[Openid-specs-digital-credentials-protocols] [agenda] DCP WG call

Jan Vereecken jan.vereecken at meeco.me
Fri Feb 14 14:31:45 UTC 2025


Hello Everyone,

Please find below the minutes of the meeting

Attendees

  *   Joseph Heenan
  *   Kristina Yasuda
  *   Michael Jones
  *   Aaron Parecki
  *   Andreea Prian
  *   Bjorn Helm
  *   Brian Campbell
  *   Christian Bormann
  *   Daniel Fett
  *   George Fletcher
  *   Hicham Lozi
  *   Juba Saadi
  *   Lee Campbell
  *   Timo Glaastra
  *   Jan Vereecken

Agenda (see previous mail)

Notes

HAIP/PR147: Addition of SD-JWT VCDM
https://github.com/openid/oid4vc-haip/pull/147

Summary by Daniel: In the context of EUDIW, this PR tries to come up with a single credential format that is able to express/secure both simple credentials as well as W3C Verifiable Credentials which allows for selective disclosure. In the end, the EUDIW would reference mdoc and SD-JWT VC with W3C Verifiable Credential data structure on top.

Discussion on the need to support multiple formats and in particular for VCDM the need to support both 1.1 and 2.0. Requirements come from EUDIW. Multiple member states have indicated they already use VCDM (1.1 and 2.0) and want to keep using it (e.g. Spain in education space w. EBSI).

No decision on whether a nested vcdm claim is necessary

Discussion whether HAIP is a spec, 1 profile or a set of profiles. Lee argued for 1 profile w optional parts, Martijn and Joseph that it is a set of profiles and implementors can choose to support all or parts of it.

Actions:

  *   The WG asked for a list of requested formats by member state to understand how big the demand is.
  *   More reviews required for this issue. No volunteers found during meeting. Joseph is going to discuss with editors.

OpenID4VP/399 text about effective client id in DC API can probably be improved
https://github.com/openid/OpenID4VP/issues/399

Marked as ready-for-pr as there were no objections against the POV in the issue

OpenID4VP/399 include verifier's public encryption key into SessionTranscript to prevent some possible attacks in case of unsigned requests
https://github.com/openid/OpenID4VP/issues/400

Some discussion about whether it’s appropriate to fix security issues only in mdoc, whether this issue is worth fixing at all (e.g. Brian thinks it's not). If there is an issue that should be fixed, then we should have generic guidance so that people creating new credential format profiles know what they need to do to safely use those credential formats with VP.

Actions:

  *   Lee to think about severity of security issue and add a comment.

OpenID4VP/401 make consistent the use of prefixes in the client_id scheme
https://github.com/openid/OpenID4VP/pull/401

Joseph introduced the topic, in particular that when we first defined the ‘https’ scheme to mean only OpenID Federation we weren’t aware there were other OAuth ecosystems also using https URLs. Also showed the nice table Aaron did summarising the current situation and the suggested approach (https://github.com/openid/OpenID4VP/pull/401#issuecomment-2648740662).

Mike J: We should avoid breaking federation, this would break systems people have in production that use OID4VP with Federation

Joseph: Even if that means we diverge from how IETF define the same mechanism?

Mike J: Yes, but that’s not the discussion we’re having.

Brian: We already made other breaking changes so they’re already broken anyway

We ran out of time without agreeing on next steps.

Joseph mentioned various other PRs listed in the agenda don’t appear to need any further discussion and will be merged once they have sufficient approvals:

noteworthy addition:

  *   https://github.com/openid/OpenID4VP/pull/398
  *   https://github.com/openid/OpenID4VP/pull/393
  *   https://github.com/openid/OpenID4VP/pull/424

smaller PRs:

  *   https://github.com/openid/OpenID4VP/pull/419
  *   https://github.com/openid/OpenID4VCI/pull/452
  *   https://github.com/openid/OpenID4VCI/pull/449
  *   https://github.com/openid/OpenID4VCI/pull/439
  *   https://github.com/openid/OpenID4VCI/pull/441
  *   https://github.com/openid/oid4vc-haip/pull/85/
  *   https://github.com/openid/OpenID4VP/pull/380

Thanks Joseph for covering the last 15 minutes while I was dealing with a power outage!

