Pedro Felix

Any further information regarding this issue? I believe I've the exact same problem as @devd. I'm using two cookies: - A _regular cookie with session data. - A `SameSite` _marker_...

What does it mean `In 3.0, path becomes a feature`?

I was assuming that the fact that a JWK is used as the proof of possession on the KB-JWT, does necessarily imply that a JWK needs to be used on...

@TakahikoKawasaki Not sure that I understood the different between *Uniqueness* and *Issuance Timing*. My current understanding from the spec is that: - A server (AS or Credential Issuer) MAY return...

Even with Attestation-based Client Authentication, the client (not a specific device) needs to be pre-registered, right? I.e. the `client_id` provided on authorization and token requests must have been previously registered...

That could eventually work, but probably we need a spec to define the content on those interoperable trust lists, namely because we need more than just the `client_id` (e.g. the...

Thanks for the responses. We seem to have multiple ways of dealing with this problem, however the currrent VCI spec doesn't provide any guidance. Achieving interoperability probably requires specific profiles,...

My goal is not to make pre-registration usind DCR mandatory for VCI. However the current document is almost silent about this "client management/discovery" aspect, which IMO is very important for...

`client_id` is required for the interaction with the AS, at least for the `authorization_code` grant. On the `pre-authorized_code`grant, `client_id` is already optional (IINM). Note that for an OAuth 2.0 AS,...

I agree with the batch credential endpoint removal, given the newly added capability on the _regular_ credential endpoint.