copy from openid/oid4vc-haip#131 (comment)

WG discussion:

- agreement to what was said at the end of the last call: a viable way forward now seems to be to start with option 1 with what we have to meet the deadlines while signaling that we are working on HPKE and add HPKE once it is ready, since that is more desirable.
- noting that @martijnharing said they believe HPKE is the better algorithm, better library support, easier, can be implemented in a way that is more secure. (no agreement on this)
- @awoie to open an issue in IETF JOSE-HPKE repo why detached AAD is needed (and say it applies to JWE with ECDH-ES too). should not define that in this WG.
- lazy verifier problem does not apply for OpenID4VP over the digital credentials API?
- @martijnharing said he would like this feature to make the protocol more robust and more secure. agreement that this is not a catch-all solution to lazy verifier problem.
- @ve7jtb if the alg supports detached AAD, it should be used to help with lazy verifier check - solution might work with ECDH and HPKE.

next step (@bc-pi volunteered):

- do a PR in OID4VP to say "use JWE with ECDH-ES". that PR will also say parameters in AAD that currently go into the protected header (such as `apv` and `apu`), and one of them has to be nonce and the other client_id (or origin when DC API is not signed). will try to frame it in a way that does not lose alg agility once detached AAD becomes available
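An added illustration of the `apu`/`apv` binding named in the next step above (not code from this issue, the working group, or any OpenID4VP implementation): the RFC 7518 Concat KDF used by ECDH-ES, showing that a verifier deriving the key from its own session nonce and client_id cannot decrypt a response bound to other values, while one that takes `apu`/`apv` from the received header can. Which value goes into `apu` and which into `apv`, the helper names, and the sample values are assumptions.

```python
import hashlib
import struct

def _lp(data: bytes) -> bytes:
    """Length-prefix a field with a 32-bit big-endian length (RFC 7518 4.6.2)."""
    return struct.pack(">I", len(data)) + data

def concat_kdf(z: bytes, enc: str, apu: bytes, apv: bytes, key_bits: int) -> bytes:
    """Concat KDF with SHA-256 as used by ECDH-ES Direct Key Agreement."""
    other_info = (
        _lp(enc.encode("ascii"))       # AlgorithmID: the "enc" value
        + _lp(apu)                     # PartyUInfo
        + _lp(apv)                     # PartyVInfo
        + struct.pack(">I", key_bits)  # SuppPubInfo: keydatalen in bits
    )
    out, counter = b"", 1
    while len(out) * 8 < key_bits:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: key_bits // 8]

def derive_cek(z: bytes, nonce: str, client_id: str) -> bytes:
    # Assumption: apu carries the nonce and apv the client_id.
    return concat_kdf(z, "A128GCM", nonce.encode(), client_id.encode(), 128)

def verifier_can_decrypt(z, header, session, trust_header):
    """True when the verifier derives the same CEK the wallet encrypted with."""
    wallet_cek = derive_cek(z, header["nonce"], header["client_id"])
    src = header if trust_header else session
    return derive_cek(z, src["nonce"], src["client_id"]) == wallet_cek

# Constructed sample values; Z stands in for the ECDH shared secret.
Z = bytes(range(32))
SESSION = {"nonce": "n-0S6_WzA2Mj", "client_id": "https://verifier.example"}
MISMATCHED = {"nonce": "other-nonce", "client_id": "https://verifier.example"}

if __name__ == "__main__":
    # Verifier feeds its own session values into the KDF.
    print("matching response:", verifier_can_decrypt(Z, SESSION, SESSION, False))
    print("mismatched response:", verifier_can_decrypt(Z, MISMATCHED, SESSION, False))
    # Verifier copies apu/apv from the received header without comparing them.
    print("mismatched, header trusted:", verifier_can_decrypt(Z, MISMATCHED, SESSION, True))
```
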