[Openid-dcp] Notes from 7th Oct EU call
Joseph Heenan
joseph at authlete.com
Wed Oct 8 13:46:09 UTC 2025
Thanks to Peter Sorotokin for taking these notes!
Oct 7th, 2025 meeting
Participants:
Peter Sorotokin
Joseph Heenan
Kristina Yasuda
Torsten Lodderstedt
Daniel Fett
Paul Bastian
Martijn
Oliver Terbu
Dima Postnikov
Christian Bormann
Brian Campbell
Victor Lu
Michael Jones
David Waite
Tim Cappalli
hichamlozi
David Zeuthen
Bjorn Hjelm
Gareth Oliver
Last call discussion
start public review
https://dcpwg_iiw_24oct25.eventbrite.co.uk/
Get feedback from outside (public review)
Normative changes are harder to do during last call
HAIP PRs
#293 enforce same device flow for redirect-based OpenID4VP
Torsten: need to describe why, specify challenge, how to detect and guidelines to reject
Martijn: is there a session binding at all
Joseph: cross-device flow is allowed, for low-value stuff there is no reason to restrict
Torsten: HAIP is about mandating things, maybe cross-device is a different thing
Martijn: I was under impression that there is a mandatory check for session binding
if it is not mandatory, the rules should be clear and explicit
Kristina: why are we discussing if it is mandatory or optional
Martijn: I think it should be clear
Paul/Torsten: no session binding in cross-device, right?
Torsten: suggest mandating same device
Paul: can do secure cross-device with DC API
Oliver: should it be an ecosystem decision?
Kristina: for this PR (not DC API), any objection to make same device mandatory
Paul: Is it a verifier’s choice whether to implement cross-device?
Gareth: what do you do as a wallet? Different custom schemes? How does a wallet know what is supported?
Oliver: in ecosystem context you could have decision, based on trusted RPs, etc.
Martijn: if the check is not mandated by HAIP, not sure what it means in practice, how wallet can be certain what is implemented on verifier side; security checks do not seem like ecosystem choice
Joseph: clearly no agreement with existing PR text
Torsten: should not require, but prohibiting cross-device in HAIP would be problematic
Kristina: consensus: everyone must support same-device flow, PR needs to be rewritten
Joseph: consensus: we do not want to block cross-device flow
Paul: what is missing in the current PR text?
Kristina: same-device flow MUST be supported
Paul: is it for wallets or verifiers?
Joseph: this is for verifiers to implement
Torsten: cross-device is for scenarios where phishing resistance can be addressed in a different way
Martijn: so session check is not required?
Kristina: for the same device it should be mandatory
Martijn: but verifier does not know
Torsten and Joseph: verifier certainly knows
Martijn: it’s a critical security mechanism. What determines when you have to do the check? The manner of initiating the transaction?
hichamlozi: if verifier can do the check then it should be allowed to do cross-device, good, but if not it should not do cross-device. Obligation for HAIP is to do same-device.
Kristina: please review the PR, added text there
Tim (in chat): I just feel obligated to mention that many national standards bodies only accept verified name binding or channel binding for phishing resistance. So while there may be other workarounds to get close, they may not be acceptable.
#291 Add same 'Requirements Notation and Conventions' as used in VCI
Good to go
#289 Add note about the revocation mechanisms in the second edition of 18013-5
Joseph: 2 competing suggestions; one of the referenced specs is still a draft
Paul: validity period vs expiration date?
edited suggestion
Joseph: everyone OK with Kristina’s new text, does anyone object?
Martijn: I do not think MUST does anything here, many things that can be revoked.
Kristina: no, mdoc has an ISO-defined revocation mechanism, it is not about certificates, etc. We are talking about MSO revocation, not other things
Joseph: this sets a minimal bar
#303 add new editors and update contributors
Adding editors and contributors
Good to merge
#300 Ecosystem Guidance
Editorial, would be nice to include before public review
Gareth: need some editing
On Thursday - plan to go to public review period
no objections