1.   Roll Call

• Attending:

  • Nat Sakimura
  • Ralph Bragg
  • Joseph Heenan
  • Henrik Biering
  • Rob Otto

• Guest:
• Regrets:

2.   Adoption of the Agenda (Nat)

3.   Recap of the F2F @ Boston (Nat)

(see notes from last week for the detail)

4.   Short term work plan (Nat)

• We need to distribute the work to expedite the change to the CIBA core spec.

Ralph suggested that OB need an updated document in 8 weeks time.

Several people who had offered assistance weren't able to join the call so no decision was made. Nat will create a ticket in the issue tracker to talk about dividing the work.

Ralph indicated OpenBanking can provide some assistance.

5.   Liaison Reports (If any)

Ralph reported that the STET/Berlin will consider moving to an international standard with a proven implementation, but there's no timescale for a decision.

The Berlin group are focussed on functional changes to their APIs to align with the latest EBA guidance. The EBA guidance has more effect on the rest of the EU (where it provides guidance on the intent of the law) than it does on the UK (where only the letter of the law matters)..

6.   Issues

#149: Make it clear that the entire flow is OIDC Hybrid Flow - no one objection, Nat will suggest text

#150: Mandate at_hash check in the ID Token from the token endpoint - no objection was raised to going ahead with mandating at_hash

There was a discussion about the wider security points like certificate pinning, DNSSEC, etc that would need to be in order to ensure that the mechanism for the client to obtain the server's signing keys is sufficiently secure. Nat suggested that a broader spec like https://tools.ietf.org/html/draft-ietf-oauth-security-topics may be a better place for widely applicable recommendations like that. Nat will suggest to Torsten that this is discussed at IETF Montreal.

7.   Events

8.   AOB