FAPI WG Meeting Notes (2017-03-07)
Date & Time: 2017-03-07 23:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
- 1. Roll Call
- 2. Adoption of the Agenda (Nat)
- 3. External Orgs
- 4. Drafts
  - 4.1. Part 1: Read Only API Security Profile (Nat)
  - 4.2. Part 2: Read & Write API Security Profile (Nat & Edmund)
  - 4.3. Part 3: Open Data API
  - 4.4. Part 4: Protected Data API and Schema - Read only (Sascha)
  - 4.5. Part 5: Protected Data API and Schema - Read and Write
- 5. AOB
The meeting was called to order at 15:10 UTC.
- Present: Nat, Tom, Brian, Edmund, John, Henrik.
- Added FS-ISAC
- Moved External Orgs as the first item.
- FS-ISAC had a call. Feedback on DDA 2.0 that extends to tax, qtip, etc.
- Banks are also interested in the consent flow.
- Banks supporting DDA: Wells Fargo, Fidelity, Citi,
- OFX: Chase
- Need to come up with some spec in one to two weeks.
- The solution needs to be implementable by the major vendors.
- A bunch of change requests to be discussed in the WD section of the agenda.
The following were not discussed.
- OFX (Anoop)
- JP Banking Association (Nat)
- Change SHALL to SHOULD.
- Make PKCE conditional.
- Nat to make the changes today.
- WG decided to mandate PoP but allow two different methods:
  - Token Binding
  - Sender constraint via Client Cert.
- Client cert sender constraint should allow the following verification methods:
  - dn <-- needs to be defined. All the others are defined in RFC8700.
- Nat will come up with a draft and send it over to the list, and post it to IETF on Friday.
- This seems to be a priority.
- Passing payment info in request object to have the user consent.
- Gather example schema in the document so that we can abstract them later.