FAPI WG Meeting Notes (2017-04-04)
Date & Time: 2017-04-04 23:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
Agenda
- 1. Roll Call
- 2. Adoption of the Agenda (Nat)
- 3. MTLS @ IETF report (John)
- 4. Issues
- 4.1. #83 - Support for GET
- 4.2. #82 - Strict Access Control to logs
- 4.3. #81 - Identify user associated to the access token
- 4.4. #79 - Part 1: issues with x-fapi-customer-last-logged-time header
- 4.5. #78 - Malicious Endpoint Attack
- 4.6. #77 - IdP Confusion Attack
- 4.7. #75 - Support other method of HoK than TOKB
- 4.8. #72 - Spec not clear as to which auth flows are supported
- 4.9. #61 - Fund availability API
- 5. Action Items Necessary to Finalize Read/Write Spec
- 6. External Orgs
- 7. AOB
The meeting was called to order at 15:10 UTC.
1. Roll Call
- Attending: Nat, Dave, Edmund
- Regrets:
2. Adoption of the Agenda (Nat)
- Adopted with the addition of the following:
- Action items necessary to finalize read/write spec
4. Issues
4.1. #83 - Support for GET
- Awaiting pull request from Pam
4.2. #82 - Strict Access Control to logs
- Awaiting pull request from Pam
4.3. #81 - Identify user associated to the access token
- Will replace 'user' with 'entity'
- Awaiting pull request
4.4. #79 - Part 1: issues with x-fapi-customer-last-logged-time header
- Nat will merge pull request from Joseph
4.5. #78 - Malicious Endpoint Attack
- Having a signed request object in Hybrid flow will mitigate this attack
4.6. #77 - IdP Confusion Attack
- Having a signed request object in Hybrid flow and unique redirect_uri per client_id will mitigate this attack
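Worked example for issues #78 and #77 above, added here and not part of the minutes or of any FAPI specification text: an authorization server validating a signed request object in the Hybrid flow. The client registry, client_ids, issuer URLs and secrets are constructed for the demo. FAPI requires asymmetric request-object signatures (PS256/ES256); HS256 is used only so the example runs on the Python standard library, and the check logic is the same either way. The `aud` check is what defeats the IdP confusion case (a request object minted for another issuer is refused), and the exact match against the client's registered redirect_uri is what stops a malicious endpoint from redirecting the response elsewhere.

```python
import base64
import hashlib
import hmac
import json

# Constructed example data (assumed; not from the FAPI specs or any real deployment).
AS_ISSUER = "https://as.example.bank"          # honest authorization server
OTHER_ISSUER = "https://idp.example.attacker"  # a second IdP, for the confusion case

# Assumed client registry of the AS: each client_id has a signing key and an exact
# list of registered redirect URIs (one unique redirect_uri per client_id).
CLIENT_REGISTRY = {
    "tpp-123": {"key": b"tpp-123-secret-for-demo-only",
                "redirect_uris": ["https://tpp.example.com/cb"]},
    "tpp-999": {"key": b"tpp-999-secret-for-demo-only",
                "redirect_uris": ["https://evil.example.net/cb"]},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_request_object(client_id: str, key: bytes, aud: str, params: dict, now: int) -> str:
    """Client side: sign the authorization parameters into the JWT 'request' parameter."""
    header = {"alg": "HS256", "typ": "JWT"}  # HS256 only for a stdlib-only demo
    payload = dict(params, iss=client_id, client_id=client_id, aud=aud, iat=now, exp=now + 300)
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_request_object(request_jwt: str, query: dict, issuer: str, registry: dict, now: int) -> dict:
    """AS side: return the validated parameters, or raise ValueError with the reason."""
    try:
        h64, p64, s64 = request_jwt.split(".")
    except ValueError:
        raise ValueError("malformed request object")
    header = json.loads(b64url_decode(h64))
    payload = json.loads(b64url_decode(p64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    # The plain client_id query parameter selects the key; the signature must verify
    # under that client's key, so an object minted by anyone else is rejected.
    client_id = query.get("client_id")
    client = registry.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    expected = hmac.new(client["key"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    # IdP confusion: an object built for a different issuer must not be honoured here.
    if payload.get("aud") != issuer:
        raise ValueError("audience mismatch")
    if payload.get("iss") != client_id or payload.get("client_id") != client_id:
        raise ValueError("client_id mismatch")
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        raise ValueError("request object expired or not yet valid")
    # Malicious endpoint: redirect_uri must be one registered for this client, compared exactly.
    if payload.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered for client")
    # OIDC request syntax: response_type in the query must match the signed copy.
    if payload.get("response_type") != query.get("response_type"):
        raise ValueError("response_type mismatch")
    return payload


def check(request_jwt: str, query: dict, now: int, issuer: str = AS_ISSUER) -> str:
    """Wrapper returning 'ok' or the rejection reason, for use in the usage below."""
    try:
        validate_request_object(request_jwt, query, issuer, CLIENT_REGISTRY, now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    now = 1491350400
    params = {"response_type": "code id_token", "redirect_uri": "https://tpp.example.com/cb",
              "scope": "openid payments", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj"}
    good = build_request_object("tpp-123", CLIENT_REGISTRY["tpp-123"]["key"], AS_ISSUER, params, now)
    query = {"client_id": "tpp-123", "response_type": "code id_token"}
    print(check(good, query, now))
    forged = build_request_object("tpp-123", CLIENT_REGISTRY["tpp-999"]["key"], AS_ISSUER,
                                  dict(params, redirect_uri="https://evil.example.net/cb"), now)
    print(check(forged, query, now))
```

An attacker who captures the honest request object through a malicious endpoint cannot change its redirect_uri without breaking the signature, and cannot mint a replacement for client_id tpp-123 without that client's key; a request object the honest client signed for a different issuer is refused by the audience check.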
4.7. #75 - Support other method of HoK than TOKB
- JPOP will be merged with client certificate authentication at Token endpoint by Brian
- Waiting for merged spec to become work item in OAuth WG
- Meanwhile, we can put links in the annex and then update the reference point once the spec is approved
4.8. #72 - Spec not clear as to which auth flows are supported
- Dave will create pull request before next call
4.9. #61 - Fund availability API
- Discussion is leaning towards waiting for implementing entities to do it first
- Put on hold
5. Action Items Necessary to Finalize Read/Write Spec
- The sections on accessing resources and security considerations are still thin
- For Security Considerations: if a server supports both pure bearer tokens and mutual-TLS-bound tokens, it should not accept both on the same endpoint
- In the UK, some FIs send payment information via a reference URI. Is it possible to merge this with request_uri and remove the additional endpoint by requiring support for request_uri with encryption?
- For now, will keep options open
- Are the AS and Client sections complete? Nat will do another pass
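Worked example for the security consideration in item 5 above, added here and not part of the minutes or of any FAPI specification text: a resource server enforcing that each endpoint accepts exactly one token type, so a mutual-TLS-bound token is never usable as a plain bearer token and a bearer token is never usable where binding is required. The endpoint paths, the introspection results and the certificate byte strings are constructed for the demo; the `cnf`/`x5t#S256` field is the certificate-thumbprint confirmation method from the merged JPOP/client-certificate draft being tracked under issue #75.

```python
import base64
import hashlib
import hmac


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint as used for certificate-bound tokens: base64url(SHA-256(DER))."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode()


# Constructed stand-ins for the DER bytes of two clients' TLS certificates.
CERT_TPP_A = b"constructed-DER-bytes-for-tpp-A"
CERT_TPP_B = b"constructed-DER-bytes-for-tpp-B"

# Constructed introspection results, i.e. what the RS knows after validating the token.
# A certificate-bound token carries cnf.x5t#S256; a pure bearer token has no cnf at all.
BOUND_TOKEN = {"active": True, "client_id": "tpp-A", "scope": "accounts",
               "cnf": {"x5t#S256": x5t_s256(CERT_TPP_A)}}
BEARER_TOKEN = {"active": True, "client_id": "tpp-B", "scope": "accounts"}

# Assumed per-endpoint policy: one token type per endpoint, never both.
ENDPOINT_POLICY = {
    "/open-banking/accounts": "mtls",   # read/write data: sender-constrained tokens only
    "/public/branches": "bearer",       # low-risk read endpoint: bearer tokens only
}


def authorize(endpoint: str, token: dict, presented_cert_der) -> tuple:
    """Decide whether the token may be used at this endpoint; returns (allowed, reason)."""
    policy = ENDPOINT_POLICY.get(endpoint)
    if policy is None:
        return (False, "unknown endpoint")
    if not token.get("active"):
        return (False, "inactive token")
    bound_thumbprint = token.get("cnf", {}).get("x5t#S256")
    if policy == "mtls":
        if bound_thumbprint is None:
            return (False, "bearer token not accepted on mTLS-bound endpoint")
        if presented_cert_der is None:
            return (False, "no client certificate presented")
        # A stolen bound token presented under any other certificate fails here.
        if not hmac.compare_digest(bound_thumbprint, x5t_s256(presented_cert_der)):
            return (False, "client certificate does not match token binding")
        return (True, "certificate-bound token accepted")
    # policy == "bearer": refuse bound tokens so their binding cannot be silently downgraded.
    if bound_thumbprint is not None:
        return (False, "certificate-bound token not accepted on bearer endpoint")
    return (True, "bearer token accepted")


if __name__ == "__main__":
    print(authorize("/open-banking/accounts", BOUND_TOKEN, CERT_TPP_A))
    print(authorize("/open-banking/accounts", BOUND_TOKEN, CERT_TPP_B))   # replay under another cert
    print(authorize("/open-banking/accounts", BEARER_TOKEN, CERT_TPP_B))  # bearer where binding required
    print(authorize("/public/branches", BOUND_TOKEN, None))               # downgrade attempt
```

If one endpoint accepted both types, a bound token leaked from a client could simply be replayed without the certificate, which is exactly the exposure the note about not supporting both on the same endpoint is meant to close.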
6. External Orgs
6.1. UK OBS (Dave)
- John is in the UK this week and will speak about the concept of spec profiles and promote the advantages of OpenID Connect (specs, test suites, certifications, etc.)
- Pam sent message regarding compiling a list of vendors for Fintech/FAPI
- Edmund will send message to mailing list asking parties to identify themselves and compile list
6.2. ISO/TC68 (Nat)
- Nat and Paul Grassi of NIST have drafted a liaison request for review and will send it to the TC 68 committee in time for the Brazil meeting
- John could possibly stop by to give a presentation
7. AOB
7.1. Next Call (Atlantic)
The meeting was adjourned at 23:58 UTC