[Openid-dcp] DCP WG + SIOP Call ( America ) : Meeting Minutes: 22 July 2025

Lenah Chacha lenah.chacha at gmail.com
Mon Jul 28 16:05:58 UTC 2025


Hello all,

Please find minutes below:
---------------------------



Events:

-       ETF Madrid happening next week

VCI interoperability updates from Gail Hodges

-       The event happened on 21 July 2025

-       VCI tested draft 16 as interop number 3 – Preliminary results show
63 passed tests, 32 known identifiable issues, and 1 new issue

-       Gail also asked members to look out for an email with the preliminary
results sent out on the previous day; another update would come on 25 July 2025

-       Security Analysis done by for openVP4VCI 1.0

o   The report needs to be sent to the working group for review and discussion

o   Gail asked members to raise any concerns in the report - this
assessment did not cover DC API

-       The goal of this analysis is to study the security of the OpenID
for Verifiable Presentations (OID4VP) [OID4VP] specification when used over
the Digital Credentials API (DC API) [2]. More specifically, on a very high
level, we aim to prove that using OID4VP over the DC API fulfills a basic
“claims unforgeability” property, i.e., an attacker cannot convince an
honest verifier to have the properties/claims asserted by an honest issuer
for an honest user in a credential issued to an honest wallet.

-       Issues in PRs

-       The underlying WIM (Web Infrastructure Model) methodology has
been successfully used on various Web protocols in the past, uncovering
previously unknown attacks and often resulting in new standards to mitigate
them. Many of these protocols are at least somewhat related to OIDF
standards, for example: OAuth 2.0 [5, 11], OpenID Connect [5, 12], OpenID
FAPI 1.0 [6], OpenID FAPI 2.0 [15], and Mozilla’s BrowserID [8, 9]. One of
the key strengths of the WIM methodology lies in identifying errors on the
protocol specification level – i.e., a WIM analysis usually assumes that a
protocol specification has been implemented correctly w.r.t. the
specification(s) and excludes attack vectors like Cross-Site Scripting or
vulnerabilities in cryptographic primitives and their implementation (e.g.,
side-channel attacks), as such attacks are usually outside the scope of
protocol specifications.

Calls earlier in the day:

-       Group received some comments during review; as a reminder, the group
cannot take comments in the review period

-       Some PRs open only editorial.

Reviews done today : OpenID4VCI

-       PR#572 : Reviewed, Lenah to do PR review

-       Issue #211 : To be reviewed later

-       Issue #178 : comments made unblocking issue 160, Oliver Terbu to
review

-       Issue 160 : comments and PR to be done by Christian (needs someone
who understands trust lists very well)

-       Issue #199 : comment added and moved to 1.0, Continue working but
HPKE needs working with most likely PQE

o   HPKE and apu/apv values - suggestion given: tell ISO that this working
group will not be working on it in v1.0.

o   Co-Chair to check on tracker for ISO meetings and come back to WG

-       Issue #15 : Closed, POST mode was added in v1.0

-       Issue #179 : Discussed and tagged pending close

-       Issue #88 : No wide support to mandate OpenID Foundation. Current
direction is to start with x509 hash

*Lenah *