Joseph Heenan

icon indicating an email [email protected]

icon company emobix, Authlete & OpenID Foundation icon location Glasgow, UK icon location CTO. OAuth2 / OpenID Connect / FAPI / etc. Mobile developer (Swift, ObjC, ...).

Results 54 issues of Joseph Heenan

Requirements for JWK in key attestation `attested_keys`

5 comment

The exact fields present in a JWK is a frequent cause of interoperability problems. We don't currently appear to have an language (in VCI or HAIP) that says whether kid,...

Requirement around key_attestations_required with attestation proof type is not clear

3 comment

Current text says: > key_attestations_required: OPTIONAL. Object that describes the requirement for key attestations as described in [Appendix D](file:///Users/joseph/Downloads/output/openid-4-verifiable-credential-issuance-1_1-wg-draft.html#keyattestation), which the Credential Issuer expects the Wallet to send within the...

key attestation example includes iss field that isn't required

The example here: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#appendix-D.1 includes an iss field: We don't appear to define any meaning for the `iss` claim in a key attestation so we should probably remove it from...

editorial

"If the Credential Issuer provided a c_nonce" doesn't really make sense

We should replace all 3 instances with "If the Credential Issuer has a nonce_endpoint", the current text is a hangover from when c_nonce was provided in credential/token endpoint responses. (Although...

Add text about conformance/certification testing

We should add similar text as we added to HAIP/VP (see https://github.com/openid/OpenID4VC-HAIP/issues/271 ) to VCI.

Allow providing of proofing data (e.g. selfies / photos of credentials) during issuance without web views

8 comment

We should extend presentation during issuance to use https://github.com/openid/OpenID4VCI/pull/509/files to allow further types of things to be requested - e.g. photos of physical mdl. Also could need to be encrypted...

ISO 23220-3
stretch-goal

origin value to use for IAR requests is unclear for mdoc presentation / for w3c vc

1 comment

The text around the `openid4vp_presentation` item in the IAR endpoint is a little unclear: 1. About the origin to use in the session transcript - in particular whether to use...

has-PR
iae

request_uri_method should be case sensitive

https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-5.1 currently says: > request_uri_method: OPTIONAL. A string determining the HTTP method to be used when the request_uri parameter is included in the same request. Two case-sensitive valid values are...

Intro text about communicating credential request mentions only dcql_query even though scope can be used too

https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-authorization-request says: > The Verifier articulates requirements of the Credential(s) that are requested using the dcql_query parameter. However https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-5.5 allows the use of scopes as well. So something like this...

editorial

Retrieving all client metadata from client_metadata parameter seems too restrictive

We have this text under several of the client id schemes, e.g. x509_hash: "All Verifier metadata other than the public key MUST be obtained from the client_metadata parameter." I'm not...