[Openid-dcp] DCP WG EU call agenda
Jin Wen
jin.wen at onespan.com
Thu Jul 24 23:36:40 UTC 2025
Here are today’s meeting minutes:
July 24 DCP Working Group Call
Meeting Details
* Date: July 24, 2024
* Chair: Joseph Heenan (Torsten Lodderstedt assisting)
* Note Taker: Jin Wen
* Attendees: 13 participants including Torsten Lodderstedt, Andreea Prian, Daniel Fett, Gareth Oliver, Jan Vereecken, Klaus Roehrle (Sony), Lenah Chacha, Martijn, Max Crone (1Password), Rene Leveille (1Password), David Chadwick, Joseph Heenan, and Gail Hodges
1. Administrative Items
Code of Conduct and Policies
* Standard acknowledgment of Code of conduct/Antitrust policy/IPR policy
Introductions and Agenda
* No new attendees introduced
* Agenda approved without changes
2. Events
IETF Madrid (July 21-25)
Joseph Heenan provided a debrief from the OAUTH session:
* SD-JWT VC Discussion: Main topic relevant to the working group was ongoing discussion about "bids" text in SD-JWT VC that was being pushed for removal
* Poll Results: Overwhelming favor for removing the problematic text, with formal decision to be repeated on mailing list
* Client ID Prefix Draft: Discussion on draft by Aaron, Daniel, and Joseph based on current work, but ran out of time
* Next Steps: Interim meeting to be scheduled for adoption discussion
3. General Updates
VCI Interop Test Results (July 16)
* Initial results completed, with Gail Hodges presenting detailed findings at end of call
Conformance Test Updates
* Confirmed tests available for VCI versions from public review
* DC API tests available in both cases
4. OpenID4VCI 1.0 Pull Requests
Major Merged PR
* Presentation During Issuance (https://github.com/openid/OpenID4VCI/pull/509): Already merged, addressed security issues with redirect flows
Pending PRs Requiring Review
Application Encryption Security Consideration #569
(https://github.com/openid/OpenID4VCI/issues/569)
* Status: Ready to merge with 3 approvals and no outstanding comments
* Purpose: Explains what application layer encryption added in VCI achieves and its limitations
* Action: Torsten volunteered to review
Credential and Deferred Credential Endpoint Unification #583
(https://github.com/openid/OpenID4VCI/issues/583)
* Presenter: Gareth Oliver
* Purpose: Merge deferred credential endpoint text into credential endpoint to ensure consistent credential responses
* Goal: Prevent different behaviors between endpoints while maintaining current normative requirements
* Concerns: Questions raised about whether this allows credential endpoint to accept deferred requests
* Discussion: Clarification needed on polymorphic credential request prevention
* Action: Torsten volunteered to review
Editorial PRs
* Multiple editorial pull requests open requiring 1-2 reviews each
* Goal to merge these before next revision publication
5. HAIP (High Assurance Interoperability Profile) Pull Requests
Credentials Without Cryptographic Holder Binding #210
(https://github.com/openid/oid4vc-haip/pull/210)
* Presenter: Torsten Lodderstedt
* Purpose: Allow HAIP use with credentials not requiring cryptographic holder binding
* Rationale: High assurance can be achieved through strong data binding to credential subject, even without cryptographic key binding
* Benefits: Enables long-living credentials that don't require reissuance when changing devices
* Discussion: Questions raised about definition of "high assurance" in this context
* Action: Issue (https://github.com/openid/oid4vc-haip/issues/189) to be updated with clarification of high assurance definition
FAPI2 Requirements #214
(https://github.com/openid/oid4vc-haip/pull/214)
* Purpose: Mandate use of most FAPI2 requirements
* Key Requirements:
  * MUST support sender-constrained tokens using DPoP
  * MUST follow FAPI2 Security Profile with exception for client authentication using Wallet Attestations
* Status: Small PR requiring reviews
Key Attestation Wording Modification #217
(https://github.com/openid/oid4vc-haip/pull/217)
* Presenter: Torsten Lodderstedt
* Key Changes:
  * Wallets MUST support key attestations
  * For interoperability: attestations MUST conform to Annex D of OpenID4VCI
  * Otherwise: other key attestation formats may be used
  * Batch issuance: all public keys SHOULD be attested within single key attestation
* Background: Addresses different objectives for key attestations (interoperability vs. native formats)
* Action: Reviews requested from Martijn and Hicham Lozi (hlozi, https://github.com/hlozi)
nbf Claim Mandate #165
(https://github.com/openid/oid4vc-haip/pull/165)
* Purpose: Make nbf (not before) claim mandatory for credential issuer and authorization server metadata publication
* Status: Requires review
6. HAIP Open Issues
Ephemeral Encryption Keys #194
(https://github.com/openid/oid4vc-haip/issues/194)
* Question: Should ephemeral encryption keys be required?
* Background: HAIP mandates encryption but doesn't require ephemeral keys
* Consensus: Working group agreed to make ephemeral encryption keys mandatory
* Implementation: Would require passing JWKS within client metadata in requests
* Action: Lucas from Radian volunteered to create PR
Cross-Device Flows #98
(https://github.com/openid/oid4vc-haip/issues/98)
* Question: Should redirect_uri be required in cross-device scenarios?
