[Openid-dcp] DCP APAC Meeting Notes - July 10 2025
Andres Olave
andres.olave at velocitycareerlabs.com
Thu Jul 10 22:09:50 UTC 2025
Hi all,
Below are the notes for Thursday's APAC call
Cheers,
Andres
---------------------------------------
# APAC Meeting Notes - July 10 2025
## Attendees:
Veaceslav Dimitroglo
Nat Sakimura
Andres Olave
Kenichi Nakamura
Joseph Heenan
Stefan Charsley
## Initial Discussion
- Veaceslav asks about reference implementations of DCQL & Claims path pointer.
- Joseph suggests the Open Wallet Typescript & Kotlin multiplatform implementations. Kotlin: https://github.com/openwallet-foundation-labs/identity-credential/tree/main
## Upcoming Events:
IETF Madrid 21 July - Relevant specs: Client attestation draft, Token list, Client Id Prefix + JOSE WG discussing HPKE
DICE September is delayed to November
## Notifications:
- VP 1.0 Final has been published - https://openid.net/specs/openid-4-verifiable-presentations-1_0.html. There's another version that won't be updated with errata, but it shouldn't be used
- VCI is under public review
- VCI interop testing on July 16 using draft 16.
### Conformance tests
- VP Final conformance tests are already out!
- VCI is being updated
## PRs
### Presentation during issuance https://github.com/openid/OpenID4VCI/pull/509
- Interop testing of the proposal was done during German Funke meetup.
- Daniel recently added improvements to assist in the detection of session fixation attacks. Waiting on Gareth's response
- Joseph clarifies that this feature will be optional and that the AS shows support via metadata. It will be used for German PID presentation
- Stefan raises the need to clarify what the wallet should do if the issuer uses a custom type that the wallet doesn't understand. Joseph clarifies that the wallet should send another request to the server, and this should be added to the spec.
- Andres raised issues around wallets collaborating. Joseph believes that the spec is sufficient and that HAIP handles this using wallet attestations. Waiting for others to chime in.
### Many Editorial PRs
These need one or two more reviews: 556, 567, 560, 564, 565, 566
### Change to the client identifier scheme to be x509_hash: https://github.com/openid/oid4vc-haip/pull/178
It enables client ids without DNS names.
Stefan asks how to keep a stable client id with x509_hash. Joseph says the WG is waiting for feedback from Mirko.
### Signed Issuer Metadata https://github.com/openid/oid4vc-haip/pull/176
Adds signed metadata and uses x5c header. Almost have enough approvals
## HAIP Issues:
There is a lot of work as there are 49 issues tagged for 1.0 Final
### Mandating HPKE https://github.com/openid/oid4vc-haip/issues/199
- Kenichi notes that it's an input into ISO WG 10.
- Joseph notes that resolving the issue depends on the outcome of JOSE HPKE at IETF. The meeting is in 2 weeks, and if it progresses & is approved, then HAIP will reference the draft. Otherwise, WG will need to make its own decisions.
### Using HAIP outside of Root of Trust scenario https://github.com/openid/oid4vc-haip/pull/178
- Stefan raised this issue for the NZ use case. Every issuer would need to hand out a cert chain to a wallet, and the wallet decides whether to trust or not.
- Joseph: In the EU, this is on a per-country basis, as there is a trust list per country. Wallets decide which countries are trusted.
- Stefan: Questions the removal of web resolution from SD-JWT, which enables the usage of WebPKI. In NZ, the accreditation received is a trustmark only. Additionally, he is concerned that WebPKI is moving towards limiting certificates to a lifetime of 47 days, meaning Credentials would only be valid for 47 days.
- Joseph: If you are in a trustless system, requiring the certificate chain means that root certificate acceptance is also required. OpenID Federation could be an option, but it also needs a root for the trust chain. Agrees that (currently) HAIP tends to be EU-focused and they need more feedback from non-EU ecosystems. Discusses the same issue that appeared in open banking implementations in multiple jurisdictions, and that, for example, Brazil introduced a directory service to function as the root cert issuer. Can't see that working exactly the same in wallets.
The conclusion is that the language doesn't prevent solutions outside of the profile, but that will lead to interop issues, and that this needs to be looked at further
### Meaning of High Assurance https://github.com/openid/oid4vc-haip/issues/189
- Stefan: Thinks it's about having a minimum level of trust and security. Target audience/usage sections could be further clarified.
- Joseph: Wants something more quantitative and properties. Unlinkability between verifiers, Device binding, "higher level of security".
## Final Discussions:
### The APAC meeting slot:
Should it be every week or every fortnight? Became weekly due to conference season, but should it stay that way?
Participants note that attendance is not high. Joseph had been hoping for more European participation.
The attendees appreciate the slot
Andres/Stefan suggest keeping it weekly until the HAIP draft is published so that significant PRs aren't missed completely
### VCI Vote Clarification
Veaceslav requested clarification on the upcoming dates for VCI. It's available on the website. Voting will be August 29 - September 12.