[Openid-dcp] DCP WG EU call agenda
Wen, Jin
jin.wen at hisgarden.org
Thu Jul 3 22:21:11 UTC 2025
July 3 Meeting Minutes: Digital Credentials Protocols Working Group (DCP WG)
Date: July 3, 2025
Time: 5:57 PM GMT
Duration: 1 hour 40 minutes (scheduled for 2 hours)
Attendees
Joseph Heenan, Daniel Fett, Bjorn Hjelm, Christian Bormann, Oliver Terbu, Michael Jones, Paul Bastian, Andreea Prian, Martijn Haring, Andy Lim, Max Crone, Filip Skokan, Klaus Roehrle, Thomas Darimont and Jin Wen (Note taker)
Agenda Items
1. Code of Conduct / Antitrust Policy / IPR Policy
Standard OIDF policies apply as referenced in the agenda.
2. General Updates
VP Vote Status:
- VP vote is currently underway but has not yet met quorum
- Members encouraged to vote on both the VP spec and the RP metadata spec
- Voting deadline: July 8, 2025 (Tuesday)
VCI Working Group:
- Last call is underway for VCI 1.0
- Formal decision needed on July 8th to take current version to public review
- Public review started Sunday and runs for 60 days, followed by 2 weeks voting
- One known normative change pending: presentation during issuance
Interoperability Testing:
- VCI interop test planned for July 16th
- VP conformance tests now support both wallets and verifiers for mDoc and SD-JWT
- Tests also support W3C digital credentials API
- At least 5 wallets and verifiers have already passed the new tests
3. External Events Report - Geneva Conference
- Over 1,200 attendees exceeded expectations
- Mix of government presentations and technical sessions
- Strong momentum for OpenID for VC protocols with widespread government adoption
- Need to create adoption map similar to FAPI
- Good representation from Global South participants
- Swiss government offering to fund event again next year
4. OpenID for VP Editorial Updates
Approved and Merged PRs:
- #640 (https://github.com/openid/OpenID4VP/pull/640): Fixed list indentation and styling
- #647 (https://github.com/openid/OpenID4VP/pull/647): Security checks on DCQL query (concerns raised about text clarity and implementation)
- #648 (https://github.com/openid/OpenID4VP/pull/648): Updated Digital Credentials API reference to stable version
- #650 (https://github.com/openid/OpenID4VP/pull/650): Grammar fixes for deviceauth_alg_values
- #651 (https://github.com/openid/OpenID4VP/pull/651): Various editorial nits
- #560 (https://github.com/openid/OpenID4VP/pull/560): Remove whitespace in document history
5. OpenID for VCI 1.0 PRs
Key Discussion:
- Presentation During Issuance (#509, https://github.com/openid/OpenID4VCI/pull/509): Security issue identified, Daniel/Gareth working on fix for next week
- Editorial updates: Raj's terminology review needs additional reviews
- Decision to not rush changes before public review period
6. HAIP (High Assurance Identity Proofing) PRs
Major Discussions:
Key Resolution Options (#178, https://github.com/openid/oid4vc-haip/pull/178):
This PR proposes significant changes to the client identification scheme requirements in HAIP. Christian explained that the current text mandates support for multiple options (X509 hash, DNS-based resolution, and web-based resolution for SD-JWT), but this creates complexity without clear benefits.
The proposed change would:
- Mandate only X509 hash client ID scheme
- Remove the web-based resolution recommendation entirely
- Simplify the implementation requirements
Detailed Discussion Points:
- Christian argued that web-based resolution doesn't provide meaningful interoperability benefits since different flows (issuer vs verifier) make it difficult to determine the appropriate resolution method beforehand
- The group reached consensus to proceed with mandating X509 hash only
- Oliver raised an important concern about certificate rotation: since X509 hash generates client identifiers based on certificate hashes, certificate rotation (typically every 1-3 years) would change the client identifier
- This could impact member state references in EU implementing acts that might need to reference specific RP identifiers
- Christian clarified that this shouldn't be problematic because trust lists contain CA root certificates, not the individual relying party certificates, so intermediate certificates in the chain handle the rotation issue
- The group agreed to proceed with the X509 hash mandate after resolving Oliver's concerns
nbf Claim Discussion (#165, https://github.com/openid/oid4vc-haip/pull/165):
This PR sparked a significant technical debate about timestamp claims in SD-JWT credentials, specifically whether to use nbf (not before) or iat (issued at) claims.
Arguments for nbf (Oliver, Christian, Andrea):
- nbf has strict validation requirements: verifiers MUST check the timestamp according to RFC definitions
- Essential for offline use cases where devices cannot request new credential instances
- Critical for batch issuance scenarios where credentials become valid at future dates
- SD-JWT VC specification already defines that nbf MUST be verified if present
- Provides stronger security guarantees for credential validity periods
Arguments against nbf (Mike):
- nbf creates significant interoperability problems in practice
- Most JWT libraries have inconsistent handling of nbf vs iat validation
- nbf should only be used for future-dated tokens, which isn't a recommended practice
- iat is the standard claim for knowing when a token was issued
- Removing iat would break assumptions of most JWT libraries and create ecosystem problems
Technical Clarifications:
- The discussion specifically applies to SD-JWT VC format credentials within HAIP
- Current text mentions both signature validity and claims validity, which was deemed confusing
- SD-JWT VC spec already defines nbf as optional but MUST be verified if present
- The group noted this is about profiling SD-JWT VC for interoperability, not general JWT usage
Resolution:
- Daniel agreed to raise the nbf/iat discussion in the SD-JWT VC specification issue tracker first
- The group decided not to make changes in HAIP until the broader SD-JWT VC community weighs in
- This ensures consistency across specifications and avoids fragmenting the ecosystem
Other HAIP PRs:
- #187 (https://github.com/openid/oid4vc-haip/pull/187): HAIP cleanup (Oliver to review)
- #200 (https://github.com/openid/oid4vc-haip/pull/200): Wallet attestation JWT x5c header clarification (Andrea to review)
7. HAIP Open Issues
Issuer Metadata Requirements (#180, https://github.com/openid/oid4vc-haip/issues/180):
- Consensus reached:
  - Credential issuers must be required to have metadata
  - Not all credentials need to be listed in issuer metadata
  - Information can come from .well-known or out-of-band mechanisms
Batch Issuance Mandate (#150, https://github.com/openid/oid4vc-haip/issues/150):
- Proposed text: "If verified/verifier unlinkability needs to be prevented for a particular credential, batch issuance must be supported and used"
- Agreement that wallets and issuers must support batch issuance capability
- Implementation use depends on credential type and ecosystem needs
Action Items
- Daniel: Raise nbf/iat discussion in SD-JWT VC issue tracker
- Christian: Update key resolution PR to remove web-based resolution
- Multiple reviewers: Review pending editorial PRs before Tuesday
- All members: Vote on VP and RP metadata specs before July 8th deadline
- Daniel/Gareth: Develop security fix for presentation during issuance
Next Steps
- Working group to reconvene for formal decision on VCI public review (July 8th)
- Continue PR reviews and editorial cleanup
- Prepare for VCI interop testing (July 16th)
- Monitor VP vote progress toward quorum
Meeting adjourned early due to attendee fatigue after Geneva conference
Sent with [Proton Mail](https://proton.me/mail/home) secure email.
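The nbf/iat debate in the minutes above turns on what a verifier is obliged to do with each claim. The following is an added example, written for this page and not code from the DCP WG, HAIP or any OpenID specification: a verifier-side check of the time claims of an already-decoded SD-JWT VC payload that treats `nbf` as a hard "not yet valid" bound (required when present), `exp` as a hard expiry, and `iat` as informational only. The 60-second clock-skew `leeway`, the optional rejection of an `iat` in the future, and the sample payloads and timestamp are this example's own assumptions. A second helper models the batch-issuance case from the discussion, where instances are issued together with staggered `nbf` values and a wallet working offline can only present those whose `nbf` has passed.

```python
"""Time-claim validation for an SD-JWT VC payload: nbf vs iat vs exp.

Added example; not code from the DCP WG or any OpenID specification.
Semantics follow RFC 7519: `nbf` is a validity bound the verifier MUST
enforce when present, `exp` is the expiry, and `iat` only records when
the token was issued. The leeway and the future-iat policy are this
example's choices, not requirements from the minutes.
"""
from dataclasses import dataclass


@dataclass
class TimeCheck:
    ok: bool
    reason: str


def _as_unix_seconds(value, name: str) -> int:
    # NumericDate per RFC 7519: a JSON number of seconds since the epoch.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"{name} must be a NumericDate (number), got {value!r}")
    return int(value)


def check_time_claims(payload: dict, now: int, leeway: int = 60,
                      reject_future_iat: bool = True) -> TimeCheck:
    """Evaluate nbf / exp / iat of `payload` against `now` (Unix seconds).

    - nbf: if present, the credential is not valid before nbf (minus leeway).
    - exp: if present, the credential is invalid at or after exp (plus leeway).
    - iat: informational; optionally rejected if implausibly in the future.
    Absent claims are unconstrained, mirroring "optional, but MUST be
    verified if present".
    """
    if "nbf" in payload:
        nbf = _as_unix_seconds(payload["nbf"], "nbf")
        if now + leeway < nbf:
            return TimeCheck(False, f"not yet valid: nbf={nbf} > now={now}")
    if "exp" in payload:
        exp = _as_unix_seconds(payload["exp"], "exp")
        if now - leeway >= exp:
            return TimeCheck(False, f"expired: exp={exp} <= now={now}")
    if "iat" in payload:
        iat = _as_unix_seconds(payload["iat"], "iat")
        # Libraries differ here; this example rejects an iat in the future
        # by default, but a caller can disable that to match other stacks.
        if reject_future_iat and iat > now + leeway:
            return TimeCheck(False, f"iat={iat} is in the future")
    return TimeCheck(True, "time claims acceptable")


def usable_now(payloads: list, now: int, leeway: int = 60) -> list:
    """Indices of batch-issued credential instances presentable at `now`.

    Models the batch-issuance scenario: instances are issued together with
    staggered nbf values, and a wallet that is offline (cannot fetch new
    instances) may only present those whose nbf has already passed and
    whose exp has not.
    """
    return [i for i, p in enumerate(payloads)
            if check_time_claims(p, now, leeway).ok]


# Constructed sample data (not from the page): 2025-07-03T00:00:00Z.
NOW = 1_751_500_800
DAY = 86400
BATCH = [  # constructed payloads; non-time claims omitted for brevity
    {"iat": NOW - DAY, "nbf": NOW - DAY, "exp": NOW + 30 * DAY},
    {"iat": NOW - DAY, "nbf": NOW + 30 * DAY, "exp": NOW + 60 * DAY},
    {"iat": NOW - DAY, "nbf": NOW + 60 * DAY, "exp": NOW + 90 * DAY},
]

if __name__ == "__main__":
    print(check_time_claims({"iat": NOW - 3600, "exp": NOW + DAY}, NOW))
    print(check_time_claims({"nbf": NOW + 3600, "exp": NOW + DAY}, NOW))
    print("usable at NOW:", usable_now(BATCH, NOW))
    print("usable at NOW+45d:", usable_now(BATCH, NOW + 45 * DAY))
```

Note the asymmetry the example makes visible: a payload carrying only `iat` and `exp` has no lower validity bound at all, so dropping `nbf` means a batch of pre-issued instances is presentable the moment it is issued, whereas with `nbf` each instance stays unusable until its window opens. The `reject_future_iat` switch is there only to show why `iat` handling is the interoperability sore point the minutes mention: it is a policy, not a rule of the claim.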
On Thursday, July 3rd, 2025 at 2:15 PM, Joseph Heenan via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> Hi all
>
> Proposed agenda for the EU friendly call today (4PM London / 5PM CET / 8AM PDT) on the usual zoom, https://zoom.us/j/94085567252?pwd=cHNFMExFalhlM2MrOFhoN3J6eDRuZz09
>
> As previously communicated, this is a 2 hour meeting - I appreciate not everyone will be able to make the full 2 hours, if there are any requests to schedule particular items for particular time slots please let me know.
>
> - Code of conduct / Antitrust policy / IPR policy: https://openid.net/wp-content/uploads/2025/06/OIDF_Groups-Activities-Events-Note-Well_Final_2025-06-12.pdf
> - Note-taking
> - General updates
>
> - VP vote underway - please vote if you are an OIDF member! https://openid.net/foundation/members/polls/364 (please also vote on the OpenID Connect Relying Party Metadata Choices vote that’s underway too, abstain votes help reach quorum: https://openid.net/foundation/members/polls/367 )
> - VCI working group last call underway
> - VCI interop test planned for 16th July
> - Conformance test updates - see https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20250630/000859.html
> - OID4VP editorial updates prior to publishing final
> - OID4VCI 1.0 PRs, in particular:
>
> - Presentation During Issuance - https://github.com/openid/OpenID4VCI/pull/509
> - HAIP PRs, including:
>
> - HAIP cleanup: https://github.com/openid/oid4vc-haip/pull/18
> - Key resolution / move to x509 hash client id prefix: https://github.com/openid/oid4vc-haip/pull/178
> - HAIP open issues
>
> If anyone has any specific topics they’d like to cover please reply to this email or ask at the start of the call.
>
> Thanks
>
> Joseph