[Openid-dcp] Notes from 16. Sep 2025

Paul Bastian paul.bastian at posteo.de
Tue Sep 16 20:13:33 UTC 2025


meeting notes for 16. September 2025

Attendees:
- Torsten Lodderstedt
- Joseph Heenan
- Kristina Yasuda
- Gail Hodges
- Lee Campbell
- Garreth Oliver
- Paul Bastian
- Bjorn Helm
- Brian Campbell
- Christian Bormann
- Daniel Fett
- Hicham Lozi
- Lenah Chacha
- Martijn
- Nate Hardt
- Oliver Terbu
- Peter Sorotokin
- Rajcardhan Deshmukh
- Tim Capalli
- Robert Gallagher

Notes:
- VCI 1.0 vote was successful
   - Authors suggest to add Paul as co-author
   - no objections and support -> will add him
- looking into HAIP issues
- #233: clarify text about intent_to_retain
   - Lee is arguing to keep it optional, not every feature from -5 needs to be mirrored into online openid4vp
   - changing the default value to false might have impacts for existing implementations
   - this leaves us with 3 options:
     - defining the default value as false in HAIP, without any changes in openid4vp
     - keep it optional in HAIP. if it is not present, behavior is undefined.
     - mandate it in HAIP
- #252: prohibit self-signed certificates for x509_hash
   - Oliver to apply the changes to prohibit self-signed certificates for x5c headers
- #217: Modified Wording for Key Attestation
   - Torsten believes Christian's proposal should be good to clear Martijn's objections that the privacy consideration section is too limiting
   - Martijn agrees, suggestion merged
   - re-reviews requested, merging with 1-2 new approvals
- #231: What does high assurance mean?
   - Torsten to apply changes from latest discussions
   - PR still has zero approvals -> reviews needed!
- #266: separate custom schemes
   - remove haip:// with haip-vci:// and haip-vp://
   - MUST changes to MAY, as e.g. custom schemes may be difficult with companion devices (see also #248)
   - but this also means there is no mechanism in HAIP that will always get Credential Offer and OpenID4VP Request into the wallet
     - profiles of HAIP would need to mandate wallet invocation mechanism
   - wallet has a right not to accept credential offers for non-tech reasons
- #258 ETSI Spec
   - Torsten dug into the spec, showing various issues
   - the profile doesn't point to HAIP yet
- #265 Add Ecosystem Considerations/extension points annex
   - this gives for example ETSI the ideas where to profile HAIP
   - e.g. wallet invocation, key attestation, ...
- #211 allow use of other wallet attestations format?
   - Torsten and Paul arguing to mandate wallet attestation as defined in Annex E of VCI
   - Martijn questioning why this couldn't be done differently
   - Christian agreeing that interoperable wallet attestations make sense, Paul arguing with what is possible with today's technology
   - Torsten asks what other mechanisms are available? adding that client authentication on OAuth is already an extension point
   - questions for alternative to annex E? no examples seem present today
   - for Martijn it's not clear enough yet, what the wallet attestation is attesting to
- other big remaining topic is #112 mandatory to implement crypto suites

Best,
Paul


