[Openid-dcp] DCP WG APAC November 6 Call Minutes
Andres Olave
andres.olave at velocitycareerlabs.com
Thu Nov 6 20:52:16 UTC 2025
Hi all
Here are notes from the APAC call
1. HAIP Public Review
WG last call passed via email
Public review scheduled to conclude Dec 8
Voting Dec 9-23 & published around Christmas
2. WG Cadence reduction
Probably cancelling Tuesday and keeping APAC/EU & US/EU calls. Need to figure out a better timeslot for the APAC/EU.
3. WG Priorities
IETF meeting in Montreal covering HPKE spec, which hopefully can cover DCP use cases.
4. HAIP PRs
#327 On links to recommended key size advice
#313 Clarify requirements on support for issuer-initiated and wallet-initiated issuance
5. HAIP 1.0 Issues
#318 To retain the term "ecosystem" or switch it?
#319 Clearly state targets of statements in spec are "wallets" or "verifiers"
#319 Which enc should be mandated?
S: It may be best to align with Annex B. Though ISO Annex C mandates AES128. Multiple countries approved differences in the ISO spec.
M: Arguably, around 256 is better than 128. No one ever argues that the smaller variants aren't secure.
S: School system assessment in Aus & NZ - to meet the requirement, the system needs to use AES192 as a minimum, and AES256 is recommended for transport.
M: That mandates using TLS 1.3.
S: The requirement around TLS is 1.2 or greater, and P-384 is also required.
J: Need a good reason to change anything in the HAIP spec, as it would be a breaking change.
Someone mentioned that it may be best to add optional combinations for AES192/AES256 & P-384 to let ecosystems decide.
6. VCI 1.0 Issues:
#676 Key attestation is in the proof header, but should include the c_nonce. Suggestions to fix it by permitting the reuse of the key attestation.
* errata to set nonce to be server-provided c_nonce
* Add VCI different proof type
* different proof type in HAIP 1.0
M: Mentioned that pre-generation is a good reason to deviate from the spec. Clarify if/how c_nonce in the key attestation is a security feature. Also pointed out that there would be a knock-on effect in HAIP.
S: errata to permit reuse
J: That would be tricky since it may already be implemented and in law.
7. VCI 1.1 Issues:
Initial IAE PRs have been merged
#602 Tidies up the text and completes renaming to IAE + Adds format-specific guidance. Origin vs URL binding is separated. Some of this may be moved into OpenID4VP. Needs reviews
8. Publication Planning
After IAE is in, then probably WG will do an Implementors Draft and have Stuttgart do a formal security analysis before the final version. HAIP 1.0 may be in scope of that analysis.
Discussed if VCI 1.1 may require HAIP 1.1
cheers,
Andres Olave