FAPI WG Meeting Notes (2019-01-16)
Date & Time: 2019-01-16 14:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
1. Roll Call
2. Adoption of the Agenda (Dave)
3. Security Whitepaper (Torsten)
4. External Organizations
5. Issues
6. AOB
The meeting was called to order at 14:09 UTC.
- Nat, Brian, Daniel, Dave, John, Joseph, Torsten, Bjorn, Freddi, Chris
- Adopted as proposed.
- Daniel to send a pull request to put the figures in it.
- No news.
- Dave will also try to get in touch with them once the TR is complete with figures.
- Progressing with version 4.
- Draft sent out a week ago. He will meet with the editor next week.
- Feedback sought.
Examples should be added. No concrete proposal yet. Assigned to Dave and taken off-line with Freddi.
- Torsten is still working on it.
- Text in the spec that explicitly refers to 5.2.2 in FAPI1 and FAPI2 is sufficient, and I propose we close this.
- Lengthy discussion around it. Recommending against the use of RS256 seems to be fine; people tend to use it for both signature and encryption once it is allowed.
- Also, John pointed out that moving from RS256 to PS256 should not require complete re-registration of the client, as the keys will be the same, but Brian pointed out that there is no way to do so in the spec.
- Chris pointed out that OBIE is trying to come up with a method that smooths this.
- The PKCS #1 v1.5 ban is written only in the context of signatures. We should do the same for encryption.
- There seem to be some portions of the spec that should be softened from SHALL to SHOULD.
- One of them is the parameter duplication: John and Nat should probably press harder for OAuth JAR.
- Chris/Freddi/Joseph to come up with the concrete set of those issues for the next Atlantic call.
- Daniel is seeking feedback on the paper that was distributed to some members of the WG.
- Pacific call next week. Atlantic call in two weeks' time.
The meeting adjourned at 15:05.
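The discussion above on rejecting RS256 and extending the PKCS #1 v1.5 ban from signatures to encryption comes down to an allow-list check on the JOSE protected header before any key is touched. The following is an added example, not code from the minutes or from the FAPI working group: a small Python policy check that parses a compact JWS or JWE, decodes the protected header, and rejects the PKCS #1 v1.5 based algorithms (RS256/RS384/RS512 for signatures, RSA1_5 for key encryption). The allow-lists themselves (PS256 and ES256 for signing, RSA-OAEP variants for key management, the AEAD `enc` values) are assumptions for this example and should be set from the profile you actually deploy; the sample tokens are constructed with dummy payload segments because the check only looks at the header.

```python
import base64
import json

# Assumed policy for this example (not taken from the minutes): allow-lists
# of JOSE algorithms. Anything PKCS #1 v1.5 based is rejected for both JWS
# and JWE, which is the gap the minutes point out (the ban is written only
# for signatures).
ALLOWED_JWS_ALGS = {"PS256", "ES256"}
ALLOWED_JWE_ALGS = {"RSA-OAEP", "RSA-OAEP-256"}
ALLOWED_JWE_ENCS = {
    "A128GCM", "A192GCM", "A256GCM",
    "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
}
# RSASSA-PKCS1-v1_5 signature algs and the RSAES-PKCS1-v1_5 key-encryption alg.
PKCS1_V15_ALGS = {"RS256", "RS384", "RS512", "RSA1_5"}


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used by JWS/JWE compact serialisation."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_protected_header(token: str) -> tuple[str, dict]:
    """Return ("JWS"|"JWE", header) from a compact-serialised token.

    Three dot-separated segments is a JWS, five is a JWE; anything else is
    rejected before any decoding of the other segments happens.
    """
    segments = token.split(".")
    if len(segments) == 3:
        kind = "JWS"
    elif len(segments) == 5:
        kind = "JWE"
    else:
        raise ValueError(f"expected 3 (JWS) or 5 (JWE) segments, got {len(segments)}")
    header = json.loads(_b64url_decode(segments[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return kind, header


def check_token_policy(token: str) -> tuple[bool, str]:
    """Apply the allow-list to the protected header only.

    Returns (accepted, reason). The caller still has to verify the signature
    or decrypt with a real JOSE library; this runs before that step so that a
    disallowed alg never reaches key material.
    """
    kind, header = parse_protected_header(token)
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "missing or non-string alg"
    if alg in PKCS1_V15_ALGS:
        return False, f"{alg} is PKCS #1 v1.5 based and is rejected for {kind}"
    if kind == "JWS":
        if alg not in ALLOWED_JWS_ALGS:
            return False, f"signature alg {alg} not in allow-list"
        return True, f"JWS with {alg} accepted"
    enc = header.get("enc")
    if alg not in ALLOWED_JWE_ALGS:
        return False, f"key-management alg {alg} not in allow-list"
    if enc not in ALLOWED_JWE_ENCS:
        return False, f"content-encryption alg {enc} not in allow-list"
    return True, f"JWE with {alg}/{enc} accepted"


def make_sample_token(header: dict, parts: int) -> str:
    """Constructed sample token: the header is real JSON, the remaining
    segments are a single dummy byte each (no key material, no valid
    signature or ciphertext). Enough for exercising the header policy."""
    segments = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode())]
    segments += [_b64url_encode(b"\x00") for _ in range(parts - 1)]
    return ".".join(segments)


if __name__ == "__main__":
    samples = [
        make_sample_token({"alg": "RS256", "typ": "JWT"}, 3),   # rejected
        make_sample_token({"alg": "PS256", "typ": "JWT"}, 3),   # accepted
        make_sample_token({"alg": "RSA1_5", "enc": "A256GCM"}, 5),    # rejected
        make_sample_token({"alg": "RSA-OAEP", "enc": "A256GCM"}, 5),  # accepted
        make_sample_token({"alg": "none"}, 3),                  # rejected
    ]
    for token in samples:
        accepted, reason = check_token_policy(token)
        print("ACCEPT" if accepted else "REJECT", reason)
```

The point of separating `parse_protected_header` from `check_token_policy` is that the allow-list decision is made on nothing but the header, so a client whose key pair is unchanged (the RS256 to PS256 migration John mentions) passes or fails purely on the advertised `alg`; the same key material is usable under both, which is why the migration should not need a fresh registration.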