<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"Helvetica Neue";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.E-MailFormatvorlage19
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:181282188;
mso-list-template-ids:1288632480;}
@list l1
{mso-list-id:1028337268;
mso-list-template-ids:-1085135724;}
@list l1:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Hi,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Below are the notes for the DCP WG cal on 5th of September 2024:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>-----<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Attendees:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Christian Bormann<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Kristina Yasuda<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Joseph Heenan<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Andreea Prian<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Bjorn Hjelm<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Brian Campbell<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Daniel Fett<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>David Chadwick<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>David Waite<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Jan Vereecken<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Juba Saadi<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Judith Kahrer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Lukasz Jaromin<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Martijn Haring<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Michael Jones<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Nemanja Patrnogic<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Oliver Terbu<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Paul Bastian<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Sebastien<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Steve Venema<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Timo Glastra<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>-----<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Joseph explains the situation around the EU implementing acts that were initially published a month ago and can only mention finalized standards. It is too late to get into this round of implementing acts, but there will be a next round that will be open. Martijn asks about version 1.1 and what happens if the law references 1.1 - would people be still allowed to use 1.0? Kristina clarifies that this was brought up with the commission and further changes after 1.0 are expected. [Joseph will write an email explaining the situation to the mailing list - more details will be in that mail].<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Martijn asks about breaking change and brings up the example that presentation exchange has to be implemented right now and if we introduce another query language in 1.1, would it still be mandated to be implemented? Martijn proposes to change the language to something like PEX can be used, but other methods are also allowed. Martijn then also brings up that a lot of OAuth features are referenced and some of them might for example to be applicable when used together with Browser API. So we would need to add exceptions here and he asks if this would be a breaking change? Kristina answers that the Appendixes can overwrite parts of the spec and we already have a precedence for it. Martijn also asks about missing parts for Browser API and if there should be new issues for them and then corresponding PRs or how to deal with them for 1.0? Kristina clarifies that issues/PRs with a small scope would be nice.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Joseph adds that worst case would be to advance the 2.0 timeline and introduce breaking changes. Oliver adds that it would be good to have PEX and the new query language as equal alternatives in 1.1. Andreea adds that it would be good to have some kind of versioning within the protocol. Kristina answers that this topic was discussed and there was the fear of getting it wrong right now and introduce it in 1.1 - if that is missing, implementations could just assume it is version 1.0. Joseph adds that there he has little hope of creating a versioning scheme in the timeline for 1.0.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><a href="https://github.com/openid/OpenID4VP/pull/237">https://github.com/openid/OpenID4VP/pull/237</a>:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Oliver explains that one of the discussions was the order of validation. He explains his comment (<a href="https://github.com/openid/OpenID4VP/pull/237#issuecomment-2331820525">https://github.com/openid/OpenID4VP/pull/237#issuecomment-2331820525</a>) that proposes a validation order with specific instructions to validate [The link explains this pretty in detail - check there]. Oliver asks if people have questions about this. Daniel thanks Oliver for providing this order, but is not convinced that the choice of which mechanism to be used should be given to the wallet. Daniel points out that you could still mess with the request, for example by removing the signature. Oliver answers that this issue already exists today and the verifier does not know which mechanism the wallet used to verify the client_id. If the verifier has different certificates for different ecosystems, this problem would still exist. It could be solved by adding the key used to verify in the response.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Daniel answers that he thinks these are 2 different problems. The first one is where the verifier doesn't know which client_id_scheme was used. The second one is that within some client_id_scheme, there might be a different certificate or key that was used to check something.