DCP WG Hybrid Meeting 28th October 2024

Google doc for minutes

https://docs.google.com/document/d/1D9PwvMNODojvm70NHJhBh6BoSj5Vu-HwspgYxx4LhUA/edit?usp=sharing

We will use Teams to manage the queue.

Please respect the queue to allow fair participation for remote attendees.

https://teams.microsoft.com/meet/292547940886?p=1B4rjdvhmeALSILWkm

Meeting ID: 292 547 940 886

Passcode: 3Np9jv9v

Wifi: MSFTGUEST Event code: MSFTEXEC2444

Updates on spec status

  • VP
    • WGLC for ID3 in progress
      • Includes new query language (now called DCQL, pronounced ‘duckle’), transaction data, client id scheme changed to prefix, remove client_metadata_uri, Browser API profile, Request URI post mode
    • Public review period starting ~31st Oct
    • Voting starts ~9th December
    • ID publish ~23rd December
  • VCI
    • Want to start WGLC for ID2 ASAP
      • Includes new nonce endpoint, new batch issuance, fixes to deferred credential endpoint, remove c_nonce from token endpoint, remove authorization_pending
      • Hoping to get key attestation in
    • Similar voting timeline as VP (maybe a few days behind)
  • HAIP
    • We need to pick this up again and do an ID soon.

EU letter highlights

  • The letter is based on gap analysis of available specs across all standards organisations
  • It invites us to collaborate on a plan for how OIDF can fill those gaps
  • It also asks for confirmation of timelines for VCI/VP/HAIP going ‘final’
  • OIDF is trying to schedule a meeting between EU & DCP WG chairs

EU letter highlights - VP

  • Questions about
  • Compatibility of/use of HAIP & ISO 18013-7
  • Where will work be done on mdoc + OpenID4VP + Browser API
  • Attestation Status List and Attestation Revocation List, as defined in Annex 1 of the ARF, need to work with VP
  • Wallet instance needs to be able to authenticate itself to RP
  • HAIP should go further and be a full interoperability profile like 18013-7

EU letter highlights - VCI

  • Allow the use of key association as defined in ARF Annex 2 Topic 9
    • section 7.3 of “Epic 09 - Wallet Trust Evidence”, v1.0, NiScy, 2024-03-05.

  • Attestation Provider to send an embedded disclosure policy for the attestation to the Wallet Instance, where the policy is expressed in accordance with section 4.2.14.

Work plan for next few months - VP

  • Formally move spec to DCP WG once ID vote finishes
  • Aim is to have final for end-March
    • All PRs must be merged by 15th January at very latest
  • Issues deferred from initial new query language PR need to be addressed
  • Feedback from implementers on new query language needed ASAP
  • Multi-RP authentication (see later in agenda)

Work plan for next few months - VCI

  • Aim is to have final for end-March
    • All PRs must be merged by 15th January at very latest
  • Key attestation
  • Wallet attestation
  • Decide c_nonce tidy ups
  • Decide on format for claims in credential metadata

Work plan for next few months - HAIP

  • We need to pick up work on this again
  • Triage open issues
  • Address EU issues
  • Probably do an ID vote
  • Move to final sometime early next year

IIW Sessions Proposals

  • new Query language 🐕
  • OID4VC 101
  • OID4VCI Browser API profile
  • OID4VP: Conveying purpose from verifier to wallet
  • Revocation methods comparison
  • OpenID4VCI/VP Key and Wallet Attestations
  • SD-JWT and SD-JWT VC 101
  • OID4VCI credential versioning (updates)
  • Do all wallet apps require a wallet server?
  • Query Language and ZKPs
  • OID4VCI native app flows (can it be done with first party app proposal?)
  • SD-JWT VC and ISO 18013-5 close proximity

Summary of major discussions at the IIW

  • HAIP
    • Considering adding Federation as optional for all entities, for RP authn and for issuers signing the credentials
  • OID4VP
    • Wallet attestation during presentation: leaning towards adding new top-level parameters for request & response
    • RP Authorization: leaning towards adding a "credentials" parameter to the presentation request to allow the RP to pass credentials for intended use & disclosure rules policy JWTs
    • Presentation of non-mdoc credentials (i.e. SD-JWT VC) offline (i.e. NFC/BLE): it should already be possible to send an OID4VP request over CTAP (UWB in the future)
    • DCQL: everyone loves DCQL; some feedback on open issues received
  • OID4VCI
    • Discussed VCI Browser API design: add entire issuer metadata and authorization server to the credential offer
  • ISO requirements
    • Multiple RP credentials: nailed the requirements; exploring the JWS JSON serialization proposal
    • mdoc browser interoperability profile: leaning towards adding it to HAIP
    • HPKE: considering adding a note to OID4VP and/or HAIP that HPKE can be used with JWE