* Cross-reference: Related to issue (https://github.com/openid/oid4vc-haip/issues/189)
* Security Concern: Traditional cross-device flow not phishing resistant
* Discussion Points:
  * High assurance may require same-device flows or DC API with proximity detection
  * Similar to German ARef approach limiting to same-device for high assurance
* Action: Daniel Fett assigned to analyze and provide recommendations
SD-JWT IAT Claim #29
(https://github.com/openid/oid4vc-haip/issues/29)
* Question: Should iat (issued at) claim be selectively disclosable in SD-JWT during presentation?
* Current State: HAIP requires IAT in SD-JWT but prohibits selective disclosure
* Daniel's Suggestion: Remove extra rules and follow whatever SD-JWT VC specification decides
* Discussion: Questions about user experience implications and consistency with mDoc approach
* Action: Further discussion needed, particularly regarding mDoc expert input
7. Interoperability Test Results
Test Overview
Gail Hodges presented comprehensive results from July 16 pairwise interoperability testing. The results were consistent across a range of scenarios supported by the OpenID4VCI Specification, with implementers supporting one or multiple configurations of OpenID4VCI.
Test Statistics
* Total Possible Pairs: 59
* Pairs Tested: 47
* Success Rate: 87% passed successfully
* Resolvable Issues: 11% failed with resolvable issues
* Unresolved Issues: 2% failures without immediately obvious solutions
Test Configurations
All tests used OpenID4VCI with various configurations:
* SD-JWT with HAIP mode: Custom URI initiated, wallet attestation-based client authentication with x5c header
* SD-JWT with private_key_jwt: Custom URI initiated, client assertion authentication
* SD-JWT without authentication: Custom URI initiated, no client authentication
* mDoc without authentication: Custom URI initiated, no client authentication
Participating Organizations
7 Issuers and 5 Wallets:
* Bundesdruckerei GmbH
* Fikua
* MATTR
* Open Wallet Foundation (Android "Multipaz")
* Lissi GmbH
* Meeco
* MyMahi Wallet
* OpenID Foundation (open source tests)
Conclusions
* No material concerns identified with specifications or OIDF open source tests
* Results demonstrate strong interoperability across different implementation approaches
* Test suites proven effective for validation
Upcoming Milestones
* End of September: Self-certification opening planned once negative tests incorporated
8. Pending Issues Review
Joseph Heenan highlighted issues marked as "pending close" in HAIP repository:
* Action: Community members requested to review pending-close labeled issues
<https://github.com/openid/oid4vc-haip/issues?q=is%3Aissue+state%3Aopen+label%3Apending-close>
* Timeline: Issues will be closed in approximately one week without comments
* Purpose: Clean up issues that are covered by other issues or no longer applicable
9. Announcements
Artificial Intelligence Identity Management (AIIM) Community Group
Max Crone announced upcoming discussion:
* Topic: Including Verifiable Credentials in Model Context Protocol
* Timing: Immediately following this call
* Relevance: Significant interest for DCP WG members
10. Action Items Summary
1. Reviews Needed:
   * Application encryption security consideration PR (Torsten assigned)
   * Credential/Deferred endpoint unification (https://github.com/openid/OpenID4VCI/issues/583) (additional reviewers needed)
   * FAPI2 requirements PR (https://github.com/openid/oid4vc-haip/pull/214)
   * Key attestation wording PR (https://github.com/openid/oid4vc-haip/pull/217) (Martijn, Klaus)
   * nbf claim mandate PR (https://github.com/openid/oid4vc-haip/pull/165)
2. Issue Analysis:
   * High assurance definition clarification (https://github.com/openid/oid4vc-haip/issues/189) (Torsten assigned)
   * Cross-device flow security analysis (https://github.com/openid/oid4vc-haip/issues/98) (Daniel assigned)
3. Pull Requests to Create:
   * Ephemeral encryption keys mandate (https://github.com/openid/oid4vc-haip/issues/194) (Lucas assigned)
4. Administrative:
   * Review pending-close issues within one week
   * Multiple editorial PR reviews for VCI
11. Next Steps
* Continue OpenID4VCI 1.0 finalization efforts
* Address HAIP normative requirements and clarifications
* Prepare for next revision publications
* Monitor interoperability test suite development
Meeting Adjourned
On Jul 24, 2025, at 06:49, Joseph Heenan via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
Hi all
Proposed agenda for the EU friendly call in ~1 hour time on the usual zoom, https://zoom.us/j/94085567252?pwd=cHNFMExFalhlM2MrOFhoN3J6eDRuZz09
1. Code of conduct / Antitrust policy / IPR policy: https://openid.net/wp-content/uploads/2025/06/OIDF_Groups-Activities-Events-Note-Well_Final_2025-06-12.pdf
2. Note-taking
3. Introductions
4. Agenda bashing
5. Events
   * IETF Madrid 21st-25th July
6. General updates
   * 16th July VCI interop test initial results (to be done at end of call when Gail joins)
   * Conformance test updates
7. OID4VCI 1.0 PRs, in particular:
   * Presentation During Issuance - https://github.com/openid/OpenID4VCI/pull/509
   * Please review some of the editorial PRs: https://github.com/openid/OpenID4VCI/pulls
8. HAIP PRs
   * Mandating nbf claim https://github.com/openid/oid4vc-haip/pull/165
9. HAIP open issues
   * Ephemeral encryption keys required? https://github.com/openid/oid4vc-haip/issues/194
   * Allowing cross device flows? https://github.com/openid/oid4vc-haip/issues/98
   * Make iat in SD-JWT selectively disclosable? https://github.com/openid/oid4vc-haip/issues/29
If anyone has any specific topics they’d like to cover please reply to this email or ask at the start of the call.
Thanks
Joseph