[Openid-dcp] DCP WG US call agenda
David Chadwick
d.w.chadwick at truetrust.co.uk
Thu Jun 26 16:49:51 UTC 2025
Actually I was present as well, so could you add me
Many thanks
David
On 25/06/2025 01:02, Jin Wen via
Openid-specs-digital-credentials-protocols wrote:
> Today’s minutes:
>
>
> Digital Credentials Protocols Working Group Meeting Minutes
>
> Date: Tuesday, June 24, 2025
> Time: 12:01 PM PDT
> Chair: Torsten
> Note-taker: Jin
>
>
> Attendees
>
> Torsten Lodderstedt, Kristina Yasuda, Joseph Heenan, Daniel Fett,
> Patent Pending, Andres Olave, Bjorn Hjelm, Brian Campbell, Christian
> Bormann, Gareth Oliver, George Fletcher, Lee Campbell, Lukasz Jaromin,
> Martijn Haring, Robert Gallagher, Michael Jones, Paul Bastian, Tim
> Cappalli, Tobias Looker and Jin Wen
>
>
> Agenda Items
>
>
> 1. Note Well
>
> The new Note Well document was introduced, which replaces the
> IPR/antitrust point and incorporates both those elements plus the new
> code of conduct policy.
>
>
> 2. External Events/Announcements - GDC Conference
>
> Torsten provided an overview of the Global Digital Collaboration (GDC)
> Conference scheduled for July 1-2, 2025, in Geneva, Switzerland. Key
> points:
>
> * Over 100 sessions planned
> * Standards track sessions featuring HAIP as basis for global
>   interoperability
> * Collaboration with W3C, FIDO, and ISO
> * Kristina will demonstrate the German national wallet alongside the
>   French national wallet
> * Various relevant sessions including OpenID4VPBLE, mDL/mdoc,
>   SD-JWT, and DIDs
>
> Torsten shared the GDC standard track sessions
>
> * HAIP - OpenID4VC + DC API + CTAP - (Lee, Tim, Christian, Oliver,
>   Kristina)
> * FIDO's Roadmap for Digital Credentials
> * Trust Management is mission critical for Wallets in Age of AI
> * Patterns + Problems + Solutions
> * OpenID4VPBLE
> * mDL/mdoc in a nutshell
> * SD-JWT and SD-JWT VC: Simple is a Feature
> * Decentralized Identifiers (DIDs) for global interoperability
> * Verifiable credential based trust propagation for decentralized
>   identity Title: Verifiable credential-based trust propagation for
>   decentralized identity and its relationship with digital identity
>   wallet
> * OpenID for Verifiable Credentials: Using conformance tests to
>   achieving interoperability, security and scalability
> * GlobalPlatform technologies for wallets (GlobalPlatform)
> * Trust Services, the backbone of EUDI Wallet ecosystem (CSC, ETSI)
> * Claim169 (MOSIP, …)
> * What’s new in W3C VCs
>
>
> 3. Formal Decision on VP Draft
>
> Decision: The working group approved taking OpenID for VP draft-29 to
> voting. Joseph confirmed that the announcement for the vote went out
> yesterday and voting is already open.
>
>
> 4. Extension of Thursday Calls
>
> Decision: Approved extending Thursday calls to 2 hours until HAIP goes
> to WGLC. Next week's Tuesday call will be cancelled due to GDC, with
> Thursday made a 2-hour call (second hour non-working group).
>
>
> 5. VCI 1.0 Working Group Last Call Preparation
>
>
> Pull Requests Reviewed:
>
>
> Presentation During Issuance (#509
> <https://github.com/openid/OpenID4VCI/pull/509>)
>
> * Status: Pending final reviews from Christian (done now) and Tobias
> * Daniel confirmed all outstanding comments resolved
>
>
> Signed Metadata (#520
> <https://github.com/openid/OpenID4VCI/pull/520>)
>
> The main discussions on Pull Request #520 (Signed Metadata) centered
> around two key technical issues:
>
>
> Mandatory Support for Unsigned Metadata
>
> The first major discussion point was about requiring issuers to
> support the unsigned form (application/json) of metadata for
> interoperability purposes. The suggestion was to mandate that issuers
> must support application/json even when they also offer signed
> metadata (application/JWT). This would ensure that wallets always have
> a fallback option to retrieve metadata in unsigned form if they cannot
> process signed metadata.
>
> Christian noted that while this change doesn't fundamentally alter the
> behavior - since wallets that can't understand signed metadata likely
> can't provide wallet attestations anyway and would fail later in the
> process - the working group seemed to want this requirement for
> improved interoperability.
>
>
> Signature Verification Requirements for Wallets
>
> The second major discussion focused on what wallets must do when they
> receive signed metadata. The debate was whether to change the
> specification from "should" to "must" regarding signature
> verification. The proposed requirement was:
>
> "When requesting signed metadata, the wallet must establish trust and
> verify signatures"
>
> This means that if a wallet actively requests signed metadata, it must
> either:
>
> * Successfully verify the signature and establish trust in the
>   signing key, or
> * Fail the request entirely
>
> The rationale was that if wallets are going to fetch signed metadata,
> they should be required to actually verify it rather than potentially
> ignoring the signature. If they cannot verify it, they should use the
> unsigned form instead.
>
>
> DC API Compatibility Concerns
>
> There was also discussion about how these changes would affect the
> future Digital Credentials API (DC API) implementation, with some
> concerns about potentially requiring different processing rules.
> However, the working group decided to address DC API compatibility
> separately when that specification is integrated.
>
> The working group ultimately reached consensus on both changes, with
> four approvals received for the PR.
>
>
> Key decisions made:
>
> * Issuers must support application/json (unsigned metadata) for
>   interoperability
> * When requesting signed metadata, wallets must establish trust and
>   verify signatures
> * Text clarified: "When requesting signed metadata, the wallet must
>   establish trust"
>
> Credential Request Denied Error Case (#549
> <https://github.com/openid/OpenID4VCI/pull/549>)
>
> * Status: Approved and ready to merge
> * Kristina approved after conflicts resolved
>
> Credential Metadata Clarification (#552
> <https://github.com/openid/OpenID4VCI/pull/552>)
>
> * Status: Approved with no objections raised
>
>
> Issues Discussed:
>
> Nonce Endpoint Protection (#461
> <https://github.com/openid/OpenID4VCI/issues/461>)
>
> Working Group Consensus:
>
> * No need to protect nonce endpoint with access token
> * Nonce endpoint serves primarily for freshness, not replay protection
> * Session binding adds unnecessary complexity
> * Nonces can be implemented as stateless on server side
> * Action: Issue will be closed in one week unless strong objections
>   raised
> * Action: Create PR to explicitly state nonce endpoint is not protected
>
>
> 6. Working Group Last Call Decision
>
> Decision: Working group reached consensus to start Working Group Last
> Call for OpenID4VCI 1.0, noting that:
>
> * PRs #509 and #520 are awaiting final reviews with no outstanding
>   technical issues
> * One additional PR expected to clarify nonce endpoint protection
> * 14-day WGLC period will begin, with potential to start 60-day
>   public review simultaneously
>
>
> 7. Action Items
>
> * Everyone: to continue VP voting process:
>   o https://openid.net/foundation/members/polls/364
>   o https://openid.net/specs/openid-4-verifiable-presentations-1_0-29.html
> * Christian and Tobias to complete final reviews of PR #509
> * Create PR clarifying nonce endpoint is not protected
> * Torsten to make official announcements regarding call schedule changes
> * Lee to discuss nonce implementation with Peter at GDC
>
>
> 8. Next Meetings
>
> * Thursday, June 27, 2025: Extended 2-hour call
> * Tuesday, July 2, 2025: Cancelled due to GDC
> * Regular schedule resumes following GDC
>
> Meeting adjourned at approximately 1:00 PM PDT
>
>
>
>
>> On Jun 24, 2025, at 09:20, Kristina Yasuda via
>> Openid-specs-digital-credentials-protocols
>> <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
>>
>> Hi All,
>>
>> Proposed agenda for the US friendly call today on the usual zoom,
>> https://zoom.us/j/94085567252?pwd=cHNFMExFalhlM2MrOFhoN3J6eDRuZz09
>>
>> Given WG agreement, chairs believe we could start WGLC for OpenID4VCI
>> 1.0 today.
>>
>> 1. Notewell (replaces the IPR/antitrust point we usually have, it
>>    incorporates both of those and the new code of conduct policy):
>>    https://openid.net/wp-content/uploads/2025/06/OIDF_Groups-Activities-Events-Note-Well_Final_2025-06-12.pdf
>> 2. Note-taking
>> 3. external events/announcements
>>    1. might be good to sync on GDC sessions next week relevant to
>>       this WG
>> 4. (has been announced 2 weeks ago) formal decision on going ahead
>>    with the updated VP draft as per
>>    https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20250609/000831.html
>> 5. Chairs' proposal to extend Thursday calls to 2h until HAIP goes
>>    to WGLC
>> 6. Review / merge open VCI 1.0 PRs that we need to merge to go to
>>    WGLC, in particular:
>>    1. Presentation During Issuance -
>>       https://github.com/openid/OpenID4VCI/pull/509
>>    2. add option to have signed Credential Issuer metadata, remove
>>       signed_metadata from Credential Issuer metadata -
>>       https://github.com/openid/OpenID4VCI/pull/520
>> 7. Open VCI issues, in particular:
>>    1. Protect the nonce endpoint
>>       https://github.com/openid/OpenID4VCI/issues/461,
>>       or:
>>    2. Add explicit statement that nonce endpoint is not protected
>>       by an access token -
>>       https://github.com/openid/OpenID4VCI/issues/541
>>
>> If anyone has any specific topics they’d like to cover please reply
>> to this email or ask at the start of the call.
>>
>> Cheers,
>> Kristina
>
>
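The wallet-side rule recorded in the minutes above for PR #520 (verify the signature and establish trust in the signing key, or fail the request), as an added Python example that is not from the specification or from any participant in this thread. HS256 with a shared key stands in for the issuer's signature so the block runs on the standard library alone; `load_issuer_metadata`, `demo_sign`, the `kid` lookup in `trusted_keys` and the sample metadata are assumptions.

```python
import base64, hashlib, hmac, json

class MetadataError(Exception):
    """Signed metadata could not be trusted; the caller must abort the request."""

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def demo_sign(metadata, kid, key):
    # Issuer side, used only to construct sample input (HS256 stand-in).
    head = b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64e(json.dumps(metadata).encode())
    tag = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(tag)}"

def load_issuer_metadata(content_type, body, trusted_keys):
    """Return the metadata dict, or raise MetadataError. Never returns an
    unverified JWT payload: a wallet that cannot verify uses application/json."""
    media = content_type.split(";")[0].strip().lower()
    if media == "application/json":            # unsigned form issuers must support
        return json.loads(body)
    if media != "application/jwt":
        raise MetadataError(f"unexpected content type {media!r}")
    try:
        h64, p64, s64 = body.split(".")
        header, sig = json.loads(b64d(h64)), b64d(s64)
    except ValueError as exc:                  # wrong part count, bad base64 or JSON
        raise MetadataError("malformed JWT") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise MetadataError("unsupported or missing alg")
    kid = header.get("kid")
    key = trusted_keys.get(kid) if isinstance(kid, str) else None
    if key is None:                            # trust in the signing key not established
        raise MetadataError("signing key is not trusted")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise MetadataError("signature verification failed")
    return json.loads(b64d(p64))               # decoded only after verification
```
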
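One way a nonce endpoint can stay stateless on the server side, as the consensus on issue #461 in the minutes above allows (added Python example, not from the specification or from any participant): the server authenticates a timestamp with an HMAC and later checks only integrity and age. The token layout, `SERVER_KEY` and `MAX_AGE` are assumptions; the same nonce validates repeatedly inside the window, which matches the freshness-only role the minutes describe.

```python
import base64, hashlib, hmac, os, struct, time

SERVER_KEY = os.urandom(32)   # assumption: one secret shared by all issuer instances
MAX_AGE = 300                 # assumption: freshness window in seconds

def issue_nonce(now=None, key=SERVER_KEY):
    """Nonce = base64url(8-byte timestamp || 8 random bytes || 16-byte HMAC tag).
    Nothing is stored: any instance holding the key can validate it later."""
    ts = int(time.time() if now is None else now)
    body = struct.pack(">Q", ts) + os.urandom(8)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(body + tag).rstrip(b"=").decode()

def check_nonce(nonce, now=None, key=SERVER_KEY, max_age=MAX_AGE):
    """True if the nonce was minted with this key and is at most max_age old."""
    try:
        raw = base64.urlsafe_b64decode(nonce + "=" * (-len(nonce) % 4))
    except (ValueError, TypeError):
        return False
    if len(raw) != 32:
        return False
    body, tag = raw[:16], raw[16:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):   # forged or altered
        return False
    ts = struct.unpack(">Q", body[:8])[0]
    age = int(time.time() if now is None else now) - ts
    return 0 <= age <= max_age                   # rejects stale and future-dated
```
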