[Openid-dcp] Notes for the DCP meeting on October 28th :

[Hicham Lozi]

Hi, 

Bellow the notes for todays meeting: 

Thanks 
Hicham 



Notes for the DCP meeting on October 28th : 

- Agenda:
- Provide summaries of IIW. But Note that the call is mainly having attendees of IIW.
- Review HAIP PRs and Issues.
- If time allows , talk about the interactive server end point. 

Event updates :

Interoperability event happening in New Zealand in parallel an online event organized by OIDF covering VP, VC and HAIP. Gail sent an email suggesting time slots. People are asked to look at it. Encourage participating to test latest updates of HAIP. 

IIW coverage: 

DCP working group meeting : progress on multiple subjects in particular the server to server issuance protocol. 
There is an issue with server to server requirement  https://github.com/openid/OpenID4VCI/issues/663. Moving to a google doc to refine the requirement and gather feedback. Participants are invited to provide feedback on the google doc. Diagrams that were created during the DCP WG meeting are added to an issue here https://github.com/openid/OpenID4VCI/issues/668, please have a look and ask questions on the issue  

Other relevant discussions from IIW : single use credential, credential meta data and HPKE. 

General updates : 

HAIP WG last call was supposed to finish last week but it was not on the agenda on Friday so we did not do it. Vote would be done via email for HAIP WG last call. Email will be sent after this call to vote on HAIP to go for public review. 3th December end of public review  and from 9 December vote on HAIP to be final. 

Other discussions : 
Discussion about credential usage policy, particularly the role of switches and policy flags in metadata. There was a debate on the tradeoffs between availability and privacy, with examples such as handling anonymous presentations without available unused credentials and reusing credentials for the same relying party (RP) during retries due to errors. Concerns were raised about whether the RP or an integration provider is responsible for managing credentials across multiple RPs, and the potential additional correlation risk introduced by reuse. An issue in VCI was created: https://github.com/openid/OpenID4VCI/issues/666. Participants were invited to review the issue and provide feedback. 


HAIP PRs: 

PRs are non-normative at this stage. 

PR #312 https://github.com/openid/OpenID4VC-HAIP/pull/312

Some comments are still not resolved,
Discussion about unsolved comments including the capitalization of terms “Key Attestation” and “Wallet Attestation”. It is noted that “Key Attestation” is not defined in VCI or HAIP, and “Wallet Attestation” is capitalized in VCI. The suggestion is to keep “Key Attestation” lower case. Create an issue in VCI to define these terms. 


— Another question on this PR: What exactly is an x509 profile?
- It defines the elements that should be present in an x509 certificate and specifies certain values, for instance, the CA browser forum defines what extensions should be present in browser certificates, what cryptographic suites are allowed, and so on. It’s similar to a credential profile but for x509 certificates.
There is a section on certificate profiles where we have text about it. 

PR #313 https://github.com/openid/OpenID4VC-HAIP/pull/313

Kristina has contributed based on the working group discussion. Christian will suggest how to integrate it, and we’ll revisit it. 

PR #323 https://github.com/openid/OpenID4VC-HAIP/pull/323

Lack of referencing 23220 series , 

PR #324

Clarifying the text for when you have both mDoc and SD-JWT issued in the same transaction. 
There is confusion on what same transaction means . 

The clarification is:  it means the same access token from the same interaction with the authorization server allowing to be redeemed for both SD-JWT and mDoc on different end point. 

Asking for reviews so the PR can be merged. 

PR #325 https://github.com/openid/OpenID4VC-HAIP/pull/325


“Crypto suites” sections has  requirements for signing. It is suggested to name the section “Requirement for digital signatures,”. PR open for review and approval. 

PR #326 https://github.com/openid/OpenID4VC-HAIP/pull/326

Editorial , using "this document" or "this profile" or "this specification" , suggestion to say consistently “this specification”. 

PR #297 https://github.com/openid/OpenID4VC-HAIP/issues/297

This is not normative; it simply provides the location of the guidance in multiple geographical regions.  call for volunteers to review.

PR #327 https://github.com/openid/OpenID4VC-HAIP/pull/327

call to review the PR. Identified 2 reviewers 



HAIP issues : 


Issue #318 : https://github.com/openid/OpenID4VC-HAIP/issues/318

Discussion about the term “ecosystem.” It was discussed that an ecosystem consists of issuers and RPs and Wallets that follow the same rules and policies, similar to a jurisdiction but more technical. Internal Governance was suggested to be added as defining an ecosystem, and ecosystems can exist without being jurisdictional. They can be formed by parties agreeing to the same rules without necessarily being under the same jurisdiction. There was concerns that this definition implies that mDL is not an ecosystem. It was mentioned that  a specification alone does not constitute an ecosystem. There was a suggestion that ecosystems should define certain aspects, which could imply jurisdiction or internal governance. Concerns that If mDL  and similar specifications is not considered an ecosystem, it may impact interoperability. It was mentioned that the 18013-5 specification is maybe partially an ecosystem. a suggestion was made and added to the issue for review. 

Lats thing : 

Interactive end point PR ready and needs to be reviewed before Thursday.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20251028/1bad32d1/attachment-0001.htm>