FAPI WG Meeting Notes (2017-01-24)
- Date & Time: 2017-01-24 23:00 UTC
- (15:00 PST, 23:00 UK, 00:00+1 Denmark, 08:00+1 JST)
- Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- 1. Roll Call
- 2. Adoption of the Agenda (Nat)
- 3. Implementer's draft Part 1 voting preparation (Nat)
- 4. Working Drafts
- 5. Issues (Nat)
- 6. External Orgs
- 7. New Use Cases Discussion (Anoop)
- 8. AOB
The meeting was called to order at 15:05 PST (23:05 UTC).
- Present: Nat, Anoop, Edmund, Henrik
- Regrets: Tony, John, Sascha
- Adopted as amended:
- Skipping the Events item, as John is absent.
- New use case discussion added.
- Voting announcement has been made.
- Details can be found at: http://openid.net/2017/01/20/notice-of-vote-for-implementers-draft-of-financial-api-part-1-read-only-api-security-profile/
- Please prepare for voting:
- Check in advance that you can log in to the voting site, etc.
- Financial_API_WD_001.md Financial API - Part 1: Read Only API Security Profile
- Financial_API_WD_002.md Financial API - Part 2: Read and Write API Security Profile
- Financial_API_WD_003.md Financial API - Part 3: Open Data API
- Financial_API_WD_004.md Financial API - Part 4: Protected Data API and Schema - Read only
- Financial_API_WD_005.md Financial API - Part 5: Protected Data API and Schema - Read and Write
- Edmund applied all the editorial bug fixes collected during the review period.
- Edmund is also working on Pandoc HTML and .docx templates so that the HTML output looks more like OIDF specs and the .docx output more like ISO specs.
- Nat and Edmund have been adding the previously identified requirements into the drafts.
- For request objects, the draft currently refers to section 6 of OpenID Connect Core, but if OAuth JAR (JWT Secured Authorization Request) is published as an RFC, we should reference that instead. Nat is currently working on the IETF SECDIR comments on OAuth JAR; it will be discussed at the IESG on Feb. 3.
- No new issues.
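Worked example, added here and not part of the original minutes or of the FAPI drafts, of the request object mechanism referenced in the Working Drafts item above: the client signs its authorization request parameters into a JWT, and the authorization server verifies the signature and takes the parameters from the signed object rather than from the plain query string, so a redirect_uri or scope altered in transit is ignored, and a payload modified without re-signing fails verification. The matching rule for the plain client_id and response_type is the one OpenID Connect Core section 6.1 states; the ES256 algorithm, the field set, the client id `fintech-app` and the URLs are assumptions for illustration and are not values taken from the drafts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
)

// RequestObject holds the authorization request parameters carried in the
// signed JWT (OpenID Connect Core section 6), trimmed to the fields used here.
type RequestObject struct {
	ResponseType string `json:"response_type"`
	ClientID     string `json:"client_id"`
	RedirectURI  string `json:"redirect_uri"`
	Scope        string `json:"scope"`
}

var b64 = base64.RawURLEncoding

// newClientKey stands in for the key pair the client registered with the AS (assumed P-256).
func newClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signRequestObject returns a compact JWS (ES256) over the request object.
func signRequestObject(ro RequestObject, key *ecdsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(ro) // a struct of plain strings cannot fail to marshal
	input := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R || S, each left-padded to 32 bytes (RFC 7518 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRequestObject checks the signature with the client's registered key; the accepted alg is pinned to ES256, not trusted from the header.
func verifyRequestObject(jwt string, pub *ecdsa.PublicKey) (RequestObject, error) {
	var ro RequestObject
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return ro, errors.New("malformed compact JWS")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return ro, errors.New("bad base64url segment or signature length")
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return ro, errors.New("unreadable header or alg is not ES256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return ro, errors.New("signature verification failed")
	}
	err := json.Unmarshal(payload, &ro)
	return ro, err
}

// resolveAuthzRequest is the authorization server side: OIDC Core 6.1 requires the plain client_id and
// response_type to match the signed values; everything else comes from the signed object, so a tampered plain redirect_uri or scope is ignored.
func resolveAuthzRequest(rawQuery string, pub *ecdsa.PublicKey) (RequestObject, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return RequestObject{}, err
	}
	ro, err := verifyRequestObject(q.Get("request"), pub)
	if err != nil {
		return RequestObject{}, err
	}
	if q.Get("client_id") != ro.ClientID || q.Get("response_type") != ro.ResponseType {
		return RequestObject{}, errors.New("plain client_id/response_type do not match the request object")
	}
	return ro, nil
}

// forgeScope swaps the payload for one with a wider scope but keeps the old signature (simulated in-transit tampering).
func forgeScope(jwt string, ro RequestObject, scope string) string {
	ro.Scope = scope
	payload, _ := json.Marshal(ro)
	parts := strings.Split(jwt, ".")
	return parts[0] + "." + b64.EncodeToString(payload) + "." + parts[2]
}

func main() {
	key, _ := newClientKey()
	ro := RequestObject{ResponseType: "code", ClientID: "fintech-app", RedirectURI: "https://app.example/cb", Scope: "openid accounts"}
	tok, _ := signRequestObject(ro, key)
	// Constructed attack: the plain redirect_uri is replaced on the way to the AS.
	q := url.Values{"client_id": {"fintech-app"}, "response_type": {"code"}, "redirect_uri": {"https://attacker.example/cb"}, "request": {tok}}
	got, err := resolveAuthzRequest(q.Encode(), &key.PublicKey)
	_, ferr := verifyRequestObject(forgeScope(tok, ro, "openid accounts payments"), &key.PublicKey)
	fmt.Println("effective redirect_uri:", got.RedirectURI, "err:", err, "| forged scope rejected:", ferr != nil)
}
```

Two checks in the verifier are the ones that matter in practice: the algorithm is pinned to what the client registered instead of being read from the token header, and the raw signature segment is length-checked before the R and S halves are split. A real server would additionally look the key up by the client_id from the plain query string, which is why that parameter must be sent in the clear and must match the signed one.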
For some time, the banks had been meeting among themselves to work out the charter, especially the IPR around the data they share. They are now reconvening the working group, and Intuit is going to report on the status and advise on how to plug in OpenID.
- Nat will follow up with Bob Blakley at Citi.
- Citi participant at DDA: Clint Stephan, Security Group.
- Tony will follow up with EMV.
- As FS-ISAC has started moving, OFX should also be aligned with it.
- Nat and the JP Fintech Association visited the JP Banking Association.
- The JP Banking Association is in the process of creating its API recommendations. The secretariat believes it should adopt a standard created by experts, so adopting FAPI Part 1 and Part 2 seems to be the course.
- For the data schema part, they were pessimistic about being able to come up with a single schema, let alone adopting DDA etc., but the Fintech Association advised that they should at least try. From the point of view of a Fintech company operating worldwide, each country creating its own schema means preparing for over 200 schemas, and that is bad enough. If each country starts to have multiple schemas, that will multiply the "badness".
The situation in Denmark is changing rapidly. There were two competing banking associations, but they have merged. A few days before the merger, the absorbed side published an API, but as it was absorbed, the API was withdrawn. Banks are now looking at the possibility of postponing the PSD2 implementation as much as possible.
Henrik wanted to know whether anyone in FAPI is talking with the EBA. Nat pointed out that Dave was responding to the EBA's second consultation (not as a FAPI WG liaison) and that it can be put on the agenda of next week's teleconference.
- Some use cases where OAuth has shortcomings were identified:
- OAuth left-out session problems
- Adding two accounts from the same bank to a Fintech application
Nat pointed out that all these "problems" are caused by the sites using OAuth for login purposes, which is wrong. Many developers complain that OpenID Connect is complex, but if you want to do a sign-in, you cannot do it with pure RFC 6749 + RFC 6750; you have to extend it, and you pretty much end up with the same thing as OpenID Connect.
Nat also pointed out that the OpenID Connect WG is working on the logout specs and that it is probably good to consult with them. Logout is a very complex problem and needs a lot of thinking before actually doing it. In many cases a single solution will not work, and it would require a combination of multiple specs.