[Openid-dcp] [notes] DCP WG + SIOP Call (EU) 19th of June
torsten at lodderstedt.net
Thu Jun 19 08:13:52 UTC 2025
Hi,
below are the meeting minutes from the working group call June 19th.
best regards,
Torsten.
--- Attendees:
Daniel Fett
Andreea Prian
Andres Olave
Dima Postnikov
Stefan Charsley
Torsten Lodderstedt
Paul Bastian
Ajay Jadhav
Nat Sakimura
--- Issues/PRs:
https://github.com/openid/OpenID4VCI/pull/509
Dima to review overnight
Andres will also review
https://github.com/openid/OpenID4VCI/pull/520
Is the shift towards a new design (fully signed instead of signed attribute) needed?
What is mandatory to implement?
Asked attendees to state their opinion on the PR
https://github.com/openid/OpenID4VCI/pull/505
Not relevant for the attendees; the main focus is to ensure the extension does not make the use of the credential endpoint more complex for implementers relying on TLS
Asked people to review
Nonce Endpoint Protection
https://github.com/openid/OpenID4VCI/issues/541
https://github.com/openid/OpenID4VCI/issues/461
It seems the access token would primarily be used to manage/shard nonces.
For c_nonces, self-contained nonces are sufficient.
There might be value in the issuer being able to signal its requirement for an access token.
What about DPoP nonces? They must be fetched unprotected as they are required for the token request (issuing access tokens). Also, if the access token is DPoP bound, the nonce endpoint request itself would need to be DPoP protected.
General comment: Many security protocols provide a nonce in the first step of the process in an unprotected manner, which doesn't seem to be a problem.
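The minutes state that self-contained nonces are sufficient for c_nonces. The following is an added example, not part of the original message and not taken from OpenID4VCI or any issuer implementation, of a nonce that carries its own expiry and an HMAC tag so the issuer can validate it without stored state or an access token. The key handling, the 300-second lifetime and the function names `mint_nonce` and `check_nonce` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

KEY = os.urandom(32)   # assumption: one issuer-side secret, no rotation shown
TTL_SECONDS = 300      # constructed validity window, not a value from the spec
TAG_LEN = 32           # HMAC-SHA256 output size in bytes


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_nonce(key=KEY, now=None, ttl=TTL_SECONDS):
    """Return a nonce of the form b64url(expiry || random || HMAC(key, expiry || random))."""
    expiry = int(time.time() if now is None else now) + ttl
    body = struct.pack(">Q", expiry) + os.urandom(16)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body + tag)


def check_nonce(nonce, key=KEY, now=None):
    """Validate a nonce with no server-side lookup. Returns (ok, reason)."""
    try:
        raw = _b64d(nonce)
    except (ValueError, TypeError):
        return False, "malformed"
    if len(raw) != 8 + 16 + TAG_LEN:
        return False, "malformed"
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison before trusting any field inside the body.
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag"
    (expiry,) = struct.unpack(">Q", body[:8])
    if int(time.time() if now is None else now) > expiry:
        return False, "expired"
    return True, "ok"
```

A nonce built this way is accepted any number of times until it expires; enforcing single use would require the issuer to keep state.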