Clone wiki

fapi / FAPI_Meeting_Notes_2017-04-04

FAPI WG Meeting Notes (2017-04-04)

Date & Time: 2017-04-04 23:00 UTC

Location: GoToMeeting

The meeting was called to order at 15:10 UTC.

1.   Roll Call

  • Attending: Nat, Dave, Edmund
  • Regrets:

2.   Adoption of the Agenda (Nat)

  • Adopted with the addition of the following:
    • Action items necessary to finalize read/write spec

4.   Issues

4.1.   #83 - Support for GET

  • Awaiting pull request from Pam

4.2.   #82 - Strict Access Control to logs

  • Awaiting pull request from Pam

4.3.   #81 - Identify user associated to the access token

  • Will replace 'user' with 'entity'
  • Awaiting pull request

4.4.   #79 - Part 1: issues with x-fapi-customer-last-logged-time header

  • Nat will merge pull request from Joseph

4.5.   #78 - Malicious Endpoint Attack

  • Having a signed request object in Hybrid flow will mitigate this attack

4.6.   #77 - IdP Confusion Attack

  • Having a signed request object in Hybrid flow and unique redirect_uri per client_id will mitigate this attack

4.7.   #75 - Support other method of HoK than TOKB

  • JPOP will be merged with client certificate authentication at Token endpoint by Brian
  • Waiting for merged spec to become work item in OAuth WG
  • Meanwhile, we can put links in the annex and then update the reference point once the spec is approved

4.8.   #72 - Spec not clear as to which auth flows are supported

  • Dave will create pull request before next call

4.9.   #61 - Fund availability API

  • Discussion is going towards waiting for implementation entities to do it first
  • Put on hold

5.   Action Items Necessary to Finalize Read/Write Spec

  • There seems to be not much in the sections regarding accessing resources and security considerations
  • For Security Considerations, if server supports pure bearer and mutual TLS bound token, it should not support both on same endpoint
  • In UK, some FIs send payment information via reference uri. Is it possible to merge this with request_uri and remove additional endpoint by requiring support and request_uri with encryption?
  • For now, will keep options open
  • Is AS and Client sections complete? Nat will do another pass

6.   External Orgs

6.1.   UK OBS (Dave)

  • John is in UK this week and will speak about the concept of spec profiles and promote advantages of OpenID Connect (specs, test suites, certifications, etc...)
  • Pam sent message regarding compiling a list of vendors for Fintech/FAPI
  • Edmund will send message to mailing list asking parties to identify themselves and compile list

6.2.   ISO/TC68 (Nat)

  • Nat and Paul Grassi of NIST has crafted liaison request with for review and will send it to the TC 68 committee in time for Brazil meeting
  • John could possibly stop by to do presentation

7.   AOB

7.1.   Next Call (Atlantic)

The meeting was adjourned at 23:58 UTC