FAPI 2.0 Purpose and FAPI WG Scope

Issue #425 open
Dave Tonge created an issue

There was some discussion on the call today about the purpose of FAPI 2.0 and how it fits with the WG Charter.

The current charter - https://openid.net/wg/fapi/charter/ - is a little outdated, but is fairly broad in its remit. I don’t personally think that the charter prevents us from producing specifications based on OIDC / OAuth 2 that aid interoperability and security.

The purpose for FAPI 2.0 as expressed in our FAQ is:

  • complete interoperability at the interface between client and authorization server as well as interoperable security mechanisms at the interface between client and resource server.
  • easier to use than FAPI 1.0
  • alignment with OAuth Security BCP
  • clear attacker model

It would be good to get any feedback on this.

Comments (11)

  1. Daniel Fett

    With the references to read-only/read-write, JSON schemas, etc., the charter text indeed feels a little outdated. Nonetheless, I think that FAPI 2.0 is covered under “security profiles for OpenID Connect and OAuth”.

    Can we update the charter text?

  2. Dave Tonge reporter

    The OIDF is working on a new website, it would be great to get the charter updated as it’s very out of date.

  3. Dave Tonge reporter

    We discussed on the call today - it should be possible to update the charter as it’s mainly a contraction. We should work on an updated charter in this issue.

  4. Dave Tonge reporter

    Suggested updated charter:

    The FAPI working group provides JSON data schemas, security and privacy recommendations and protocols to enable applications to provide and use secure APIs. utilize the data stored in a financial account, to enable applications to interact with a financial account, and enable users to control the security and privacy settings.

  5. Nat Sakimura

    The result of feedback:

    If you are merely narrowing the scope of the WG Charter the process would seem to be relatively simple and should not involve re-signing the IPR Policy.

    Process Document Section 4.14 gives the WG the right to narrow the scope of its Charter. Specifically,  –

    “4.14. Charter Clarification.  A WG may clarify its Charter only to narrow its Scope or to remove ambiguity; it may not broaden or otherwise change the Scope of its Charter (without re-Chartering).  The list of deliverables may be expanded (without re-Chartering) only if the new deliverables are within the Scope of the original Charter.”

    As noted in 4.14, narrowing the WG Charter would be a WG decision (i.e., an Intra-WG decision).

    Per Section 1.10, it would also be considered as a Core Decision --

    “1.10. “Core Decision” means a substantial decision relating directly to the Work Group, examples of Core Decisions include: . . .

    • to amend the Charter, or Scope or to re-charter the WG; . . .”

    Accordingly, the decision process to narrow the scope of a WG Charter would be to follow the process for Intra-Work Group Core Decisions, as set out in Process Document “Table 2 – Decision Requirements.”

    The only question is whether removing the word “Financial” from the name is intended to (or has the effect of) broadening the scope of the WG. If so, then it would likely fall into the category of Re-Chartering covered by Section 4.15.

  6. Nat Sakimura

    We are in an interesting situation where we are technically making the scope smaller, but the application area becomes wider.

    If this is deemed as scope expansion, then it would be easier to do it after the OpenID Process change, which is expected in October. In the new ruling, it will be:

    4.15 Re-Chartering. A WG’s Contributors may elect to propose re-chartering the WG to expand its scope. That proposal should follow requirements set out in §4.1 and review of the proposal will be conducted as per §4.2. After acceptance by the board the re-chartered WG will retain its name, and all email lists and archives, webpages, etc. will move from the predecessor to the re-chartered WG. Each Contributor will remain bound by the IPR Policy as applied to pre-existing Implementers Drafts, Final Specifications, and Final Specifications Incorporating Errata Corrections promulgated under the prior Charter. They are also bound to IPR policy terms for all new Contributions under the re-chartered WG unless, and until, they express their wish to withdraw from being a WG Contributor as described in §4.5.

    So, re-obtaining the IPR agreement becomes unnecessary. The current one does.
