[Openid-dcp] [OpenID DCP] EU friendly call meeting notes
Valentine Mazurov
valentine.mazurov at dsr-corporation.com
Thu Feb 26 17:34:00 UTC 2026
Hi all,
Please find below the notes from the meeting that occurred on February 26th.
Participants:
- Joseph Heenan
- Frederik Krogsdal Jacobsen
- Christian Bormann
- Oliver Terbu
- Max Crone
- Brian Campbell
- Brent Zundel
- Klaus Roehrle
- Thomas Darimont
- Martijn
- Bjorn Hjelm
- Hicham Lozi
- Jan Vereecken
- Daniel Fett
- Filip Skokan
- Gail Hodges
- John Bradley
- Valentine Mazurov
Updates:
- Proposed joint face-to-face meeting between ISO WG10/DCP WG Sat 30th May in ?Europe?. (Just after OAuth Sec workshop / just after the ISO WG10 meeting/interop in France)
- Test requirements document for EU
- At the beginning of the next week conformance tests update
- Community is welcome to run tests themselves
- Joint group:
- https://docs.google.com/document/d/1F5Vz1qeb1N-5OxRKZO66VY9Xq4_8OcDHWRMscHq1cak/edit?tab=t.0
- server-to-server:
- The group will soon start drafting normative text, so a decision needs to be made on where that will be located.
- Brent Zundel and Dima Postnikov are recommended to co-chair DCP WG
Notes:
HPKE:
- No PRs
OpenID4VP:
- add HPKE exception for enc values supported #698
- https://github.com/openid/OpenID4VP/pull/698
- approved and merged
- Add a security consideration not to use VP Token as Access Token. #702
- https://github.com/openid/OpenID4VP/pull/702
- WG is welcome to review
OpenID4VCI:
- Stuttgart 7: HTTP status code for IAE responses undefined #694
- https://github.com/openid/OpenID4VCI/issues/694
- WG agreed to use a 2xx status code, same as we do for nonce endpoint.
- assigned to Christian to prepare a PR
- Add URNs for IAE types to prevent collisions #712
- https://github.com/openid/OpenID4VCI/pull/712
- WG is welcome to review
- Add IANA consideration urn `urn:openid` to the spec and then ask for registration
- Brian Campbell:
- DCP WG is not the first one to use `urn:openid` without registration
- WG is welcome to review
- Corrected JWKs in examples #711
- https://github.com/openid/OpenID4VCI/pull/711
- approved, but WG is given some more time to review before merge
- Christian: do we have a preferred way to format examples?
- Seems that we do not
- Christian will raise an issue
- Clarify that auth_session value should be most recent in session. #710
- https://github.com/openid/OpenID4VCI/pull/710
- Approved and merged
- Make auth_session optional if other binding mechanism exists. #706
- https://github.com/openid/OpenID4VCI/pull/706
- WG is welcome to review
- Use expected URL instead of expected origins for IAE flow #695
- https://github.com/openid/OpenID4VCI/pull/695
- WG is welcome to review
- Add invalid_tx_code error code to pre-authz code flow #686
- https://github.com/openid/OpenID4VCI/pull/686
- WG is welcome to review
- Rephrase conditions to provide `nonce` in proof types based on presence of Nonce endpoint #678
- https://github.com/openid/OpenID4VCI/pull/678
- WG is welcome to review
- Define that client_id_prefix value of origin is not allowed for IAE? #701
- https://github.com/openid/OpenID4VCI/issues/701
- Oliver suggested using `iae` as the client id prefix, followed by the IAE endpoint url and that would mean we can remove some of the text we already have, e.g. the binding section.
- WG still needs to decide what to do about expected_origins (WG has [#620](https://github.com/openid/OpenID4VCI/issues/620) for that already).
- Oliver will look into it a bit further.
- IAE redirect_to_web clarification, multiple use of PKCE_verifier ok? #703
- https://github.com/openid/OpenID4VCI/issues/703
- it seems to be ok to use the same PKCE verifier multiple times since no security vulnerabilities arise
- WG is welcome to review
Best regards,
Valentine