[Openid-dcp] HAIP draft 04 published

Joseph Heenan joseph at authlete.com
Fri Sep 19 11:44:08 UTC 2025


Hi all

Draft 04 of HAIP has been published:

https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-1_0-04.html

The reason for publishing this is it’s been quite a while since we last published a numbered draft and there’s a desire to have a link pointing to a stable version that external orgs can use.

Change log is:

update etsi tl and DC API references
update VP & VCI references to be to 1.0 Final
add separate custom url schemes for issuance and presentation to replace the haip:// scheme
support for haip-vp:// and haip-vci:// custom url schemes is now an ecosystem decision
allow ecosystems the option to use key attestations other than those defined in Annex D of [OIDF.OID4VCI] in some cases
clarify nonce endpoint must be present when cryptographic_binding_methods_supported is
remove various requirements around claims present in SD-JWT VC as upstream spec covers them
require ephemeral encryption keys in VP
add note that lower assurance credentials can also be conveyed using this profile
add note on verifier certificate profiling
added support for credentials without cryptographic holder binding
mandate support for aki trusted_authorities method
remove presentation exchange reference since it was removed in openid4vp
Authorization Server and Credential Issuer must support metadata
x509_san_dns & verifier_attestations client id prefixes are no longer permitted, x509_hash must be used
x.509 certificates are now the mandatory mechanism for SD-JWT VC issuer key resolution
x5c header in Status List Token must be present
clarify that Wallet Attestations must not contain linkable information.
add signed Issuer Metadata
require key attestation for OpenID4VCI
clarify text regarding mdoc specific parameters
add small note that establishing trust in and retrieving root certs is out of scope
update wording from Client Identifier Scheme to Client Identifier Prefix #182
fix reference to ARF #177
remove old link in section 8 & clarify a note on claim based binding in OpenID4VP in HAIP #183
Clarify clause 4.1 statement #169
add a list of all specifications being profiled #145
say something about DPoP nonces
refactor to separate generic and SD-JWT clauses
add support for ISO mdoc issuance
add support for ISO mdoc when using redirect-based OID4VP
remove requirement to support batch endpoint (it was removed from OID4VP)
remove SIOPv2 (webauthn is now the recommended way to handle pseudonymous login)
prohibit self-signed certificates for signing with x509_hash
trust anchor certificates must not be included in x5c headers


Thanks

Joseph
