ecosystems diverging from FAPI2-Baseline spec
Issue #481
resolved
I think it’s worth having a discussion about how ecosystems are diverging from FAPI2-Baseline, and if there’s anything we can do to prevent it becoming messy for interoperability.
So far I believe we have:
- at least one ecosystem (CDR) requiring the use of JARM when using FAPI2-Baseline
- at least one ecosystem (currently not public) requiring the use of signed request objects with FAPI2-Baseline
This also creates extra tensions about certification, effectively having quite a few variations of FAPI2 that people can certify to (unless we take a hardline that these ecosystems essentially aren’t FAPI2-Baseline compatible and refuse to certify them).
I think it’s not clear if these ecosystems would instead adopt FAPI2-Advanced if it was further along.
Comments (3)
-
reporter
-
- changed status to resolved
We have change FAPI 2 Advanced to have options like JARM / JAR, etc.
-
- changed component to FAPI2: Security Profile
- Log in to comment
- Assignee
- –
- Type
- Priority
- Status
- resolved
- Component
- FAPI2: Security Profile
- Milestone
- –
- Votes
- 0
- Watchers
- 1
Discussed on today’s call and there was a consensus that perhaps in FAPI2-Advanced the various different signing would be considered optional, and that to certify for FAPI2-Baseline you would have to comply with the spec as written.
There was a further concern aired that perhaps the security analysis may reveal that JARM should be used in FAPI2-Baseline, but I believe Daniel Fett felt this was unlikely.