[Openid-dcp] (no subject)

Oriol Canadés Díez ocanades at outlook.com
Thu Jun 26 18:46:38 UTC 2025


Meeting Minutes – OpenID4VCI & OIDC HAIP WG

Date: Thursday, June 26, 2025

Time: 08:00 PT

Chair: Joseph Heenan

Note-taker: Oriol Canadés

Participants: Torsten Lodderstedt, Daniel Fett, Joseph Heenan, Kristina Yasuda, Michael Jones, Andy Lim, Brian Campbell, Christian Bormann, David Chadwick, Gareth Narinesingh, Gareth Oliver, Jin Wen, Juba Saadi, Lukasz Jaromin, Patrick Amrein, Peter Sorotokin, Rajvardhan Deshmukh, Oriol Canadés.

1. General Updates

  *   OpenID Foundation Voting:
     *   Members are encouraged to vote on the ongoing ballots for both VCI and Connect WGs, even if abstaining, to help reach quorum.
     *   No significant feedback yet on the DCP Working Group Last Call.
     *   Plans to start the public review period for VCI [subject to PR #509 discussion].
  *   Interoperability Test Event:
     *   VCI interop event planned for July 16 (virtual); participation requires up-to-date implementation with current spec and HAIP support.

________________________________
2. OID4VCI – Key Discussions

  *   Presentation During Issuance Security (Mix-up Attack) [PR #509]:
     *   Security issue raised: a malicious issuer could forward presentation requests, leading to unauthorized credential issuance (mix-up attack).
     *   Options considered:
        *   Delay start of public review.
        *   Start public review without merging #509, address issue during the review (option favored by Kristina, Torsten, Gareth, Daniel).
        *   Merge now, include a warning paragraph about the known issue, and fix during public review.
        *   Delay to v1.1.
     *   Consensus: Proceed with option 2 (see PR #509<https://github.com/openid/OpenID4VCI/pull/509>), as the group prefers not to delay the process, but also not to merge a workaround with an open security hole.
     *   Action: Joseph to inform interop participants; further solution design to continue in parallel.
  *   Signed Metadata PR [PR #520]:
     *   Editorial suggestions; many approvals. Merged (see PR #520<https://github.com/openid/OpenID4VCI/pull/520>).
  *   Nonce Endpoint Protection [PR #558]:
     *   Clarified that the nonce endpoint does not require an access token. Extensively discussed and agreed (see PR #558<https://github.com/openid/OpenID4VCI/pull/558>), pending close.
  *   Other Issues/PRs:
     *   Issue #523<https://github.com/openid/OpenID4VCI/issues/523> (assigned to Gareth), #538<https://github.com/openid/OpenID4VCI/issues/538> (ready for PR), #539<https://github.com/openid/OpenID4VCI/issues/539> (review note by Joseph), #544<https://github.com/openid/OpenID4VCI/issues/544> (in progress), #551<https://github.com/openid/OpenID4VCI/issues/551> (ready for PR), #553<https://github.com/openid/OpenID4VCI/issues/553> (Christian working on shortening examples), #555<https://github.com/openid/OpenID4VCI/issues/555> (comments by Daniel Fett), #288<https://github.com/openid/OpenID4VCI/issues/288> (terminology review assigned to Rajvardhan).

