New name for FAPI

Issue #140 resolved
Nat Sakimura created an issue

In the March Board meeting, the board requested the name for FAPI to be generalized so that it will match the wider applicability of the security profiles.

This is a fair request but the catch is that the string 'fapi' is already used in the protocol parameters and we do not want to change it.

Thus we have a constrained name search: the new name should have an acronym that would result in FAPI.

This ticket collects some candidates on it.

Some of the initial ideas:

  • Fully Assured Protection Interoperable
  • Fair Assurance Protection Interface

Comments (4)

  1. Dave Tonge

    So I agree that it would be good to change the name.

    I'm not sure if we need the name to bear a resemblance to FAPI. The main references in the current spec are used in header names. For example:

    Required: x-fapi-interaction-id, x-fapi-financial-id

    Optional: x-fapi-auth-date, x-fapi-customer-ip-address

    We've already had a debate that the usage of "x-" isn't ideal. In addition we have the issue that such values aren't signed.

    At the moment "financial-id" seems unnecessary in most use cases. I will raise a separate issue recommending that it is removed and we make it mandatory that each financial institution has separate endpoints (I believe this is the case with all OpenBanking integrations).

    The other three parameters should ideally use standardised names rather than using the fapi prefix. auth-date and ip-address would seem to be more appropriately put into a SET (security event token) that the RP sends to the OP. At least then they would be signed.

    Even while we have the fapi prefix I suggest that we go for a generic name for the profile that doesn't use the FAPI initials. My suggestions would be:

    • High assurance
    • High security

    or something similar...

  2. Tom Jones

    There is no downside to having your cake and eating it. We do need a better rendering of FAPI - I like Full Assurance Protection Interchange. That is an official work group title. We can have a broader "marketing name" for the documents.

    Instead of FAPI part 1 - Basic assurance protections for OAuth and OpenID Connect.

    Instead of FAPI part 2 - Full assurance protections for OpenID Connect.
