[Openid-dcp] 07/22 DCP WG Notes
Gareth Oliver
gco at google.com
Tue Jul 22 20:10:30 UTC 2025
Participants
Gareth Oliver
Kristina Yasuda
Joseph Heenan (OIDF & Authlete) (Co-host)
Gail Hodges (Co-host)
Pedram Hosseyni
Fabian Hauck (University of Stuttgart)
Tobias Looker (MATTR)
Daniel Fett
Martijn
Ryan Galluzzo
Christian Bormann
Oliver Terbu
Victor Lu
Rene Leveille (he/him | 1password)
Lenah Chacha
Hichamlozi
Regenscheid, Andrew (NIST)
David Zeuthen (ANSI, Google)
-
Interop Notes
-
the latest OpenID4VCI Interop results are as follows: 47 pairs, of
which 81% passing, 17% fail with resolvable issues, and 2% due to unknown
issues. No material new concerns raised from implementers on v16 or the
OID4VCI tests. Results are based on 7 issuers (including BDR, Fikua,
MultiPaz, Lissi, Mattr, Meeco, OIDF test suite) and 5 wallets (including
BDR, Multipaz, Meeco, MyMahi, and OIDF test suite). We also have passing
pairs on 4 configuration types so far, SD-JWT with Custom URI in
HAIP mode,
SD-JWT with Custom URI with client assertion with
private_key_jwt, and mdoc
Custom ur initiated and no client authentication. We are likely to have
data for a couple more pairs on DC API before we call the results “final.”
-
The 9am German time call this week is cancelled
-
Security Analysis:
https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20250714/000878.html
-
Looking at OpenId4VP with the DC API
-
Headlines:
-
Completed all proofs successfully (though quite abstract analysis)
-
In Scope:
-
Signed/Unsigned requests for DC API
-
Out of Scope:
-
HAIP
-
VCI
-
Fallback
-
Security Properties were confirmed
-
Verifier Authentication, Wallet Authorization and Claims
Unforgeability.
-
May make sense to do an overall analysis of everything together
-
Questions
-
Q: Any difference between the different credential formats?
-
A: Didn’t model any particular credential format, modelled what
all of them had in common.
-
Q: One assumption was that expected_origins was not required so
not modelled. What does that mean?
-
A: After the first report we recommended requiring the check, but
from draft 25 we can prove our security properties without
the check (as it
is in aud).
-
Any objections to accepting this deliverable?
-
A question of whether they delivered on the scope agreed.
-
None, happy to accept.
-
Discuss HAIP Issues
-
PR mandating issuer metadata
-
PR Allowing credentials without cryptographic binding
-
#35: No longer an issue by removing web-based key resolution in
sd-jwt-vc signature validation.
-
#37 Do we need to define key size?
-
What if you want to issue a credential with different signatures?
Do you need another entirely different profile to HAIP?
-
Currently written like it’s only applying to sd-jwt
-
Some regions already require higher curves
-
Likely better to be more permissive.
-
Don’t gain much of an interop benefit from a baseline, unless you
mandate it is always dual issued.
-
Presentation During Issuance
-
Updated to have a new mode, and always return to the interactive
authorization endpoint.
-
Tobias allowed continuation with the authorization endpoint.
-
Some question if returning the auth_session has the same mix-up
attack problem. Seems like not.
-
Request to merge and then patch on top?
-
Seems ok
-
Agreed to change to presentation_request/presentation_response
-
Should auth_session be defined more globally.
-
Can always do it later?
-
Should we namespace errors?
-
Maybe?
-
Should we allow an error response rather than abor?
-
Maybe? Raise different issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20250722/b4698449/attachment-0001.htm>
More information about the Openid-specs-digital-credentials-protocols
mailing list