[Openid-specs-digital-credentials-protocols] [agenda] DCP WG call

Jin Wen jwen at noknok.com
Fri Mar 21 04:51:53 UTC 2025


Meeting Minutes:

Date: March 20, 2025

--- Participants:
 
Andreea Prian
Bjorn Hjelm
Christian Bormann
Daniel Fett
David Zeuthen
Fabian Aggeler
Gail Hodges
Gareth Oliver
Hicham Lozi
Jin Wen
Kristina Yasuda
Lee Campbell
Martijn Haring
Mirko Mollik
Nick Steele
Oliver Terbu
Paul Bastian
Paolo De Rosa
Peter Sorotokin
Rajvardhan Deshmukh
Veaceslav Dimitroglo
Butterfly Bail-out (us-mtv-plym1625): sorry not able to decode

Announcements
Please register for pre-IIW and post-IIW Hybrid DCP WG meetings
Plan to add a Japan-friendly call once every three weeks
Several Japanese companies have joined the OpenID Foundation with primary interest in this working group
Current call times are not Japan-friendly (even APAC call works for Australia/New Zealand but not Japan)
Doodle poll will be sent for scheduling the new call time
Vote for Proposed Implementer's Draft of OpenID4VC High Assurance Interoperability Profile is being conducted at https://openid.net/foundation/members/polls/355
Logistics for 5/5 event are underway with OIDF staff, with BRD likely to host both workshop and in-person part of the hybrid webinar
Gail will brief head of NY Fed John Williams as part of an innovation panel on fraud and digital identity next week (4/1); if anyone has any key messages (or questions to ask the audience), pls ping gail at oidf.org.

First Topics:
Priority PRs
PR #448 - DC API: Always use Origin for binding response
Extremely important, needs immediate review
https://github.com/openid/OpenID4VP/pull/448
Removing client_id from mdoc OpenID4VP DC API handover
Request remains unchanged (unsigned browser API request without client_id, signed API request with client_id)
Response/session transcript for mdoc would not include client_id
Currently has two approvals but needs more
This PR unblocks multi-relying party PR and several others
Action: Members to review this PR
PR #421: Transaction Data Requirements PR
https://github.com/openid/OpenID4VP/pull/421
Makes transaction data hashes and algorithms credential format specific
Each credential format will define how to pass transaction data
Addresses support for transaction data with mdoc
Discussion on two interpretations of how transaction data works:
Input data where processing is out of scope
Exact signing of structure in request
Some use cases (like payments) might need flexibility for wallets to modify data
Action: Lee to open a new issue documenting requirements for payments use case

Other PRs Needing Review
PR #452 - client_id scheme PR: Fixes preferential treatment given to OpenID federation and GID scheme (needs approval)
PR #450 - Claim sets PR: Straightforward PR, has two approvals but needs more
PR #459 - add sd-jwt vcdm, needs reviews
PR #401 - Not discussed yet since Brian is not present

Second Topics:
RP Registration Certificates
Presented by Mirko:

https://github.com/openid/OpenID4VP/issues/396
eIDAS regulation requires passing more information to wallets during presentation requests
Information includes registration certificates with intended use and authorization certificates
Current proposal is to add a "credentials" parameter with:
type: based on IANA media types
credential_match: limits usage to specific context
data: the content field

Discussion Points
"Credentials" parameter name is overloaded and potentially confusing
Alternative approaches:
Use existing client metadata parameter instead
Place information in signature header of request
Multi-ecosystem considerations for wallets that support multiple jurisdictions
Multi-relying party implications need careful consideration
Suggestion to put it in 'client_metadata'
Rename 'type' (another suggestion was 'format')
Need for 'credentialsMatch' confirmed
Precedent exists with 'credential_ids' in 'transaction_data'
Data field will be parsed by the Wallet based on the type
Wallet must ignore any unrecognized data it does not understand

Decision
Signature header approach seems preferable
Continue discussion next week for final decision

Verifiable Credentials Without Proving Key Binding
Issue #6 revolves around implementing a feature for handling credentials that don't require key binding in presentations

