[Openid-dcp] Draft 06 of HAIP published / Notice for Consensus Decision at 4th Dec 2025 DCP EU WG call on updating version of HAIP under public review

Thu Nov 20 23:31:20 UTC 2025

Hi all

Draft 06 of HAIP 1.0 has now been published:

https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-1_0-06.html

The full change log is below; this version addresses comments received during the public review period. From the full change log, the changes that could (in my personal opinion) be considered normative are:

requiring support for the multisig option in wallets (as per my email to the list earlier in the week)
the mention of the new fully specified cose alg identifier
the requirement for x5c in key attestations
new requirement around A256GCM

As discussed on the 2 WG calls (APAC + EU) that happened in the last 24 hours, the editors/chairs have recommended the version currently under public review is updated to this version without restarting the public review period - and on the calls no one raised any comments, so this email serves as a 2 week notice of a formal vote on updating the version under public review, with the vote to happen during the DCP WG EU call on the 4th December.

The foundation-wide public review announcement will be updated today so that people are aware of the new version.

If anyone has any concerns please let the chairs know ASAP.

Many thanks

Joseph

-06

updates to assumptions
add the multi-signed option to the DC API variants
add cose alg identifer -9 (fully specified)
clarify that DCQL applies in HAIP as defined in OpenID4VP and all REQUIRED and OPTIONAL requirements remain the same
add reference to ECCG Agreed Cryptographic Mechanisms 2.0
require x5c header in the OID4VCI Appendix D key attestation
require A256GCM and A128GCM for verifiers
add "Non-normative Examples of Ecosystem-specific Extensions of this Specification" section
remove EU ARF bullet from scenario section as that's already better explained in scope section
add additional acknowledgements
add reference to VP & VCI privacy considerations
improve wording about ephemeral encryption keys
clarify how combined issuance of SD-JWT and mdoc is supported
rename 'Cryto Suites' section to 'Requirements for Digital Signatures'
consistently use 'this specification' rather than 'document' or 'profile'
include links to the relevant sections in the ecosystems considerations section
clarify which requirements apply to wallet or verifier in W3C Digital Credentials API section
make 'Ecosystem' a defined term
clarify requirements for issuer-initiated / wallet-initiated issuance support
clarify that digital sig section applies to jwt proof type too
replace 'Annex' with 'Appendix' when referring to VCI/VP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20251121/5843ec2e/attachment.htm>