[Openid-dcp] DCP WG + SIOP Call (EU) - Meeting Minutes

Jan Vereecken jan.vereecken at meeco.me
Thu Jul 31 16:20:00 UTC 2025 

Hi All,

Please find the minutes from the EU friendly call below.

Regards,
Jan

--

## Attendees

- Kristina Yasuda
- Ryan Galluzzo
- Michael Jones
- Christian Bormann
- Joseph Heenan
- Filip Skokan
- Lee Campbell
- Daniel Fett
- Andreea Prian
- Oliver Terbu
- Gareth Oliver
- Rajvardhan Deshmukh
- Gail Hodges
- Martijn
- Hicham Lozi
- Jan Vereecken

## Meeting Minutes

Updates ISO/IETF/..

•     Client attestation draft progressing well
•     Token status list progressing well
•     SD-JWT DID discussion resolved, will likely proceed without significant text for DID
•     JOSE HPKE, further changes desired, likely to have breaking changes
•     ISO meeting, shared latest draft of HAIP, more discussion around APU/APV
•     VCI under public review


Merge Deferred Credential Endpoint text into Credential Endpoint
https://github.com/openid/OpenID4VCI/pull/583

Waiting for reviews


timestamp fo the batch issued credentials
https://github.com/openid/OpenID4VCI/issues/592

Agree to add it as a privacy consideration. Make it credential format agnostic.
MUST too strong, rather use SHOULD
Suggests to add it to section 15.4.1

Kristina to create a PR


origin value to use for IAR requests is unclear for mdoc presentation / for w3c vc
https://github.com/openid/OpenID4VCI/issues/590

WG agrees this needs to be tackled
- Agreement to not prefix expected origins (only `aud` uses prefix). Desire to make it work / describe it exactly the same as in DC API.
- Specify domain values for W3C in format specific section
- Agreement to move text about audience

Oliver to create a PR


Extension point to support other key attestation formats?
https://github.com/openid/OpenID4VCI/issues/577

WG agrees it’s not an issue and to close it.


Adds the ability to continue after redirect\_to\_web interaction on IAE
https://github.com/openid/OpenID4VCI/pull/589

Daniel introduces the PR and some of the (security) considerations

Tobias to make changes following on Daniel’s comments.
Joseph to also review.

Tobias to answer if this is absolutely required for 1.0

Daniel, Christian do mention that this is something where more security research could be warranted.
Daniel requests 1 extra review from a person with a security background (specifically web security), external to the group would be good to validate the approach.


Add security considerations around retrieval of jwks (and possibly server usage as a whole)
https://github.com/openid/OpenID4VCI/issues/539

Gareth to create a PR


add example for signed request to IAR endpoint
https://github.com/openid/OpenID4VCI/issues/579

Related to presentation during issuance.

Joseph to create a PR


Authorization Server and Credential Issuer must support metadata
https://github.com/openid/oid4vc-haip/pull/208

WG agrees to merge the changes
Oliver to review


Reconsider adding ISO mdoc profile for OID4VCI
https://github.com/openid/oid4vc-haip/issues/221

Discussion to restructure OpenID4VP section and including general requirements and then credential format specific sections.

Oliver brings up the current spec mandates the support of SD-JWT VC for issuers, but would like to see this changes to and/or ISO mdoc

Oliver to create a PR


Wallets must support the pre-auth flow
https://github.com/openid/oid4vc-haip/issues/227

Lee elaborates that there are current flows (e.g. payment) where the user is already authenticated and the idea is to not add extra authentication.

WG understands this is a relevant use case and solutions for it need to be discussed further.



[Meeco]<https://www.meeco.me/>

Jan Vereecken, Chief Product Officer, Meeco
+32 473 93 61 03  |  jan.vereecken at meeco.me<mailto:jan.vereecken at meeco.me>
twitter/x: @janvereecken<https://twitter.com/janvereecken>   |  linkedin: janvereecken<http://www.linkedin.com/in/janvereecken>


Discover Meeco at meeco.me<https://www.meeco.me/> or read our blog, case studies, and industry reports on our Insights<https://www.meeco.me/insights> page.
We are on LinkedIn @meeco_me<https://www.linkedin.com/company/meeco-me/mycompany/> and X @meeco_me<https://twitter.com/meeco_me>

This email is confidential and may contain legally privileged information. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this email in error, please notify us immediately by return email and delete the document.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20250731/619331de/attachment-0001.htm>

More information about the Openid-specs-digital-credentials-protocols mailing list