[Openid-dcp] DCP WG APAC 2nd October 2025 Meeting Notes

Stefan Charsley charsleysa at gmail.com
Thu Oct 2 08:17:31 UTC 2025 

DCP WG APAC 2nd October 2025
Attendees

Martijn Haring

Kenichi Nakamura

Joseph Heenan

Klaus Roehrle

Stefan Charsley

Hiroyuki Sano

Updates

post-IIW event at google, register at
https://dcpwg_iiw_24oct25.eventbrite.co.uk/

Hope to start HAIP public review on tuesday next week

General

   -

   Martijn: discussion about prioritization should happen as it doesn’t
   sound like things will be quiet after Oct/Nov
   -

   Joseph: we do need to figure out prioritization, maybe discuss at
   pre/post IIW meetings


HAIP

fix: update crypto suites to require at least ECDSA w/ P-256 and SHA-256
#295 <https://github.com/openid/OpenID4VC-HAIP/pull/295>

   -

   Martijn: the last sentence where it says ecosystems can specify
   alternative crypto suites seems too much
   -

   Joseph: need to double check, might just be a typo
   -

   Stefan: would the wallet be required to support P-256 for the holder key?
   -

   Martijn: no requirement, the reason is that mandating a wallet where the
   hardware doesn’t support it would just make the wallet non-compliant
   without possibility to make it compliant


remove intent to retain related text #294
<https://github.com/openid/OpenID4VC-HAIP/pull/294>

   -

   Stefan: would this conflict with ISO requirement making intent to retain
   mandatory?
   -

   Joseph: further discussion in ISO WG required, however it shouldn’t
   conflict


enforce same device flow for redirect-based OpenID4VP #293
<https://github.com/openid/OpenID4VC-HAIP/pull/293>

   -

   Martijn: is RP session binding mandatory for OIDC? My understanding is
   mandatory to do session binding
   -

   Joseph: would have to check normative clauses
   -

   Martijn: if you can do session binding, then cross device flow should be
   fine. Requiring session binding for cross device but not same device is
   weird.
   -

   Joseph: thinking about my comment more, session transfer should be the
   way to go with OpenID4VP flow triggered after session transfer
   -

   Stefan: would still like consideration of in-person cross device flow,
   e.g. age assurance at a retail store. Session transfer could make a
   negative UX impact
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20251002/b1fb76bd/attachment-0001.htm>

More information about the Openid-specs-digital-credentials-protocols mailing list