
FAPI WG Informal Meeting Notes (2016-08-02)

Date & Time: 2016-08-02 23:00 UTC - 00:10 UTC
Location: GoToMeeting
Attendees: Nat, Nov, Edmund

Since the meeting invitation was not sent to the list, this meeting is informal.


  1. Meeting notification and WG Page
  2. New & Open Issues
  3. AOB

1. Meeting notification and WG Page

Nat apologized that, because he had not sent the meeting invitation properly to the list, this meeting is informal.

Edmund pointed out that the meeting URL is not properly posted on the WG page, so one has to dig into the meeting calendar to find the link.

Nat updated the WG page on the fly and promised to send out the meeting invitation after the call.

2. New & Open Issues

In the call, participants discussed the following issues listed in the issue tracker:

  • issue #2: Accounts: Total Pages and Page does not make sense
  • issue #4: Remove MessageFormat and references to it
  • issue #7: Add "Open Data" data set
  • issue #8: Should hard coded paths be avoided
  • issue #10: Internationalization of strings
  • issue #11: OAuth Profile should mandate RFC7636 (PKCE) for code flow
  • issue #12: OAuth Profile should mandate per AS redirect URI for Clients with session comparison
  • issue #13: TLS 1.0 should be banned
  • issue #14: Allowed Redirection Client URI is not a defined term
  • issue #15: Client Authentication, not Client Authorization
  • issue #16: Client Authentication -- Do we need TLS mutual authentication?
  • issue #17: Incomplete sentence "In line with FFIEC (Federal Financial Institutions Examination Council) guidance on Authentication to mitigate security risks."
  • issue #18: "Authorization token" is not a defined term in RFC6749
  • issue #19: Remove or Improve OAuth Interactions Diagram
  • issue #20: Meaning of the Surrogate Identifier Clause not clear
  • issue #21: Residual Data clause should be generalized and moved to privacy considerations
  • issue #22: Undefined OAuth response parameter user_id appears in the text
  • issue #23: How do I find AccountID to use in transfer?

The discussion results are recorded in each issue ticket. As far as terminology is concerned, the prevailing view among the callers was that existing OAuth terms should be used instead of creating new ones.

Some of the issues were related to ambiguities in the DDA spec that we are basing on. These (#17, #20, #22) were assigned to Anoop.

3. AOB

Nat asked the participants to review the Editor's comments added to

Call adjourned at 00:14 UTC.