[Openid-dcp] Minutes from DCP WG meeting March 26, 2026

[Frederik Krogsdal Jacobsen]

   - Participants: Brent Zundel, Frederik Krogsdal Jacobsen, Paul Grassi,
   Micha Kraus, Christian Bormann, Valentine Mazurov, Max Crone, Martijn
   Haring, Henna Kapur, Jin Wen, Aniruddha Bildikar, Hicham Lozi, Daniel Fett,
   Ryan Galluzzo, Mike Jones, Gail Hodges, Juba, Bjorn Hjelm, Brian Campbell,
   Patrick Amrein, David Zeuthen, Łukasz Jaromin
   - Events
      - Proposed face-to-face joint meeting with ISO WG10 on May 30th in
      Europe.
      - DCP hybrid meeting before IIW: Invite is on the mailing list.
      - OSW
      - Possibly DCP hybrid meeting before DICE.
   - Test requirement document from the EU
      - The ask is for feedback on the EC requirements for certification
      assessment bodies. The time frame is to provide feedback before
the summer.
      - Reach out to Gail or any of the DCP chairs if you are interested in
      helping.
   - Ecosystem CG updates
      - Ecosystem guidance document is being worked on. Please join the CG
      if you are interested in helping. At some point the CG will bring the
      document to the DCP WG for feedback, but the document is very early right
      now.
   - Conformance test updates
      - Please test the tests if you have an implementation.
      - Gail will ask for feedback in more detail via email on the list.
   - Joint work with ISO
      - There was a meeting yesterday, mainly about FIDO options.
      - The chairs told ISO that we agree with their vision document.
   - Server-to-server issuance
      - Might need a new time slot due to time zone issues with APAC. If
      anyone has opinions on this, please let the chairs know.
   - Display metadata
      - https://github.com/openid/OpenID4VCI/issues/421
      - https://github.com/openid/OpenID4VCI/pull/721
      - The issue is about allowing metadata to be sent in the credential
      response. There has been discussions on this for a long time.
      - Consensus to split discussion in two parts: one about requesting
      metadata for a specific credential instance and another about
updating the
      metadata.
      - Christian will change his PR to only cover requesting
      credential-specific metadata and postpone updating to another PR/issue.
   - VP response encryption with HPKE
      - https://github.com/openid/OpenID4VP/pull/703
      - Needs reviews.
      - Questions:
         - Should JWK hash be included?
            - Christian: Yes.
         - Should separator bytes be used?
            - Martijn: Using separator bytes allows us to be less careful
            about hash collisions when concatenating
attacker-controlled values.
         - Should the structure be hashed similar to session transcript?
         - Should there be a space in the identifier?
            - Christian: No
         - VP 1.1 milestone
      - https://github.com/openid/OpenID4VP/pull/712
         - Needs reviews.
      - Issues with Origins
         - https://github.com/openid/OpenID4VP/issues/646
         - https://github.com/openid/OpenID4VP/issues/224
         - These two are intertwined and depend on us defining what origins
         are outside of a web browser context.
         - We should be careful about whether we are using DC API or some
         platform-specific API that is similar to DC API when writing guidance.
         - The issues are long and confusing. Frederik will attempt to
         summarize the current consensus and open questions.
      - Defining HPKE info parameter
         - See discussion of PR 703 above.
      - If you have anything currently tagged as “1.1 or later” and you
      would like it to be in 1.1, now is the time to speak. Otherwise they will
      be moved to “1.2 or later”.
   - IAE
      - Rebuilding IAE on first-party-apps draft:
      https://github.com/openid/OpenID4VCI/issues/719
         - Micha has made a comparison table. The basic mechanics are more
         or less the same.
         - Potential issues:
            - Security model is different (first-party vs. third-party)
            - Negotiation of supported interaction types is not there
            (because it is unnecessary for first-party apps)
         - Options:
            - Keep current IAE definitions: reinventing parts of the wheel,
            but fast.
            - Rework IAE on current first-party-app spec: definition of
            profile might be awkward due to mismatch in the models.
            - Convince first-party-app spec authors to make their spec more
            flexible: “Best” solution, but most work and might become
confusing.
         - Frederik: It depends a lot on whether they are willing to change
         anything in the first-party-app spec.
         - Brent: The first-party-app spec will probably go to WGLC soon,
         so they might not be willing to change that much.
      - Open PRs
         - Please review 716, it’s super short.
         - Reviews on the concept/structure of 706 are appreciated.
         - PR 695 is being updated to incorporate previous feedback.
         Additional reviews are welcome.
      - Open issues
         - Binding auth_session to DPoP
            - Kind of a sub-issue of the first-party-apps draft, since this
            is us reinventing something that the first-party-apps
draft has already
            considered.
            - The binding in first-party-apps is done by the server
            associating the public key with the auth_session value:
            https://www.ietf.org/archive/id/draft-ietf-oauth-first-party-apps-03.html#section-9.6.1
         - Many of the issues rely on our decision regarding rebuilding IAE
         on first-party-apps. The chairs will try to find a way
forward on deciding
         this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20260326/a509a325/attachment.htm>