Regards,
Jan

________________________________
From: Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols-bounces at lists.openid.net> on behalf of Joseph Heenan via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net>
Sent: Thursday, 13 February 2025 16:55
To: Digital Credentials Protocols List <openid-specs-digital-credentials-protocols at lists.openid.net>
Cc: Joseph Heenan <joseph.heenan at oidf.org>
Subject: [Openid-specs-digital-credentials-protocols] [agenda] DCP WG call

Hi All,

Below is the suggested agenda for today's DCP WG call in 5 minutes' time. Next week, OIDF Liaisons will be preparing a document for the ISO meeting at the beginning of March.

  1.  OIDF Antitrust Policy at http://www.openid.net/antitrust applies / IPR reminder
  2.  Note-taking
  3.  Events/External orgs
  4.  Public Review Period for Proposed Implementer’s Draft of OpenID4VC High Assurance Interoperability Profile has started: https://openid.net/public-review-period-for-proposed-implementers-draft-openid4vc-haip/
  5.  Please see notes from the Tue mtg on the updates from ISO SC17 WG4 mtg in Nagasaki last week
  6.  [HAIP] SD-JWT VCDM:
     *   https://github.com/openid/oid4vc-haip/pull/147
     *   https://github.com/openid/oid4vc-haip/issues/128
  7.  Continue ISO-related OID4VP / HAIP topics:
     *   https://github.com/openid/OpenID4VP/issues/399
     *   https://github.com/openid/OpenID4VP/issues/400
  8.  other issues that have been asked to be put on the agenda
     *   make consistent the use of prefixes in the client_id scheme https://github.com/openid/OpenID4VP/pull/401
  9.  PRs that will be merged once 3-4 approvals are in, without another WG discussion (unless something unexpected comes up)
     *   [merged] breaking change: https://github.com/openid/OpenID4VCI/pull/453
     *   noteworthy addition:
        *   https://github.com/openid/OpenID4VP/pull/398
        *   https://github.com/openid/OpenID4VP/pull/393
        *   https://github.com/openid/OpenID4VP/pull/424
     *   smaller PRs:
        *   https://github.com/openid/OpenID4VP/pull/419
        *   https://github.com/openid/OpenID4VCI/pull/452
        *   https://github.com/openid/OpenID4VCI/pull/449
        *   https://github.com/openid/OpenID4VCI/pull/439
        *   https://github.com/openid/OpenID4VCI/pull/441
        *   https://github.com/openid/oid4vc-haip/pull/85/
        *   https://github.com/openid/OpenID4VP/pull/380
  10. Please continue the discussion in the comments
     *   "Clarify the wallet behavior if the signature can't be verfied"  https://github.com/openid/OpenID4VP/issues/395
     *   multi RP request: discuss "If the RP sends a request with multiple client identifiers for one or more mdocs, how is it supposed to figure out which client identifier to use for checking the session transcript in the respective device response?": https://github.com/openid/OpenID4VP/pull/308
     *   [please vote for the options] agree on the path forward for "same credential fulfilling multiple credential queries": https://github.com/openid/OpenID4VP/issues/397
     *   [ready-for-PR] Support for RP authentication with X.509 certificates that do not contain a dns name: https://github.com/openid/OpenID4VP/issues/320

Please review priority issues for OpenID4VP 1.0 that do not have a resolution yet: https://github.com/openid/OpenID4VP/issues?q=is%3Aissue%20state%3Aopen%20milestone%3A%22Final%201.0%22%20-label%3Ahas-PR%20-label%3Aready-for-PR%20

Please volunteer to do PRs for the ready-for-PR labelled Issues in OpenID4VP / OpenID4VCI / HAIP repos.

Thanks

Joseph
