[Openid-dcp] semantic gap in VP?

Daniel Hardman daniel.hardman at gmail.com
Fri Sep 19 14:04:05 UTC 2025


In some consulting work I'm doing for a government-focused use case of
OIDC4VP, I have been concerned that the current protocol definition sets
users up for a bad UX in certain cases. My questions to this group are:


1. Have I diagnosed accurately?
2. Do you have an appetite to plug the gap?

Here's the issue.

DCQL lets a verifier specify the type of credential they'd like to see,
along with an acceptable issuer and which credential fields they need to
see. If a user has only one credential that meets the criteria, then such a
query is unambiguous. However, if a user has more than one credential that
matches the profile, how can the user know which credential alternative
will make the verifier happy? They can guess, and send something to the
verifier that they think will be acceptable. The verifier can then apply
additional business logic that the user knows nothing about, leading to a
rejection. In such a case, the user won't understand why their submission
was rejected, since it satisfied all the criteria they knew about. Further,
the verifier won't know that the user actually *could* satisfy all the
criteria they have, because there's no way for the verifier to say
everything they actually want, and no way for the user to tell them that
they have several matches.

DCQL does allow query criteria that match a specific claim value ("I must
see a credential that shows that you live in a city named Berlin"), and that
kind of match can be ORed ("I must see a credential that shows that you
live in a city named Berlin or Hamburg or Munich"). This is a partial
workaround for the problem. However, it is impractical for use cases like
this:

   - Prove that you have a bank account with a credit limit greater than X.
   - Prove that you received a shipment of merchandise type X (supply chain
   handoff) less than 6 months ago.

The common characteristic of these use cases is that the user might have
more than one credential that satisfies most of the criteria, but the last
part of the criteria requires checking a range or a very large set that
can't simply be enumerated. As long as there's no way to express such
criteria in OIDC4VP, the user sees only a request like this:

   - Prove that you have a bank account
   - Prove that you received a shipment of merchandise type X

...and the verifier then rejects the proof for no reason the user can understand.

--Daniel Hardman, involved with identity in various contexts
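As an added illustration of the gap described above (this is not code from the post, the OpenID4VP specs, or any wallet implementation), the following Python sketch matches wallet credentials against the two DCQL constraints the post mentions, enumerated claim `values` and required claim paths, and then applies a verifier-side range rule that DCQL cannot express. Credential contents, issuer URLs and the `vct`/`path`/`values` query shape are constructed for the example and simplified (string path elements only).

```python
"""Wallet-side DCQL-style matching vs. a verifier's hidden range rule.

Constructed sample data; a simplified matcher, not a spec-complete DCQL
implementation. It shows why the wallet can end up with several
candidates while only one would satisfy the verifier.
"""

# Constructed wallet: two bank-account credentials from the same issuer
# that differ only in a claim the verifier will range-check.
WALLET = [
    {"vct": "BankAccount", "iss": "https://bank.example",
     "credit_limit": 5000, "currency": "EUR"},
    {"vct": "BankAccount", "iss": "https://bank.example",
     "credit_limit": 25000, "currency": "EUR"},
    {"vct": "Residence", "iss": "https://city.example",
     "address": {"locality": "Berlin"}},
]

# DCQL-style queries: each claim has a "path"; "values" enumerates the
# acceptable alternatives (ORed), as in the post's Berlin/Hamburg/Munich case.
BANK_QUERY = {"vct_values": ["BankAccount"],
              "claims": [{"path": ["credit_limit"]},
                         {"path": ["currency"], "values": ["EUR"]}]}
RESIDENCE_QUERY = {"vct_values": ["Residence"],
                   "claims": [{"path": ["address", "locality"],
                               "values": ["Berlin", "Hamburg", "Munich"]}]}


def resolve(path, doc):
    """Walk a claim path of string keys; None if any step is missing."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def dcql_matches(query, cred):
    """Everything the wallet can check: type, presence, enumerated values."""
    if cred.get("vct") not in query["vct_values"]:
        return False
    for claim in query["claims"]:
        value = resolve(claim["path"], cred)
        if value is None or ("values" in claim and value not in claim["values"]):
            return False
    return True


def wallet_candidates(query, wallet):
    """All credentials the wallet sees as satisfying the query."""
    return [c for c in wallet if dcql_matches(query, c)]


def verifier_accepts(cred, min_limit):
    """Business logic invisible to the wallet: a range on credit_limit."""
    return cred["credit_limit"] > min_limit
```

With `BANK_QUERY` the wallet finds two candidates and has no signal that only the second passes `verifier_accepts(..., 10000)`; with `RESIDENCE_QUERY` the enumerated values disambiguate, which is the partial workaround the post describes.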