
Define session transcript for OpenID4VP (without DC API) in OpenID4VP

Open TimoGlastra opened this issue 10 months ago • 8 comments

There have been a lot of discussions about the session transcript for the DC API, but I couldn't find anything related to the non-DC API case.

#374 introduced text that the non-DC API case should follow ISO 18013-7. However, with the addition of the session transcript for the DC API to OID4VP, and with the PR to define session encryption details (https://github.com/openid/OpenID4VP/pull/380), I think it makes sense to also define the session transcript options for OID4VP without the DC API in OID4VP.

Then the specific requirements around encryption algs can be defined in HAIP, and there's no need anymore for ISO 18013-7 when doing OID4VP and mDOC, especially when using DCQL and the PD restrictions don't apply.

TimoGlastra avatar Jan 30 '25 05:01 TimoGlastra

The session transcript for OpenID4VP (without DC API) is currently defined in ISO 18013-7 Annex B, which is to be followed for now. The issue with that Annex is that it relies on the second Implementer's Draft of OpenID4VP, while the third one has recently been published. There is an agreement between ISO SC17 WG10 and OIDF that OIDF can define an mdoc profile for OpenID4VP without the browser API when it decides the time is right. The issue to track that in HAIP is here (https://github.com/openid/oid4vc-haip/issues/139), but I am OK keeping this one as its counterpart in the OpenID4VP repo.

Sakurann avatar Jan 30 '25 11:01 Sakurann

I think this was closed by accident

TimoGlastra avatar Apr 17 '25 15:04 TimoGlastra

> I think this was closed by accident

I believe so too

awoie avatar Apr 17 '25 16:04 awoie

Apparently GitHub understood

> We could specify a session transcript in Invocation via other methods {#non-dc-api-invocation} to resolve https://github.com/openid/OpenID4VP/issues/402

as "resolves 402" 😅

c2bo avatar Apr 18 '25 04:04 c2bo

If I understand correctly, there is consensus that OID4VP 1.0 (standalone) will not work for mDOC in modes direct_post and direct_post.jwt, is that right?

andprian avatar Apr 29 '25 08:04 andprian

WG call: after an alignment call with ETSI and EC, agreed to proceed with a PR

Sakurann avatar May 15 '25 16:05 Sakurann

> If I understand correctly, there is consensus that OID4VP 1.0 (standalone) will not work for mDOC in modes direct_post and direct_post.jwt, is that right?

I don't believe so. If such a restriction were made, I think it would be made in HAIP. (ISO 18013-7 Annex B does prohibit use of direct_post/direct_post.jwt for mDL, but VP would not be the correct place to make that restriction, nor would it be right to apply that to all mdoc cases.)

jogu avatar May 16 '25 17:05 jogu

@jogu , I was not talking about making a restriction. This is about defining SessionTranscript, otherwise vanilla OID4VP would not work without some kind of profiling for mDOC

andprian avatar May 19 '25 12:05 andprian

> @jogu , I was not talking about making a restriction. This is about defining SessionTranscript, otherwise vanilla OID4VP would not work without some kind of profiling for mDOC

Ah sorry, I was confused by the mention of direct_post - it also doesn't work for (e.g.) response_mode=query. So yes we need to define the session transcript for the non-DC API cases as Oliver has done in his PR.

jogu avatar May 22 '25 12:05 jogu