Numbering: FAPI Part 2 Section 5.2
The change of section numbering made between ID2 and Final has made it difficult to compare the differences.
ID2 (https://openid.net/specs/openid-financial-api-part-2-ID2.html)
- Section 5.2.3. Public client
- Section 5.2.4. Confidential client
- Section 5.2.5. JWT Secured Authorization Response Mode
Proposed Final (https://openid.net/specs/openid-financial-api-part-2-wd-07.html)
- Section 5.2.3. ID Token as detached signature
- Section 5.2.4. JARM
- Section 5.2.5. Confidential client
- Section 5.2.6. ID Token as detached signature
- Section 5.2.7. JARM
- Section 5.2.8. (withdrawn)
- Section 5.2.9. (withdrawn)
One way to mitigate this problem would be to number the sections like below.
- Section 5.2.3. (withdrawn; merged into 5.2.4)
- Section 5.2.4. Confidential client
- Section 5.2.5. (withdrawn) or use the content of ID2’s Section 5.2.5 // The proposed final does not have the content which corresponds to ID2’s Section 5.2.5, but is it necessary to drop the content?
- Section 5.2.6. ID Token as detached signature
- Section 5.2.7. JARM
- Section 5.2.8. ID Token as detached signature // if it’s necessary to create an independent section separately for requirements regarding “ID Token as detached signature” for “client” (not authorization server). Can’t they be merged into one section?
- Section 5.2.9. JARM // if it’s necessary to create an independent section separately for requirements regarding “JARM” for “client” (not authorization server). Can’t they be merged into one section?
However, considering the schedule for voting (https://openid.net/2020/11/30/notice-of-vote-for-proposed-final-fapi-1-0-part-1-and-part-2-specifications/), it may be too late to point out the problem now. If the schedule has higher priority, I have no mind to stick to this issue. I just wanted to report the problem which implementers like me would face in future.
Comments (7)
reporter - marked as critical
- reporter: The proposed final version of FAPI Part 2 Advanced Security Profile (https://openid.net/specs/openid-financial-api-part-2-wd-07.html) refers to non-existent section numbers as I commented above. This is a critical problem for a technical document.
- changed status to resolved
  Fixes #354 → <<cset 6dd57a2bd8f1>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
I guess that "Section 5.2.3. ID Token as detached signature" in the proposed final draft should be "Section 5.2.2.1" because "Section 5.2.2. Authorization Server" contains "(moved to 5.2.2.1)" but "Section 5.2.2.1" does not exist.
"Section 5.2.5. Confidential client" in the proposed final draft contains "(moved to 5.2.3.1)" but "Section 5.2.3.1" does not exist.
It seems that the section numbers given to "Section 5.2.3. ID Token as detached signature" and "Section 5.2.6. ID Token as detached signature" are wrong. Should they be "Section 5.2.*.1"? The mismatch of the section number for "Confidential client" (5.2.4 in ID2 vs 5.2.5 in Final) comes from here.