>    meeting in the last week of January (they are labelled ISO_VirtualMeeting):
>    - discuss "If the RP sends a request with multiple client
>      identifiers for one or more mdocs, how is it supposed to figure out which
>      client identifier to use for checking the session transcript in the
>      respective device response?":
>      https://github.com/openid/OpenID4VP/pull/308
>    - how the request looks like for "returning multiple credentials
>      for one DCQL query": https://github.com/openid/OpenID4VP/issues/298
>    - [ideally would like to merge today] intent_to_retain PR:
>      https://github.com/openid/OpenID4VP/pull/338
>    - [ideally would like to merge today] DCQL mandatory in DC API
>      https://github.com/openid/oid4vc-haip/pull/151
>    - [editorial ideally would like to merge today]
>      https://github.com/openid/oid4vc-haip/pull/153
>    - please review "Enable RP to convey the desired credential issuers
>      to the Wallet" https://github.com/openid/OpenID4VP/pull/393
> 9. please review priority PRs for OpenID4VP:
>    https://github.com/openid/OpenID4VP/pulls?q=is%3Aopen+is%3Apr+milestone%3A%22Final+1.0%22
> 10. please review priority issues for OpenID4VP 1.0 that do not have a
>     resolution yet:
>     https://github.com/openid/OpenID4VP/issues?q=is%3Aissue%20state%3Aopen%20milestone%3A%22Final%201.0%22%20-label%3Ahas-PR%20-label%3Aready-for-PR%20
>
> Thank you!
> Kristina
>
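
The two checks described in the reply at the top of this message (origin bound as client_id for unsigned requests, expected_origins for signed ones), modelled as an added example. It is not code from the thread or from any specification; every class and function name is hypothetical, the origins and client_id are constructed, and signature verification of a signed request is assumed to have already succeeded.

```python
# Added illustration. All names are hypothetical; they are not taken from
# OpenID4VP, the DC API or ISO 18013-7. Signature verification of a signed
# request is assumed to have happened before wallet_bind() is called.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Request:
    signed: bool
    client_id: Optional[str] = None          # only meaningful when signed
    expected_origins: Tuple[str, ...] = ()   # only meaningful when signed

def wallet_bind(req: Request, platform_origin: str) -> Optional[str]:
    """Wallet side: return the client_id to bind into the response (session
    transcript for mdoc, `aud` for SD-JWT VC), or None to refuse."""
    if not req.signed:
        # Unsigned: origin == client_id, and the origin is the one reported
        # by the platform, never a value carried in the request body.
        return platform_origin
    # Signed: a relay cannot edit expected_origins, so a foreign caller shows.
    if platform_origin not in req.expected_origins:
        return None
    return req.client_id

def verifier_accepts(bound_client_id: str, own_client_id: str) -> bool:
    """Verifier side: the identifier bound into the response must be ours."""
    return bound_client_id == own_client_id

def outcome(req: Request, calling_origin: str, own_client_id: str) -> str:
    """Run one request through both checks and report where it stops."""
    bound = wallet_bind(req, calling_origin)
    if bound is None:
        return "refused by wallet"
    if not verifier_accepts(bound, own_client_id):
        return "rejected by verifier"
    return "accepted"

# Constructed sample values.
RP, RELAY = "https://rp.example", "https://relay.example"
UNSIGNED = Request(signed=False)
SIGNED = Request(signed=True, client_id="rp-client-id", expected_origins=(RP,))

if __name__ == "__main__":
    for name, req, cid in (("unsigned", UNSIGNED, RP), ("signed", SIGNED, "rp-client-id")):
        for origin in (RP, RELAY):
            print(f"{name:8} via {origin:22} -> {outcome(req, origin, cid)}")
```

In the unsigned case the relayed response is produced but fails at the verifier, because the relay's origin is what was bound; in the signed case the wallet stops before producing a response.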