FAPI WG Meeting Notes (2019-01-16)
Date & Time: 2019-01-16 14:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
Agenda
The meeting was called to order at 14:09 UTC.
1. Roll Call
- Attending:
- Nat, Brian, Daniel, Dave, John, Joseph, Torsten, Bjorn, Freddi, Chris
- Guests:
- Regrets:
2. Adoption of the Agenda (Dave)
- Adopted as proposed.
3. Security Whitepaper (Torsten)
- https://bitbucket.org/openid/fapi/src/a12ba4dd3694573310d927d8ae234ec5d4c817e3/TR-Cross_browser_payment_initiation_attack.md?at=master
- Daniel to send a pull request to put the figures in it.
4. External Organizations
4.1. STET, Berlin Group (Torsten)
- No news.
- Dave will also try to get in touch with them once the TR is complete with figures.
4.3. UK OpenBanking (Freddi)
- Progressing with ver. 4.
4.4. ISO/TC 68 (Dave)
- Draft sent out a week ago. He will meet with the editor next week.
- Feedback sought.
5. Issues
5.1. #204: CIBA Binding Messages (Dave)
Examples should be added. No concrete proposal yet. Assigned to Dave and taken off-line with Freddi.
5.2. #205: Add requirement for Client to verify state matches session (Torsten)
- Torsten is still working on it.
5.3. #206: CIBA - Add reference to the relevant clauses in FAPI RW (Dave)
- Text in the spec that explicitly refers to 5.2.2 in FAPI1 and FAPI2 is sufficient, and I propose we close this.
5.4. #207: RS256 vs PS256 (again)
- Lengthy discussion around it. Recommending not to use RS256 seems to be fine. People tend to use it for both signatures and encryption once it is allowed.
- Also, John pointed out that moving from RS256 to PS256 should not require complete re-registration of the client as keys are going to be the same, but Brian pointed out that there is no way to do so in the spec.
- Chris pointed out that OBIE is trying to come up with a method that smooths it.
5.5. #208: Part 2 should limit allowed JWE algorithms (Joseph)
- The ban on PKCS#1 v1.5 is only written in the context of signatures; we should do the same for encryption.
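As an added illustration of the policy discussed in #207 and #208 (example code written for these notes, not anything from the WG or from the FAPI spec): a protected-header check that refuses RSA PKCS#1 v1.5 both for JWS signing (RS256) and for JWE key encryption (RSA1_5) before any key is looked up. The allow-lists, the sample tokens and the helper names are assumptions made for the example.

```python
import base64
import json

# Illustrative allow-lists (an assumption for this example, not text from the
# minutes): RSA PKCS#1 v1.5 is refused both for signing (RS256) and for key
# encryption (RSA1_5); PS256 is the signature algorithm discussed in #207.
ALLOWED_JWS_ALG = {"PS256", "ES256"}
ALLOWED_JWE_ALG = {"RSA-OAEP-256", "ECDH-ES+A256KW"}
ALLOWED_JWE_ENC = {"A256GCM", "A128CBC-HS256"}
PKCS1_V15_ALGS = {"RS256", "RS384", "RS512", "RSA1_5"}

def _decode_header(segment: str) -> dict:
    """Base64url-decode the protected header of a compact JOSE token."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_jose_header(token: str) -> str:
    """Apply the algorithm policy to a compact JWS/JWE before any key lookup.
    Returns "JWS" or "JWE" on success and raises ValueError otherwise, so a
    disallowed alg (a missing alg or "none" also fails the allow-list) never
    reaches verification or decryption code."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact-serialized JWS or JWE")
    kind = "JWS" if len(parts) == 3 else "JWE"
    header = _decode_header(parts[0])
    alg, enc = header.get("alg"), header.get("enc")
    if alg in PKCS1_V15_ALGS:
        raise ValueError(f"{alg} (RSA PKCS#1 v1.5) is not permitted for {kind}")
    if kind == "JWS" and alg not in ALLOWED_JWS_ALG:
        raise ValueError(f"JWS alg {alg!r} not in allow-list")
    if kind == "JWE" and (alg not in ALLOWED_JWE_ALG or enc not in ALLOWED_JWE_ENC):
        raise ValueError(f"JWE alg/enc {alg!r}/{enc!r} not in allow-list")
    return kind

def is_allowed(token: str) -> bool:
    """Boolean gate around check_jose_header for callers that only need yes/no."""
    try:
        return check_jose_header(token) in ("JWS", "JWE")
    except ValueError:
        return False

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample tokens: payload, signature, IV, ciphertext and tag segments
# are dummies, because only the protected header is examined here.
RS256_JWS = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), "e30", "c2ln"])
PS256_JWS = ".".join([_b64url({"alg": "PS256", "typ": "JWT"}), "e30", "c2ln"])
RSA1_5_JWE = ".".join([_b64url({"alg": "RSA1_5", "enc": "A256GCM"}), "", "aXY", "Y3Q", "dGFn"])
OAEP_JWE = ".".join([_b64url({"alg": "RSA-OAEP-256", "enc": "A256GCM"}), "", "aXY", "Y3Q", "dGFn"])
```

Running the policy on the header first means the choice of algorithm is made by the verifier's configuration, never by the token.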
6. AOB
6.1. Ozone reference bank experience (Chris)
- There seems to be some portion of the spec that should be softened from SHALL to SHOULD.
- One of them is the parameter duplication: John and Nat should probably press harder for OAuth JAR.
- Chris/Freddi/Joseph to come up with the concrete set of those issues for the next Atlantic call.
6.2. Security paper feedback (Daniel)
- Daniel is seeking feedback on the paper that was distributed to some members of the WG.
6.3. Next Call
- Pacific call next week. Atlantic call in 2 weeks' time.
The meeting adjourned at 15:05.