Send acceptance of the report by U Stuttgart for WP2

Marcus Almgren

I don’t know about WP1, but the statement sent after the first milestone in WP2 was:

The FAPI Working Group (WG) has reviewed the technical report "Formal Security Analysis of the OpenID FAPI 2.0" by Pedram Hosseyni, Ralf Küsters and Tim Würtele from University of Stuttgart, Germany.

The technical report describes a web infrastructure model with an application-specific model, and aims to cover the security properties of the protocol specifications for FAPI 2 message signing, FAPI-CIBA, dynamic client registration and management specifications. In the next project milestone, the eventual goal is to use this model to prove that all security properties are satisfied for all attackers in the model, given the assumption that the cryptographic primitives work as intended since the objective is to evaluate the protocol and not the cryptography itself.

The FAPI WG has evaluated the report in textual form, listened to the presentation by the authors as well as discussed it in the recurring FAPI WG meetings, and it is the opinion of the WG that the delivery fulfills the specification of Milestone 2a: Formal definition in the contract. Additionally, the WG has been continously collaborating with the authors during the development of the model when there has been a need for clarification, and the outcome of that collaboration is being incorporated into the specification refinement.

The FAPI WG is of the opinion that the work performed during Milestone 2a as well as the deliverables meet the contract requirements as well as the needs of both Australian and global stakeholder requirements. The FAPI WG recommends that the stakeholders approve the milestone results.

‌

2023-10-25T09:47:43+00:00

Comments (3)

Marcus Almgren
I don’t know about WP1, but the statement sent after the first milestone in WP2 was:

The FAPI Working Group (WG) has reviewed the technical report "Formal Security Analysis of the OpenID FAPI 2.0" by Pedram Hosseyni, Ralf Küsters and Tim Würtele from University of Stuttgart, Germany.

The technical report describes a web infrastructure model with an application-specific model, and aims to cover the security properties of the protocol specifications for FAPI 2 message signing, FAPI-CIBA, dynamic client registration and management specifications. In the next project milestone, the eventual goal is to use this model to prove that all security properties are satisfied for all attackers in the model, given the assumption that the cryptographic primitives work as intended since the objective is to evaluate the protocol and not the cryptography itself.

The FAPI WG has evaluated the report in textual form, listened to the presentation by the authors as well as discussed it in the recurring FAPI WG meetings, and it is the opinion of the WG that the delivery fulfills the specification of Milestone 2a: Formal definition in the contract. Additionally, the WG has been continously collaborating with the authors during the development of the model when there has been a need for clarification, and the outcome of that collaboration is being incorporated into the specification refinement.

The FAPI WG is of the opinion that the work performed during Milestone 2a as well as the deliverables meet the contract requirements as well as the needs of both Australian and global stakeholder requirements. The FAPI WG recommends that the stakeholders approve the milestone results.

‌
- 2023-10-25T09:47:43+00:00
Nat Sakimura reporter
- assigned issue to
  
  Nat Sakimura
- 2023-10-25T14:08:57+00:00
Nat Sakimura reporter
- changed status to resolved
Nat signed the letter last week.
- 2023-11-01T14:24:32+00:00
Log in to comment