Presented by Daniel:

https://github.com/openid/OpenID4VP/issues/6
Discussion on allowing credentials to be presented without key binding
Request could include a "no_binding_needed" parameter

Possible Response Approaches
Solution A:
Require at least one credential with key binding in each response while allowing multiple non-key-bound credentials
Pros: Security guarantees maintained but limits use cases
Solution B:
For responses with only non-key-bound credentials, include nonce/audience in response
These elements would be unsigned, changing security properties
Could be encoded in VP token or as separate response parameters

Discussion Points
Need to maintain connection between request and response even without key binding
Security implications must be clearly documented in the spec
mdoc with device MAC also uses nonce
Alternatives include using state parameter instead of nonce
Encryption considerations for non-key-bound credentials

Action Items
Review PR #448 and other open PRs
Lee to open a new issue on transaction data requirements for payments
Continue discussion on RP registration certificates next week
Evaluate security implications for credentials without binding
Prepare for decision on signature header approach for RP certificates

Next Week's Agenda (March 27, 2025)
VCs without VPs: https://github.com/openid/OpenID4VP/issues/6
Wallet attestation during presentation PR: https://github.com/openid/OpenID4VP/pull/318

Upcoming OpenID4VCI Issues for Discussion (in 1-2 weeks)
https://github.com/openid/OpenID4VCI/issues/71
https://github.com/openid/OpenID4VCI/issues/205
https://github.com/openid/OpenID4VCI/issues/305
https://github.com/openid/OpenID4VCI/issues/1
https://github.com/openid/OpenID4VCI/issues/99

HAIP PRs Needing Review
https://github.com/openid/oid4vc-haip/pulls

Note: The current plan is to focus on getting OpenID4VP ready for 1.0 Final (on track for June) first, then move to OpenID4VCI, and then HAIP.



Best,
Jin


> On Mar 20, 2025, at 05:52, Kristina Yasuda via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> 
> Hi All,
> 
> To also communicate in writing, the current plan is to focus on getting OpenID4VP ready for 1.0 Final (we are on track for June) first and then move to OpenID4VCI and then HAIP.
> 
> Below is the suggested agenda for the DCP WG call:
> OIDF Antitrust Policy at www.openid.net/antitrust applies / IPR reminder
> Note-taking
> Events/External orgs
> please register for pre-IIW and post-IIW Hybrid DCP WG meetings
> Vote for Proposed Implementer’s Draft of OpenID4VC High Assurance Interoperability Profile is being conducted at https://openid.net/foundation/members/polls/355
> [heads up] co-chairs are trying to find a slot for a once-in-2-4-weeks call that is Japan-friendly, since there are some companies interested in joining from Japan and our APAC calls are friendly for NZ/Australia but not really Japan.
> reminding people to review PRs: https://github.com/openid/OpenID4VP/pulls?q=is%3Aopen+is%3Apr+milestone%3A%22Final+1.0%22
> especially this one. it unblocks some other important PRs: https://github.com/openid/OpenID4VP/pull/448
> and this one: https://github.com/openid/OpenID4VP/pull/421
> EUDIW requirement. RP registration certificates and other attestations/certificates to match issuer policies: https://github.com/openid/OpenID4VP/issues/396
> agree on the direction for "same credential fulfilling multiple credential queries" https://github.com/openid/OpenID4VP/issues/397
> Next week Tue the plan is to discuss 
> VCs without VPs: https://github.com/openid/OpenID4VP/issues/6
> wallet attestation during presentation PR: https://github.com/openid/OpenID4VP/pull/318
> 
> about VCI... Here is the list of issues that would require longer discussion in OpenID4VCI. We will get to them in 1-2 weeks once we tackle all OpenID4VP issues. Please start looking at them:
> https://github.com/openid/OpenID4VCI/issues/71
> https://github.com/openid/OpenID4VCI/issues/205
> https://github.com/openid/OpenID4VCI/issues/305
> https://github.com/openid/OpenID4VCI/issues/1
> https://github.com/openid/OpenID4VCI/issues/99
> about HAIP... there are a few PRs that need to be reviewed too: https://github.com/openid/oid4vc-haip/pulls
> 
> Best,
> Kristina
