[Openid-dcp] 07/29 DCP WG Notes
Gareth Oliver
gco at google.com
Wed Jul 30 13:43:00 UTC 2025
Attendees
Gareth Oliver
Torsten Lodderstedt
Joseph Heenan (OIDF & Authlete)
Gail Hodges
Steve Venema
Brian Campbell
Lee Cam
Christian Bormann
Daniel Fett
Oliver Terbu
Martijn
Oliver Terbu
Tobias Looker (MATTR)
Bjorn Hjelm
Discussion
- Heads up that FIDO is talking about notification endpoints/lifecycle management for DPCs (payment credentials)
  - How soon do we need it?
  - 1.1 is fine, but something that exists in prioritary
  - Suggestion post-IIW to talk about server-to-server in a dedicated call.
  - Suggestion using sec-events, no one has tried implementing this yet so needs more robustness.
  - This is 3 months, can we talk about it earlier?
  - Ideally yes
  - Some support to having a dedicated
  - Suggestion to work out some time in August.
  - Lifecycle management vs server to server?
  - Both?
  - Starting point is to establish a common reference model and objective for what ‘server to server’ means.
  - AI for Gareth to put together a first draft
- IIW
  - Likely to host a workshop on Monday afternoon
- JOSE HPKE
  - Need further changes before WGLC is done again and likely more breaking changes so advise against taking a reference.
  - Any dispute of the current plan of record?
  - There is an informative note in VP (nothing we can do to change that, but probably fine)
- VCI
  - Issuer metadata
    - Example added, request for an extra review (Gareth will take a look)
  - Deferred Credential Endpoint
    - Waiting for some reviews, to see if it is an improvement to implementors
    - Tobias will take a look when he gets a chance.
  - Grammar/Punctuation Fixes
    - Non-normative just looking for review
- HAIP
  - Key Attestations
    - What about interop
    - Either you mandate (which means HAIP is not always applicable) else, you need some interaction.
    - Missing the key attestation is a large gap
    - Should is not good enough because it doesn’t help with interoperability
    - There are existing formats, and transformation won’t meet the security requirements.
    - Suggest to match the conditional wording in 4.1
    - Wording of must depending on an ecosystem.
    - Suggestion to have a SHOULD that ecosystem turns into a MUST
    - Must be stronger than a SHOULD.
    - Should there be an ecosystem guidance section?
    - Maybe, but be good to start inline.
    - If writing guidance have to be complete (e.g. the privacy/security implications of a transformation)
  - Presentation of ISO mdocs over OpenID4VP
    - Ready for PR
  - Meaning of HAIP
    - (High Assurance that) Valid and bound to the holder
    - (High Assurance that) Actually presented by the holder
    - If HAIP supports credentials that are not key bound, is that high assurance?
    - Not necessarily, as you can do other means.
    - Suggestion is we need to achieve these two, but silent on the specifics of the holder authentication.
    - Torsten to do a PR of the proposal.