[FAPI 2.0] Move "MTLS Protection of all endpoints" from [Message Signing] to [Security Profile]

Comments (19)

1. 

   Filip Skokan reporter

   • edited description

   • 2022-11-23T15:04:38+00:00
2. 

   Filip Skokan reporter

   • edited description

   • 2022-11-23T15:05:31+00:00
3. 

   Tom Jones

   i went looking on the open banking site for mtls but found nothing. Is mtls actually in live use anywhere?

   • 2022-11-29T17:14:07+00:00
4. 

   Daniel Fett

   I agree that this should be moved. I can’t find the Issue or PR for the original text - where did we agree to add this?

   • 2022-11-30T11:05:50+00:00
5. 

   Filip Skokan reporter

   @Daniel Fett the PR is https://bitbucket.org/openid/fapi/pull-requests/329

   • 2022-11-30T13:13:49+00:00
6. 

   Joseph Heenan

   Discussed on today’s call, we agreed to move the text from message signing to security profile, but to do it after SP ID2 and MS ID1 are in process. (i.e. we want to make sure that in the implementer’s drafts we’re starting to vote on imminently that it appears in at least one of them)

   • 2022-11-30T14:30:28+00:00
7. 

   Filip Skokan reporter

   • changed milestone to FINAL

   • 2022-11-30T17:52:17+00:00
8. 

   Nat Sakimura

   • changed component to FAPI2: Security Profile

   • 2022-12-14T15:35:23+00:00
9. 

   Dave Tonge

   • assigned issue to
     
     Dave Tonge

   • 2023-01-25T14:50:43+00:00
10. 

    Dave Tonge

    Wait until message signing is published, then action this ticket

    • 2023-01-25T14:51:37+00:00
11. 

    Joseph Heenan

    My brain randomly decided to recall a possible reason why we’d put this in message signing - I think there may have been logic that MTLS protection of all endpoints isn’t necessary to meet the FAPI2 Attacker Model, and the working group wanted to keep FAPI2 Security Profile as a highly interoperable profile with little optionality. Allowing people to MTLS protect all endpoints and still be considered compliant with “FAPI2 Security Profile” perhaps works against that aim.

    • 2023-01-25T15:37:39+00:00
12. 

    Filip Skokan reporter

    @Joseph Heenan That’s a good insight. Do you think it would be out of place in the Security Profile? Message Signing does not suggest that MTLS should be used everywhere and neither does this text. It feels more cautionary so I’d still side with placing it in the Security Profile.

    • 2023-01-25T15:45:44+00:00
13. 

    Dave Tonge

    • changed status to open

    • 2023-10-04T14:36:55+00:00
14. 

    Dave Tonge

    @Filip Skokan @Joseph Heenan what do you think we should do with this ticket?

    • 2023-10-04T14:37:29+00:00
15. 

    Filip Skokan reporter

    As per your previous message, when MS ID is released we’ll move (or replicate) this in SP.

    • 2023-10-04T14:40:50+00:00
16. 

    Joseph Heenan

    We did get the MS ID out, so we probably could move it now.

    • 2023-10-04T15:39:04+00:00
17. 

    Filip Skokan reporter

    https://bitbucket.org/openid/fapi/pull-requests/437

    • 2023-10-05T08:08:23+00:00
18. 

    Dave Tonge

    • assigned issue to
      
      Filip Skokan

    • 2023-10-10T08:48:10+00:00
19. 

    Dave Tonge

    • changed status to resolved

    pr merged

    • 2023-11-22T12:17:07+00:00
20. Log in to comment