6.1.   UK Open Banking (Dave/Nat)

• IPR contribution agreement received and posted to the site.
• Need to ping Don for the "letter" to the OB trustee.

6.2.   Berlin Group (Dave)

• Talked with Torsten and hopeful to come up with a draft liaison letter next week.

7.1.   OAuth WS @ Zurich (July 13, 14)

Very good discussions. Both Nat's paper and Torsten+John's paper is pertinent to the topic. * Nat's presentation: https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pptx * Nat's paper: https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pdf * Torsten's presentation: https://zisc.ethz.ch/wp-content/uploads/2017/02/lodderstedt_accesstoken.pdf

There are other interesting presentations as well. The entire agenda and files can be found at https://zisc.ethz.ch/oauth-security-workshop-2017/.

7.2.   IETF99 OAuth WG (Nat)

• We had the first OAuth meeting.
• Nat reported the status of OAuth JAR. It has now incorporated all the comments received and draft-14 will be pushed later today.
• Torsten and John presented the pros and cons of various ways of constraining access token. The result of the discussion was that sender constrained token only did address the access token phishing properly. Others are not. At the same time, the deployment-ability of token binding is recognized as an issue.
• Dave asked if it is too much of restriction for FAPI to only have Token binding for public clients.
• Nat answered that it is not the client side problem. The client can include libraries, such as AppAuth and that will be fine. It is more of the server side issue. For example, if the server is behind the F5 and if F5 does not support token binding, then the server cannot support token binding.

8.1.   Next Call (Pacific)

• Please do refer to the group calendar for the time.

The meeting was adjourned at 14:__ UTC.