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>The the client_id_scheme in its current form allows you to take a request and remove the signature. The difference between two different x509 certificates might be a problem, but probably much smaller than the first one. We should solve both, but the first one is way bigger. Oliver shows an option to add the key used to verify together with the client_id in the response, for example in the audience. Paul asks if requiring signed requests was discussed. Brian adds that some of the requests using browser API will not be signed and Kristina agrees. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Daniel restates the problem that we have client_id_scheme and client_id, but only client_id is in certain messages. It might be a solution to change one of the parameters: keep the client_id unchanged for all systems where the wallet supports exactly one client_id_scheme and for other systems that allow more schemes, we could add a "client_id_with_scheme" that is client_id_scheme:client_id. The response with this mechanism would include this in the audience. The nice part would be that if we do not require a key, it would also work for unsigned cases.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Mike adds that the shown attack is not possible with the changes Oliver proposed. Mike also mentions that Oliver could add to the PR the algorithm for evaluating client_id values and describing the special case of the unsigned option. Brian asks about Daniels proposal whether this client_id_with_scheme would be a replacement for client_id and Daniel agrees. Brian asks if it would be fine to require the audience to include the client_id_scheme at the discretion of the verifier. [There was a bit more discussion on this, but there will be a separate call and presentation to clarify]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Kristina mentions that next week is an ETSI/CEN workshop for the European Digital Identity Wallet that might be interesting for people (<a href="https://www.etsi.org/events/2353-etsi-cen-workshop">https://www.etsi.org/events/2353-etsi-cen-workshop</a>).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Christian<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols-bounces@lists.openid.net> <b>On Behalf Of </b>Kristina Yasuda via Openid-specs-digital-credentials-protocols<br><b>Sent:</b> Thursday, September 5, 2024 5:02 PM<br><b>To:</b> Digital Credentials Protocols List <openid-specs-digital-credentials-protocols@lists.openid.net><br><b>Cc:</b> Kristina Yasuda <yasudakristina@gmail.com><br><b>Subject:</b> [Openid-specs-digital-credentials-protocols] [agenda] EU-friendly DCP WG + SIOP call<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal>Hi All,<o:p></o:p></p></div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Below is the suggested agenda for today's DCP WG + SIOP call. It is the same as for Tuesday, with some more focus on other open PRs.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><ol style='margin-top:0cm' start=1 type=1><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>IPR reminder/ Note-taking<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Introductions/re-introductions<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Agenda bashing/adoption<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Events/External orgs<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Update from editors/chairs on the EU implementing acts<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Update from editors/chairs on proposed items to prioritise & suggested plan for publishing of next revisions of VCI & VP<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Update on c_nonce PR: </span><a href="https://github.com/openid/OpenID4VCI/pull/381" target="_blank"><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>https://github.com/openid/OpenID4VCI/pull/381</span></a><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'><o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Update on Oliver/Tobias proposal for client_id_scheme security ( </span><a href="https://github.com/openid/OpenID4VP/issues/124" target="_blank"><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>https://github.com/openid/OpenID4VP/issues/124</span></a><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'> )<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>PRs for enabling non-breaking extensibility ready for review: </span><a href="https://github.com/openid/OpenID4VP/pull/240" target="_blank"><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>https://github.com/openid/OpenID4VP/pull/240</span></a><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'> </span><a href="https://github.com/openid/OpenID4VCI/pull/382" target="_blank"><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>https://github.com/openid/OpenID4VCI/pull/382</span></a><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'><o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Other PRs/issues needing reviews/discussions<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Issues ready for PRs - who can help please? </span><a href="https://github.com/openid/OpenID4VP/issues?q=is%3Aissue+is%3Aopen+label%3Aready-for-PR+label%3Aeditorial+no%3Aassignee" target="_blank"><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>https://github.com/openid/OpenID4VP/issues?q=is%3Aissue+is%3Aopen+label%3Aready-for-PR+label%3Aeditorial+no%3Aassignee</span></a><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'><o:p></o:p></span></li><li class=MsoNormal style='mso-list:l1 level1 lfo3;font-variant-caps:normal;font-stretch:normal;font-size-adjust:none;font-kerning:auto;font-variant-alternates:normal;font-variant-ligatures:normal;font-variant-numeric:normal;font-variant-east-asian:normal;font-feature-settings:normal'><span style='font-size:10.0pt;font-family:"Helvetica Neue",serif'>Other Open PRs/Issues<o:p></o:p></span></li></ol><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal>Thank you!<o:p></o:p></p></div><div><p class=MsoNormal>Kristina<o:p></o:p></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></body></html>