[Openid-dcp] 08/12 DCP WG Notes

Gareth Oliver gco at google.com
Tue Aug 12 20:02:52 UTC 2025


Attendees

Gareth Oliver

Joseph Heenan (OIDF & Authlete)

Tom Jones

Lee Campbell

Brian Campbell

Christian Bormann

Martijn

Paul Bastian

Jan Vereecken

Tobias Looker (MATTR)

Michael Jones

Rajvardhan Deshmukh (Cisco)

Robert - Mastercard

Oliver Terbu

Bjorn Hjelm

Notes

   - IIW dates changed, DCP WG hybrid meetings changed to match.
   - VCI spec under current review
   - Suggestion to push vote announcement till Friday
   - EU friendly call extended to 2 hours
   - PR 614
      - Adds an additional error code: ‘missing_interaction_type’
   - PR 605
      - Discussion if it should be recommended
      - Considered a bit vague
      - Should we be more explicit about what the server can and can’t
        understand?
      - Was intended as architectural advice.
      - Should we be more explicit about exactly what we can and can’t send
        to it and the consequences when we compromise it.
      - There are cases where a server may be more trusted than the client.
      - Conclusion is to update it to be specific about access to the
        credential request/response.
   - PR 602
      - Problem that expected_origins are URLs.
      - Could just use origins, might be fine, might be not fine
      - Alternative is to add an additional expected_urls
      - Could also remove it, but we say build and validate the request in DC
        API which would cause problems.
      - Provides some form of active auth (as the Wallet can detect)
      - Prevents showing the wrong information to wallet (even if unusable)
      - Conclusion: to add a new parameter for expected_urls
      - Switch prefix to iae for consistency.
   - PR #589
      - Found several things
      - 1) Don’t include IAR at all
      - 2) Go with what we have
      - 3) Go with full set
      - Current approach is (3)
      - The high level reason is to authenticate the user then follow-on with
        a native authorization.
   - PR #615
      - Add metadata about whether IAE is required
      - Could you just omit the AR url
      - There is some extra nuance: the endpoint might be doing other things
        so the metadata value has some value.
      - It only applies for credential issuance
      - Enables the use of generalized Authorization Servers.
   - PR #583
      - Would be cleaner if we merged them.
      - Planning to close
      - Open a PR to normalize what is returned from Deferred Credential
        Endpoint
   - PR #617
      - Lots of approvals so will merge

Been through all the PRs!