Clone wiki

fapi / FAPI_Meeting_Notes_2017-03-21

FAPI WG Meeting Notes (2017-03-21)

Date & Time: 2017-03-21 22:00 UTC

The call started one hour earlier as the calendar entry was pegged to US time rather than UTC.
- More discussion about it in AOB.

Location: GoToMeeting https://global.gotomeeting.com/join/321819862

Agenda

1. Roll Call
2. Adoption of the Agenda (Nat)
3. Drafts
4. External Orgs
- 4.1. UK OBS (Dave, John)
- 4.2. Others
5. AOB
- 5.1. Next Call (Atlantic)

The meeting was called to order at 15:10 UTC.

1. Roll Call

Attending: John, Nat, Edmund, Tom, Henrik, Joseph
Regrets: Tony, ANoop, Sascha

2. Adoption of the Agenda (Nat)

Adopted as presented.

3. Drafts

3.1. Part 1: Read Only API Security Profile

3.1.1. Issue #76 - Can vs May

Accepted changes.

3.2. Part 2: Read & Write API Security Profile

3.2.1. PoP other than Token Binding - https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01

We need both raw and artifact version of JPOP token
Artifact version needs to be introspected.
Need new claim "jty": JPOP / JPOPA (for artifact)
Resources discovery: abstract resource identifier.
AT needs to include aud.
Resource server returns the header that includes Resoruce server metada URI.
Resource server metadata format needs to be defined. Mike had one in the past.
- https://tools.ietf.org/html/draft-jones-oauth-resource-metadata-01
  
  it uses .well-known, which is not good.
Security consideration on TLS binding on the server side if the server has access to TLS info.

3.2.2. Other issues in Bitbucket

~~#77~~, ~~#78~~: Edmund created a branch for discussion. It is capturing the good practice for authentication protocols.
- Lengthy discussion followed. While this method leaks less information to attackers, for the know attacks, enforcing JWT client authentication seems adequate. For FAPI purposes, we probably do not need it while it would make a good discussion point in the July OAuth Security workshop in Zurich.
- The difference in the security characteristics for including client intent in the authorization request or not is whether Authorization Server can detect badly configured client or not.

3.3. Part 3: Open Data API

Skipped

3.4. Part 4: Protected Data API and Schema - Read only

Skipped

3.5. Part 5: Protected Data API and Schema - Read and Write

Skipped

4. External Orgs

4.1. UK OBS (Dave, John)

Not recorded

4.2. Others

IETF is wanting another chair for OAuth WG, who knows the administrative process.

5. AOB

5.1. Next Call (Atlantic)

Question was raised whether we want to peg the time to UTC or to move around with Daylight saving time.
Opinion was split in the call. Nat will ask about it in the list as well.

Updated 2017-03-22