Create security and privacy consideration for FAPI 2.0 Security Profile
Issue #505
resolved
The content is empty right now.
For the next I-D, we definitely need to have it.
Comments (8)
-
reporter -
reporter - changed status to open
-
We need to say that instead of defining measures (“messages are authenticated”) we are defining the goals (Authentication/Authorization/Session Integrity) as defined in the attacker model.
-
for the privacy considerations, do we want to pull in what we had in FAPI 1?
https://openid.net/specs/openid-financial-api-part-2-1_0.html#privacy-considerations
-
@Daniel Fett and @Nat Sakimura what do you think about pulling in the same privacy considerations as FAPI 1?
-
Yes, that’s a good starting point. I created a PR based on FAPI 1 including some changes: https://bitbucket.org/openid/fapi/pull-requests/359/privacy-considerations-based-on-fapi-1
-
- changed status to resolved
PR merged
-
reporter - changed component to FAPI2: Security Profile
It may belong to 4.5 instead, but in the security consideration, it would be good to explain why it was ok to deviate/relax from FAPI 1.0’s design principles: BCM principles, namely: