[Openid-dcp] 7th August APAC DCP WG Notes
Andres Olave
andres.olave at velocitycareerlabs.com
Wed Aug 13 08:56:18 UTC 2025
Apologies for the delay in sharing the notes.
Attendees:
--------------------
Joseph Heenan
Daniel Florescu
Hiroyuki Sano
Martijn Haring
Nat Sakimura
Oliver Terbu
Stefan Charsley
Kenichi Nakamura
Events
--------------------
OpenID4VCI is under public review. IAR has been added. Voting will start soon.
General Updates
--------------------
HAIP has moved repo.
Martijn: How much time till the PRs are in? Joseph: The aim is for them to have 1 week of stability.
OID4VCI PRs
--------------------
#605
Nat: Advisable NOT to use capitalization to indicate normative language, since not all languages have capitalization (as in ISO).
#603
Link to the security analysis. Looking for 3 approvals to get the non-normative changes in.
#602
How to bind the IAE was added for SD-JWTs; it needs to be added for the other formats. The binding methods apply during the presentation.
Doesn't change anything normatively for SD-JWT; adds material for presentations of mdoc (via the mdoc) and W3C credential formats.
#601
Adds more realism to wallet attestations for OAuth client auth.
#600
Adds an example of metadata with IAE support.
#599
More editorial changes for IAE.
#596
Clarifies the use of scope and authorization details: if scope is absent then you must use authorization details.
#594
Time-related information needs to be sanitized.
#589
Adds redirect_to_web to IAE: the normal thing where the website can ask the user questions. After the user completes it, the issuer can ask to go to IAE again. Discussion on whether to put it into 1.0 or not; if the PR is ready it will be good to put it in. Normally an authorization `code` is returned, but the roles here are non-traditional, so some deviation is necessary. Normally the AS would return a code and the wallet would exchange it for an access token. Currently the auth_session_id is returned. It seems better that this would be a new value, so that it is not predictable and mirrors how the auth code works in existing OAuth flows, which matches the existing security analysis.
Oliver: Doesn't PKCE sort that out?
Joseph: Need to see if there is security analysis around it.
Stefan: The auth session parameter could be fresh.
Oliver: Has a "feeling" that after the wallet sends OpenID4VP, the IAE could return another interaction. In those cases you'd need to generate a new auth session, and then add it to the specific interaction request.
Joseph: Concerned about use of stale session values.
Stefan: If the auth session value differs then the IAE should be aborted. There is an inconsistency; will raise an issue.
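The point raised under #589 (return a fresh, unpredictable, single-use value rather than echoing the auth_session_id, verify PKCE, and abort when the session value differs), as an added illustration that is not from the OpenID4VCI/IAE specs or from this thread. The function and field names and the in-memory store are assumptions for the demo.

```python
# Added illustration for the #589 discussion: the AS mints a fresh code bound
# to the auth session and the PKCE challenge, and redemption aborts on a stale
# or mismatched session value, a reused code, or a bad code_verifier.
# Names and the in-memory store are assumptions, not spec definitions.
import base64
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 60
_codes: dict[str, dict] = {}  # code -> {session, challenge, expires, used}


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(auth_session_id: str, code_challenge: str, now=None) -> str:
    """Mint a fresh 256-bit code instead of returning the auth_session_id."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)  # unpredictable, like an OAuth auth code
    _codes[code] = {"session": auth_session_id, "challenge": code_challenge,
                    "expires": now + CODE_TTL_SECONDS, "used": False}
    return code


def redeem_code(code: str, auth_session_id: str, code_verifier: str, now=None) -> dict:
    """Exchange the code for a token; raise ValueError to abort the interaction."""
    now = time.time() if now is None else now
    entry = _codes.get(code)
    if entry is None:
        raise ValueError("unknown code")
    if entry["used"] or now > entry["expires"]:
        _codes.pop(code, None)
        raise ValueError("code expired or already used")
    # A differing (stale) auth session value means the IAE must be aborted.
    if not secrets.compare_digest(entry["session"], auth_session_id):
        _codes.pop(code, None)
        raise ValueError("auth session mismatch; aborting interaction")
    if not secrets.compare_digest(entry["challenge"], s256_challenge(code_verifier)):
        _codes.pop(code, None)
        raise ValueError("PKCE verification failed")
    entry["used"] = True  # single use
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```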
#583
Merge the credential endpoint definitions. Stefan and Andres will take a look.
OID4VCI Issues
--------------------
IAR Endpoint
* Security: possible mix-up attack
* Client auth is required on the IAR endpoint
Appendix E discussion
The wallet attestation text is not clear enough for the client to understand: a key that MUST be trusted by an issuer.
For a server-based model this is OK, but it is an issue for people wanting wallet applications on phones/watches.
Martijn: For HAIP, client auth is profiled and required, so the above issue is a problem.
Nat: Should be fixed in VCI; attestations then say nothing about the application, since it's server-based wallets.
Stefan: Not sure it needs to be specified at all; leave it to the ecosystem.
Joseph: An OAuth client should not choose its own. We don't have a client_id schema mechanism, so you could end up with two wallets choosing the same thing.
Who can pick the client_id? It seems to assume the client_ids are pre-chosen. The issuer AS issues client_ids.
Stefan: Trust should be in the ecosystem.
Joseph: Wallets use the same client_id but use their own keys, and my backend deals with it. HAIP says to use an x5c, which means that each issuer needs to recognise them.
This is only a problem if it's mandated in HAIP. Sounds like an interop problem.
Martijn doesn't think it's a huge issue; it probably needs more details added, and then it's a general structure.
HAIP PRs
Need more approvals on PRs tagged "needs-reviews".
HAIP Issues
Andres Olave
CTO
Velocity Career Labs