[Openid-dcp] DCP WG APAC 9th October 2025 Meeting Notes
Stefan Charsley
charsleysa at gmail.com
Thu Oct 9 08:16:15 UTC 2025
DCP WG APAC 9th October 2025
Attendees
Martijn Haring
Hiroyuki Sano
Anders Mellqvist
Joseph Heenan
Stefan Charsley
Dima Postnikov
Updates
HAIP WGLC has started, 2 week process, after which there’s a formal vote.
Public review period to start after Thursday’s second meeting. Target 1.0
final published around Xmas time.
HAIP
enforce same device flow for redirect-based OpenID4VP #293
<https://github.com/openid/OpenID4VC-HAIP/pull/293>
-
Martijn: still unsure whether session check is mandated. Is there any
indication for the wallet if the verifier will do the check? Current
understanding is there’s no way for the wallet to know that
-
Joseph: need to be careful with language because not all same-device
flows are unphishable
-
Martijn: does a wallet know if the verifier will do a session binding
check?
-
Joseph: the verifier is required to do a session binding check, but it’s
not specified exactly
-
Joseph: no way in the protocol for the wallet to know this. In certain
jurisdictions verifiers will be certified mitigating some of the concern
-
Dima (chat): It's probably an ecosystem-level concern. RP Certification
might help? But it's not a run time thing apart from RP authorisation which
is out side of the scope of this spec. But i agree on clarity of the spec
-
Martijn: need to be extremely careful and clear with wording. We’re
having these discussions very late in the process, at this point it’s not
as clear as it could be
-
Joseph: might need to add some security considerations after this PR is
merged. This is the type of language that we can improve during the WGLC
process
Ecosystem Guidance #300 <https://github.com/openid/OpenID4VC-HAIP/pull/300>
-
Martijn: I don’t understand backwards compatibility for issued curves,
what does that mean?
-
Dima: I’m not sure if this section belongs to the main spec at all. In
other WGs, this would belong in reference architecture or guidance
-
Joseph: might need to improve the language, intention was to describe
what ecosystems need to think about. Agree that reference architecture
don’t belong in main spec
-
Martijn: also this lumps issuance and presentation together which are
very different things. VCI has vastly different impact than VP. whole point
of HAIP is to have different profiles that aren’t linked
-
Dima: feels a bit opinionated
-
Martijn: now we’re making opinionated examples that combine VCI/VP which
isn’t the best this late in the process. I don’t think this a good place. I
don’t think it’s good to mandate VCI at this point as we’re aware of things
that are missing. Much prefer these examples to be split between VCI/VP.
Feel uncomfortable merging it like this, this is going beyond what was
originally said as the goal of HAIP
-
Joseph: not sure what to do about the examples. There’s a number of
options, could go to public review without this text, could add first
section without examples so there’s more time to address them, 3rd option
to add them as is and then split them up during public review period. No
opinion on which option is best. Will try and come to some interim position
in the afternoon WG call
-
Martijn: the strong language (e.g. MUST) may cause readers to interpret
normatively instead of non-normatively
-
Joseph: don’t know what the right thing to do about that, but it needs
to be thought about
General
-
Joseph: to discuss sometime over the next couple of weeks the priorities
for WG to work on next, please create issues if they don’t already exist
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20251009/c8ae6f11/attachment-0001.htm>
More information about the Openid-specs-digital-credentials-protocols
mailing list