
FAPI WG Meeting Notes (2017-03-21)

Date & Time: 2017-03-21 22:00 UTC

  • The call started one hour earlier as the calendar entry was pegged to US time rather than UTC.
    • More discussion about it in AOB.

Location: GoToMeeting

The meeting was called to order at 15:10 UTC.

1.   Roll Call

  • Attending: John, Nat, Edmund, Tom, Henrik, Joseph
  • Regrets: Tony, Anoop, Sascha

2.   Adoption of the Agenda (Nat)

  • Adopted as presented.

3.   Drafts

3.2.   Part 2: Read & Write API Security Profile

3.2.1.   PoP other than Token Binding

  • We need both raw and artifact versions of the JPOP token.
  • The artifact version needs to be introspected.
  • Need a new claim "jty": JPOP / JPOPA (for artifact).
  • Resource discovery: abstract resource identifier.
  • The AT (access token) needs to include aud.
  • The resource server returns a header that includes the resource server metadata URI.
  • The resource server metadata format needs to be defined. Mike had one in the past.
  • Security consideration on TLS binding on the server side if the server has access to TLS info.
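The following is an added illustration, not code from the meeting or from the FAPI working group, of the two checks the notes ask the resource server to make on an incoming access token: that its aud claim names this resource's abstract identifier, and that its jty claim says whether it is a raw JPOP token (usable directly) or a JPOPA artifact (which must be introspected at the authorization server). The HS256 signing with a shared demo secret, the resource identifier URI, the claim layout and the helper names are all assumptions made for the example; a real deployment would verify the AS's asymmetric signature and would additionally verify the proof-of-possession itself, which this example does not cover.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. In practice the resource server fetches the AS's
# verification key out of band (an asymmetric key for a production profile).
DEMO_KEY = b"constructed-demo-shared-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWS carrying the given claims (constructed helper for the demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def check_access_token(token: str, resource_id: str, key: bytes = DEMO_KEY, now=None) -> str:
    """Decide what the resource server should do with a presented access token.

    Returns "accept: ...", "introspect: ..." or "reject: ..." so the caller can
    branch on the first word. `resource_id` is the abstract resource identifier
    this server expects to find in aud.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return "reject: malformed"

    # Pin the expected algorithm before touching the signature.
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return "reject: unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return "reject: bad signature"

    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return "reject: expired"

    # aud may be a single string or a list; this resource must be named in it.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if resource_id not in aud:
        return "reject: aud mismatch"

    # jty distinguishes a raw token from an artifact that must be resolved at the AS.
    jty = claims.get("jty")
    if jty == "JPOP":
        return "accept: raw JPOP token"
    if jty == "JPOPA":
        return "introspect: artifact token must be resolved at the AS"
    return "reject: unknown token type"


if __name__ == "__main__":
    rs = "https://rs.example/accounts"  # constructed abstract resource identifier
    tok = mint_token({"aud": rs, "jty": "JPOP", "exp": int(time.time()) + 300})
    print(check_access_token(tok, rs))
    print(check_access_token(tok, "https://other.example/"))
```

The fixed `now` argument exists so the expiry check can be exercised deterministically; the aud check deliberately treats a missing aud the same as a mismatch, since a token with no audience could be replayed at any resource server.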

3.2.2.   Other issues in Bitbucket

  • #77, #78: Edmund created a branch for discussion. It captures good practice for authentication protocols.
    • Lengthy discussion followed. While this method leaks less information to attackers, for the known attacks, enforcing JWT client authentication seems adequate. For FAPI purposes, we probably do not need it, though it would make a good discussion point at the July OAuth Security Workshop in Zurich.
    • The difference in security characteristics between including the client intent in the authorization request and not including it is whether the Authorization Server can detect a badly configured client.

4.   External Orgs

4.2.   Others

  • IETF is looking for another chair for the OAuth WG, one who knows the administrative process.

5.   AOB

5.1.   Next Call (Atlantic)

  • The question was raised whether we want to peg the call time to UTC or to move around with daylight saving time.
  • Opinion was split on the call. Nat will ask about it on the list as well.