FAPI WG Meeting Notes (2019-01-30)
Date & Time: 2019-01-02 14:00 UTC
Location: GoToMeeting https://global.gotomeeting.com/join/321819862
Agenda
The meeting was called to order at 14:05 UTC.
1. Roll Call
- Attending: Nat, Bjorn, Brian, Daniel, Dave, Joseph, Ralph
- Guests:
- Regrets: Torsten
2. Adoption of the Agenda (Dave)
- Agenda was agreed
3. External Organizations
3.1. STET, Berlin Group & Session Fixation in Payment Flows (Torsten)
- Cross-browser Payment Initiation Attack is in the repo as a markdown document
- WG members to share bilaterally
- There has been more discussion with STET
3.2. Australia (Ralph)
- Dates have been pushed back
3.3. UK OpenBanking (Joseph, Dave)
- Things are on track for FAPI conformance test
- There may be a delay on banks moving to the FAPI RW standard
- RP conformance tests should be released in the next month; negative tests still need to be added
- Banks need to provide account holder name, currently this will be in an API response rather than an ID Token
- App to App flows are going live
- Banks are using multiple well-known configs, with different authorization endpoints, to support different brands
3.4. ISO TC68 (Dave)
- The editor is asking when FAPI will move to a final draft; we discussed that, when things settle around the OB implementation, we should probably move to final
- Nat and Dave are feeding back to the editor
- Dave asked the WG about guidance for websockets with OAuth.
- Ralph explained that this is an area that needs more work, e.g. a lot of libraries don’t support auth headers
- There are different security implications and it may need to be a different protocol; Dave to ask the OAuth WG
4. Issues
https://bitbucket.org/openid/fapi/issues/142/standardising-lodging-intent
https://bitbucket.org/openid/fapi/issues/200/ciba-signed-authentication-request
https://bitbucket.org/openid/fapi/issues/213/requirements-on-rsa-ec-key-sizes-should
5. AOB
- Research Paper - Formal analysis of FAPI, this is being reviewed by Nat and will be released shortly
- ISO27002 is in revision; the identity and access management section is very weak. WG members are encouraged to give feedback
6. Next Call
- Pacific call next week. Atlantic call in 2 weeks' time.