[Openid-dcp] OID4VCI draft 16 published
Joseph Heenan
joseph at authlete.com
Fri Jun 27 13:32:42 UTC 2025
Hi all
Draft 16 of OID4VCI has been published:
https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-16.html
As per my email earlier in the week, and the discussion on yesterday’s WG call, the reason for publishing we start public review on.
Due to a last-minute discussion on the presentation during issuance pull request (https://github.com/openid/OpenID4VCI/pull/509), this is not included in this revision, but the working group will continue discussion and may decide to publish a new version containing this and update the version under public review.
Change log since draft 15 is:
add new mechanism for signed Credential Issuer metadata
remove signed_metadata from Credential Issuer metadata
move proof type section to the Annex for readability, add some introduction and fix text in Section 8.1
move claims and display into credential_metadata and allow for credential-format specific mechanisms to override it
remove the option to use format from authorization_details in the Authorization Request
add implementation consideration about pre-final specs
move issuance pending from Deferred Credential Error Response to Deferred Credential Response
move the interval parameter from Deferred Credential Error Response to Credential Response
rework the Credential Response text, fix immediate issuance to have HTTP 200 status code
adds an option to return DPoP Nonce from the Nonce Endpoint
change Cryptographic Holder Binding to Cryptographic Key Binding
add privacy considerations for the client_id used with wallet attestations
deprecate the proof parameter in the credential request
URL to retrieve Credential Issuer Metadata now requires .well-known/openid-credential-issuer to be added at start of path to align with IETF requirements
explicitly state that various arrays in metadata/requests need to be non-empty
add missing request for media type registration of key-attestation+jwt in IANA Considerations
rename keyattestation+jwt to key-attestation+jwt
set key attestation nonce to c_nonce value for proof types with key attestations
use mdoc as a term, instead of mDL
clarify mdoc as a credential format can be used with non-mDL use-cases
remove the Dynamic Credential Request section and associated content
rename ldp_vp to di_vp
require proof_signing_alg_values_supported to match key proof algorithms
Align claims path query for ISO mdocs with JSON-based credentials
define proof_signing_alg_values_supported for attestation proof type
make type and values for credential_signing_alg_values_supported format specific
make type and values for proof_signing_alg_values_supported proof type specific
change algorithm identifiers for credential_signing_alg_values_supported to COSE algorithm values for mdocs
add Credential Request encryption and Zip support
request encryption is now required when response encryption is used
clarify an access token is not required at the nonce endpoint
clarify that credential_request_denied should be treated as non-recoverable and the request not retried
clarify meaning of absence of cryptographic_binding_methods_supported / proof_types_supported
cleanup language around c_nonce
make OAuth2 security recommendations more actionable, including recommending use of FAPI2 Security Profile
add unknown_credential_configuration and unknown_credential_identifier errors
remove no-longer applicable unsupported_credential_type and unsupported_credential_format errors
issuer value in metadata must be validated
improve intro text about key attestations
clarify that number of issued credentials is related to number of keys proofed or attested
update OpenID Federation reference to draft 43
"Multiple credential issuance" section renamed to "Batch credential issuance" and made editorial improvements to it
clarify that when using scopes, if credential_identifiers are returned from the token endpoint they are inside authorization_details
clarify that x5c, kid and jwk in the jwt proof type are mutually exclusive
clarify what checks wallet performs after receiving credential offer
editorial improvements to tx_code language
Thanks
Joseph