From 07a892f5e99b4232c72b1eed4a3933f67cfbb01c Mon Sep 17 00:00:00 2001 From: Paul Bastian Date: Mon, 27 Apr 2026 19:25:54 +0200 Subject: [PATCH 1/4] Clarify `state` parameter requirements in 1.0 Clarify the requirements for the `state` parameter and its ASCII URL safe character restrictions. --- 1.0/openid-4-verifiable-presentations-1_0.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/1.0/openid-4-verifiable-presentations-1_0.md b/1.0/openid-4-verifiable-presentations-1_0.md index cccbdc27..4e8857b3 100644 --- a/1.0/openid-4-verifiable-presentations-1_0.md +++ b/1.0/openid-4-verifiable-presentations-1_0.md @@ -367,7 +367,7 @@ The following additional considerations are given for pre-existing Authorization : REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Prefixes as described in (#client_metadata_management). The Client Identifier can be created by parties other than the Wallet and it is considered unique within the context of the Wallet when used in combination with the Client Identifier Prefix. `state`: -: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is OPTIONAL. `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). +: REQUIRED under the conditions defined in Section 5.3. Otherwise, state is RECOMMENDED. state values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). ## Requesting Presentations without Holder Binding Proofs {#nkb-credentials} 
@@ -3566,9 +3566,10 @@ The technology described in this specification was made available from contribut -31 + * Clarify that state is recommended to match text from Section 14.3.2. Protection of the Response URI * Clarify that `encrypted_response_enc_values_supported` applies only if JWE content encryption algorithm is used * Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used -final - * https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html \ No newline at end of file + * https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html From 45f62ac8584414fbe6a577debe6166c273c7fd78 Mon Sep 17 00:00:00 2001 From: Paul Bastian Date: Mon, 27 Apr 2026 19:27:24 +0200 Subject: [PATCH 2/4] Update 'state' requirement and clarify usage Clarify that 'state' is recommended instead of optional and update related text for consistency. --- 1.1/openid-4-verifiable-presentations-1_1.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index c82af1df..b3025323 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md 
@@ -363,7 +363,7 @@ The following additional considerations are given for pre-existing Authorization : REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Prefixes as described in (#client_metadata_management). The Client Identifier can be created by parties other than the Wallet and it is considered unique within the context of the Wallet when used in combination with the Client Identifier Prefix. `state`: -: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is OPTIONAL. `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). +: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, state is RECOMMENDED. state values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). ## Requesting Presentations without Holder Binding Proofs {#nkb-credentials} @@ -3633,5 +3633,6 @@ The technology described in this specification was made available from contribut * Add usage of HPKE for the `info` parameter. * Add security consideration not to use VP Token as Access Token + * Clarify that state is recommended to match text from Section 14.3.2. Protection of the Response URI * Clarify that `encrypted_response_enc_values_supported` applies only if JWE content encryption algorithm is used; e.g., it does not apply to JOSE HPKE * Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter if Dynamic Discovery is used From b12729f097814c4d46caa84d8f8039d9c51d6b2e Mon Sep 17 00:00:00 2001 From: Paul Bastian Date: Mon, 27 Apr 2026 19:29:02 +0200 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Paul Bastian --- 1.0/openid-4-verifiable-presentations-1_0.md | 2 +- 1.1/openid-4-verifiable-presentations-1_1.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/1.0/openid-4-verifiable-presentations-1_0.md b/1.0/openid-4-verifiable-presentations-1_0.md index 4e8857b3..dc5b5899 100644 --- a/1.0/openid-4-verifiable-presentations-1_0.md +++ b/1.0/openid-4-verifiable-presentations-1_0.md @@ -367,7 +367,7 @@ The following additional considerations are given for pre-existing Authorization : REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Prefixes as described in (#client_metadata_management). The Client Identifier can be created by parties other than the Wallet and it is considered unique within the context of the Wallet when used in combination with the Client Identifier Prefix. `state`: -: REQUIRED under the conditions defined in Section 5.3. Otherwise, state is RECOMMENDED. state values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). +: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED. `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). ## Requesting Presentations without Holder Binding Proofs {#nkb-credentials} diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index b3025323..44fc4e9a 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md 
@@ -363,7 +363,7 @@ The following additional considerations are given for pre-existing Authorization : REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Prefixes as described in (#client_metadata_management). The Client Identifier can be created by parties other than the Wallet and it is considered unique within the context of the Wallet when used in combination with the Client Identifier Prefix. `state`: -: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, state is RECOMMENDED. state values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). +: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED. `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). ## Requesting Presentations without Holder Binding Proofs {#nkb-credentials} From 3d704ac51774d0b48b060254a8e8ba230102764a Mon Sep 17 00:00:00 2001 From: Paul Bastian Date: Mon, 27 Apr 2026 19:47:26 +0200 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Paul Bastian --- 1.0/openid-4-verifiable-presentations-1_0.md | 2 +- 1.1/openid-4-verifiable-presentations-1_1.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/1.0/openid-4-verifiable-presentations-1_0.md b/1.0/openid-4-verifiable-presentations-1_0.md index dc5b5899..10425978 100644 --- a/1.0/openid-4-verifiable-presentations-1_0.md +++ b/1.0/openid-4-verifiable-presentations-1_0.md 
@@ -367,7 +367,7 @@ The following additional considerations are given for pre-existing Authorization : REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Prefixes as described in (#client_metadata_management). The Client Identifier can be created by parties other than the Wallet and it is considered unique within the context of the Wallet when used in combination with the Client Identifier Prefix. `state`: -: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED. `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). +: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED, see (#security_considerations_direct_post). `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). ## Requesting Presentations without Holder Binding Proofs {#nkb-credentials} diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 44fc4e9a..27fa2033 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md 
@@ -363,7 +363,7 @@ The following additional considerations are given for pre-existing Authorization : REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Prefixes as described in (#client_metadata_management). The Client Identifier can be created by parties other than the Wallet and it is considered unique within the context of the Wallet when used in combination with the Client Identifier Prefix. `state`: -: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED. `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). +: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED, see (#security_considerations_direct_post). `state` values MUST only contain ASCII URL safe characters (uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde). ## Requesting Presentations without Holder Binding Proofs {#nkb-credentials}
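Review bot: in PATCH 1/4, first hunk (1.0, line 367), the replacement line swaps the anchor reference `(#nkb-credentials)` for a hard-coded "Section 5.3" and drops the backticks around `state` (two occurrences); section numbers move whenever a section is inserted, while the anchor resolves wherever the heading ends up, and the surrounding text formats parameter names as code, so keep `: REQUIRED under the conditions defined in (#nkb-credentials). Otherwise, `state` is RECOMMENDED.` PATCH 3/4 makes exactly this correction later in the series, so squash it into this commit rather than leaving an intermediate revision with a broken cross-reference in the history.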
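Review bot: in PATCH 1/4, second hunk (1.0 changelog at line 3566), the new entry is recorded under the "-31" heading although the context shows a separate "-final" entry carrying the published URL, so a change to the 1.0 text is being logged against a pre-final draft; add it under a heading that follows "-final" (or whatever the working group uses for post-publication edits) so readers of the final document can see that the requirement level of `state` changed after publication. The entry wording "Clarify that state is recommended" also understates what the first hunk does: OPTIONAL to RECOMMENDED is a change of requirement level, not a clarification, and the entry should say so. Two smaller points on the same hunk: "Section 14.3.2. Protection of the Response URI" is a numeric reference where the rest of the document uses anchors, and the context line "Clarify that `aud` corresponds to `issuer` Wallet Metadata paremeter" misspells "parameter" and could be fixed in passing.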
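Review bot: in PATCH 2/4, first hunk (1.1, line 363), the backticks around `state` are dropped in both places while the anchor `(#nkb-credentials)` is correctly retained; every other parameter name on the line, including `state` in the definition-list term, is formatted as code, so keep the formatting consistent here. As with the 1.0 hunk, the reason `state` becomes RECOMMENDED is the Response URI protection named in the changelog entry, and the normative text should carry that reference itself so an implementer reading only this paragraph knows why the value matters; PATCH 4/4 adds it, so fold that fix-up in here.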
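Review bot: in PATCH 2/4, second hunk (1.1 changelog at line 3633), the new entry refers to "Section 14.3.2. Protection of the Response URI" by number while the body text of the specification uses anchors such as `(#security_considerations_direct_post)`; if the section is renumbered in a later draft the changelog entry goes stale silently, so prefer the anchor form, and consider the same "requirement level changed" wording suggested for the 1.0 entry. The context line two below it still reads "Wallet Metadata paremeter" and could be corrected to "parameter" in the same commit.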
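Review bot: PATCH 3/4 (both hunks, 1.0 line 367 and 1.1 line 363) only undoes defects introduced by PATCH 1/4 and PATCH 2/4 (restoring `(#nkb-credentials)` and the backticks around `state`); it carries no change of its own, so squash it into the earlier commits so that each commit in the series is correct on its own. The commit message's `Co-authored-by: Paul Bastian` trailer names the same person as the `From:` line and adds nothing; drop it when squashing.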
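Review bot: in PATCH 4/4 (both hunks, 1.0 line 367 and 1.1 line 363), the added text "Otherwise, `state` is RECOMMENDED, see (#security_considerations_direct_post)." is a comma splice; write it as "Otherwise, `state` is RECOMMENDED (see (#security_considerations_direct_post))." or "Otherwise, `state` is RECOMMENDED; see (#security_considerations_direct_post) for the rationale." Please also confirm that the anchor `security_considerations_direct_post` exists with that exact spelling in both 1.0 and 1.1 and that it is the section the changelog calls "Section 14.3.2. Protection of the Response URI", since this is the only place the normative text explains why a Verifier should bind the response to the request with `state`; a dangling anchor would leave the RECOMMENDED with no stated reason. As this is the final state of the series, it is also the right place to check that the 1.0 change is permitted under the process for editing text that the changelog already marks as "-final".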