[Openid-dcp] Notes from 25th Sept EU friendly call

Joseph Heenan joseph at authlete.com
Thu Sep 25 17:29:13 UTC 2025


(Thanks to Akash Shah for taking these!)


## Notes
- **Pre-IIW Meeting Registration**
	- Google is hosting.
	- Registration links were shared in the chat:
		- Pre-IIW Meeting: https://dcpwg-iiw-20oct25.eventbrite.co.uk/
		- OIDF Workshop: https://oidf_workshop_iiw_fall2025.eventbrite.co.uk/
- **VCI Publication**
	- VCI 1.0 has been published.
	- To create version 1.1, the plan is to first publish version 1.0 into the repository to preserve the git history.
	- After that, a new pull request will be made to add the interactive authorization endpoint for version 1.1. This will be handled by the chairs and editors.
	- Please review it once it is made.
- **HAIP Issue / PR Discussions**
	- **Issue [98](https://github.com/openid/OpenID4VC-HAIP/issues/98)**:
		- The group discussed the security risks of cross-device flows (e.g., QR code flows) in a vanilla OpenID4VP implementation, as they are vulnerable to session fixation attacks.
		- While these flows are important, they are considered insecure for high-assurance use cases. The only real fix is a mechanism like the DC API, which is not yet widely available.
		- The wallet itself cannot distinguish the flow, so the requirement is on the verifier.
		- For lower-assurance use cases, this profile can still be used, but the security restrictions might be relaxed by the implementer.
		- Tobias is expected to create a PR, and Paul will incorporate the agreed-upon text.
		- See the issue comments for a summary of the discussion.
	- **PR [289](https://github.com/openid/OpenID4VC-HAIP/pull/289) / Issue [109](https://github.com/openid/OpenID4VC-HAIP/issues/109)**:
		- This discussion is about which revocation mechanisms to support for mdocs, as ISO 18013-5 rev 2 defines two: Status List and Identifier List.
		- Martijn explained that both mechanisms are very similar and were developed in conjunction with IETF editors.
		- Oliver suggested deferring to the ISO specification to avoid breaking future MDL implementations.
		- The PR is open
			- Please comment and review.
	- **Issue [233](https://github.com/openid/OpenID4VC-HAIP/issues/233)**:
		- A lengthy discussion was held on how to handle the `intent_to_retain` parameter when it is absent, as VCI 1.0 does not specify a default.
		- Changing the default now could have legal implications for existing implementations.
		- Discussion captured in the issue comments
			- Please review and add comments
	- **Issue [211](https://github.com/openid/OpenID4VC-HAIP/issues/211)**:
		- We should have separate but similar text to key attestation for wallet attestation.
		- Open Question: should we mandate it?
		- Open Question: define fields better for wallet attestation.
		- General consensus: client or wallet attestation is required for high assurance
		- Discussion captured in the issue comments
			- Please add comments
			- Need Martijn to elaborate on disagreement
## Action Items
- **Joseph Heenan**: Create two PRs for VCI 1.1:
    1. A PR to merge the unmodified 1.0 spec as the baseline for 1.1.
    2. A subsequent PR to add the interactive authorization endpoint.
- **All**: Review **PR 289** regarding mdoc revocation mechanisms and add comments.
- **All**: Add comments to **Issue 233** (`intent_to_retain`) to document the consensus that ecosystems can define default behavior for the absent parameter.
- **All**: Follow up on **Issue 211** (wallet attestation) on the next call or on GitHub.
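As an added illustration of the Issue 233 point (not code from the working group or from any OpenID4VC implementation): a wallet-side helper that walks the `claims` of an mso_mdoc DCQL credential query and, where a claim omits `intent_to_retain`, applies an ecosystem-configured default while recording that the value came from the default rather than from the verifier. The sample query is constructed for this example; the `ecosystem_default` parameter is an assumed configuration knob, not something the specifications define.

```python
"""Resolve the effective intent_to_retain for each requested mdoc claim."""
from typing import Any

# Constructed sample DCQL query in the OpenID4VP 1.0 shape for mso_mdoc.
# The birth_date claim deliberately omits intent_to_retain (the Issue 233 case).
SAMPLE_QUERY: dict[str, Any] = {
    "credentials": [
        {
            "id": "mdl",
            "format": "mso_mdoc",
            "meta": {"doctype_value": "org.iso.18013.5.1.mDL"},
            "claims": [
                {"path": ["org.iso.18013.5.1", "family_name"], "intent_to_retain": True},
                {"path": ["org.iso.18013.5.1", "birth_date"]},
                {"path": ["org.iso.18013.5.1", "portrait"], "intent_to_retain": False},
            ],
        }
    ]
}


def resolve_retention(query: dict[str, Any], ecosystem_default: bool) -> dict[str, tuple[bool, str]]:
    """Map "<credential id>:<namespace>/<element>" to (effective value, source).

    source is "explicit" when the verifier sent intent_to_retain, or
    "ecosystem_default" when the wallet had to fill the gap itself (assumed
    configuration; the specs leave the absent-parameter behaviour open).
    """
    resolved: dict[str, tuple[bool, str]] = {}
    for cred in query.get("credentials", []):
        if cred.get("format") != "mso_mdoc":
            continue  # intent_to_retain is only meaningful for mdoc claims
        for claim in cred.get("claims", []):
            key = f"{cred['id']}:{'/'.join(claim['path'])}"
            if "intent_to_retain" in claim:
                value = claim["intent_to_retain"]
                if not isinstance(value, bool):
                    # Reject malformed requests rather than guessing what was meant.
                    raise ValueError(f"intent_to_retain for {key} must be a boolean")
                resolved[key] = (value, "explicit")
            else:
                resolved[key] = (ecosystem_default, "ecosystem_default")
    return resolved


def retained_claims(query: dict[str, Any], ecosystem_default: bool) -> list[str]:
    """Claims the user should be told the verifier intends to retain."""
    return sorted(k for k, (v, _) in resolve_retention(query, ecosystem_default).items() if v)


if __name__ == "__main__":
    for default in (False, True):
        print(f"ecosystem default={default}: {retained_claims(SAMPLE_QUERY, default)}")
```

Surfacing the `source` alongside the value lets the consent screen distinguish "the verifier said it will retain this" from "our ecosystem assumes retention when the verifier is silent", which is exactly the distinction an implementer needs if the default is later changed.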