________________________________
3. OIDC HAIP – Key Discussions

  *   Editorial and Cleanup PRs [PR #85, #176, #175, #165, #187, #178]:
     *   PR #85<https://github.com/openid/oid4vc-haip/pull/85>: Defined terms, capitalization, editorial cleanups; conflicts pending (Torsten to review).
     *   PR #176<https://github.com/openid/oid4vc-haip/pull/176>: Signed issuer metadata, feedback from Torsten and Gareth. Discussion that signed_metadata MUST be supported (#156).
     *   PR #175<https://github.com/openid/oid4vc-haip/pull/175>: Conflicts to be fixed and merged (Gareth responsible).
     *   [Other PRs/issues]: See Appendix for full tracking.
  *   Assurance Level and Attestation (General):
     *   Ongoing discussion about defining “high assurance” in concrete properties rather than vague language.
     *   Attestation method support: Both platform-native and cross-platform to be defined for maximum flexibility, but not all must be mandated for all ecosystems.
  *   HPKE Update [Issue #199]:
     *   Michael Jones explained his point of view on HPKE. The discussion was postponed because the right experts are needed to reach a consensus.
  *   Custom URL Schemes and Invocation:
     *   Discussion around requiring a default URL scheme for wallet invocation; most agreed each ecosystem will define its own, but a common fallback remains valuable for interoperability.

________________________________
4. Security & Editorial

  *   Ongoing efforts to:
     *   Clarify key resolution and attestation support in both specs.
     *   Update and shorten specification examples for clarity ([issue #553], Christian B.).
     *   Maintain up-to-date security considerations, including referencing analysis from previous spec versions.
     *   Rajvardhan to review terminology consistency ([issue #288]).

________________________________
5. Next Steps & Deadlines

  *   Public review for VCI 1.0 to commence immediately; security/clarification fixes to continue in parallel.
  *   Interop event: July 16, 2025 (virtual).

________________________________
Appendix: Issue & PR Log (Detailed Tracking)
OID4VCI

  *   PRs:
     *   #509<https://github.com/openid/OpenID4VCI/pull/509>: Presentation during issuance security, mix-up attack mitigation.
     *   #520<https://github.com/openid/OpenID4VCI/pull/520>: Signed metadata (merged).
     *   #558<https://github.com/openid/OpenID4VCI/pull/558>: Nonce endpoint clarification.
  *   Issues:
     *   #523<https://github.com/openid/OpenID4VCI/issues/523>: Ready for PR, assigned to Gareth.
     *   #538<https://github.com/openid/OpenID4VCI/issues/538>: No objections, ready for PR.
     *   #539<https://github.com/openid/OpenID4VCI/issues/539>: Review note (Joseph).
     *   #544<https://github.com/openid/OpenID4VCI/issues/544>: Work in progress.
     *   #551<https://github.com/openid/OpenID4VCI/issues/551>: Ready for PR.
     *   #553<https://github.com/openid/OpenID4VCI/issues/553>: Examples cleanup (Christian B., 70 character width).
     *   #555<https://github.com/openid/OpenID4VCI/issues/555>: Comments (Daniel Fett).
     *   #288<https://github.com/openid/OpenID4VCI/issues/288>: Terminology review (Rajvardhan).

OIDC HAIP

  *   PRs:
     *   #85<https://github.com/openid/oid4vc-haip/pull/85>: Editorials, defined terms, capitalization (Torsten to review).
     *   #176<https://github.com/openid/oid4vc-haip/pull/176>: Signed issuer metadata (Torsten, Gareth).
     *   #175<https://github.com/openid/oid4vc-haip/pull/175>: Conflict fix/merge (Gareth).
     *   #165<https://github.com/openid/oid4vc-haip/pull/165>
     *   #178<https://github.com/openid/oid4vc-haip/pull/178>
     *   #187<https://github.com/openid/oid4vc-haip/pull/187>
  *   Issues:
     *   #87<https://github.com/openid/oid4vc-haip/issues/87>: Cleanup, WG feedback.
     *   #156<https://github.com/openid/oid4vc-haip/issues/156>: signed_metadata MUST be supported.
     *   #189<https://github.com/openid/oid4vc-haip/issues/189>: New comment.
     *   #190<https://github.com/openid/oid4vc-haip/issues/190>: New comment.
     *   #198<https://github.com/openid/oid4vc-haip/issues/198>: New comment.
     *   #199<https://github.com/openid/oid4vc-haip/issues/199>: HPKE (Michael Jones).
     *   #202<https://github.com/openid/oid4vc-haip/issues/202>: New comment.

Regards,
Oriol
