[Openid-dcp] Notes from 9th Sept 2025 call

Rajvardhan Deshmukh (rajvdesh) rajvdesh at cisco.com
Tue Sep 9 20:18:36 UTC 2025 

Hi Folks,

Below are the minutes from today's meeting.

## Attendees

Rajvardhan Deshmukh
Kristina Yasuda
Joseph Heenan
Oliver Terbu
Tobias
Ryan Galluzzo
Christian Bormann
Brian
Gareth
Gail Hodges
Tim Cappalli

## Announcements and general updates:

https://www.eventbrite.co.uk/e/oidf-dcp-wg-mtg-prior-to-iiw-mon-20-oct-2025-cisco-san-jose-ca-tickets-1661413736209?aff=oddtdtcreator
Need help with the Friday venue.

Please vote on VCI if you haven’t yet & are an OIDF member - we didn’t reach quorum yet: https://openid.net/foundation/members/polls/376 https://openid.net/notice-of-vote-openid-for-verifiable-credential-issuance-1-0-final-specification/ Deadline Sep 15th

Western Balkan states (Albania, Bosnia and H, Kosovo, Montenegro, North Macedonia, Serbia) are working towards full participation in EUDIW by Dec 2027.
OIDF is looking at options to support this sub-region, do any WG members have personal or professional expertise in this region? If so let Gail know gail at oidf.org

## Discussions:

https://github.com/openid/OpenID4VCI/pull/648 will merge as part of the preparation for the final 1.0 publication, given more than 3 approvals

https://github.com/openid/OpenID4VCI/pull/649 will merge as part of the preparation for the final 1.0 publication, given more than 3 approvals

https://github.com/openid/OpenID4VC-HAIP/issues/240
Oliver and Tobias raised security consideration about using custom url schemes, as malicious applications can claim to support that custom url scheme. This is applicable for VCI and VP.
wg discussion:
- For both VP and VCI (Credential Offer), define separate custom url scheme value that stands for compliance to the requirements in HAIP. Whether support for that scheme is mandatory or not is up to the ecosystem/etc. claimed urls are a (recommended) alternative. And maybe point to the security concerns of custom schemes that are already documented in other places.

https://github.com/openid/OpenID4VC-HAIP/issues/233 define intent_to_retain only for mdoc in haip so that iso can point to it and ISO don't have to have a separate discussion about it.
wg discussion:
- will clarify with ISO what is their understanding of the "agreement"
- one option might be to have an mDL specific annex in haip where intent_to_retain in mandated? or mandate it only for mdocs?

https://github.com/openid/OpenID4VC-HAIP/issues/239
wg discussion:
- conditional to wg agreeing to use custom schemes for credential offer and presentation, it is reasonable to separate values used for issuance and presentation. haip-vp:// and haip-vci:// or something? (feel free to suggest alternatives)

https://github.com/openid/OpenID4VC-HAIP/issues/193
there is no such things as "haip compliant", but there is such a thing that compliant to one or more of the flows (VP without dc api, VP with dc api, or VCI) with one of the credential formats (sd-jwt vc or mdoc) defined in HAIP. Suggestions have been listed in the issue comments.

https://github.com/openid/OpenID4VC-HAIP/issues/112
wg discussion:
- in cases where there are existing requirements on crypto suites (like ISO 18013-5) mandating specific set of signing curves, probably worth adding a sentence that allows/encourages compliance with those on top of what HAIP requires.
- also. in cases where there are existing requirements on MACing the credential on top of digital signatures (like ISO 18013-5), probably worth adding a sentence that allows/encourages compliance with those on top of what HAIP requires.
- on top of a general statement on the ecosystems defining their crypto requirements, have an annex or something that gives specific examples like 18013-5. new issue will be opened on this

https://github.com/openid/OpenID4VC-HAIP/pull/252 The X.509 certificate of the trust anchor MUST NOT be included in the x5c JOSE header of the signed request. has already been in the spec before but got lost. Oliver might create another PR to just get this specific part in as it was approved in the past.

Thanks,
Raj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20250909/1ee140b7/attachment-0001.htm>

More information about the Openid-specs-digital-credentials-protocols mailing list