[Openid-dcp] 2026-02-04 DCP WG APAC call meeting minutes
Frederik Krogsdal Jacobsen
frederik.krogsdal at idura.eu
Wed Feb 4 09:03:47 UTC 2026
- Participants: Joseph Heenan, Paul Bastian, Frederik Krogsdal Jacobsen,
Kenichi Nakamura, Stefan Charsley, Henry Hang, Martijn
- Events:
  - IETF 125, March 14-20
  - OSW, May 27-29
  - DICE, June 22-24
- EU test requirement document: no updates
- No updates from Ecosystem CG
- Conformance test updates: If you have an implementation, please test
it and let the conformance test group know about any issues you may have.
- Joint work with ISO:
  - Meeting next week will be a different day; look out for invitation
    update or ask Joseph
- Still working to get an agreement with FIDO Alliance
- Nobody present was at the server-to-server meeting, so wait for
updates on that.
- Reminder: there is a co-chair vacancy if anyone is interested.
- OpenID4VP:
  - Will use HPKE JWE from IETF for HPKE response encryption:
    https://datatracker.ietf.org/doc/draft-ietf-jose-hpke-encrypt/
- OpenID4VC-HAIP:
  - Let the chairs know if there’s anything that should go in HAIP 1.1
    but is not currently tagged on the milestone in GitHub
  - Paul: Should HAIP 1.1 wait for VCI 1.1?
- OpenID4VCI:
  - There are many open IAE issues
    - https://github.com/openid/OpenID4VCI/issues/702: How can the
      wallet know which response belongs to which IAE session if there are
      multiple sessions in parallel?
      - Not clear what the question exactly covers. But generally we
        need to mention the state parameter in the auth_session case.
    - https://github.com/openid/OpenID4VCI/issues/694: which status
      code is used for successful IAE responses?
      - Call consensus: always using 200 makes most sense. Using 201
        would be confusing because you are not necessarily creating a new
        auth_session each time you call the endpoint.
    - https://github.com/openid/OpenID4VCI/issues/693: spec does not
      clearly state that client authentication is needed for
      follow-up requests.
      - Call consensus: We should add a sentence requiring client
        authentication normatively.
    - https://github.com/openid/OpenID4VCI/issues/692: Should IAE use
      new request_uri values every time?
      - Call consensus: They should be unique/new each time. We can
        reuse the text from PAR.
    - https://github.com/openid/OpenID4VCI/issues/691: Clarify wording
      on auth_session values in multiple IAE sessions
      - Call consensus: This wording should be clarified to say “the
        most recent auth_session value in the current session”.
  - Current plan for 1.1:
    - February: finish spec work
    - March: start WGLC, formal security analysis, encourage testing,
      implement IAE conformance tests
    - Late April/May: Implement changes from feedback, review if HAIP
      needs changes and start updating, WGLC for VCI 1.1