Clone wiki

fapi / FAPI_Meeting_Notes_2017-10-03

FAPI WG Meeting Notes (2017-10-03)

Date & Time: 2017-10-03 23:00 UTC

Location: GoToMeeting

The meeting was called to order at 23:05 UTC.

1.   Roll Call

  • Attending: Bjorn, John, Nat, Edmund, Sascha, Tom, Pam, Carla
    • Guest:
  • Regrets: Anoop

2.   Adoption of the Agenda (Nat)

  • Added: CA report, FIDO report,

3.   External Orgs

3.1.   Berling Group Consultation (Nat)

Berlin group consultation is out. There are some concerning wrting around OAuth and we may want to respond as OIDF-FAPI WG. The conslutations are found at the following links.


Pam showed the section 4.3 and explained that while it does have code grant, it is markedly silent on the specifics. It also allows 'user password grant', which is concerning. Some comments were made that perhaps the existing APIs actually embed username and password in the request as some of the legacy APIs do. (Note: All the German banks have been mandated to have APIs for a long time.)

3.2.   FIDO (John)

Plenary in Sydney CTAP going under legal review for publication so that W3C can see CTAP. Expected to become public next month.

Making good progress on the W3C.

Google is pushing for U2F to thwart session hijacking.

Some confusion on PSD2 requirements re: PIN sleeve.

3.3.   Open Banking (Dave, Pam)

  • request from OB to have more examples.

4.   Draft status and plans

4.2.   Verification: non-compliant JWT audience (Pam)

The callers agreed to that taking aud out of the software statement is the best strategy.

Tom also asked how we differentiate a software statement from another type of JWT. While it is sent to the specific endpoint in transit, it may be stored in the database and gets mixed up at a later stage so it is always good to have explicit typing. Callers agreed that explicit typing is a way to go.

Pam is going to create an issue on the OB side.

4.3.   Pending pull requests (Edmund)

All the pending pull requests have been accepted and merged.

5.   Events

5.1.   Open Banking F2F (Nat)

  • Nat relayed the info from the last week's Atlantic call that one is planned on Oct. 17 in London.

5.2.   FAPI/Modrna joint F2F

  • Date fixed on Nov. 7. Given Berling Group and API Days, Do we want it to be in Berlin instead?
  • That seems to be certainly possible but if it is going to be joint WG with Modrna, some logistical shuffling may be needed.
  • Carla will find out about the Microsoft event that is happening before the Berling group meeting.

6.   AOB

6.1.   Next Call (Atlantic)

  • The meeting was adjourned at 23:52 UTC.