[Openid-dcp] Notes from 'EU friendly call' on September 11th
Klaus.Roehrle at sony.com
Thu Sep 11 17:27:36 UTC 2025
Hello,
please find below the meeting minutes from today's call:
Attendees
* Joseph Heenan
* Oliver Terbu
* Lukasz Jaromin
* Lee Campbell
* Brian Campbell
* Bjorn Hjelm
* Jan
* Lenah Chacha
* Oriol Canadés
* Kristina Yasuda
* Rajvardhan Deshmukh
* Klaus Roehrle
Events
Update from ISO mDL WG meeting
* Annex D discussions:
* "Clarification requested on whether HAIP requires the document to be signed using P256."
* "Consider what to do with HPKE, given reported exclusion from HAIP 1.0"
HPKE is deemed important by ISO. Possibility that HAIP is not usable for some parties if HPKE is not supported. HPKE mainly relevant for VP.
Proposal: HPKE to be included in a v1.1.
ISO would potentially wait and reference v1.1.
Next ISO meeting in November. HAIP v1.0 might be available until then.
* "Discuss where (HAIP or Annex D) to address certificate interoperability concerns"
* Annex B: Points to an outdated draft of OpenID4VP. Proposal to reference HAIP 5.1 in an updated Annex B or a new Annex E (deprecating Annex B).
* Overall positive discussions. Main issue is the missing support of HPKE in VP.
IIW
* Please register for pre-IIW DCP meeting: https://dcpwg-iiw-20oct25.eventbrite.co.uk/ and
OIDF workshop: https://oidf_workshop_iiw_fall2025.eventbrite.co.uk/
* Also register if attending remotely.
* Discount code for IIW available. Probably sent to official company representatives.
General updates
* VCI - voting is open until 15th September, please vote: https://openid.net/foundation/members/polls/376
Almost reached quorum, however further votes appreciated.
* EU email to OIDF / chairs: “It is important to note that alignment with the ARF is a key consideration when determining the eligibility of specifications to be referenced in the implementing acts. <…> The Commission therefore kindly encourages all SDOs to take the ARF into account when developing or updating their deliverables.”
Seems to be a generic message, sent to multiple organizations. Not sent because of a specific issue.
OID4VCI 1.0
* clarify PKCE session binding by Sakurann · Pull Request #649 · openid/OpenID4VCI · GitHub<https://github.com/openid/OpenID4VCI/pull/649>
No concerns raised. No objections to merge.
Closed.
* Clarification on x5c header in jwt proof type by tlodderstedt · Pull Request #648 · openid/OpenID4VCI · GitHub<https://github.com/openid/OpenID4VCI/pull/648>
Editorial updates around the x5c header. Already got 4 approvals.
No concerns raised. No objections to merge.
Closed.
OID4VP
* Default value for intent_to_retain: https://github.com/openid/OpenID4VP/issues/669
Relates to ISO where the field is mandatory.
Proposal: to define a default if the field is not present.
An opinion was raised that this might not be useful in online presentations. If missing, the verifier is not specifying if it will retain or not. This is a useful option which would not exist anymore when defining a default.
Might also get in conflict in the future with other mechanisms like purpose fields or signed usage policies.
Maybe re-discuss with ISO. No need to have parity in this point.
Any update would need to be part of an Errata.
Related discussion in HAIP: clarify text about intent_to_retain · Issue #233 · openid/OpenID4VC-HAIP<https://github.com/openid/OpenID4VC-HAIP/issues/233>
Lee to add a comment.
Re-discuss with ISO: Oliver/Bjoern to schedule a meeting with the ISO Annex D working group in the next one or two weeks, if possible.
HAIP PRs
* More feedback requested on https://github.com/openid/OpenID4VC-HAIP/pull/263
* https://github.com/openid/OpenID4VC-HAIP/pull/262/files
Adds text that ecosystems can require additional requirements in their certificate policies/profiles.
Already 3 approvals.
PR to be merged.
* clarify that ecosystems can define certificate profiles for x509_hash · Pull Request #253<https://github.com/openid/OpenID4VC-HAIP/pull/253>
Partly overlaps with #262.
To be updated based on new text after merging #262.
* https://github.com/openid/OpenID4VC-HAIP/pull/229
Need further reviews.
HAIP open issues for 1.0
* Usage of dpop_jkt · Issue #104 · openid/OpenID4VC-HAIP<https://github.com/openid/OpenID4VC-HAIP/issues/104>
Conclusion to not make any statement about dpop_jkt.
Closed.
* https://github.com/openid/OpenID4VC-HAIP/issues/112
Opinion raised to not introduce an mDL-specific annex in HAIP. Otherwise might need to define similar annexes for other mdoc formats as well. Any addition should apply at least to mdoc in general.
Oliver to check what ISO 23220 says.
* do we need to define key size? · Issue #39 · openid/OpenID4VC-HAIP<https://github.com/openid/OpenID4VC-HAIP/issues/39>
Key size often inferred by the algorithm.
Avoid any contradiction with ISO 18013-5 / 23220.
One option could be to add a security consideration, referencing NIST documents (SP 800-131A or SP 800-57) a
No participant felt that there is normative text needed on key size.
Ready for PR - however no volunteer in the call.
* mandate time related requirements? · Issue #242 · openid/OpenID4VC-HAIP<https://github.com/openid/OpenID4VC-HAIP/issues/242>
‘Should’ is currently used and deemed sufficient.
No further comment.
Closed.
* Add Ecosystem Considerations/extension points annex · Issue #265 · openid/OpenID4VC-HAIP<https://github.com/openid/OpenID4VC-HAIP/issues/265>
No comments from the group.
End of meeting: 6:30 CEST