[Openid-dcp] DCP WG US call agenda

Jin Wen jwen at noknok.com
Wed Jun 25 00:02:40 UTC 2025


Today’s minutes:

Digital Credentials Protocols Working Group Meeting Minutes
Date: Tuesday, June 24, 2025
Time: 12:01 PM PDT
Chair: Torsten
Note-taker: Jin

Attendees
Torsten Lodderstedt, Kristina Yasuda, Joseph Heenan, Daniel Fett, Patent Pending, Andres Olave, Bjorn Hjelm, Brian Campbell, Christian Bormann, Gareth Oliver, George Fletcher, Lee Campbell, Lukasz Jaromin, Martijn Haring, Robert Gallagher, Michael Jones, Paul Bastian, Tim Cappalli, Tobias Looker and Jin Wen


Agenda Items
1. Note Well
The new Note Well document was introduced, which replaces the IPR/antitrust point and incorporates both those elements plus the new code of conduct policy.

2. External Events/Announcements - GDC Conference
Torsten provided an overview of the Global Digital Collaboration (GDC) Conference scheduled for July 1-2, 2025, in Geneva, Switzerland. Key points:

Over 100 sessions planned

Standards track sessions featuring HAIP as basis for global interoperability

Collaboration with W3C, FIDO, and ISO

Kristina will demonstrate the German national wallet alongside the French national wallet

Various relevant sessions including OpenID4VPBLE, mDL/mdoc, SD-JWT, and DIDs


Torsten shared the GDC standard track sessions

HAIP - OpenID4VC + DC API + CTAP - (Lee, Tim, Christian, Oliver, Kristina)
FIDO's Roadmap for Digital Credentials
Trust Management is mission critical for Wallets in Age of AI
Patterns + Problems + Solutions
OpenID4VPBLE
mDL/mdoc in a nutshell
SD-JWT and SD-JWT VC: Simple is a Feature
Decentralized Identifiers (DIDs) for global interoperability
Verifiable credential-based trust propagation for decentralized identity and its relationship with digital identity wallet
OpenID for Verifiable Credentials: Using conformance tests to achieving interoperability, security and scalability
GlobalPlatform technologies for wallets (GlobalPlatform)
Trust Services, the backbone of EUDI Wallet ecosystem (CSC, ETSI)
Claim169 (MOSIP, …)
What’s new in W3C VCs

3. Formal Decision on VP Draft
Decision: The working group approved taking OpenID for VP draft-29 to voting. Joseph confirmed that the announcement for the vote went out yesterday and voting is already open.

4. Extension of Thursday Calls
Decision: Approved extending Thursday calls to 2 hours until HAIP goes to WGLC. Next week's Tuesday call will be cancelled due to GDC, with Thursday made a 2-hour call (second hour non-working group).

5. VCI 1.0 Working Group Last Call Preparation
Pull Requests Reviewed:
Presentation During Issuance (#509 <https://github.com/openid/OpenID4VCI/pull/509>)

Status: Pending final reviews from Christian (done now) and Tobias

Daniel confirmed all outstanding comments resolved


Signed Metadata (#520 <https://github.com/openid/OpenID4VCI/pull/520>)

The main discussions on Pull Request #520 (Signed Metadata) centered on two key technical issues:

Mandatory Support for Unsigned Metadata
The first major discussion point was about requiring issuers to support the unsigned form (application/json) of metadata for interoperability purposes. The suggestion was to mandate that issuers must support application/json even when they also offer signed metadata (application/JWT). This would ensure that wallets always have a fallback option to retrieve metadata in unsigned form if they cannot process signed metadata.
Christian noted that while this change doesn't fundamentally alter the behavior - since wallets that can't understand signed metadata likely can't provide wallet attestations anyway and would fail later in the process - the working group seemed to want this requirement for improved interoperability.

Signature Verification Requirements for Wallets
The second major discussion focused on what wallets must do when they receive signed metadata. The debate was whether to change the specification from "should" to "must" regarding signature verification. The proposed requirement was:
"When requesting signed metadata, the wallet must establish trust and verify signatures"
This means that if a wallet actively requests signed metadata, it must either:
Successfully verify the signature and establish trust in the signing key, or
Fail the request entirely
The rationale was that if wallets are going to fetch signed metadata, they should be required to actually verify it rather than potentially ignoring the signature. If they cannot verify it, they should use the unsigned form instead.

DC API Compatibility Concerns
There was also discussion about how these changes would affect the future Digital Credentials API (DC API) implementation, with some concerns about potentially requiring different processing rules. However, the working group decided to address DC API compatibility separately when that specification is integrated.
The working group ultimately reached consensus on both changes, with four approvals received for the PR.

Key decisions made:

Issuers must support application/json (unsigned metadata) for interoperability

When requesting signed metadata, wallets must establish trust and verify signatures

Text clarified: "When requesting signed metadata, the wallet must establish trust"


Credential Request Denied Error Case (#549 <https://github.com/openid/OpenID4VCI/pull/549>)

Status: Approved and ready to merge

Kristina approved after conflicts resolved


Credential Metadata Clarification (#552 <https://github.com/openid/OpenID4VCI/pull/552>)

Status: Approved with no objections raised


Issues Discussed:
Nonce Endpoint Protection (#461 <https://github.com/openid/OpenID4VCI/issues/461>)
Working Group Consensus:

No need to protect nonce endpoint with access token

Nonce endpoint serves primarily for freshness, not replay protection

Session binding adds unnecessary complexity

Nonces can be implemented as stateless on server side

Action: Issue will be closed in one week unless strong objections raised

Action: Create PR to explicitly state nonce endpoint is not protected


6. Working Group Last Call Decision
Decision: Working group reached consensus to start Working Group Last Call for OpenID4VCI 1.0, noting that:

PRs #509 and #520 are awaiting final reviews with no outstanding technical issues

One additional PR expected to clarify nonce endpoint protection

14-day WGLC period will begin, with potential to start 60-day public review simultaneously


7. Action Items
Everyone: to continue VP voting process: 
https://openid.net/foundation/members/polls/364
https://openid.net/specs/openid-4-verifiable-presentations-1_0-29.html
Christian and Tobias to complete final reviews of PR #509

Create PR clarifying nonce endpoint is not protected

Torsten to make official announcements regarding call schedule changes

Lee to discuss nonce implementation with Peter at GDC


8. Next Meetings
Thursday, June 27, 2025: Extended 2-hour call

Tuesday, July 2, 2025: Cancelled due to GDC

Regular schedule resumes following GDC


Meeting adjourned at approximately 1:00 PM PDT




> On Jun 24, 2025, at 09:20, Kristina Yasuda via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> 
> Hi All,
> 
> Proposed agenda for the US friendly call today on the usual zoom, https://zoom.us/j/94085567252?pwd=cHNFMExFalhlM2MrOFhoN3J6eDRuZz09
> 
> Given WG agreement, chairs believe we could start WGLC for OpenID4VCI 1.0 today.
> Notewell (replaces the IPR/antitrust point we usually have, it incorporates both of those and the new code of conduct policy): https://openid.net/wp-content/uploads/2025/06/OIDF_Groups-Activities-Events-Note-Well_Final_2025-06-12.pdf
> Note-taking
> external events/announcements
> might be good to sync on GDC sessions next week relevant to this WG 
> (has been announced 2 weeks ago) formal decision on going ahead with the updated VP draft as per https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20250609/000831.html
> Chairs' proposal to extend Thursday calls to 2h until HAIP goes to WGLC
> Review / merge open VCI 1.0 PRs that we need to merge to go to WGLC, in particular:
> Presentation During Issuance - https://github.com/openid/OpenID4VCI/pull/509
> add option to have signed Credential Issuer metadata, remove signed_metadata from Credential Issuer metadata - https://github.com/openid/OpenID4VCI/pull/520
> Open VCI issues, in particular:
> Protect the nonce endpoint https://github.com/openid/OpenID4VCI/issues/461, or:
> Add explicit statement that nonce endpoint is not protected by an access token - https://github.com/openid/OpenID4VCI/issues/541
> If anyone has any specific topics they’d like to cover please reply to this email or ask at the start of the call.
> 
> Cheers,
> Kristina
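
One way to implement the stateless nonce recorded under issue #461 in the minutes above, as an added example that is not from the minutes or from the OpenID4VCI specification: the issuer hands an HMAC-tagged timestamp to any caller, without an access token, and later checks only the tag and the age. The HMAC-SHA256 layout, the demo key, the 300-second window and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed demo key (assumption); a real issuer loads this from its secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300  # assumed freshness window, not a value from the minutes


def issue_nonce(now=None):
    """Mint a nonce for an unauthenticated caller; nothing is stored server side."""
    issued_at = int(time.time() if now is None else now)
    payload = struct.pack(">Q", issued_at) + os.urandom(16)
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).rstrip(b"=").decode("ascii")


def check_nonce(nonce, now=None):
    """Return True if this issuer minted the nonce within the freshness window."""
    current = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(nonce + "=" * (-len(nonce) % 4))
    except (ValueError, TypeError):
        return False
    if len(raw) != 8 + 16 + 32:  # timestamp + random bytes + HMAC tag
        return False
    payload, tag = raw[:24], raw[24:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    issued_at = struct.unpack(">Q", payload[:8])[0]
    # Reject nonces from the future as well as expired ones.
    return 0 <= current - issued_at <= MAX_AGE_SECONDS
```

check_nonce accepts the same value repeatedly inside the window, which matches the consensus that the nonce provides freshness rather than replay protection.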
