[Openid-dcp] DCP WG EU call agenda

Jin Wen jin.wen at hisgarden.org
Fri Aug 15 01:28:53 UTC 2025 

OpenID Foundation Digital Credentials Working Group EU Friendly Call

Date: August 14, 2025, 07:58 UTC
Duration: Extended to 2 hours

Attendees

Joseph Heenan (Chair), Robert Gallagher, Oliver Terbu, Christian Bormann, Gareth Oliver, Kristina Yasuda, Bjorn Hjelm, Daniel Fett, George Fletcher, Hiroyuki Sano, Lee Campbell, Michael Jones, Patrick Amrein, Paul Bastian, Peter Sorotokin, Rajvardhan Deshmukh, Martijn Haring, Tim Cappalli and Jin Wen

1. Opening and Formalities

-

Meeting started 5 minutes late due to missing expected attendees

-

Code of Conduct Reminder: OpenID Foundation Code of Conduct, Antitrust Policy, and IPR Policy apply

-

Note Taking: Jin Wen volunteered to take meeting notes

-

Agenda: Sent out one hour prior to the meeting

2. Event Updates

IIW Date Changes

-

IIW dates reverted to original schedule: October 21-23, 2025

-

DCP WG hybrid meetings rescheduled for:

-

Monday morning, October 20th (day before IIW)

-

Friday morning, October 24th (day after IIW)

-

Locations to be confirmed within usual area

-

General OpenID Foundation workshop on Monday afternoon as usual

Call Extensions

-

Today's call extended to 2 hours

-

Proposed extension for Thursday EU call on August 28th to 2 hours for HAIP discussions

3. VCI 1.0 Major Decisions

Interactive Authorization Endpoint (IAE) Status

-

Vote announcement delayed from today to Friday due to ongoing technical issues

-

Key Security Issue: Mixup attack vulnerability identified on IAE affecting all interaction types - see[issue#595](https://github.com/openid/OpenID4VCI/issues/595)

Technical Discussion Summary

-

Wallet attestations provide protection against the attack when present

-

ISS parameter recommended as additional mitigation, particularly for redirect-to-web flows

-

Current VCI security text already covers FAPI requirements including ISS parameter usage

Major Decision: Remove IAE from VCI 1.0

Consensus reached to remove Interactive Authorization Endpoint from VCI 1.0 due to:

-

Multiple unresolved technical issues emerging

-

Insufficient time for proper review and testing

-

Concerns about rushing normative changes

Next Steps for IAE:

-

Continue development for VCI 1.1 or separate specification

-

Maintain implementation feedback mechanism during 1.0 voting period

-

Consider separate draft or feature branch for ongoing work

4. Pull Request Reviews

VCI PRs Approved for Merge

-

Acknowledgments update -[issue#622](https://github.com/openid/OpenID4VCI/issues/622) - Added missing contributors including Lee, Stefan, Thomas, Raj, Martin, and others

-

Wallet attestation validation -[issue#625](https://github.com/openid/OpenID4VCI/issues/625) - Clarified trust validation requirements

-

Client ID terminology -[issue#626](https://github.com/openid/OpenID4VCI/issues/626) - Clarified wallet attestation 'sub' field

-

Authorization details -[issue#630](https://github.com/openid/OpenID4VCI/issues/630) - Clarified requirements when scope is absent

-

Deferred credential response -[issue#631](https://github.com/openid/OpenID4VCI/issues/631) - Unified response format with credential endpoint

Terminology Alignment Discussion

-

Debate: "holder binding" vs "key binding" terminology between VP and VCI specs

-

Resolution: Align terminology with preference for "cryptographic key binding"

-

Separate PR planned for comprehensive terminology updates - see[issue#621](https://github.com/openid/OpenID4VCI/issues/621)

5. HAIP (High Assurance Interoperability Profile) Updates

PRs Under Review

-

[issue#222](https://github.com/openid/OpenID4VC-HAIP/pull/222) - Required ephemeral encryption keys - Multiple PRs ready for merge pending additional approvals

-

[issue#219](https://github.com/openid/OpenID4VC-HAIP/pull/219) - Require c_nonce for key bound creds - Focus on encryption requirements and attestation specifications,

-

[issue#214](https://github.com/openid/OpenID4VC-HAIP/pull/214) - Require use of (most of) FAPI2 with VCI, Oliver agreed to review

-

[issue#217](https://github.com/openid/OpenID4VC-HAIP/pull/217) - Modified Wording for Key Attestations - Key attestations PR approved for non-VCI format support, Martijn Haring agreed to review

-

[issue#216](https://github.com/openid/OpenID4VC-HAIP/pull/216) - Remove now incorrect sentence about iss in SD-JWT VC

-

[issue#210](https://github.com/openid/OpenID4VC-HAIP/pull/210) - Added support for credentials without cryptographic holder binding, Paul agreed to review

-

[issue#165](https://github.com/openid/OpenID4VC-HAIP/pull/165) - Add nbf claim, with the following outcome:

-

Discussion on timestamp randomization requirements

-

Agreement to strengthen privacy recommendations to requirements

-

Consensus to remove outdated validation tables where superseded by SD-JWT VC

6. Timeline and Next Steps

Immediate Actions

-

Remove IAE from VCI 1.0 via PR to be merged by Friday

-

Publish vote announcement for VCI 1.0 without IAE

-

Merge approved PRs for editorial and non-controversial changes

Ongoing Work

-

Continue IAE development for 1.1 or separate specification

-

Process remaining HAIP PRs with working group reviews

-

Plan implementation feedback mechanisms during voting period

7. Future Meetings

-

Next Thursday call (August 28) proposed for 2-hour extension

-

Hybrid meetings at IIW in October (dates and locations TBC)

-

Continue regular working group schedule

8. Closing

Meeting concluded after productive 2-hour session with significant progress on VCI 1.0 timeline and technical decisions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20250815/5ded608d/attachment-0001.htm>

More information about the Openid-specs-digital-credentials-protocols mailing list