[Openid-specs-digital-credentials-protocols] 2025-01-30 DCP Meeting Minutes

Thu Jan 30 21:24:46 UTC 2025

Participants

Joseph Heenan (OIDF & Authlete)

Kristina Yasuda

Steve Venema

George Fletcher

Brian Campbell

Andy Lim

Gareth Oliver

Bjorn Hjelm

Rajvardhan Deshmukh (Cisco)

Martijn Haring

Oliver Terbu

Jan Vereecken

Andreea Prian (iDAKTO)

Paul Bastian

Juba Saadi | Lissi GmbH

Lee Campbell

Notes

   -

   Going to vote, check your issues are labeled correctly
   -

   Certain amount of issues are ready for PR, please help!
   -

   Registration for RDW (before ISO event) deadline tomorrow. Please sign up
   -

   Agenda
   -

      Recap ISO virtual meeting
      -

      Multi-RP request
      -

      Want to discuss PR 393
      -

      PR 406
      -

      Unsigned request processing
      -

   Next ISO meeting (1st week of march) update on issues
   -

   Issue 400
   -

      (brian): if we need to do this then we should do it for all formats.
      Don’t believe it is needed, and has a high bar given the change.
      -

   Issue 406
   -

      Allow encrypting request without signing because each credential is
      signed.
      -

      Consensus: makes sense, brian to do PR
      -

   Issue 400
   -

      <gave summary>
      -

      Want to be careful with encouraging not verifying a signature
      -

      Explicitly allowing for it in multi-auth (should *not* do this)
      -

      Could do it with parallel requests, but not in favour
      -

      How to solve not trying all?
      -

      Could try and communicate it in JARM that already has this, but this
      is not used often.
      -

      Is there a side channel leakage
      -

         Maybe? But it’s pretty minor.
         -

         Could always include it, but then it requires all other credential
         formats to change.
         -

         General consensus is that replacing client id with origin is
         reasonable.
         -

         Be clear that wallet can reject
         -

         Should an RP be able to know and reject based on wallet processing
         -

            Bit philosophical, but might make sense as there is more risk
            -

   Update on PR 406 so there isn’t a minor version.
   -

      Why this: to make processing logic simpler
      -

      Must make a new identifier when a backwards incompatible change is
      made
      -

      DCP WG can decide, people ok are with it. Request re-review and
      merge.
      -

   HAIP last call
   -

   Missing the restriction on client_id_scheme for other profiles. Will fix
   in last call
   -

    Update on security analysis
   -

      Coordination with researchers (in a useful timeframe).
      -

         Not possible to do e2e in a few weeks.
         -

         Focus on the interactions over the DC API.
         -

         Find an abstraction without going into the details.
         -

         Need a more rigorous verification from someone closer to the DC API
         -

            Lee volunteered
            -

   Test suits for utrecht test event will be available
   -

   Verbatim from chat (gail):
   -

      Ideally we would be looking for 2-5 implementers representing
      different jurisdictions. For noting: Joseph plans to be there in person.
      -

      For other testing work, Joseph intends to release beta of VP Verifier
      with mdoc/mdl support mid-next week. Who will be able to test the tests
      where released.
      -

      The cert team also plans to release VCI Initial ID2 tests for issuers
      and phase 2 with beta tests in March, so we also seek to line up who is
      available to test the tests.
      -

   Web payments looking to join
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20250130/40a58a73/attachment-0001.htm>